TUCoPS :: Malware :: wankworm.txt

The W.A.N.K. worm takes over NASA computers

Monday, 16 October 1989
Kennedy Space Center, Florida

NASA buzzed with the excitement of a launch. Galileo was finally going to

Administrators and scientists in the world's most prestigious space agency
had spent years trying to get the unmanned probe into space. Now, on
Tuesday, 17 October, if all went well, the five astronauts in the Atlantis
space shuttle would blast off from the Kennedy Space Center at Cape
Canaveral, Florida, with Galileo in tow. On the team's fifth orbit, as the
shuttle floated 295 kilometres above the Gulf of Mexico, the crew would
liberate the three-tonne space probe.

An hour later, as Galileo skated safely away from the shuttle, the probe's
32500 pound booster system would fire up and NASA staff would watch this
exquisite piece of human ingenuity embark on a six-year mission to the
largest planet in the solar system. Galileo would take a necessarily
circuitous route, flying by Venus once and Earth twice in a gravitational
slingshot effort to get up enough momentum to reach Jupiter.

NASA's finest minds had wrestled for years with the problem of exactly how
to get the probe across the solar system. Solar power was one option. But if
Jupiter was a long way from Earth, it was even further from the Sun - 778.3
million kilometres to be exact. Galileo would need ridiculously large solar
panels to generate enough power for its instruments at such a distance from
the Sun. In the end, NASA's engineers decided on a tried if not true earthly
energy source: nuclear power.

Nuclear power was perfect for space, a giant void free of human life which
could play host to a bit of radioactive plutonium 238 dioxide. The plutonium
was compact for the amount of energy it gave off - and it lasted a long time.
It seemed logical enough. Pop just under 24 kilograms of plutonium in a lead
box, let it heat up through its own decay, generate electricity for the
probe's instruments, and presto! Galileo would be on its way to investigate

American anti-nuclear activists didn't quite see it that way. They figured
what goes up might come down ..NASA assured them Galileo's power pack was
quite safe. The agency spent about $50 million on tests which supposedly
proved the probe's generators were very safe. They would survive intact in
the face of any number of terrible explosions, mishaps and accidents. NASA
told journalists that the odds of a plutonium release due to 'inadvertent
atmospheric re-entry' were 1 in 2 million. The likelihood of a plutonium
radiation leak as a result of a launch disaster was a reassuring 1 in 2700.

NASA's Goddard Space Flight Center, Greenbelt, Maryland

Across the vast NASA empire, reaching from Maryland to California, from
Europe to Japan, NASA workers greeted each other, checked their in-trays for
mail, got their cups of coffee, settled into their chairs and tried to login
to their computers for a day of solving complex physics problems. But many
of the computer systems were behaving very strangely.

>From the moment staff logged in, it was clear that someone - or something - had

taken over. Instead of the usual system's official identification banner,
they were startled to find the following message staring them in the face:

      W O R M S    A G A I N S T    N U C L E A R    K I L L E R S
    \__  ____________  _____    ________    ____  ____   __  _____/
     \ \ \    /\    / /    / /\ \       | \ \  | |    | | / /    /
      \ \ \  /  \  / /    / /__\ \      | |\ \ | |    | |/ /    /
       \ \ \/ /\ \/ /    / ______ \     | | \ \| |    | |\ \   /
        \_\  /__\  /____/ /______\ \____| |__\ | |____| |_\ \_/
          \                                                 /
           \    Your System Has Been Officically WANKed    /

     You talk of times of peace for all, and then prepare for war.

This was not going to be a good day for the guys down at the NASA SPAN
computer network office.
This was not going to be a good day for John McMahon.


As the assistant DECNET protocol manager for NASA's Goddard Space Flight
Center in Maryland, John McMahon normally spent the day managing the chunk
of the SPAN computer network which ran between Goddard's fifteen to twenty

McMahon worked for Code 630.4, otherwise known as Goddard's Advanced Data
Flow Technology Office, in Building 28. Goddard scientists would call him up
for help with their computers. Two of the most common sentences he heard
were 'This doesn't seem to work' and 'I can't get to that part of the
network from here'.

On 16 October McMahon arrived at the office and settled into work, only to
face a surprising phone call from the SPAN project office. Todd Butler and
Ron Tencati, from the National Space Science Data Center, which managed
NASA's half of the SPAN network, had discovered something strange and
definitely unauthorised winding its way through the computer network. It
looked like a computer worm.

A computer worm is a little like a computer virus. It invades computer
systems, interfering with their normal functions. It travels along any
available compatible computer network and stops to knock at the door of
systems attached to that network. If there is a hole in the security of the
computer system, it will crawl through and enter the system. When it does
this, it might have instructions to do any number of things, from sending
computer users a message to trying to take over the system. What makes a
worm different from other computer programs, such as viruses, is that it is
self-propagating. It propels itself forward, wiggles into a new system and
propagates itself at the new site. Unlike a virus, a worm doesn't latch onto
a data file or a program. It is autonomous.

At the SPAN centre, things were becoming hectic. The worm was spreading
through more and more systems and the phones were beginning to ring every
few minutes. NASA computers were getting hit all over the place.

The SPAN project staff needed more arms. They were simultaneously trying to
calm callers and concentrate on developing an analysis of the alien program.
Was the thing a practical joke or a time bomb just waiting to go off? Who
was behind this?

NASA was working in an information void when it came to WANK. Some staff
knew of the protesters' action down at the Space Center, but nothing could
have prepared them for this. NASA officials were confident enough about a
link between the protests against Galileo and the attack on NASA's computers
to speculate publicly that the two were related. It seemed a reasonable
likelihood, but there were still plenty of unanswered questions.

Callers coming into the SPAN office were worried. People at the other end of
the phone were scared. Many of the calls came from network managers who took
care of a piece of SPAN at a specific NASA site, such as the Marshall Space
Flight Center. Some were panicking; others spoke in a sort of monotone,
flattened by a morning of calls from 25 different hysterical system
administrators. A manager could lose his job over something like this.

Most of the callers to the SPAN head office were starved for information.
How did this rogue worm get into their computers? Was it malicious? Would it
destroy all the scientific data it came into contact with? What could be
done to kill it?

NASA stored a great deal of valuable information on its SPAN computers. None
of it was supposed to be classified, but the data on those computers is
extremely valuable. Millions of man-hours go into gathering and analysing
it. So the crisis team which had formed in the NASA SPAN project office, was
alarmed when reports of massive data destruction starting coming in. People
were phoning to say that the worm was erasing files.

It was every computer manager's worst nightmare, and it looked as though the
crisis team's darkest fears were about to be confirmed.

Yet the worm was behaving inconsistently. On some computers it would only
send anonymous messages, some of them funny, some bizarre and a few quite
rude or obscene. No sooner would a user login than a message would flash
across his or her screen:

         Remember, even if you win the rat race-you're still a rat.

Or perhaps they were graced with some bad humour:

                Nothing is faster than the speed of light...
           To prove this to yourself, try opening the refrigerator
                       door before the light comes on.

Other users were treated to anti-authoritarian observations of the paranoid:

                          The FBI is watching YOU.


                               Vote anarchist.

But the worm did not appear to be erasing files on these systems. Perhaps
the seemingly random file-erasing trick was a portent of things to come - just
a small taste of what might happen at a particular time, such as midnight.
Perhaps an unusual keystroke by an unwitting computer user on those systems
which seemed only mildly affected could trigger something in the worm. One
keystroke might begin an irreversible chain of commands to erase everything
on that system.

The NASA SPAN computer team were in a race with the worm. Each minute they
spent trying to figure out what it did, the worm was pushing forward, ever
deeper into NASA's computer network. Every hour NASA spent developing a
cure, the worm spent searching, probing, breaking and entering. A day's
delay in getting the cure out to all the systems could mean dozens of new
worm invasions doing God knows what in vulnerable computers. The SPAN team
had to dissect this thing completely, and they had to do it fast.

Some computer network managers were badly shaken. The SPAN office received a
call from NASA's Jet Propulsion Laboratories in California, an important
NASA centre with 6500 employees and close ties to California Institute of
Technology (Caltech).

JPL was pulling itself off the network.

This worm was too much of a risk. The only safe option was to isolate their
computers. There would be no SPAN DEC-based communications with the rest of
NASA until the crisis was under control. This made things harder for the
SPAN team; getting a worm exterminating program out to JPL, like other sites
which had cut their connection to SPAN, was going to be that much tougher.
Everything had to be done over the phone.

Worse, JPL was one of five routing centres for NASA's SPAN computer network.
It was like the centre of a wheel, with a dozen spokes branching off - each
leading to another SPAN site. All these places, known as tailsites, depended
on the lab site for their connections into SPAN. When JPL pulled itself off
the network, the tailsites went down too.

It was a serious problem for the people in the SPAN office back in Virginia.
To Ron Tencati, head of security for NASA SPAN, taking a routing centre
off-line was a major issue. But his hands were tied. The SPAN office
exercised central authority over the wide area network, but it couldn't
dictate how individual field centres dealt with the worm. That was each
centre's own decision. The SPAN team could only give them advice and rush to

 * Message split, to be continued *
--- ifmail v.2.10-tx8.2
 * Origin: IQ (1:340/13@fidonet)

 Msg  : 404 of 500                                                              
 From : Julian Assange              1:340/13                22 Jun 97  20:28:22 
 To   : All                                                 23 Jun 97  14:19:04 
 Subj : [part 2] Extract: _Underground_ new book on international computer crim 
.RFC-Subject: Extract: _Underground_ new book on international computer crime -
"The WANK worm"
From: proff@profane.iq.org (Julian Assange)

 * Continuation 1 of a split message *

develop a way to poison the worm.

Next or Previous

The SPAN office called John McMahon again, this time with a more urgent
request. Would he come over to help handle the crisis?

The SPAN centre was only 800 metres away from McMahon's office. His boss,
Jerome Bennett, the DECNET protocol manager, gave the nod. McMahon would be
on loan until the crisis was under control.

When he got to Building 26, home of the NASA SPAN project office, McMahon
became part of a core NASA crisis team .. At first the core team seemed only
to include NASA people and to be largely based at Goddard. But as the day
wore on, new people from other parts of the US government would join the

The worm had spread outside NASA.

It had also attacked the US Department of Energy's worldwide High-Energy
Physics' Network of computers. Known as HEPNET, it was another piece of the
overall SPAN network, along with Euro-HEPNET and Euro-SPAN. The NASA and DOE
computer networks of DEC computers crisscrossed at a number of places. A
research laboratory might, for example, need to have access to computers
from both HEPNET and NASA SPAN. For convenience, the lab might just connect
the two networks. The effect as far as the worm was concerned was that
NASA's SPAN and DOE's HEPNET were in fact just one giant computer network,
all of which the worm could invade.

The Department of Energy keeps classified information on its computers. Very
classified information. There are two groups in DOE: the people who do
research on civilian energy projects and the people who make atomic bombs.
So DOE takes security seriously, as in 'threat to national security'
seriously. Although HEPNET wasn't meant to be carrying any classified
information across its wires, DOE responded with military efficiency when
its computer managers discovered the invader. They grabbed the one guy who
knew a lot about computer security on VMS systems and put him on the case:
Kevin Oberman.

Even as the WANK worm coursed through NASA, it was launching an aggressive
attack on DOE's Fermi National Accelerator Laboratory, near Chicago. It had
broken into a number of computer systems there and the Fermilab people were
not happy. They called in CIAC, who contacted Oberman with an early morning
phone call on 16 October. They wanted him to analyse the WANK worm. They
wanted to know how dangerous it was. Most of all, they wanted to know what
to do about it.

The DOE people traced their first contact with the worm back to 14 October.
Further, they hypothesised, the worm had actually been launched the day
before, on Friday the 13th. Such an inauspicious day would, in Oberman's
opinion, have been in keeping with the type of humour exhibited by the
creator or creators of the worm.

Oberman began his own analysis of the worm, oblivious to the fact that 3200
kilometres away, on the other side of the continent, his colleague and
acquaintance John McMahon was doing exactly the same thing. ..


John McMahon's analysis suggested there were three versions of the WANK
worm. These versions, isolated from worm samples collected from the network,
were very similar, but each contained a few subtle differences. In McMahon's
view, these differences could not be explained by the way the worm recreated
itself at each site in order to spread. But why would the creator of the
worm release different versions? Why not just write one version properly and
fire it off? The worm wasn't just one incoming missile; it was a frenzied
attack. It was coming from all directions, at all sorts of different levels
within NASA's computers.

McMahon guessed that the worm's designer had released the different versions
at slightly different times. Maybe the creator released the worm, and then
discovered a bug. He fiddled with the worm a bit to correct the problem and
then released it again. Maybe he didn't like the way he had fixed the bug
the first time, so he changed it a little more and released it a third time.

In northern California, Kevin Oberman came to a different conclusion. He
believed there was in fact only one real version of the worm spiralling
through HEPNET and SPAN. The small variations in the different copies he
dissected seemed to stem from the worm's ability to learn and change as it
moved from computer to computer.

The worm circumnavigated the globe. It had reach into European sites, such
as CERN - formerly known as the European Centre for Nuclear Research - in
Switzerland, through to Goddard's computers in Maryland, on to Fermilab in
Chicago and propelled itself across the Pacific into the Riken Accelerator
Facility in Japan.

NASA officials told the media they believed the worm had been launched about
4.30 a.m. on Monday, 16 October.

They also believed it had originated in Europe, possibly in France ..

The WANK worm left a number of unanswered questions in its wake, a number of
loose ends which still puzzle John McMahon. Was the hacker behind the worm
really protesting against NASA's launch of the plutonium-powered Galileo
space probe? Did the use of the word 'WANK' - a most un-American word - mean the
hacker wasn't American? Why had the creator recreated the worm and released
it a second time? Why had no-one, no political or other group, claimed
responsibility for the WANK worm?

One of the many details which remained an enigma was contained in the
version of the worm used in the second attack. The worm's creator had
replaced the original process name, NETW_, with a new one, presumably to
thwart the anti-WANK program. McMahon figured the original process name
stood for 'netwank' - a reasonable guess at the hacker's intended meaning. The
new process name, however, left everyone on the SPAN team scratching their
heads: it didn't seem to stand for anything. The letters formed an unlikely
set of initials for someone's name. No-one recognised it as an acronym for a
saying or an organisation. And it certainly wasn't a proper word in the
English language. It was a complete mystery why the creator of the WANK
worm, the hacker who launched an invasion into hundreds of NASA and DOE
computers, should choose this weird word. The word was 'OILZ'.

It is not surprising the SPAN security team would miss the mark. It is not
surprising, for example, that these officials should to this day be
pronouncing the 'Oilz' version of the WANK worm as 'oil zee' .. nor that
they hypothesised the worm's creator chose the word 'Oilz' because the
modifications made to the last version made it slippery, perhaps even oily.

Likely as not, only an Australian would see the worm's link to the lyrics of
Midnight Oil.

This was the world's first worm with a political message, and the second
major worm in the history of the worldwide computer networks...

Yet, NASA and the US Department of Energy were half a world away from
finding the creator of the WANK worm. Even as investigators sniffed around
electronic trails leading to France, it appears the perpetrator was hiding
behind his computer and modem in Australia ...

Underground; Tales of Hacking, Madness and Obsession on the Electronic
Frontier, by Suelette Dreyfus; published by Mandarin (Random House
Australia); (P) 475 pages with bib. http://www.underground-book.com/

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH