The 'Security Digest' Archives (TM)

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #013 [A worm "condom" enclosed.] (1 message, 973 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/013.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: Gene Spafford <spaf>
To: phage
Date: Thu 21:20:10 03/11/1988 EST
Subject: A worm "condom" enclosed.

First, I have created (at Steve Bellovin's suggestion) a mailing
alias at arthur.cs.purdue.edu named "phage."  You are all on it, unless
you ask to be removed.  I will also add other names if you ask.

Second, more info on what the worm does as an "end-game."  If, after
a lot of trying, it decides it cannot break into any more accounts
or machines, it goes into a state where it tries to break the
root password by brute force calculation.  As of now, we don't yet
know what it does if it succeeds -- it may just restart itself
as root, or it may turn nasty.

Third, we have first-hand experience -- it will infect a Vax 8800 running
ultrix as well as 7xx machines. An infected 8800 is an awesome
engine of contagion.  Thank heavens the worm didn't have a Symmetry
component!!

Last, and perhaps most important, Kevin Braunsdorf & Rich Kulawiec
(Purdue-CC) have come up with a "condom" to protect your machine
against the CURRENT worm.  They are not 100% sure it works, but it
seems to be completely effective and it can't do any harm.   As ROOT,
do:

mkdir /usr/tmp/sh
chmod 111 /usr/tmp/sh


Then edit your rc.local file to recreate the directory in case of a reboot.
This will not stop a current infection, but it will prevent any new ones
from taking hold -- it prevents the worm from creating replicas.

More news as it happens,
--spaf

END OF DOCUMENT
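
The rc.local step described in the message above, as an added example that is not part of the original message or its authors' own code: an idempotent shell function that recreates /usr/tmp/sh with mode 111 at boot. The function names, the return codes, the `--apply` argument and the refusal to touch a pre-existing non-directory are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotent form of the two commands in the message,
# suitable for pasting into rc.local. Names and return codes are this
# example's own conventions, not anything from the original message.

# ensure_guard_dir PATH
#   returns 0: PATH is a directory with mode 111
#   returns 1: PATH exists but is a file or symlink (left untouched so an
#              administrator can inspect it)
#   returns 2: mkdir or chmod failed
ensure_guard_dir() {
    dir=$1
    # A symlink or regular file at this path is not the guard directory.
    if [ -h "$dir" ] || { [ -e "$dir" ] && [ ! -d "$dir" ]; }; then
        echo "guard: $dir exists and is not a directory; inspect it" >&2
        return 1
    fi
    # Create the directory only if it is missing (safe to run at every boot).
    if [ ! -d "$dir" ]; then
        mkdir "$dir" || return 2
    fi
    # Re-apply the mode each time in case it was changed since creation.
    chmod 111 "$dir" || return 2
    return 0
}

# guard_dir_mode PATH: print the type and permission bits as ls shows them.
guard_dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# When run as a script with --apply (as root), act on the path from the message.
if [ "${1:-}" = "--apply" ]; then
    ensure_guard_dir /usr/tmp/sh
fi
```

A return code of 1 at boot means something other than the guard directory already occupies the path, which is worth examining before removing it.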