The 'Security Digest' Archives (TM)

Archive: About | Browse | Search | Contributions | Feedback
Site: Help | Index | Search | Contact | Notices | Changes

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #268 [Report on the Worm] (1 message, 1394 bytes)
NOTICE: recognises the rights of all third-party works.


From: Gene Spafford <spaf>
To: phage
Date: Fri 12:32:59 18/11/1988 EST
Subject: Report on the Worm
References: [Thread Prev: 261] [Thread Next: 307] [Message Prev: 270] [Message Next: 271]

On Monday, the printers should be getting an order to print copies of a
joint Purdue CS/SERC technical report entitled "The Internet Worm
Program: An Analysis," authored by yours truly.  I have enclosed an
abstract of that report below.

In order to get an idea of how many copies to order for the first
printing run, I'm posting this announcing its availability.  If you
would like to order one or more copies of the report, please send me
e-mail with your SURFACE mail address ASAP.  Purdue and SERC have a
tradition of not charging for copies of our technical reports, so just
your address is all you need to order; we may make an exception if any
one person or organization orders multiple copies. Copies should be
mailed starting the week of the 28th, and orders will be filled FIFO.

This is the first in a planned set of reports on the incident.  The
others will be announced as they become available.  One will have to do
with the spread of both the program and the fixes.  If you have not yet
sent in your local experiences with the worm to either Cliff Stoll or
myself, please do -- it will help us put together one or more such


	       The Internet Worm Program: An Analysis
			Eugene H. Spafford

	  On the evening of 2  November  1988,  someone infected  the
     Internet with a worm program.  That program used a number of
     methods  to  break  into other  machines  and  copy  itself, thus
     infecting those systems.  The infection eventually spread to
     thousands   of   machines,  and  disrupted  normal activities
     and  Internet  connectivity  for  many days.

	  This report gives a fairly detailed  description  of  the
     components of the worm program -- data and functions.  It  is
     based on  two  completely independent   reverse-compilations  of
     the worm, along  with  a  disassembled  version.  Almost  no
     source code  is given in the paper due to current concerns about
     the state of the "immune system" on the  Internet,  but the
     description should be complete enough to allow  the  reader  to
     completely understand  the  nature of the attacks used by the

	  The paper contains a list of  the  security  flaws
     exploited  by  the  worm program, and gives some recommendations
     on how to eliminate  or mitigate   their  future  use.   The
     report  also includes an  analysis  of  the  coding  style  and
     methods  used  by  the  author(s) of the worm, and draws some
     conclusions about both their  abilities and intent.