Date: Tue, 8 Nov 88 21:40:00 PST
From: ge...@fernwood.mpk.ca.us (the tty of Geoff Goodfellow)
Subject: NYT/Markoff: The Computer Jam -- How it came about
THE COMPUTER JAM: HOW IT CAME ABOUT
By JOHN MARKOFF
c.1988 N.Y. Times News Service, 8-Nov-88
Computer scientists who have studied the rogue program that crashed through
many of the nation's computer networks last week say the invader actually
represents a new type of helpful software designed for computer networks.
The same class of software could be used to harness computers spread around
the world and put them to work simultaneously.
It could also diagnose malfunctions in a network, execute large computations
on many machines at once and act as a speedy messenger.
But it is this same capability that caused thousands of computers in
universities, military installations and corporate research centers to stall
and shut down the Defense Department's Arpanet system when an illicit version
of the program began interacting in an unexpected way.
``It is a very powerful tool for solving problems,'' said John F. Shoch, a
computer expert who has studied the programs. ``Like most tools it can be
misused, and I think we have an example here of someone who misused and abused
the tool.''
The program, written as a ``clever hack'' by Robert Tappan Morris, a
23-year-old Cornell University computer science graduate student, was
originally meant to be harmless. It was supposed to copy itself from computer
to computer via Arpanet and merely hide itself in the computers. The purpose?
Simply to prove that it could be done.
But by a quirk, the program instead reproduced itself so frequently that the
computers on the network quickly became jammed.
Interviews with computer scientists who studied the network shutdown and
with friends of Morris have disclosed the manner in which the events unfolded.
The program was introduced last Wednesday evening at a computer in the
artificial intelligence laboratory at the Massachusetts Institute of
Technology. Morris was seated at his terminal at Cornell in Ithaca, N.Y., but
he signed onto the machine at MIT. Both his terminal and the MIT machine were
attached to Arpanet, a computer network that connects research centers,
universities and military bases.
Using a feature of Arpanet, called Sendmail, to exchange messages among
computer users, he inserted his rogue program. It immediately exploited a
loophole in Sendmail at several computers on Arpanet.
Typically, Sendmail is used to transfer electronic messages from machine to
machine throughout the network, placing the messages in personal files.
However, the programmer who originally wrote Sendmail three years ago had
left a secret ``backdoor'' in the program to make it easier for his work. It
permitted any program written in the computer language known as C to be mailed
like any other message.
So instead of a program being sent only to someone's personal files, it
could also be sent to a computer's internal control programs, which would start
the new program. Only a small group of computer experts -- among them Morris --
knew of the backdoor.
As they dissected Morris's program later, computer experts found that it
elegantly exploited the Sendmail backdoor in several ways, copying itself from
computer to computer and tapping two additional security provisions to enter
new computers.
The invader first began its journey as a program written in the C language.
But it also included two ``object'' or ``binary'' files -- programs that could
be run directly on Sun Microsystems machines or Digital Equipment VAX computers
without any additional translation, making it even easier to infect a computer.
One of these binary files had the capability of guessing the passwords of
users on the newly infected computer. This permits wider dispersion of the
rogue program.
To guess the password, the program first read the list of users on the
target computer and then systematically tried using their names, permutations
of their names or a list of commonly used passwords. When successful in
guessing one, the program then signed on to the computer and used the
privileges involved to gain access to additional computers in the Arpanet
system.
Morris's program was also written to exploit another loophole. A program on
Arpanet called Finger lets users on a remote computer know the last time that a
user on another network machine had signed on. Because of a bug, or error, in
Finger, Morris was able to use the program as a crowbar to further pry his way
through computer security.
The defect in Finger, which was widely known, gives a user access to a
computer's central control programs if an excessively long message is sent to
Finger. So by sending such a message, Morris's program gained access to these
control programs, thus allowing the further spread of the rogue.
The rogue program did other things as well. For example, each copy
frequently signaled its location back through the network to a computer at the
University of California at Berkeley. A friend of Morris said that this was
intended to fool computer researchers into thinking that the rogue had
originated at Berkeley.
The program contained another signaling mechanism that became its Achilles'
heel and led to its discovery. It would signal a new computer to learn whether
it had been invaded. If not, the program would copy itself into that computer.
But Morris reasoned that another expert could defeat his program by sending
the correct answering signal back to the rogue. To parry this, Morris
programmed his invader so that once every 10 times it sent the query signal it
would copy itself into the new machine regardless of the answer.
The choice of 1 in 10 proved disastrous because it was far too frequent. It
should have been one in 1,000 or even one in 10,000 for the invader to escape
detection.
But because the speed of communications on Arpanet is so fast, Morris's
illicit program echoed back and forth through the network in minutes, copying
and recopying itself hundreds or thousands of times on each machine, eventually
stalling the computers and then jamming the entire network.
After introducing his program Wednesday night, Morris left his terminal for
an hour. When he returned, the nationwide jamming of Arpanet was well under
way, and he could immediately see the chaos he had started. Within a few hours,
it was clear to computer system managers that something was seriously wrong
with Arpanet.
By Thursday morning, many knew what had happened, were busy ridding their
systems of the invader and were warning colleagues to unhook from the network.
They were also modifying Sendmail and making other changes to their internal
software to thwart another invader.
The software invader did not threaten all computers in the network. It was
aimed only at the Sun and Digital Equipment computers running a version of the
Unix operating system written at the University of California at Berkeley.
Other Arpanet computers using different operating systems escaped.
These rogue programs have in the past been referred to as worms or, when
they are malicious, viruses. Computer science folklore has it that the first
worms written were deployed on the Arpanet in the early 1970s.
Researchers tell of a worm called ``creeper,'' whose sole purpose was to
copy itself from machine to machine, much the way Morris's program did last
week. When it reached each new computer it would display the message: ``I'm the
creeper. Catch me if you can!''
As legend has it, a second programmer wrote another worm program that was
designed to crawl through the Arpanet, killing creepers.
Several years later, computer researchers at the Xerox Corp.'s Palo Alto
Research Center developed more advanced worm programs. Shoch and Jon Hupp
developed ``town crier'' worm programs that acted as messengers and
``diagnostic'' worms that patrolled the network looking for malfunctioning
computers.
They even described a ``vampire'' worm program. It was designed to run very
complex programs late at night while the computer's human users slept. When the
humans returned in the morning, the vampire program would go to sleep, waiting
to return to work the next evening.
[Please keep any responses short and to the point. PGN]
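
The article's point about the 1-in-10 re-copy rule can be checked with a small load model. This is an added example, not part of the original article and not code from the program it describes; the host count, number of rounds, seed and the one-query-per-copy-per-round model are assumptions made for illustration.

```python
import random

def simulate(hosts, steps, recopy_one_in, seed=1988):
    """Copies resident on each host after `steps` rounds (toy model).

    Assumed model: every resident copy queries one random other host per
    round. An unoccupied host always receives a copy; an occupied host
    receives one anyway on 1 in `recopy_one_in` queries (None = never).
    """
    rng = random.Random(seed)          # fixed seed: repeatable runs
    copies = [0] * hosts
    copies[0] = 1                      # single point of introduction
    for _ in range(steps):
        # Snapshot: copies created this round start querying next round.
        askers = [h for h, n in enumerate(copies) for _ in range(n)]
        for src in askers:
            dst = rng.randrange(hosts - 1)
            if dst >= src:
                dst += 1               # any host except the asker's own
            occupied = copies[dst] > 0
            ignore_answer = (recopy_one_in is not None
                             and rng.randrange(recopy_one_in) == 0)
            if not occupied or ignore_answer:
                copies[dst] += 1
    return copies

def mean_load(hosts=50, steps=40, rates=(10, 1000, 10000, None)):
    """Mean resident copies per host for each re-copy rate."""
    return {r: sum(simulate(hosts, steps, r)) / hosts for r in rates}

if __name__ == "__main__":
    for rate, load in mean_load().items():
        label = "never" if rate is None else f"1 in {rate}"
        print(f"re-copy {label:>11}: {load:8.2f} copies per host")
```

In this model the "never" case cannot exceed one copy per host, while the 1-in-10 case keeps compounding every round after all hosts are occupied, which is the per-machine pile-up the article describes.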