ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #170 [A Worm Chronology, and some other info] (1 message, 5357 bytes)
NOTICE: securitydigest.org recognises the rights of all third-party works.
START OF DOCUMENT
From: steve@umiacs.UMD.EDU (Steven D. Miller)
Date: Tue 16:26:29 08/11/1988 EST
Subject: A Worm Chronology, and some other info
References: [Thread Prev: 169] [Thread Next: 173] [Message Prev: 168] [Message Next: 171]
Here's a rough chronology of the worm's attack on the CS Department and Institute For Advanced Computer Studies, including some attempt at a more general chronology detailing what was being done by whom and when. It's obviously UMCP-centric, and at least somewhat inaccurate, but it might be a useful historical document if others Out There can suggest changes.

On a different topic, Olafur Gudmundsson here went through our finger logs, and found that in *every* case, the machines trying to crack mimsy and brillig were machines upon which CSD or UMIACS staff or faculty had accounts. All these accounts had .forwards pointing at mimsy or brillig. I found the correlation rather impressive...

Anyway, here's the time line. Have fun, and try not to flame me too much!

-Steve

P.S.: Obviously, I'm the copyright holder on this. Feel free to send this among your friends, but if someone's going to print up copies for general distribution, I want to know about that first. (Yes, I can be talked into giving up all my copyright rights at some future date, but I don't want to be misquoted in the interim.)

Spoken: Steve Miller
Domain: firstname.lastname@example.org
UUCP: uunet!mimsy!steve
Phone: +1-301-454-1808
USPS: UMIACS, Univ. of Maryland, College Park, MD 20742

A Rough Chronology of the Worm's Attack on UMIACS and the UMCP CS Department

Steve Miller
Institute For Advanced Computer Studies
University of Maryland, College Park

Copyright 1988 by Steve Miller, University of Maryland. Reproduction, either in whole or in part, for general distribution (i.e., through television, radio, or the newspaper media) is allowed only through prior arrangement with the author.

Caveat: it's very hard to order these events, as some of the mail describing them did not arrive in strict chronological order at my site. I generally have ordered them by the times at which they were sent; note that some announcements may seem redundant.
Nov 2, 10:54 PM: Worm's first attempt to enter mimsy.umd.edu via fingerd. Attempt logged as originating at Princeton University. Attempts also logged on host brillig.umd.edu throughout most of the time that mimsy was being attacked.

Nov 2, 10:56 PM: Brillig is attacked (for the first time) by another UMCP host. Thus, the first successful invasion of a UMCP host must have happened before this time.

Nov 2, 11:28 PM: Worm's first attempt to enter mimsy via sendmail.

Nov 2, 11:28 PM: Worm attempts to enter mimsy via fingerd and from the Univ. of Rochester.

Nov 3, early morning: Attempts continue from UMCP Engineering, Cornell, Univ. of Washington, Princeton, Boston University, and others. These attempts continue (with some sites dropping out, and others coming in) until 1:47 PM on Nov 4. These attempts were all through fingerd, as sendmail attempts didn't show the names of attacking hosts.

Nov 3, 8:06 AM: First suggested fix (from Keith Bostic at Berkeley) to sendmail arrives at UMCP CS Department. This fix is forwarded to us by Gene Spafford of Purdue University. This fix tells one how to fix one's sources, and gives the first suggested fix for binary-only sites.

Nov 3, 10 AM: First attempt to describe worm's behavior sent to network mailing lists. This message was sent by Gene Spafford. Due to network delays, this message did not arrive in my mailbox until 9 PM on Nov. 3.

Nov 3, 2:27 PM: Final logged (and, thus, possibly successful) attempt on mimsy via sendmail. At this point, the first sendmail fix had been installed on mimsy, and was in the process of being installed on all other CS and UMIACS hosts.

Nov 3, 5:16 PM: First message seen indicating that sendmail fix does not wholly cure the problem.

Nov 3, 7:11 PM: Matt Crawford at the Univ. of Chicago announces that he has set a trap in his sendmail to try to get a copy of the first stage of the worm. This message arrives in my mailbox at about 10:30 PM.
Nov 3, 7:19 PM: Keith Bostic posts a better sendmail fix for binary-only sites. This fix doesn't reach most sites until fairly late in the morning on the 4th. A new version of the finger daemon (in source form) is also posted, though it gets corrupted in transit. (This just happens sometimes, for a variety of reasons, and is not worm-related.)

Nov 3, 9:20 PM: Gene Spafford announces the creation of a mailing list, based at Purdue, devoted to spreading information about the worm. The first indication that the worm attacks passwords is seen, and the first worm "condom" (from others at Purdue) is distributed. This "condom" may or may not have been successful. More or less simultaneously, people at Rochester Univ. and MIT discover the actual finger hole and how it works.

Nov 3, 9:40 PM: Tim Becker of Rochester points out that the first sendmail binary-only fix from Berkeley will indeed stop the worm from getting in via sendmail, but that minor changes to the worm would render the fix ineffective. He makes another suggestion as to how the hole should be plugged.

Nov 3, 10:50 PM: Keith Bostic and Gene Spafford discover that a library routine change can cause the worm to die earlier than normal.

Nov 4, 1 AM: Bill Sommerfield of MIT describes in gory detail the operation of the finger "portal." He also indicates that an effort at "disassembling" the worm -- turning it into human-readable form from the machine-readable version that is being moved around -- is underway.

Nov 4, 1:45 AM: Matt Crawford's trap is sprung, and phase 1 of the worm, along with its exact method of penetrating sendmail, is posted to the net. His sendmail changes are also posted, to help others spring similar traps.

Nov 4, 2:41 AM: Erik Fair of Apple reports that CSNET and the MILNET have disconnected themselves from the rest of the Internet.

Nov 4, 3 AM: Matt Crawford sets another trap in an attempt to grab phase 2 (the main phase) of the virus.
Nov 4, early morning: Pete Cottrell installs fixes to the VAX and Sun finger daemons on CS and UMIACS hosts. It is later discovered that the non-standard finger daemons we have been running protected us from penetration on the VAXes, and that this vector of infection does not apply to Suns.

Nov 4, 6 AM: Pete Cottrell of the CS Department at UMCP passes along to other UMCP administrators a summary of the latest information about the virus.

Nov 4, 8 AM: I arrive at work, and am told about the second vector of infection. I talk to Chris Torek (of the CS Department, attending a futures-workshop-turned-worm-fighting-session at Berkeley) to get the latest information about the virus. Pete Cottrell informs the CS and UMIACS faculty about the latest facts, and begins to tighten security measures. Pete has now been awake for about 20 hours, and has been working for at least 18 hours. Chris Torek has been awake and working for a similar amount of time.

Nov 4, 10 AM: It is suggested that the "security" mailing list, which once existed but which has languished, be reestablished in an attempt to predict future problems like this one.

Nov 4, 12 PM: Someone posts the scanned-in text of the New York Times article to the Purdue list.

Nov 4, 12:23 PM: Louie Mamakos of the UMCP Computer Science Center announces the availability of a complete set of worm pieces.

Nov 4, 1 PM: Jon Postel of ISI suggests that an Internet RFC (Request For Comments, basically a standards document) be written about the worm.

Nov 4, 2 PM: Eric Johnson of the Univ. of Florida announces the means to decrypt the text strings within the worm. Others likely knew this by then; in fact, Eric thanks Keith Bostic for this information.

Nov 4, 2:20 PM: Keith Bostic posts the new version of fingerd in its entirety. At the same time, he snubs the worm's author by posting bug fixes to the disassembled worm.
Nov 4, 2:30 PM: Rich Kulawiec of Purdue attempts to provide a complete detailed set of steps that the worm takes in infecting a system. A number of fixes are suggested.

Nov 4, 3:36 PM: Theodore Ts'o of MIT's Project Athena announces that MIT and Berkeley have completely disassembled the worm, and clarifies some other statements that others have made about its actions and weaknesses.

Nov 4, 4:15 PM: Randy Hammel of the Lanham Supercomputing Research Center posts the worm's built-in dictionary of possible passwords.

Nov 4, 6:15 PM: I summarize the sendmail and finger patches to the D.C. Sun Local Users Group electronic mailing list, and to the international Sun networking issues list that I maintain. I also forward Randy Hammel's password list to the UMIACS and CS faculty, saying basically, "if your password is on this list you had better change it *now*."

Nov 5, 12:11 AM: I discover that mimsy and brillig have probably been invaded. No trace of the virus remains. Later investigation suggests that only mimsy and brillig were hit.

Nov 5, 1:05 AM: I see the first mention of Robert Morris, Jr. as a possible perpetrator, and of Cornell as the originating site. Sendmail logs at Cornell indicate worm activity long before the worm was released to the Internet.

Nov 5, 9:30 AM: I ask people on the net if I can get a copy of the disassembled worm.

Nov 5, 12 PM: I'm told by Keith Bostic that he's not going to give the worm sources to *anyone*. For the next few hours, debate rages over whether or not this is the right thing to do. (Frankly, I agree with Keith's ends on this one, though I'm not sure that I agree with his means. He sees this as a delay tactic; it's much harder to disassemble the beast, or to write it from scratch, than it is to change it slightly and start it up once again...)

Nov 5, afternoon and evening: Many people relate their experiences with the media over this event.
The general impression is that there are some sensationalistic and inaccurate things being propagated around. Some samples are the shots of IBM PCs and PC viruses (with the implication that PCs were involved), and some experiences that some have had with members of the press either misrepresenting their views, asking leading questions in an attempt to provoke sensationalistic answers, or both. Some media coverage is praised as excellent. At the same time, there is much discussion over whether the perpetrator should get off lightly, or whether he should be tried to the fullest extent of the law. Proponents of the light punishment viewpoint stress that this was a mistake; opponents agree that it was a mistake, but argue that the design of the program strongly indicates malicious intent. (After all, this is not someone's homework project accidentally run amuck...) From the tone of the discussion, it is clear that the emergency is over.

Nov 5, 10 PM: Chris Torek points out that Ultrix (DEC's version of 4.3BSD Unix) 2.X sites are immune to the worm, because of some subtle software incompatibilities.

Nov 5, 10:45 PM: Jeff Forys of the Univ. of Utah posts yet another better fix for sendmail.

Nov 6, evening: It is pointed out by some that perhaps the media could be more clear when it talks about the Internet as the defense network. One person stresses that anyone who stores classified information on even a MILNET computer is violating security procedures, and that the cracker could only have stolen or destroyed unclassified documents even in the worst case. It is also stressed by a variety of people that the ease of communication within the Internet, which helped the worm spread quickly, also helped people communicate quickly, which helped people eradicate it quickly. Other discussion focuses briefly on similar problems (the SPAN breakins with VMS, DOS viruses) with other operating systems, in an attempt to forestall comments about Unix insecurity from those who are anti-Unix.
At this point, the general discussion becomes increasingly fragmented.
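The finger-log correlation Olafur Gudmundsson performed (every host probing mimsy and brillig was one where a CSD/UMIACS user had a ~/.forward pointing back at those machines) is a repeatable check, and the kind of thing a responder would want to script rather than do by eye. The following is an added example and is not code from Steve Miller's message or from UMCP. The fingerd log format, the hostnames, and the ~/.forward inventory are all constructed for this example (the 1988 fingerd did not log in this syslog-like form); the check itself generalises to any "which trust relationship explains this source host" question, and it also reports sources the inventory does not explain, which is the case a responder most needs to see.

```python
"""
Correlate fingerd connection attempts against ~/.forward entries that point
back at the attacked hosts. Added example; log format, hostnames and the
.forward inventory below are constructed, not taken from UMCP's real logs.
"""
import re
from collections import defaultdict

# Constructed sample log. Format is hypothetical: "<ts> <host> fingerd[pid]: connect from <src>".
SAMPLE_FINGER_LOG = """\
Nov  2 22:54:01 mimsy fingerd[1207]: connect from host1.princeton.example
Nov  2 22:56:40 brillig fingerd[2011]: connect from eng2.umd.example
Nov  2 23:28:10 mimsy fingerd[1301]: connect from cs.rochester.example
Nov  3 01:12:55 mimsy fingerd[1402]: connect from gvax.cornell.example
Nov  3 02:40:02 brillig fingerd[2140]: connect from host.washington.example
Nov  3 02:45:30 mimsy fingerd[1455]: connect from host1.princeton.example
Nov  3 04:10:17 mimsy fingerd[1502]: connect from host9.bu.example
"""

# Constructed inventory: (local user, host) -> contents of that user's ~/.forward.
# A leading backslash ("\bob") keeps a local copy; addresses are comma-separated.
FORWARD_INVENTORY = {
    ("alice", "host1.princeton.example"): "alice@mimsy.umd.edu",
    ("frank", "host1.princeton.example"): "frank@elsewhere.example",
    ("bob", "eng2.umd.example"): "\\bob, bob@brillig.umd.edu",
    ("carol", "cs.rochester.example"): "carol@mimsy.umd.edu",
    ("dave", "gvax.cornell.example"): "dave@brillig.umd.edu",
    ("erin", "host.washington.example"): "erin@mimsy.umd.edu",
}

# The hosts whose fingerd was being probed.
VICTIMS = {"mimsy.umd.edu", "brillig.umd.edu"}

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<target>\S+) fingerd\[\d+\]: "
    r"connect from (?P<src>\S+)$"
)
ADDR_RE = re.compile(r"[^\s,]+@(?P<host>[^\s,>]+)")


def parse_finger_log(text):
    """Return a list of (timestamp, target_host, source_host) for lines that match LOG_RE."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((m["ts"], m["target"], m["src"].lower()))
    return events


def forward_hosts(contents):
    """Extract the destination hosts named in a ~/.forward file's contents."""
    return {m["host"].lower().rstrip(".") for m in ADDR_RE.finditer(contents)}


def correlate(events, inventory, victims):
    """
    For every distinct source host in the log, list the (user, victim_host)
    pairs whose ~/.forward on that source host points at a victim. An empty
    list means the inventory does not explain why that host probed us.
    """
    explained_by = defaultdict(list)
    for (user, host), contents in inventory.items():
        for fh in forward_hosts(contents):
            if fh in victims:
                explained_by[host.lower()].append((user, fh))
    sources = {src for _, _, src in events}
    return {src: sorted(explained_by.get(src, [])) for src in sources}


def correlation_ratio(events, inventory, victims):
    """Return (sources explained by a .forward, total distinct sources)."""
    result = correlate(events, inventory, victims)
    explained = sum(1 for pairs in result.values() if pairs)
    return explained, len(result)


if __name__ == "__main__":
    evs = parse_finger_log(SAMPLE_FINGER_LOG)
    for src, pairs in sorted(correlate(evs, FORWARD_INVENTORY, VICTIMS).items()):
        tag = ", ".join(f"{u} -> {h}" for u, h in pairs) or "UNEXPLAINED"
        print(f"{src:30} {tag}")
    print("explained %d of %d source hosts" % correlation_ratio(evs, FORWARD_INVENTORY, VICTIMS))
```

On the constructed data the report explains five of the six probing hosts and flags host9.bu.example as unexplained; in a real investigation that residue is the list to chase next (an .rhosts entry, a shared password, or some other relationship the inventory did not capture).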
END OF DOCUMENT
|ISSN 1742-948X 01 (Online) | 2005/03/01 | Copyright 2002-2008 securitydigest.org. All rights reserved.|