The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #170 [A Worm Chronology, and some other info] (1 message, 5357 bytes)


From: steve@umiacs.UMD.EDU (Steven D. Miller)
To: phage
Date: Tue 16:26:29 08/11/1988 EST
Subject: A Worm Chronology, and some other info
References: [Thread Prev: 169] [Thread Next: 173] [Message Prev: 168] [Message Next: 171]

   Here's a rough chronology of the worm's attack on the CS Department and
Institute For Advanced Computer Studies, including some attempt at a more
general chronology detailing what was being done by whom and when.  It's
obviously UMCP-centric, and at least somewhat inaccurate, but it might be a
useful historical document if others Out There can suggest changes.

   On a different topic, Olafur Gudmundsson here went through our finger
logs, and found that in *every* case, the machines trying to crack mimsy and
brillig were machines upon which CSD or UMIACS staff or faculty had
accounts.  All these accounts had .forwards pointing at mimsy or brillig.  I
found the correlation rather impressive...

   Anyway, here's the time line.  Have fun, and try not to flame me too


P.S.:  Obviously, I'm the copyright holder on this.  Feel free to send this
among your friends, but if someone's going to print up copies for general
distribution, I want to know about that first.  (Yes, I can be talked into
giving up all my copyright rights at some future date, but I don't want to
be misquoted in the interim.)

Spoken: Steve Miller    Domain:    UUCP: uunet!mimsy!steve
Phone: +1-301-454-1808  USPS: UMIACS, Univ. of Maryland, College Park, MD 20742

A Rough Chronology of the Worm's Attack on UMIACS and the UMCP CS Department

Steve Miller
Institute For Advanced Computer Studies
University of Maryland, College Park

Copyright 1988 by Steve Miller, University of Maryland.  Reproduction,
either in whole or in part, for general distribution (i.e., through
television, radio, or the newspaper media) is allowed only through prior
arrangement with the author.

Caveat: it's very hard to order these events, as some of the mail describing
	them did not arrive in strict chronological order at my site.  I
	generally have ordered them by the times at which they were sent;
	note that some announcements may seem redundant.

Nov 2, 10:54 PM: Worm's first attempt to enter via fingerd.
	Attempt logged as originating at Princeton University.  Attempts also
	logged on host throughout most of the time that mimsy
	was being attacked.

Nov 2, 10:56 PM:  Brillig is attacked (for the first time) by another UMCP
	host.  Thus, the first successful invasion of a UMCP host must have
	happened before this time.

Nov 2, 11:28 PM: Worm's first attempt to enter mimsy via sendmail.

Nov 2, 11:28 PM: Worm attempts to enter mimsy via fingerd and from the Univ.
	of Rochester.

Nov 3, early morning:  Attempts continue from UMCP Engineering, Cornell,
	Univ. of Washington, Princeton, Boston University, and others.
	These attempts continue (with some sites dropping out, and others
	coming in) until 1:47 PM on Nov 4.  These attempts were all through
	fingerd, as sendmail attempts didn't show the names of attacking hosts.

Nov 3, 8:06 AM: First suggested fix (from Keith Bostic at Berkeley) to
	sendmail arrives at UMCP CS Department.  This fix is forwarded to
	us by Gene Spafford of Purdue University.  This fix tells one how
	to fix one's sources, and gives the first suggested fix for binary-
	only sites.

Nov 3, 10 AM: First attempt to describe worm's behavior sent to network
	mailing lists.  This message was sent by Gene Spafford.  Due to
	network delays, this message did not arrive in my mailbox until
	9 PM on Nov. 3.

Nov 3, 2:27 PM: Final logged (and, thus, possibly successful) attempt on
	mimsy via sendmail.  At this point, the first sendmail fix had been
	installed on mimsy, and was in the process of being installed on
	all other CS and UMIACS hosts.

Nov 3, 5:16 PM:  First message seen indicating that sendmail fix does not
	wholly cure the problem.

Nov 3, 7:11 PM:  Matt Crawford at the Univ. of Chicago announces that he
	has set a trap in his sendmail to try to get a copy of the first
	stage of the worm.  This message arrives in my mailbox at about
	10:30 PM.

Nov 3, 7:19 PM:  Keith Bostic posts a better sendmail fix for binary-only
	sites.  This fix doesn't reach most sites until fairly late in
	the morning on the 4th.  A new version of the finger daemon (in
	source form) is also posted, though it gets corrupted in transit.
	(This just happens sometimes, for a variety of reasons, and is not

Nov 3, 9:20 PM:  Gene Spafford announces the creation of a mailing list,
	based at Purdue, devoted to spreading information about the worm.
	The first indication that the worm attacks passwords is seen, and
	the first worm "condom" (from others at Purdue) is distributed.
	This "condom" may or may not have been successful.  More or less
	simultaneously, people at Rochester Univ. and MIT discover the
	actual finger hole and how it works.

Nov 3, 9:40 PM:  Tim Becker of Rochester points out that the first sendmail
	binary-only fix from Berkeley will indeed stop the worm from getting
	in via sendmail, but that minor changes to the worm would render the
	fix ineffective.  He makes another suggestion as to how the hole
	should be plugged.

Nov 3, 10:50 PM:  Keith Bostic and Gene Spafford discover that a library
	routine change can cause the worm to die earlier than normal.

Nov 4, 1 AM:  Bill Sommerfield of MIT describes in gory detail the operation
	of the finger "portal."  He also indicates that an effort at
	"disassembling" the worm -- turning it into human-readable form from
	the machine-readable version that is being moved around -- is

Nov 4, 1:45 AM:  Matt Crawford's trap is sprung, and phase 1 of the worm,
	along with its exact method of penetrating sendmail, is posted to
	the net.  His sendmail changes are also posted, to help others spring
	similar traps.

Nov 4, 2:41 AM:  Erik Fair of Apple reports that CSNET and the MILNET have
	disconnected themselves from the rest of the Internet.

Nov 4, 3 AM:  Matt Crawford sets another trap in an attempt to grab phase 2
	(the main phase) of the virus.

Nov 4, early morning:  Pete Cottrell installs fixes to the VAX and Sun
	finger daemons on CS and UMIACS hosts.  It is later discovered that
	the non-standard finger daemons we have been running protected us
	from penetration on the VAXes, and that this vector of infection
	does not apply to Suns.

Nov 4, 6 AM: Pete Cottrell of the CS Department at UMCP passes along to other
	UMCP administrators a summary of the latest information about the

Nov 4, 8 AM: I arrive at work, and am told about the second vector of
	infection.  I talk to Chris Torek (of the CS Department, attending
	a futures-workshop-turned-worm-fighting-session at Berkeley) to
	get the latest information about the virus.  Pete Cottrell informs
	the CS and UMIACS faculty about the latest facts, and begins to
	tighten security measures.  Pete has now been awake for about 20
	hours, and has been working for at least 18 hours.  Chris Torek
	has been awake and working for a similar amount of time.

Nov 4, 10 AM:  It is suggested that the "security" mailing list, which once
	existed but which has languished, be reestablished in an attempt to
	predict future problems like this one.

Nov 4, 12 PM:  Someone posts the scanned-in text of the New York Times
	article to the Purdue list.

Nov 4, 12:23 PM:  Louie Mamakos of the UMCP Computer Science Center
	announces the availability of a complete set of worm pieces.

Nov 4, 1 PM:  Jon Postel of ISI suggests that an Internet RFC (Request
	For Comments, basically a standards document) be written about
	the worm. 

Nov 4, 2 PM:  Eric Johnson of the Univ. of Florida announces the means to
	decrypt the text strings within the worm.  Others likely knew this
	by then; in fact, Eric thanks Keith Bostic for this information.

Nov 4, 2:20 PM:  Keith Bostic posts the new version of fingerd in its
	entirety.  At the same time, he snubs the worm's author by posting
	bug fixes to the disassembled worm.

Nov 4, 2:30 PM:  Rich Kulawiec of Purdue attempts to provide a complete
	detailed set of steps that the worm takes in infecting a system.
	A number of fixes are suggested.

Nov 4, 3:36 PM:  Theodore Ts'o of MIT's Project Athena announces that
	MIT and Berkeley have completely disassembled the worm, and
	clarifies some other statements that others have made about
	its actions and weaknesses.

Nov 4, 4:15 PM:  Randy Hammel of the Lanham Supercomputing Research Center
	posts the worm's built-in dictionary of possible passwords.

Nov 4, 6:15 PM:  I summarize the sendmail and finger patches to the D.C.
	Sun Local Users Group electronic mailing list, and to the
	international Sun networking issues list that I maintain.  I also
	forward Randy Hammel's password list to the UMIACS and CS faculty,
	saying basically, "if your password is on this list you had better
	change it *now*."

Nov 5, 12:11 AM:  I discover that mimsy and brillig have probably been
	invaded.  No trace of the virus remains.  Later investigations
	suggest that only mimsy and brillig were hit.

Nov 5, 1:05 AM:  I see the first mention of Robert Morris, Jr. as a possible
	perpetrator, and of Cornell as the originating site.  Sendmail logs
	at Cornell indicate worm activity long before the worm was released
	to the Internet.

Nov 5, 9:30 AM:  I ask people on the net if I can get a copy of the
	disassembled worm.

Nov 5, 12 PM:  I'm told by Keith Bostic that he's not going to give the
	worm sources to *anyone*.  For the next few hours, debate rages
	over whether or not this is the right thing to do.  (Frankly, I
	agree with Keith's ends on this one, though I'm not sure that I
	agree with his means.  He sees this as a delay tactic; it's much
	harder to disassemble the beast, or to write it from scratch,
	than it is to change it slightly and start it up once again...)

Nov 5, afternoon and evening:  Many people relate their experiences with the
	media over this event.  The general impression is that there are
	some sensationalistic and inaccurate things being propagated around.
	Some samples are the shots of IBM PCs and PC viruses (with the
	implication that PCs were involved), and some experiences that some
	have had with members of the press either misrepresenting their
	views, asking leading questions in an attempt to provoke
	sensationalistic answers, or both.  Some media coverage is praised
	as excellent.

	At the same time, there is much discussion over whether the
	perpetrator should get off lightly, or whether he should be tried
	to the fullest extent of the law.  Proponents of the light punishment
	viewpoint stress that this was a mistake; opponents agree that it
	was a mistake, but that the design of the program strongly indicates
	malicious intent.  (After all, this is not someone's homework project
	accidentally run amuck...)

	From the tone of the discussion, it is clear that the emergency is

Nov 5, 10 PM:  Chris Torek points out that Ultrix (DEC's version of 4.3BSD
	Unix) 2.X sites are immune to the worm, because of some subtle
	software incompatibilities.

Nov 5, 10:45 PM:  Jeff Forys of the Univ. of Utah posts yet another
	better fix for sendmail.

Nov 6, evening:  It is pointed out by some that perhaps the media could be
	more clear when it talks about the Internet as the defense network.
	One person stresses that anyone who stores classified information on
	even a MILNET computer is violating security procedures, and that
	the cracker could only have stolen or destroyed unclassified
	documents even in the worst case.  It is also stressed by a variety
	of people that the ease of communication within the Internet, which
	helped the worm spread quickly, also helped people communicate
	quickly, which helped people eradicate it quickly.

	Other discussion focuses briefly on similar problems (the SPAN
	breakins with VMS, DOS viruses) with other operating systems,
	in an attempt to forestall comments about Unix insecurity from
	those who are anti-Unix.

	At this point, the general discussion becomes increasingly