The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #188 [NYT/Markoff: The Computer Jam: How It Came About.] (1 message, 3755 bytes)
NOTICE: recognises the rights of all third-party works.


From: (the tty of Geoff Goodfellow)
To: phage
Date: Wed 00:39:00 09/11/1988 EST
Subject: NYT/Markoff: The Computer Jam: How It Came About.

A0179  8-Nov-88  18:25
c.1988 N.Y. Times News Service

	   Computer scientists who have studied the rogue program that
crashed through many of the nation's computer networks last week
say the invader actually represents a new type of helpful software
designed for computer networks.
	   The same class of software could be used to harness computers
spread around the world and put them to work simultaneously.
	   It could also diagnose malfunctions in a network, execute large
computations on many machines at once and act as a speedy messenger.
	   But it is this same capability that caused thousands of
computers in universities, military installations and corporate
research centers to stall and shut down the Defense Department's
Arpanet system when an illicit version of the program began
interacting in an unexpected way.
	   ``It is a very powerful tool for solving problems,'' said John
F. Shoch, a computer expert who has studied the programs. ``Like
most tools it can be misused, and I think we have an example here of
someone who misused and abused the tool.''
	   The program, written as a ``clever hack'' by Robert Tappan
Morris, a 23-year-old Cornell University computer science graduate
student, was originally meant to be harmless.  It was supposed to
copy itself from computer to computer via Arpanet and merely hide
itself in the computers. The purpose? Simply to prove that it could
be done.
	   But by a quirk, the program instead reproduced itself so
frequently that the computers on the network quickly became jammed.
	   Interviews with computer scientists who studied the network
shutdown and with friends of Morris have disclosed the manner in
which the events unfolded.
	   The program was introduced last Wednesday evening at a computer
in the artificial intelligence laboratory at the Massachusetts
Institute of Technology. Morris was seated at his terminal at
Cornell in Ithaca, N.Y., but he signed onto the machine at MIT.
Both his terminal and the MIT machine were attached to Arpanet, a
computer network that connects research centers, universities and
military bases.
	   Using a feature of Arpanet, called Sendmail, to exchange
messages among computer users, he inserted his rogue program. It
immediately exploited a loophole in Sendmail at several computers
on Arpanet.
	   Typically, Sendmail is used to transfer electronic messages from
machine to machine throughout the network, placing the messages in
personal files.
	   However, the programmer who originally wrote Sendmail three
years ago had left a secret ``backdoor'' in the program to make it
easier for his work. It permitted any program written in the
computer language known as C to be mailed like any other message.
	   So instead of a program being sent only to someone's personal
files, it could also be sent to a computer's internal control
programs, which would start the new program. Only a small group of
computer experts _ among them Morris _ knew of the backdoor.
	   As they dissected Morris's program later, computer experts found
that it elegantly exploited the Sendmail backdoor in several ways,
copying itself from computer to computer and tapping two additional
security provisions to enter new computers.
	   The invader first began its journey as a program written in the
C language. But it also included two ``object'' or ``binary'' files
_ programs that could be run directly on Sun Microsystems machines
or Digital Equipment VAX computers without any additional
translation, making it even easier to infect a computer.
	   One of these binary files had the capability of guessing the
passwords of users on the newly infected computer. This permits
wider dispersion of the rogue program.
	   To guess the password, the program first read the list of users
on the target computer and then systematically tried using their
names, permutations of their names or a list of commonly used
passwords. When successful in guessing one, the program then
signed on to the computer and used the privileges involved to gain
access to additional computers in the Arpanet system.
	   Morris's program was also written to exploit another loophole. A
program on Arpanet called Finger lets users on a remote computer
know the last time that a user on another network machine had
signed on. Because of a bug, or error, in Finger, Morris was able
to use the program as a crowbar to further pry his way through
computer security.
	   The defect in Finger, which was widely known, gives a user
access to a computer's central control programs if an excessively
long message is sent to Finger. So by sending such a message,
Morris's program gained access to these control programs, thus
allowing the further spread of the rogue.
	   The rogue program did other things as well. For example, each
copy frequently signaled its location back through the network to a
computer at the University of California at Berkeley. A friend of
Morris said that this was intended to fool computer researchers
into thinking that the rogue had originated at Berkeley.
	   The program contained another signaling mechanism that became
its Achilles' heel and led to its discovery. It would signal a new
computer to learn whether it had been invaded. If not, the program
would copy itself into that computer.
	   But Morris reasoned that another expert could defeat his program
by sending the correct answering signal back to the rogue. To parry
this, Morris programmed his invader so that once every 10 times it
sent the query signal it would copy itself into the new machine
regardless of the answer.
	   The choice of 1 in 10 proved disastrous because it was far too
frequent. It should have been one in 1,000 or even one in 10,000
for the invader to escape detection.
	   But because the speed of communications on Arpanet is so fast,
Morris's illicit program echoed back and forth through the network
in minutes, copying and recopying itself hundreds or thousands of
times on each machine, eventually stalling the computers and then
jamming the entire network.
	   After introducing his program Wednesday night, Morris left his
terminal for an hour. When he returned, the nationwide jamming of
Arpanet was well under way, and he could immediately see the chaos
he had started. Within a few hours, it was clear to computer system
managers that something was seriously wrong with Arpanet.
	   By Thursday morning, many knew what had happened, were busy
ridding their systems of the invader and were warning colleagues to
unhook from the network. They were also modifying Sendmail and
making other changes to their internal software to thwart another
	   The software invader did not threaten all computers in the
network. It was aimed only at the Sun and Digital Equipment
computers running a version of the Unix operating system written at
the University of California at Berkeley. Other Arpanet computers
using different operating systems escaped.
	   These rogue programs have in the past been referred to as worms
or, when they are malicious, viruses. Computer science folklore has
it that the first worms written were deployed on the Arpanet in the
early 1970s.
	   Researchers tell of a worm called ``creeper,'' whose sole
purpose was to copy itself from machine to machine, much the way
Morris's program did last week. When it reached each new computer
it would display the message: ``I'm the creeper. Catch me if you can!''
	   As legend has it, a second programmer wrote another worm program
that was designed to crawl through the Arpanet, killing creepers.
	   Several years later, computer researchers at the Xerox Corp.'s
Palo Alto Research Center developed more advanced worm programs.
Shoch and Jon Hupp developed ``town crier'' worm programs that
acted as messengers and ``diagnostic'' worms that patrolled the
network looking for malfunctioning computers.
	   They even described a ``vampire'' worm program. It was designed
to run very complex programs late at night while the computer's
human users slept. When the humans returned in the morning, the
vampire program would go to sleep, waiting to return to work the
next evening.