AOH :: P22-10.TXT

Phrack World News Issue XXII

                                ==Phrack Inc.==

                     Volume Two, Issue 22, File 10 of 12

            PWN                                                 PWN
            PWN        P h r a c k   W o r l d   N e w s        PWN
            PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
            PWN                Issue XXII/Part 2                PWN
            PWN                                                 PWN
            PWN           Created by Knight Lightning           PWN
            PWN                                                 PWN
            PWN              Written and Edited by              PWN
            PWN         Knight Lightning and Taran King         PWN
            PWN                                                 PWN

Computer Network Disrupted By "Virus"                          November 3, 1988
By John Markoff  (New York Times)

In an intrusion that raises new questions about the vulnerability of the
nation's computers, a nationwide Department of Defense data network has been
disrupted since Wednesday night by a rapidly spreading "virus" software program
apparently introduced by a computer science student's malicious experiment.

The program reproduced itself through the computer network, making hundreds of
copies in each machine it reached, effectively clogging systems linking
thousands of military, corporate and university computers around the country
and preventing them from doing additional work.  The virus is thought not to
have destroyed any files.

By late Thursday afternoon computer security experts were calling the virus the
largest assault ever on the nation's computers.

"The big issue is that a relatively benign software program can virtually bring
our computing community to its knees and keep it there for some time," said
Chuck Cole, deputy computer security manager at Lawerence Livermore Laboratory
in Livermore, Calif., one of the sites affected by the intrusion.  "The cost is
going to be staggering."

Clifford Stoll, a computer security expert at Harvard University, added, "There
is not one system manager who is not tearing his hair out.  It's causing
enormous headaches."

The affected computers carry routine communications among military officials,
researchers and corporations.

While some sensitive military data are involved, the nation's most sensitive
secret information, such as that on the control of nuclear weapons, is thought
not to have been touched by the virus.

Computer viruses are so named because they parallel in the computer world the
behavior of biological viruses.  A virus is a program, or a set of instructions
to a computer, that is deliberately planted on a floppy disk meant to be used
with the computer or introduced when the computer is communicating over
telephone lines or data networks with other computers.

The programs can copy themselves into the computer's master software, or
operating system, usually without calling any attention to themselves. From
there, the program can be passed to additional computers.

Depending upon the intent of the software's creator, the program might cause a
provocative but otherwise harmless message to appear on the computer's screen.
Or it could systematically destroy data in the computer's memory.

The virus program was apparently the result of an experiment by a computer
science graduate student trying to sneak what he thought was a harmless virus
into the Arpanet computer network, which is used by universities, military
contractors and the Pentagon, where the software program would remain

A man who said he was an associate of the student said in a telephone call to
The New York Times that the experiment went awry because of a small programming
mistake that caused the virus to multiply around the military network hundreds
of times faster than had been planned.

The caller, who refused to identify himself or the programmer, said the student
realized his error shortly after letting the program loose and that he was now
terrified of the consequences.

A spokesman at the Pentagon's Defense Communications Agency, which has set up
an emergency center to deal with the problem, said the caller's story was a
"plausible explanation of the events."

As the virus spread Wednesday night, computer experts began a huge struggle to
eradicate the invader.

A spokesman for the Defense Communications Agency in Washington acknowledged
the attack, saying, "A virus has been identified in several host computers
attached to the Arpanet and the unclassified portion of the defense data
network known as the Milnet."

He said that corrections to the security flaws exploited by the virus are now
being developed.

The Arpanet data communications network was established in 1969 and is designed
to permit computer researchers to share electronic messages, programs and data
such as project information, budget projections and research results.

In 1983 the network was split and the second network, called Milnet, was
reserved for higher-security military communications.  But Milnet is thought
not to handle the most classified military information, including data related
to the control of nuclear weapons.

The Arpanet and Milnet networks are connected to hundreds of civilian networks
that link computers around the globe.

There were reports of the virus at hundreds of locations on both coasts,
including, on the East Coast, computers at the Massachusetts Institute of
Technology, Harvard University, the Naval Research Laboratory in Maryland and
the University of Maryland and, on the West Coast, NASA's Ames Research Center
in Mountain View, Calif.; Lawrence Livermore Laboratories; Stanford University;
SRI International in Menlo Park, Calif.; the University of California's
Berkeley and San Diego campuses and the Naval Ocean Systems Command in San

A spokesman at the Naval Ocean Systems Command said that its computer systems
had been attacked Wednesday evening and that the virus had disabled many of the
systems by overloading them.  He said that computer programs at the facility
were still working on the problem more than 19 hours after the original

The unidentified caller said the Arpanet virus was intended simply to "live"
secretly in the Arpanet network by slowly copying itself from computer to
computer.  However, because the designer did not completely understand how the
network worked, it quickly copied itself thousands of times from machine to

Computer experts who disassembled the program said that it was written with
remarkable skill and that it exploited three security flaws in the Arpanet
network.  [No. Actually UNIX] The virus' design included a program designed to
steal passwords, then masquerade as a legitimate user to copy itself to a
remote machine.

Computer security experts said that the episode illustrated the vulnerability
of computer systems and that incidents like this could be expected to happen
repeatedly if awareness about computer security risks was not heightened.

"This was an accident waiting to happen; we deserved it," said Geoffrey
Goodfellow, president of Anterior Technology Inc. and an expert on computer

"We needed something like this to bring us to our senses.  We have not been
paying much attention to protecting ourselves."

Peter Neumann, a computer security expert at SRI International Inc. in Menlo
Park International, said, "Thus far the disasters we have known have been
relatively minor.  The potential for rather extraordinary destruction is rather

"In most of the cases we know of, the damage has been immediately evident. But
if you contemplate the effects of hidden programs, you could have attacks going
on and you might never know it."

Virus Attack                                                   November 6, 1988
>From the Philadelphia Inquirer (Inquirer Wire Services)

ITHACA, N.Y. - A Cornell University graduate student whose father is a top
government computer-security expert is suspected of creating the "virus" that
slowed thousands of computers nationwide, school officials said yesterday.

The Ivy League university announced that it was investigating the computer
files of 23-year-old Robert T. Morris, Jr., as experts across the nation
assessed the unauthorized program that was injected Wednesday into a military
and university system, closing it for 24 hours.  The virus slowed an estimated
6,000 computers by replicating itself and taking up memory space, but it is not
believed to have destroyed any data.

M. Stuart Lynn, Cornell vice president for information technologies, said
yesterday that Morris' files appeared to contain passwords giving him
unauthorized access to computers at Cornell and Stanford Universities.

"We also have discovered that Morris' account contains a list of passwords
substantially similar to those found in the virus," he said at a news

Although Morris "had passwords he certainly was not entitled to," Lynn
stressed, "we cannot conclude from the existence of those files that he was

FBI spokesman Lane Betts said the agency was investigating whether any federal
laws were violated.

Morris, a first-year student in a doctoral computer-science program, has a
reputation as an expert computer hacker and is skilled enough to have written
the rogue program, Cornell instructor Dexter Kozen said.

When reached at his home yesterday in Arnold, Md., Robert T. Morris, Sr., chief
scientist at the National Computer Security Center in Bethesda, Md., would not
say where his son was or comment on the case.

The elder Morris has written widely on the security of the Unix operating
system, the target of the virus program.  He is widely known for writing a
program to decipher passwords, which give users access to computers.

New News From Hacker Attack On Philips France, 1987            November 7, 1988
A German TV magazine reported (last week) that the German hackers which
attacked, in summer 1987, several computer systems and networks (including
NASA, the SPANET, the CERN computers which are labeled "European hacker
center," as well as computers of Philips France and Thompson-Brandt/France) had
transferred design and construction plans of the MegaBit chip having been
developed in the Philips laboratories.  The only information available is that
detailed graphics are available to the reporters showing details of the MegaBit

Evidently it is very difficult to prosecute this data theft since German law
does not apply to France based enterprises.  Moreover, the German law may
generally not be applicable since its prerequit may not be true that PHILIPS'
computer system has "special protection mechanisms."  Evidently, the system was
only be protected with UID and password, which may not be a sufficient
protection (and was not).

Evidently, the attackers had much more knowledge as well as instruments (e.g.
sophisticated graphic terminals and plotters, special software) than a "normal
hacker" has.  Speculations are that these hackers were spions rather than
hackers of the Chaos Computer Club (CCC) which was blamed for the attack.
Moreover, leading members of CCC one of whom was arrested for the attack,
evidently have not enough knowledge to work with such systems.

                            Information Provided By
                        Klaus Brunnstein, Hamburg, FRG

The Computer Jam:  How It Came About                           November 8, 1988
By John Markoff  (New York Times)

Computer scientists who have studied the rogue program that crashed through
many of the nation's computer networks last week say the invader actually
represents a new type of helpful software designed for computer networks.

The same class of software could be used to harness computers spread around the
world and put them to work simultaneously.

It could also diagnose malfunctions in a network, execute large computations on
many machines at once and act as a speedy messenger.

But it is this same capability that caused thousands of computers in
universities, military installations and corporate research centers to stall
and shut down the Defense Department's Arpanet system when an illicit version
of the program began interacting in an unexpected way.

"It is a very powerful tool for solving problems," said John F. Shoch, a
computer expert who has studied the programs.  "Like most tools it can be
misued, and I think we have an example here of someone who misused and abused
the tool."

The program, written as a "clever hack" by Robert Tappan Morris, a 23-year-old
Cornell University computer science graduate student, was originally meant to
be harmless.  It was supposed to copy itself from computer to computer via
Arpanet and merely hide itself in the computers.  The purpose?  Simply to prove
that it could be done.

But by a quirk, the program instead reproduced itself so frequently that the
computers on the network quickly became jammed.

Interviews with computer scientists who studied the network shutdown and with
friends of Morris have disclosed the manner in which the events unfolded.

The program was introduced last Wednesday evening at a computer in the
artificial intelligence laboratory at the Massachusetts Institute of
Technology.  Morris was seated at his terminal at Cornell in Ithaca, N.Y., but
he signed onto the machine at MIT.  Both his terminal and the MIT machine were
attached to Arpanet, a computer network that connects research centers,
universities and military bases.

Using a feature of Arpanet, called Sendmail, to exchange messages among
computer users, he inserted his rogue program.  It immediately exploited a
loophole in Sendmail at several computers on Arpanet.

Typically, Sendmail is used to transfer electronic messages from machine to
machine throughout the network, placing the messages in personal files.

However, the programmer who originally wrote Sendmail three years ago had left
a secret "backdoor" in the program to make it easier for his work.  It
permitted any program written in the computer language known as C to be mailed
like any other message.

So instead of a program being sent only to someone's personal files, it could
also be sent to a computer's internal control programs, which would start the
new program.  Only a small group of computer experts -- among them Morris --
knew of the backdoor.

As they dissected Morris's program later, computer experts found that it
elegantly exploited the Sendmail backdoor in several ways, copying itself from
computer to computer and tapping two additional security provisions to enter
new computers.

The invader first began its journey as a program written in the C language.
But it also included two "object" or "binary" files -- programs that could be
run directly on Sun Microsystems machines or Digital Equipment VAX computers
without any additional translation, making it even easier to infect a computer.

One of these binary files had the capability of guessing the passwords of users
on the newly infected computer.  This permits wider dispersion of the rogue

To guess the password, the program first read the list of users on the target
computer and then systematically tried using their names, permutations of their
names or a list of commonly used passwords.  When successful in guessing one,
the program then signed on to the computer and used the privileges involved to
gain access to additonal computers in the Arpanet system.

Morris's program was also written to exploit another loophole.  A program on
Arpanet called Finger lets users on a remote computer know the last time that a
user on another network machine had signed on.  Because of a bug, or error, in
Finger, Morris was able to use the program as a crowbar to further pry his way
through computer security.

The defect in Finger, which was widely known, gives a user access to a
computer's central control programs if an excessively long message is sent to
Finger.  So by sending such a message, Morris's program gained access to these
control programs, thus allowing the further spread of the rogue.

The rogue program did other things as well.  For example, each copy frequently
signaled its location back through the network to a computer at the University
of California at Berkeley.  A friend of Morris said that this was intended to
fool computer researchers into thinking that the rogue had originated at

The program contained another signaling mechanism that became its Achilles'
heel and led to its discovery.  It would signal a new computer to learn whether
it had been invaded.  If not, the program would copy itself into that computer.

But Morris reasoned that another expert could defeat his program by sending the
correct answering signal back to the rogue.  To parry this, Morris programmed
his invader so that once every 10 times it sent the query signal it would copy
itself into the new machine regardless of the answer.

The choice of 1 in 10 proved disastrous because it was far too frequent.  It
should have been one in 1,000 or even one in 10,000 for the invader to escape

But because the speed of communications on Arpanet is so fast, Morris's illicit
program echoed back and forth through the network in minutes, copying and
recopying itself hundreds or thousands of times on each machine, eventually
stalling the computers and then jamming the entire network.

After introducing his program Wednesday night, Morris left his terminal for an
hour.  When he returned, the nationwide jamming of Arpanet was well under way,
and he could immediately see the chaos he had started.  Within a few hours, it
was clear to computer system managers that something was seriously wrong with

By Thursday morning, many knew what had happened, were busy ridding their
systems of the invader and were warning colleagues to unhook from the network.
They were also modifying Sendmail and making other changes to their internal
software to thwart another invader.

The software invader did not threaten all computers in the network.  It was
aimed only at the Sun and Digital Equipment computers running a version of the
Unix operating system written at the University of California at Berkeley.
Other Arpanet computers using different operating systems escaped.

These rogue programs have in the past been referred to as worms or, when they
are malicious, viruses. Computer science folklore has it that the first worms
written were deployed on the Arpanet in the early 1970s.

Researchers tell of a worm called "creeper," whose sole purpose was to copy
itself from machine to machine, much the way Morris's program did last week.
When it reached each new computer it would display the message:  "I'm the
creeper.  Catch me if you can!"

As legend has it, a second programmer wrote another worm program that was
designed to crawl through the Arpanet, killing creepers.

Several years later, computer researchers at the Xerox Corp.'s Palo Alto
Research Center developed more advanced worm programs.  Shoch and Jon Hupp
developed "town crier" worm programs that acted as messengers and "diagnostic"
worms that patrolled the network looking for malfunctioning computers.

They even described a "vampire" worm program.  It was designed to run very
complex programs late at night while the computer's human users slept.  When
the humans returned in the morning, the vampire program would go to sleep,
waiting to return to work the next evening.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Comments from Mark Eichin (SIPB Member & Project Athena "Watchmaker");

The following paragraph from Markoff's article comes from a telephone
conversation he had with me at the airport leaving the November 8, 1988 "virus

    "But Morris reasoned that another expert could defeat his program by
     sending the correct answering signal back to the rogue.  To parry
     this, Morris programmed his invader so that once every 10 times it
     sent the query signal it would copy itself into the new machine
     regardless of the answer.

     The choice of 1 in 10 proved disastrous because it was far too
     frequent.  It should have been one in 1,000 or even one in 10,000
     for the invader to escape detection."

However, it is incorrect (I did think Markoff had grasped my comments, perhaps
not).  The virus design seems to have been to reinfect with a 1 in 15 chance a
machine already infected.

The code was BACKWARD, so it reinfected with a *14* in 15 chance.  Changing the
denominator would have had no effect.

US Is Moving To Restrict Access To Facts About Computer Virus     Nov. 11, 1988
By John Markoff  (New York Times)

Government officials are moving to bar wider dissemination of information on
techniques used in a rogue software program that jammed more than 6,000
computers in a nationwide computer network last week.

Their action comes amid bitter debate among computer scientists.  One group of
experts believes wide publication of such information would permit computer
network experts to identify problems more quickly and to correct flaws in their
systems.  But others argue that such information is too potentially explosive
to be widely circulated.

Yesterday, officials at the National Computer Security Center, a division of
the National Security Agency (NSA), contacted researchers at Purdue University
in West Lafayette, Indiana, and asked them to remove information from campus
computers describing internal workings of the software program that jammed
computers around the nation on November 3, 1988.  (A spokesperson) said the
agency was concerned because it was not certain that all computer sites had
corrected the software problems that permitted the program to invade systems in
the first place.

Some computer security experts said they were concerned that techniques
developed in the program would be widely exploited by those trying to break
into computer systems.

FBI Studies Possible Charges In "Virus"                       November 12, 1988
>From the Los Angeles Times

WASHINGTON -- FBI Director William S. Sessions on Thursday added two more laws
that agents are scrutinizing to determine whether to seek charges against
Robert T. Morris Jr. for unleashing a computer "virus" that shut down or slowed
computers across the country last week.

One of the laws - malicious mischief involving government communication lines,
stations or systems - appears not to require the government to prove criminal
intent, a requirement that lawyers have described as a possible barrier to
successful prosecution in the case.

Sessions told a press conference at FBI headquarters that the preliminary phase
of the investigation should be completed in two weeks and defended the pace of
the inquiry in which Morris, a Cornell University graduate student, has not yet
been interviewed.  Friends of Morris, age 23, have said he told them that he
created the virus.

Sources have said that FBI agents have not sought to question Morris until they
obtain the detailed electronic records of the programming he used in setting
loose the virus - records that have been maintained under seal at Cornell

In addition to the malicious mischief statue, which carries a maximum penalty
of 10 years in prison, Sessions listed fraud by wire as one of the laws being

AOH Site layout & design copyright © 2006 AOH