harder for the SPAN team; getting a worm exterminating program out to
JPL, like other sites which had cut their connection to SPAN, was
going to be that much tougher. Everything had to be done over the
phone.
Worse, JPL was one of five routing centres for NASA's SPAN computer
network. It was like the centre of a wheel, with a dozen spokes
branching off--each leading to another SPAN site. All these places,
known as tailsites, depended on the lab site for their connections
into SPAN. When JPL pulled itself off the network, the tailsites went
down too.
It was a serious problem for the people in the SPAN office back in
Virginia. To Ron Tencati, head of security for NASA SPAN, taking a
routing centre off-line was a major issue. But his hands were tied.
The SPAN office exercised central authority over the wide area
network, but it couldn't dictate how individual field centres dealt
with the worm. That was each centre's own decision. The SPAN team
could only give them advice and rush to develop a way to poison the
worm.
The SPAN office called John McMahon again, this time with a more
urgent request. Would he come over to help handle the crisis?
The SPAN centre was only 800 metres away from McMahon's office. His
boss, Jerome Bennett, the DECNET protocol manager, gave the nod.
McMahon would be on loan until the crisis was under control.
When he got to Building 26, home of the NASA SPAN project office,
McMahon became part of a core NASA crisis team including Todd Butler,
Ron Tencati and Pat Sisson. Other key NASA people jumped in when
needed, such as Dave Peters and Dave Stern. Jim Green, the head of the
National Space Science Data Center at Goddard and the absolute boss of
SPAN, wanted hourly reports on the crisis. At first the core team
seemed only to include NASA people and to be largely based at Goddard.
But as the day wore on, new people from other parts of the US
government would join the team.
The worm had spread outside NASA.
It had also attacked the US Department of Energy's worldwide
High-Energy Physics' Network of computers. Known as HEPNET, it was
another piece of the overall SPAN network, along with Euro-HEPNET and
Euro-SPAN. The NASA and DOE computer networks of DEC computers
crisscrossed at a number of places. A research laboratory might, for
example, need to have access to computers from both HEPNET and NASA
SPAN. For convenience, the lab might just connect the two networks.
The effect as far as the worm was concerned was that NASA's SPAN and
DOE's HEPNET were in fact just one giant computer network, all of
which the worm could invade.
The Department of Energy keeps classified information on its
computers. Very classified information. There are two groups in DOE:
the people who do research on civilian energy projects and the people
who make atomic bombs. So DOE takes security seriously, as in `threat
to national security' seriously. Although HEPNET wasn't meant to be
carrying any classified information across its wires, DOE responded
with military efficiency when its computer managers discovered the
invader. They grabbed the one guy who knew a lot about computer
security on VMS systems and put him on the case: Kevin Oberman.
Like McMahon, Oberman wasn't formally part of the computer security
staff. He had simply become interested in computer security and was
known in-house as someone who knew about VMS systems and security.
Officially, his job was network manager for the engineering department
at the DOE-financed Lawrence Livermore National Laboratory, or LLNL,
near San Francisco.
LLNL conducted mostly military research, much of it for the Strategic
Defense Initiative. Many LLNL scientists spent their days designing
nuclear arms and developing beam weapons for the Star Wars program.9
DOE already had a computer security group, known as CIAC, the Computer
Incident Advisory Capability. But the CIAC team tended to be experts
in security issues surrounding Unix rather than VMS-based computer
systems and networks. `Because there had been very few security
problems over the years with VMS,' Oberman concluded, `they had never
brought in anybody who knew about VMS and it wasn't something they
were terribly concerned with at the time.'
The worm shattered that peaceful confidence in VMS computers. Even as
the WANK worm coursed through NASA, it was launching an aggressive
attack on DOE's Fermi National Accelerator Laboratory, near Chicago. It
had broken into a number of computer systems there and the Fermilab
people were not happy. They called in CIAC, who contacted Oberman with
an early morning phone call on 16 October. They wanted him to analyse
the WANK worm. They wanted to know how dangerous it was. Most of all,
they wanted to know what to do about it.
The DOE people traced their first contact with the worm back to 14
October. Further, they hypothesised, the worm had actually been
launched the day before, on Friday the 13th. Such an inauspicious day
would, in Oberman's opinion, have been in keeping with the type of
humour exhibited by the creator or creators of the worm.
Oberman began his own analysis of the worm, oblivious to the fact that
3200 kilometres away, on the other side of the continent, his colleague
and acquaintance John McMahon was doing exactly the same thing.
Every time McMahon answered a phone call from an irate NASA system or
network manager, he tried to get a copy of the worm from the infected
machine. He also asked for the logs from their computer systems. Which
computer had the worm come from? Which systems was it attacking from
the infected site? In theory, the logs would allow the NASA team to
map the worm's trail. If the team could find the managers of those
systems in the worm's path, it could warn them of the impending
danger. It could also alert the people who ran recently infected
systems which had become launchpads for new worm attacks.
This wasn't always possible. If the worm had taken over a computer and
was still running on it, then the manager would only be able to trace
the worm backward, not forward. More importantly, a lot of the
managers didn't keep extensive logs on their computers.
McMahon had always felt it was important to gather lots of information
about who was connecting to a computer. In his previous job, he had
modified his machines so they collected as much security information
as possible about their connections to other computers.
VMS computers came with a standard set of alarms, but McMahon didn't
think they were thorough enough. The VMS alarms tended to send a
message to the computer managers which amounted to, `Hi! You just got
a network connection from here'. The modified alarm system said, `Hi!
You just got a network connection from here. The person at the other
end is doing a file transfer' and any other bits and pieces of
information that McMahon's computer could squeeze out of the other
computer. Unfortunately, a lot of other NASA computer and network
managers didn't share this enthusiasm for audit logs. Many did not
keep extensive records of who had been accessing their machines and
when, which made the job of chasing the worm much tougher.
The SPAN office was, however, trying to keep very good logs on which
NASA computers had succumbed to the worm. Every time a NASA manager
called to report a worm disturbance, one of the team members wrote
down the details with paper and pen. The list, outlining the addresses
of the affected computers and detailed notations of the degree of
infection, would also be recorded on a computer. But handwritten lists
were a good safeguard. The worm couldn't delete sheets of paper.
When McMahon learned DOE was also under attack, he began checking in
with them every three hours or so. The two groups swapped lists of
infected computers by telephone because voice, like the handwritten
word, was a worm-free medium. `It was a kind of archaic system, but on
the other hand we didn't have to depend on the network being up,'
McMahon said. `We needed to have some chain of communications which
was not the same as the network being attacked.'
A number of the NASA SPAN team members had developed contacts within
different parts of DEC through the company's users' society, DECUS.
These contacts were to prove very helpful. It was easy to get lost in
the bureaucracy of DEC, which employed more than 125000 people, posted
a billion-dollar profit and declared revenues in excess of $12 billion
in 1989.10 Such an enormous and prestigious company would not want
to face a crisis such as the WANK worm, particularly in such a
publicly visible organisation like NASA. Whether or not the worm's
successful expedition could be blamed on DEC's software was a moot
point. Such a crisis was, well, undesirable. It just didn't look good.
And it mightn't look so good either if DEC just jumped into the fray.
It might look like the company was in some way at fault.
Things were different, however, if someone already had a relationship
with a technical expert inside the company. It wasn't like a NASA
manager cold-calling a DEC guy who sold a million dollars' worth of
machines to someone else in the agency six months ago. It was the NASA
guy calling the DEC guy he sat next to at the conference last month.
It was a colleague the NASA manager chatted with now and again.
John McMahon's analysis suggested there were three versions of the WANK
worm. These versions, isolated from worm samples collected from the
network, were very similar, but each contained a few subtle
differences. In McMahon's view, these differences could not be explained
by the way the worm recreated itself at each site in order to
spread. But why would the creator of the worm release different
versions? Why not just write one version properly and fire it off? The
worm wasn't just one incoming missile; it was a frenzied attack. It was
coming from all directions, at all sorts of different levels within
NASA's computers.
McMahon guessed that the worm's designer had released the different
versions at slightly different times. Maybe the creator released the
worm, and then discovered a bug. He fiddled with the worm a bit to
correct the problem and then released it again. Maybe he didn't like
the way he had fixed the bug the first time, so he changed it a little
more and released it a third time.
In northern California, Kevin Oberman came to a different conclusion.
He believed there was in fact only one real version of the worm
spiralling through HEPNET and SPAN. The small variations in the
different copies he dissected seemed to stem from the worm's ability
to learn and change as it moved from computer to computer.
McMahon and Oberman weren't the only detectives trying to decipher the
various manifestations of the worm. DEC was also examining the worm,
and with good reason. The WANK worm had invaded the corporation's own
network. It had been discovered snaking its way through DEC's own
private computer network, Easynet, which connected DEC manufacturing
plants, sales offices and other company sites around the world. DEC
was circumspect about discussing the matter publicly, but the Easynet
version of the WANK worm was definitely distinct. It had a strange
line of code in it, a line missing from any other versions. The worm
was under instructions to invade as many sites as it could, with one
exception. Under no circumstances was it to attack computers inside
DEC's area 48. The NASA team mulled over this information. One of them
looked up area 48. It was New Zealand.
New Zealand?
The NASA team were left scratching their heads. This attack was
getting stranger by the minute. Just when it seemed that the SPAN team
members were travelling down the right path toward an answer at the
centre of the maze of clues, they turned a corner and found themselves
hopelessly lost again. Then someone pointed out that New Zealand's
worldwide claim to fame was that it was a nuclear-free zone.
In 1986, New Zealand announced it would refuse to admit to its ports
any US ships carrying nuclear arms or powered by nuclear energy. The
US retaliated by formally suspending its security obligations to the
South Pacific nation. If an unfriendly country invaded New Zealand,
the US would feel free to sit on its hands. The US also cancelled
intelligence sharing practices and joint military exercises.
Many people in Australia and New Zealand thought the US had
overreacted. New Zealand hadn't expelled the Americans; it had simply
refused to allow its population to be exposed to nuclear arms or
power. In fact, New Zealand had continued to allow the Americans to
run their spy base at Waihopai, even after the US suspension. The
country wasn't anti-US, just anti-nuclear.
And New Zealand had very good reason to be anti-nuclear. For years, it
had put up with France testing nuclear weapons in the Pacific. Then in
July 1985 the French blew up the Greenpeace anti-nuclear protest ship
as it sat in Auckland harbour. The Rainbow Warrior was due to sail for
Mururoa Atoll, the test site, when French secret agents bombed the
ship, killing Greenpeace activist Fernando Pereira.
For weeks, France denied everything. When the truth came out--that
President Mitterrand himself had known about the bombing plan--the
French were red-faced. Heads rolled. French Defence Minister Charles
Hernu was forced to resign. Admiral Pierre Lacoste, director of
France's intelligence and covert action bureau, was sacked. France
apologised and paid $NZ13 million compensation in exchange for New
Zealand handing back the two saboteurs, who had each been sentenced to
ten years' prison in Auckland.
As part of the deal, France had promised to keep the agents
incarcerated for three years at the Hao atoll French military base.
Both agents walked free by May 1988 after serving less than two years.
After her return to France, one of the agents, Captain Dominique
Prieur, was promoted to the rank of commandant.
Finally, McMahon thought. Something that made sense. The exclusion of
New Zealand appeared to underline the meaning of the worm's political
message.
When the WANK worm invaded a computer system, it had instructions to
copy itself and send that copy out to other machines. It would slip
through the network and when it came upon a computer attached to the
network, it would poke around looking for a way in. What it really
wanted was to score a computer account with privileges, but it would
settle for a basic-level, user-level account.
VMS systems have accounts with varying levels of privilege. A
high-privilege account holder might, for example, be able to read the
electronic mail of another computer user or delete files from that
user's directory. He or she might also be allowed to create new
computer accounts on the system, or reactivate disabled accounts. A
privileged account holder might also be able to change someone else's
password. The people who ran computer systems or networks needed
accounts with the highest level of privilege in order to keep the
system running smoothly. The worm specifically sought out these sorts
of accounts because its creator knew that was where the power lay.
The worm was smart, and it learned as it went along. As it traversed
the network, it created a masterlist of commonly used account names.
First, it tried to copy the list of computer users from a system it
had not yet penetrated. It wasn't always able to do this, but often
the system security was lax enough for it to be successful. The worm
then compared that list to the list of users on its current host. When
it found a match--an account name common to both lists--the worm added
that name to the masterlist it carried around inside it, making a note
to try that account when breaking into a new system in future.
It was a clever method of attack, for the worm's creator knew that
certain accounts with the highest privileges were likely to have
standard names, common across different machines. Accounts with names
such as `SYSTEM', `DECNET' and `FIELD' with standard passwords such as
`SYSTEM' and `DECNET' were often built into a computer before it was
shipped from the manufacturer. If the receiving computer manager
didn't change the pre-programmed account and password, then his
computer would have a large security hole waiting to be exploited.
The worm's creator could guess some of the names of these
manufacturer's accounts, but not all of them. By endowing the worm
with an ability to learn, he gave it far more power. As the worm
spread, it became more and more intelligent. As it reproduced, its
offspring evolved into ever more advanced creatures, increasingly
successful at breaking into new systems.
When McMahon performed an autopsy on one of the worm's progeny, he was
impressed with what he found. Slicing the worm open and inspecting its
entrails, he discovered an extensive collection of generic privileged
accounts across the SPAN network. In fact, the worm wasn't only picking
up the standard VMS privileged accounts; it had learned accounts common
to NASA but not necessarily to other VMS computers. For example, a lot
of NASA sites ran a type of TCP/IP mailer that needed either a
POSTMASTER or a MAILER account. John saw those names turn up inside the
worm's progeny.
Even if it only managed to break into an unprivileged account, the
worm would use the account as an incubator. The worm replicated and
then attacked other computers in the network. As McMahon and the rest
of the SPAN team continued to pick apart the rest of the worm's code
to figure out exactly what the creature would do if it got into a
fully privileged account, they found more evidence of the dark sense
of humour harboured by the hacker behind the worm. Part of the worm, a
subroutine, was named `find fucked'.
The SPAN team tried to give NASA managers calling in as much
information as they could about the worm. It was the best way to help
computer managers, isolated in their offices around the country, to
regain a sense of control over the crisis.
Like all the SPAN team, McMahon tried to calm the callers down and
walk them through a set of questions designed to determine the extent
of the worm's control over their systems. First, he asked them what
symptoms their systems were showing. In a crisis situation, when
you're holding a hammer, everything looks like a nail. McMahon wanted
to make sure that the problems on the system were in fact caused by
the worm and not something else entirely.
If the only problem seemed to be mysterious comments flashing across
the screen, McMahon concluded that the worm was probably harassing the
staff on that computer from a neighbouring system which it had
successfully invaded. The messages suggested that the recipients'
accounts had not been hijacked by the worm. Yet.
VAX/VMS machines have a feature called Phone, which is useful for
on-line communications. For example, a NASA scientist could `ring up'
one of his colleagues on a different computer and have a friendly chat
on-line. The chat session is live, but it is conducted by typing on
the computer screen, not `voice'. The VMS Phone facility enabled the
worm to send messages to users. It would simply call them using the
phone protocol. But instead of starting a chat session, it sent them
statements from what was later determined to be the aptly named
Fortune Cookie file--a collection of 60 or so pre-programmed comments.
In some cases, where the worm was really bugging staff, McMahon told
the manager at the other end of the phone to turn the computer's Phone
feature off. A few managers complained and McMahon gave them the
obvious ultimatum: choose Phone or peace. Most chose peace.
When McMahon finished his preliminary analysis, he had good news and
bad news. The good news was that, contrary to what the worm was
telling computer users all over NASA, it was not actually deleting
their files. It was just pretending to delete their data. One big
practical joke. To the creator of the worm anyway. To the NASA
scientists, just a headache and heartache. And occasionally a heart
attack.
The bad news was that, when the worm got control over a privileged
account, it would help someone--presumably its creator--perpetrate an
even more serious break-in at NASA. The worm sought out the FIELD
account created by the manufacturer and, if it had been turned off,
tried to reactivate the account and install the password FIELD. The
worm was also programmed to change the password for the standard
account named DECNET to a random string of at least twelve characters.
In short, the worm tried to pry open a backdoor to the system.
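The two behaviours just described, harvesting account names that recur across machines and leaving a FIELD account with the password FIELD as a backdoor, translate directly into a post-infection audit. The block below is an added example, not code from the book or from the NASA and DOE teams; it runs over a constructed account table (NODEA, NODEB and NODEC are hypothetical hosts, and the plaintext passwords are fixtures, not anything a real VMS system would expose) and flags the indicators the chapter names.

```python
from dataclasses import dataclass

# Vendor accounts and the shipped passwords named in the chapter.
DEFAULT_PASSWORDS = {"SYSTEM": "SYSTEM", "DECNET": "DECNET", "FIELD": "FIELD"}


@dataclass(frozen=True)
class Account:
    host: str
    name: str
    password: str  # plaintext only because this is a constructed audit fixture
    enabled: bool


# Constructed sample: three hypothetical nodes, not real SPAN hosts.
SAMPLE = [
    Account("NODEA", "SYSTEM", "SYSTEM", True),      # shipped password never changed
    Account("NODEA", "DECNET", "Qp7vL2mZx9Rt", True),  # looks like the worm's random reset
    Account("NODEA", "FIELD", "FIELD", True),        # reactivated backdoor
    Account("NODEA", "POSTMASTER", "mail-1", True),
    Account("NODEB", "SYSTEM", "hard-pass", True),
    Account("NODEB", "DECNET", "DECNET", True),
    Account("NODEB", "FIELD", "FIELD", False),       # disabled, but still default
    Account("NODEB", "POSTMASTER", "mail-2", True),
    Account("NODEC", "SYSTEM", "other", True),
    Account("NODEC", "DECNET", "other2", True),
    Account("NODEC", "MAILER", "m", True),
]


def default_password_findings(accounts):
    """(host, name) pairs still carrying the vendor password the worm guessed first."""
    return sorted((a.host, a.name) for a in accounts
                  if DEFAULT_PASSWORDS.get(a.name) == a.password)


def field_backdoor_findings(accounts):
    """Hosts where FIELD is enabled: the state the worm left on privileged hosts."""
    return sorted(a.host for a in accounts if a.name == "FIELD" and a.enabled)


def shared_account_names(accounts, min_hosts=2):
    """Names present on min_hosts or more hosts: the overlap the worm harvested
    into its master list, so these are the names to re-password everywhere."""
    hosts_by_name = {}
    for a in accounts:
        hosts_by_name.setdefault(a.name, set()).add(a.host)
    return {n: sorted(h) for n, h in hosts_by_name.items() if len(h) >= min_hosts}


def audit(accounts):
    """Per-host summary a SPAN-style crisis team could read down a phone line."""
    report = {}
    for host in sorted({a.host for a in accounts}):
        report[host] = {
            "default_passwords": [n for h, n in default_password_findings(accounts) if h == host],
            "field_enabled": host in field_backdoor_findings(accounts),
        }
    return report


if __name__ == "__main__":
    for host, findings in audit(SAMPLE).items():
        print(host, findings)
    print("names shared across hosts:", shared_account_names(SAMPLE))
```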
The worm sent information about accounts it had successfully broken
into back to a type of electronic mailbox--an account called GEMPAK on
SPAN node 6.59. Presumably, the hacker who created the worm would
check the worm's mailbox for information which he could use to break
into the NASA account at a later date. Not surprisingly, the mailboxes
had been surreptitiously `borrowed' by the hacker, much to the
surprise of the legitimate owners.
A computer hacker created a whole new set of problems. Although the
worm was able to break into new accounts with greater speed and reach
than a single hacker, it was more predictable. Once the SPAN and DOE
teams picked the worm apart, they would know exactly what it could be
expected to do. However, a hacker was utterly unpredictable.
McMahon realised that killing off the worm was not going to solve the
problem. All the system managers across the NASA and DOE networks
would have to change all the passwords of the accounts used by the
worm. They would also have to check every system the worm had invaded
to see if it had built a backdoor for the hacker. The system admin had
to shut and lock all the backdoors, no small feat.
What really scared the SPAN team about the worm, however, was that it
was rampaging through NASA simply by using the simplest of attack