                               ==Phrack Inc.==

                    Volume Two, Issue 22, File 10 of 12

            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
            PWN                                                     PWN
            PWN                P h r a c k   W o r l d   N e w s    PWN
            PWN                ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~    PWN
            PWN                Issue XXII/Part 2                    PWN
            PWN                                                     PWN
            PWN                Created by Knight Lightning          PWN
            PWN                                                     PWN
            PWN                 Written and Edited by               PWN
            PWN             Knight Lightning and Taran King         PWN
            PWN                                                     PWN
            PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN

Computer Network Disrupted By "Virus"                           November 3, 1988
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By John Markoff (New York Times)

In an intrusion that raises new questions about the vulnerability of the nation's computers, a nationwide Department of Defense data network has been disrupted since Wednesday night by a rapidly spreading "virus" software program apparently introduced by a computer science student's malicious experiment.

The program reproduced itself through the computer network, making hundreds of copies in each machine it reached, effectively clogging systems linking thousands of military, corporate and university computers around the country and preventing them from doing additional work. The virus is thought not to have destroyed any files.

By late Thursday afternoon computer security experts were calling the virus the largest assault ever on the nation's computers.

"The big issue is that a relatively benign software program can virtually bring our computing community to its knees and keep it there for some time," said Chuck Cole, deputy computer security manager at Lawrence Livermore Laboratory in Livermore, Calif., one of the sites affected by the intrusion. "The cost is going to be staggering."

Clifford Stoll, a computer security expert at Harvard University, added, "There is not one system manager who is not tearing his hair out. It's causing enormous headaches."

The affected computers carry routine communications among military officials, researchers and corporations. While some sensitive military data are involved, the nation's most sensitive secret information, such as that on the control of nuclear weapons, is thought not to have been touched by the virus.

Computer viruses are so named because they parallel in the computer world the behavior of biological viruses. A virus is a program, or a set of instructions to a computer, that is deliberately planted on a floppy disk meant to be used with the computer or introduced when the computer is communicating over telephone lines or data networks with other computers.

The programs can copy themselves into the computer's master software, or operating system, usually without calling any attention to themselves. From there, the program can be passed to additional computers.

Depending upon the intent of the software's creator, the program might cause a provocative but otherwise harmless message to appear on the computer's screen. Or it could systematically destroy data in the computer's memory.

The virus program was apparently the result of an experiment by a computer science graduate student trying to sneak what he thought was a harmless virus into the Arpanet computer network, which is used by universities, military contractors and the Pentagon, where the software program would remain undetected.

A man who said he was an associate of the student said in a telephone call to The New York Times that the experiment went awry because of a small programming mistake that caused the virus to multiply around the military network hundreds of times faster than had been planned.

The caller, who refused to identify himself or the programmer, said the student realized his error shortly after letting the program loose and that he was now terrified of the consequences.

A spokesman at the Pentagon's Defense Communications Agency, which has set up an emergency center to deal with the problem, said the caller's story was a "plausible explanation of the events."
As the virus spread Wednesday night, computer experts began a huge struggle to eradicate the invader.

A spokesman for the Defense Communications Agency in Washington acknowledged the attack, saying, "A virus has been identified in several host computers attached to the Arpanet and the unclassified portion of the defense data network known as the Milnet." He said that corrections to the security flaws exploited by the virus are now being developed.

The Arpanet data communications network was established in 1969 and is designed to permit computer researchers to share electronic messages, programs and data such as project information, budget projections and research results. In 1983 the network was split and the second network, called Milnet, was reserved for higher-security military communications. But Milnet is thought not to handle the most classified military information, including data related to the control of nuclear weapons.

The Arpanet and Milnet networks are connected to hundreds of civilian networks that link computers around the globe.

There were reports of the virus at hundreds of locations on both coasts, including, on the East Coast, computers at the Massachusetts Institute of Technology, Harvard University, the Naval Research Laboratory in Maryland and the University of Maryland and, on the West Coast, NASA's Ames Research Center in Mountain View, Calif.; Lawrence Livermore Laboratories; Stanford University; SRI International in Menlo Park, Calif.; the University of California's Berkeley and San Diego campuses and the Naval Ocean Systems Command in San Diego.

A spokesman at the Naval Ocean Systems Command said that its computer systems had been attacked Wednesday evening and that the virus had disabled many of the systems by overloading them. He said that computer programmers at the facility were still working on the problem more than 19 hours after the original incident.

The unidentified caller said the Arpanet virus was intended simply to "live" secretly in the Arpanet network by slowly copying itself from computer to computer. However, because the designer did not completely understand how the network worked, it quickly copied itself thousands of times from machine to machine.

Computer experts who disassembled the program said that it was written with remarkable skill and that it exploited three security flaws in the Arpanet network. [No. Actually UNIX] The virus' design included a program designed to steal passwords, then masquerade as a legitimate user to copy itself to a remote machine.

Computer security experts said that the episode illustrated the vulnerability of computer systems and that incidents like this could be expected to happen repeatedly if awareness about computer security risks was not heightened.

"This was an accident waiting to happen; we deserved it," said Geoffrey Goodfellow, president of Anterior Technology Inc. and an expert on computer communications. "We needed something like this to bring us to our senses. We have not been paying much attention to protecting ourselves."

Peter Neumann, a computer security expert at SRI International Inc. in Menlo Park, said, "Thus far the disasters we have known have been relatively minor. The potential for rather extraordinary destruction is rather substantial."

"In most of the cases we know of, the damage has been immediately evident. But if you contemplate the effects of hidden programs, you could have attacks going on and you might never know it."
_______________________________________________________________________________

Virus Attack                                                    November 6, 1988
~~~~~~~~~~~~
From the Philadelphia Inquirer (Inquirer Wire Services)

ITHACA, N.Y. - A Cornell University graduate student whose father is a top government computer-security expert is suspected of creating the "virus" that slowed thousands of computers nationwide, school officials said yesterday.
The Ivy League university announced that it was investigating the computer files of 23-year-old Robert T. Morris, Jr., as experts across the nation assessed the unauthorized program that was injected Wednesday into a military and university system, closing it for 24 hours.

The virus slowed an estimated 6,000 computers by replicating itself and taking up memory space, but it is not believed to have destroyed any data.

M. Stuart Lynn, Cornell vice president for information technologies, said yesterday that Morris' files appeared to contain passwords giving him unauthorized access to computers at Cornell and Stanford Universities.

"We also have discovered that Morris' account contains a list of passwords substantially similar to those found in the virus," he said at a news conference.

Although Morris "had passwords he certainly was not entitled to," Lynn stressed, "we cannot conclude from the existence of those files that he was responsible."

FBI spokesman Lane Betts said the agency was investigating whether any federal laws were violated.

Morris, a first-year student in a doctoral computer-science program, has a reputation as an expert computer hacker and is skilled enough to have written the rogue program, Cornell instructor Dexter Kozen said.

When reached at his home yesterday in Arnold, Md., Robert T. Morris, Sr., chief scientist at the National Computer Security Center in Bethesda, Md., would not say where his son was or comment on the case.

The elder Morris has written widely on the security of the Unix operating system, the target of the virus program. He is widely known for writing a program to decipher passwords, which give users access to computers.
_______________________________________________________________________________

New News From Hacker Attack On Philips France, 1987             November 7, 1988
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A German TV magazine reported (last week) that the German hackers who attacked, in summer 1987, several computer systems and networks (including NASA, the SPANET, the CERN computers which are labeled "European hacker center," as well as computers of Philips France and Thompson-Brandt/France) had transferred design and construction plans of the MegaBit chip developed in the Philips laboratories. The only information available is that detailed graphics are available to the reporters showing details of the MegaBit design.

Evidently it is very difficult to prosecute this data theft since German law does not apply to France-based enterprises. Moreover, the German law may generally not be applicable since its prerequisite, that PHILIPS' computer system has "special protection mechanisms," may not be true. Evidently, the system was only protected with UID and password, which may not be a sufficient protection (and was not).

Evidently, the attackers had much more knowledge as well as instruments (e.g. sophisticated graphic terminals and plotters, special software) than a "normal hacker" has. Speculation is that these hackers were spies rather than hackers of the Chaos Computer Club (CCC), which was blamed for the attack. Moreover, leading members of CCC, one of whom was arrested for the attack, evidently do not have enough knowledge to work with such systems.

Information Provided By Klaus Brunnstein, Hamburg, FRG
_______________________________________________________________________________

The Computer Jam: How It Came About                             November 8, 1988
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By John Markoff (New York Times)

Computer scientists who have studied the rogue program that crashed through many of the nation's computer networks last week say the invader actually represents a new type of helpful software designed for computer networks.

The same class of software could be used to harness computers spread around the world and put them to work simultaneously. It could also diagnose malfunctions in a network, execute large computations on many machines at once and act as a speedy messenger.

But it is this same capability that caused thousands of computers in universities, military installations and corporate research centers to stall and shut down the Defense Department's Arpanet system when an illicit version of the program began interacting in an unexpected way.

"It is a very powerful tool for solving problems," said John F. Shoch, a computer expert who has studied the programs. "Like most tools it can be misused, and I think we have an example here of someone who misused and abused the tool."

The program, written as a "clever hack" by Robert Tappan Morris, a 23-year-old Cornell University computer science graduate student, was originally meant to be harmless. It was supposed to copy itself from computer to computer via Arpanet and merely hide itself in the computers. The purpose? Simply to prove that it could be done.

But by a quirk, the program instead reproduced itself so frequently that the computers on the network quickly became jammed.

Interviews with computer scientists who studied the network shutdown and with friends of Morris have disclosed the manner in which the events unfolded.
The program was introduced last Wednesday evening at a computer in the artificial intelligence laboratory at the Massachusetts Institute of Technology. Morris was seated at his terminal at Cornell in Ithaca, N.Y., but he signed onto the machine at MIT. Both his terminal and the MIT machine were attached to Arpanet, a computer network that connects research centers, universities and military bases.

Using a feature of Arpanet, called Sendmail, to exchange messages among computer users, he inserted his rogue program. It immediately exploited a loophole in Sendmail at several computers on Arpanet.

Typically, Sendmail is used to transfer electronic messages from machine to machine throughout the network, placing the messages in personal files. However, the programmer who originally wrote Sendmail three years ago had left a secret "backdoor" in the program to make his own work easier. It permitted any program written in the computer language known as C to be mailed like any other message. So instead of a program being sent only to someone's personal files, it could also be sent to a computer's internal control programs, which would start the new program. Only a small group of computer experts -- among them Morris -- knew of the backdoor.

As they dissected Morris's program later, computer experts found that it elegantly exploited the Sendmail backdoor in several ways, copying itself from computer to computer and tapping two additional security provisions to enter new computers.

The invader first began its journey as a program written in the C language. But it also included two "object" or "binary" files -- programs that could be run directly on Sun Microsystems machines or Digital Equipment VAX computers without any additional translation, making it even easier to infect a computer.

One of these binary files had the capability of guessing the passwords of users on the newly infected computer. This permits wider dispersion of the rogue program.
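The article goes on to say that the password guesser tried each account name, permutations of the name, and a list of commonly used passwords. The defensive counterpart is a password-quality check that refuses exactly those guesses at the moment a user picks a password, so they never reach the password file in the first place. The C program below is an added example written for this file, not code from the article or from the worm; the function names, the derivation rules it tests (the name itself, reversed, doubled, embedded, with trailing digits stripped first) and the four-entry constructed common-password list are assumptions of the example.

```c
/* Added example (not code from the article or from the worm): a
 * password-quality check that rejects a candidate derived from the
 * account name in the ways the article lists as guesses, plus a small
 * constructed list of common passwords. Names and rules are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAXPW 128

/* Constructed sample of a "common passwords" list; a real deployment
 * would load a full dictionary instead of these four entries. */
static const char *const common_passwords[] = {
    "password", "123456", "letmein", "qwerty", NULL
};

/* Lower-case copy of src into dst (dst has at least MAXPW bytes). */
static void lower_copy(char *dst, const char *src) {
    size_t i;
    for (i = 0; src[i] != '\0' && i < MAXPW - 1; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

/* Reverse s in place. */
static void reverse(char *s) {
    size_t n = strlen(s);
    for (size_t i = 0; i < n / 2; i++) {
        char t = s[i]; s[i] = s[n - 1 - i]; s[n - 1 - i] = t;
    }
}

/* Strip trailing digits so "alice1988" is judged as "alice". */
static void strip_trailing_digits(char *s) {
    size_t n = strlen(s);
    while (n > 0 && isdigit((unsigned char)s[n - 1]))
        s[--n] = '\0';
}

/* Returns a non-zero reason code if the password is derived from the
 * account name or is a common password, 0 if it passes this check. */
int password_is_weak(const char *user, const char *password) {
    char u[MAXPW], p[MAXPW], rev[MAXPW], doubled[2 * MAXPW];

    lower_copy(u, user);
    lower_copy(p, password);
    strip_trailing_digits(p);                     /* "alice1988" -> "alice" */
    if (u[0] == '\0' || p[0] == '\0') return 1;   /* nothing left to judge */

    if (strcmp(p, u) == 0) return 2;              /* the name itself */
    strcpy(rev, u);
    reverse(rev);
    if (strcmp(p, rev) == 0) return 3;            /* the name reversed */
    snprintf(doubled, sizeof doubled, "%s%s", u, u);
    if (strcmp(p, doubled) == 0) return 4;        /* the name doubled */
    if (strstr(p, u) != NULL) return 5;           /* the name embedded */

    for (size_t i = 0; common_passwords[i] != NULL; i++)
        if (strcmp(p, common_passwords[i]) == 0) return 6;

    return 0;
}

int main(void) {
    const char *user = "alice";                   /* constructed account */
    const char *tries[] = { "alice", "ecila", "alicealice", "Alice1988",
                            "myalice7", "password", "correct horse battery",
                            NULL };
    for (int i = 0; tries[i] != NULL; i++)
        printf("%-22s -> %s\n", tries[i],
               password_is_weak(user, tries[i]) ? "REJECT" : "ok");
    return 0;
}
```

Run stand-alone, it prints a verdict for each constructed candidate against the account `alice`. The return value is a reason code rather than a bare yes/no so that a passwd front end can tell the user which rule refused the choice; the digit-stripping step matters because appending a year is the most common way users try to disguise their own name.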
To guess the password, the program first read the list of users on the target computer and then systematically tried using their names, permutations of their names or a list of commonly used passwords. When successful in guessing one, the program then signed on to the computer and used the privileges involved to gain access to additional computers in the Arpanet system.

Morris's program was also written to exploit another loophole. A program on Arpanet called Finger lets users on a remote computer know the last time that a user on another network machine had signed on. Because of a bug, or error, in Finger, Morris was able to use the program as a crowbar to further pry his way through computer security.

The defect in Finger, which was widely known, gives a user access to a computer's central control programs if an excessively long message is sent to Finger. So by sending such a message, Morris's program gained access to these control programs, thus allowing the further spread of the rogue.

The rogue program did other things as well. For example, each copy frequently signaled its location back through the network to a computer at the University of California at Berkeley. A friend of Morris said that this was intended to fool computer researchers into thinking that the rogue had originated at Berkeley.

The program contained another signaling mechanism that became its Achilles' heel and led to its discovery. It would signal a new computer to learn whether it had been invaded. If not, the program would copy itself into that computer. But Morris reasoned that another expert could defeat his program by sending the correct answering signal back to the rogue. To parry this, Morris programmed his invader so that once every 10 times it sent the query signal it would copy itself into the new machine regardless of the answer. The choice of 1 in 10 proved disastrous because it was far too frequent.
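The "query signal" check described above is a throttle: a copy that finds the host already infected is supposed to back off most of the time and install itself only 1 time in N. Mark Eichin's comment later in this file says the intended odds were 1 in 15, that the comparison was written backward so it reinstalled 14 times in 15, and that changing the denominator would not have helped. The C program below is an added example written for this file, not the worm's code: it models the intended and the inverted check as two small policy functions and enumerates every possible roll, so the counts are exact rather than sampled. The function names and the shape of the check are assumptions of the example; the values 10, 15 and 1000 are the figures the article and the comment mention.

```c
/* Added example (not the worm's code): how an inverted comparison turns a
 * "reinstall 1 time in N" throttle into "reinstall N-1 times in N". The
 * structure of the check is an assumption of this example; N = 15 and the
 * 14-in-15 outcome come from Mark Eichin's comment in this file. */
#include <stdio.h>

/* Both policies answer one question: should this copy install itself on
 * the host? "roll" is a random value in [0, n). On a host with no copy
 * the answer is always yes; the roll only matters when one is present. */

/* Intended: on an already-infected host, proceed only when roll == 0,
 * i.e. 1 time in n. */
int should_install_intended(int already_infected, unsigned roll) {
    if (!already_infected) return 1;
    return roll == 0;
}

/* Backward: the comparison is inverted, so the copy backs off only when
 * roll == 0 and installs n-1 times in n. */
int should_install_backward(int already_infected, unsigned roll) {
    if (!already_infected) return 1;
    return roll != 0;
}

/* Enumerates every roll in [0, n) instead of sampling, so the result is
 * the exact number of rolls on which an already-infected host receives
 * another copy. */
unsigned reinfections_per_n(int (*policy)(int, unsigned), unsigned n) {
    unsigned count = 0;
    for (unsigned roll = 0; roll < n; roll++)
        count += policy(1, roll) ? 1 : 0;
    return count;
}

int main(void) {
    /* 10 is the article's figure, 15 is Eichin's, 1000 is the "fix" the
     * article suggests. */
    unsigned ns[] = { 10, 15, 1000 };
    for (int i = 0; i < 3; i++) {
        unsigned n = ns[i];
        printf("n=%4u  intended: %4u in %u   backward: %4u in %u\n", n,
               reinfections_per_n(should_install_intended, n), n,
               reinfections_per_n(should_install_backward, n), n);
    }
    return 0;
}
```

With the intended check, raising N from 10 to 1000 cuts reinfection from 1 in 10 to 1 in 1000; with the inverted check it goes from 9 in 10 to 999 in 1000, which is why, as the comment says, changing only the denominator could not have helped. The two policies agree on an uninfected host, so the bug is invisible until a host already holds a copy, exactly the case a quick test would be least likely to exercise.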
It should have been one in 1,000 or even one in 10,000 for the invader to escape detection. But because the speed of communications on Arpanet is so fast, Morris's illicit program echoed back and forth through the network in minutes, copying and recopying itself hundreds or thousands of times on each machine, eventually stalling the computers and then jamming the entire network.

After introducing his program Wednesday night, Morris left his terminal for an hour. When he returned, the nationwide jamming of Arpanet was well under way, and he could immediately see the chaos he had started.

Within a few hours, it was clear to computer system managers that something was seriously wrong with Arpanet. By Thursday morning, many knew what had happened, were busy ridding their systems of the invader and were warning colleagues to unhook from the network. They were also modifying Sendmail and making other changes to their internal software to thwart another invader.

The software invader did not threaten all computers in the network. It was aimed only at the Sun and Digital Equipment computers running a version of the Unix operating system written at the University of California at Berkeley. Other Arpanet computers using different operating systems escaped.

These rogue programs have in the past been referred to as worms or, when they are malicious, viruses. Computer science folklore has it that the first worms written were deployed on the Arpanet in the early 1970s. Researchers tell of a worm called "creeper," whose sole purpose was to copy itself from machine to machine, much the way Morris's program did last week. When it reached each new computer it would display the message: "I'm the creeper. Catch me if you can!"

As legend has it, a second programmer wrote another worm program that was designed to crawl through the Arpanet, killing creepers. Several years later, computer researchers at the Xerox Corp.'s Palo Alto Research Center developed more advanced worm programs.
Shoch and Jon Hupp developed "town crier" worm programs that acted as messengers and "diagnostic" worms that patrolled the network looking for malfunctioning computers. They even described a "vampire" worm program. It was designed to run very complex programs late at night while the computer's human users slept. When the humans returned in the morning, the vampire program would go to sleep, waiting to return to work the next evening.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Comments from Mark Eichin (SIPB Member & Project Athena "Watchmaker"):

The following paragraph from Markoff's article comes from a telephone conversation he had with me at the airport leaving the November 8, 1988 "virus conference":

"But Morris reasoned that another expert could defeat his program by sending the correct answering signal back to the rogue. To parry this, Morris programmed his invader so that once every 10 times it sent the query signal it would copy itself into the new machine regardless of the answer. The choice of 1 in 10 proved disastrous because it was far too frequent. It should have been one in 1,000 or even one in 10,000 for the invader to escape detection."

However, it is incorrect (I did think Markoff had grasped my comments, perhaps not). The virus design seems to have been to reinfect with a 1 in 15 chance a machine already infected. The code was BACKWARD, so it reinfected with a *14* in 15 chance. Changing the denominator would have had no effect.
_______________________________________________________________________________

US Is Moving To Restrict Access To Facts About Computer Virus      Nov. 11, 1988
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By John Markoff (New York Times)

Government officials are moving to bar wider dissemination of information on techniques used in a rogue software program that jammed more than 6,000 computers in a nationwide computer network last week.
Their action comes amid bitter debate among computer scientists. One group of experts believes wide publication of such information would permit computer network experts to identify problems more quickly and to correct flaws in their systems. But others argue that such information is too potentially explosive to be widely circulated.

Yesterday, officials at the National Computer Security Center, a division of the National Security Agency (NSA), contacted researchers at Purdue University in West Lafayette, Indiana, and asked them to remove information from campus computers describing internal workings of the software program that jammed computers around the nation on November 3, 1988.

(A spokesperson) said the agency was concerned because it was not certain that all computer sites had corrected the software problems that permitted the program to invade systems in the first place.

Some computer security experts said they were concerned that techniques developed in the program would be widely exploited by those trying to break into computer systems.
_______________________________________________________________________________

FBI Studies Possible Charges In "Virus"                        November 12, 1988
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From the Los Angeles Times

WASHINGTON -- FBI Director William S. Sessions on Thursday added two more laws that agents are scrutinizing to determine whether to seek charges against Robert T. Morris Jr. for unleashing a computer "virus" that shut down or slowed computers across the country last week.

One of the laws - malicious mischief involving government communication lines, stations or systems - appears not to require the government to prove criminal intent, a requirement that lawyers have described as a possible barrier to successful prosecution in the case.

Sessions told a press conference at FBI headquarters that the preliminary phase of the investigation should be completed in two weeks and defended the pace of the inquiry in which Morris, a Cornell University graduate student, has not yet been interviewed.

Friends of Morris, age 23, have said he told them that he created the virus.

Sources have said that FBI agents have not sought to question Morris until they obtain the detailed electronic records of the programming he used in setting loose the virus - records that have been maintained under seal at Cornell University.

In addition to the malicious mischief statute, which carries a maximum penalty of 10 years in prison, Sessions listed fraud by wire as one of the laws being considered.
_______________________________________________________________________________