Read Online Underground: Tales of Hacking, Madness and Obsession from the Electronic Frontier by Suelette Dreyfus - Free Book Online
Authors: Suelette Dreyfus
Ads: Link
TO’ commands. Maybe the hacker who wrote the worm was in fact a very elegant DCL programmer who wanted the worm to be chaotic in order to protect it. Security through obscurity.
Oberman maintained a different view. He believed the programming style varied so much in different parts that it had to be the product of a number of people. He knew that when computer programmers write code they don’t make lots of odd little changes in style for no particular reason.
Kevin Oberman and John McMahon bounced ideas off one another. Both had developed their own analyses. Oberman also brought Mark Kaletka, who managed internal networking at Fermilab, one of HEPNET’s largest sites, into the cross-checking process. The worm had a number of serious vulnerabilities, but the problem was finding one, and quickly, which could be used to wipe it out with minimum impact on the besieged computers.
Whenever a VMS machine starts up an activity, the computer gives it a unique process name. When the worm burrowed into a computer site, one of the first things it did was check that another copy of itself was not already running on that computer. It did this by checking for its own process names. The worm’s processes were all called NETW_ followed by a random, four-digit number. If the incoming worm found this process name, it assumed another copy of itself was already running on the computer, so it destroyed itself.
The answer seemed to be a decoy duck. Write a program which pretended to be the worm and install it across all of NASA’s vulnerable computers. The first anti-WANK program did just that. It quietly sat on the SPAN computers all day long, posing as a NETW_ process, faking out any real version of the WANK worm which should come along.
Oberman completed an anti-WANK program first and ran it by McMahon. It worked well, but McMahon noticed one large flaw. Oberman’s program checked for the NETW_ process name, but it assumed that the worm was running under the SYSTEM group. In most cases, this was true, but it didn’t have to be. If the worm was running in another group, Oberman’s program would be useless. When McMahon pointed out the flaw, Oberman thought, God, how did I miss that?
McMahon worked up his own version of an anti-WANK
program, based on Oberman’s program, in preparation for releasing it to NASA.
At the same time, Oberman revised his anti-WANK program for DOE. By Monday night US Eastern Standard Time, Oberman was able to send out an early copy of a vaccine designed to protect computers which hadn’t been infected yet, along with an electronic warning about the worm.
His first electronic warning, distributed by CIAC, said in part:
/////////////////////////////////////////////////////////////////////////
THE COMPUTER INCIDENT ADVISORY CAPABILITY C I A C
ADVISORY NOTICE
The W.COM Worm affecting VAX VMS Systems
October 16, 1989 18:37 PSTNumber A-2
This is a mean bug to kill and could have done a lot of damage.
Since it notifies (by mail) someone of each successful penetration and leaves a trapdoor (the FIELD account), just killing the bug is not adequate. You must go in and make sure all accounts have passwords and that the passwords are not the same as the account name.
R. Kevin Oberman
Advisory Notice
A worm is attacking NASA’s SPAN network via VAX/VMS systems connected to DECnet. It is unclear if the spread of the worm has been checked.
It may spread to other systems such as DOE’s HEPNET within a few days.
VMS system managers should prepare now.
The worm targets VMS machines, and can only be propagated via DECnet.
The worm exploits two features of DECnet/VMS in order to propagate itself. The first is the default DECnet account, which is a facility for users who don’t have a specific login ID for a machine to have some degree of anonymous access. It uses the default DECnet account to copy itself to a machine, and then uses the ‘TASK 0’ feature of DECnet to invoke the remote
Oberman maintained a different view. He believed the programming style varied so much in different parts that it had to be the product of a number of people. He knew that when computer programmers write code they don’t make lots of odd little changes in style for no particular reason.
Kevin Oberman and John McMahon bounced ideas off one another. Both had developed their own analyses. Oberman also brought Mark Kaletka, who managed internal networking at Fermilab, one of HEPNET’s largest sites, into the cross-checking process. The worm had a number of serious vulnerabilities, but the problem was finding one, and quickly, which could be used to wipe it out with minimum impact on the besieged computers.
Whenever a VMS machine starts up an activity, the computer gives it a unique process name. When the worm burrowed into a computer site, one of the first things it did was check that another copy of itself was not already running on that computer. It did this by checking for its own process names. The worm’s processes were all called NETW_ followed by a random, four-digit number. If the incoming worm found this process name, it assumed another copy of itself was already running on the computer, so it destroyed itself.
The answer seemed to be a decoy duck. Write a program which pretended to be the worm and install it across all of NASA’s vulnerable computers. The first anti-WANK program did just that. It quietly sat on the SPAN computers all day long, posing as a NETW_ process, faking out any real version of the WANK worm which should come along.
Oberman completed an anti-WANK program first and ran it by McMahon. It worked well, but McMahon noticed one large flaw. Oberman’s program checked for the NETW_ process name, but it assumed that the worm was running under the SYSTEM group. In most cases, this was true, but it didn’t have to be. If the worm was running in another group, Oberman’s program would be useless. When McMahon pointed out the flaw, Oberman thought, God, how did I miss that?
McMahon worked up his own version of an anti-WANK
program, based on Oberman’s program, in preparation for releasing it to NASA.
At the same time, Oberman revised his anti-WANK program for DOE. By Monday night US Eastern Standard Time, Oberman was able to send out an early copy of a vaccine designed to protect computers which hadn’t been infected yet, along with an electronic warning about the worm.
His first electronic warning, distributed by CIAC, said in part:
/////////////////////////////////////////////////////////////////////////
THE COMPUTER INCIDENT ADVISORY CAPABILITY C I A C
ADVISORY NOTICE
The W.COM Worm affecting VAX VMS Systems
October 16, 1989 18:37 PSTNumber A-2
This is a mean bug to kill and could have done a lot of damage.
Since it notifies (by mail) someone of each successful penetration and leaves a trapdoor (the FIELD account), just killing the bug is not adequate. You must go in and make sure all accounts have passwords and that the passwords are not the same as the account name.
R. Kevin Oberman
Advisory Notice
A worm is attacking NASA’s SPAN network via VAX/VMS systems connected to DECnet. It is unclear if the spread of the worm has been checked.
It may spread to other systems such as DOE’s HEPNET within a few days.
VMS system managers should prepare now.
The worm targets VMS machines, and can only be propagated via DECnet.
The worm exploits two features of DECnet/VMS in order to propagate itself. The first is the default DECnet account, which is a facility for users who don’t have a specific login ID for a machine to have some degree of anonymous access. It uses the default DECnet account to copy itself to a machine, and then uses the ‘TASK 0’ feature of DECnet to invoke the remote
Similar Books
