Fermilab in Chicago and propelled itself across the Pacific into the
Riken Accelerator Facility in Japan.14
NASA officials told the media they believed the worm had been launched
about 4.30 a.m. on Monday, 16 October.15 They also believed it had
originated in Europe, possibly in France.
Wednesday, 18 October 1989
Kennedy Space Center, Florida
The five-member Atlantis had some bad news on Wednesday morning. The
weather forecasters gave the launch site a 40 per cent chance of
launch guideline-violating rain and cloud. And then there was the
earthquake in California.
The Kennedy Space Center wasn't the only place which had to be in
tip-top working order for a launch to go ahead. The launch depended on
many sites far away from Florida. These included Edwards Air Force
Base in California, where the shuttle was due to land on Monday. They
also included other sites, often military bases, which were essential
for shuttle tracking and other mission support. One of these sites was
a tracking station at Onizuka Air Force Base at Sunnyvale, California.
The earthquake which ripped through the Bay area had damaged the
tracking station and senior NASA decision-makers planned to meet on
Wednesday morning to consider the Sunnyvale situation. Still, the
space agency maintained a calm, cool exterior. Regardless of the
technical problems, the court challenges and the protesters, the
whimsical weather, the natural disasters, and the WANK worm, NASA was
still in control of the situation.
`There's been some damage, but we don't know how much. The sense I get
is it's fairly positive,' a NASA spokesman told UPI. `But there are
some problems.'16 In Washington, Pentagon spokesman Rick Oborn
reassured the public again, `They are going to be able to handle
shuttle tracking and support for the mission ... They will be able to
do their job'.17
Atlantis waited, ready to go, at launchpad 39B. The technicians had
filled the shuttle up with rocket fuel and it looked as if the weather
might hold. It was partly cloudy, but conditions at Kennedy passed
The astronauts boarded the shuttle. Everything was in place.
problems in Africa, the site of an emergency landing location. If it
wasn't one thing, it was another. NASA ordered a four-minute delay.
Finally at 12.54 p.m., Atlantis boomed from its launchpad. Rising up
from the Kennedy Center, streaking a trail of twin flames from its
huge solid-fuel boosters, the shuttle reached above the atmosphere and
At 7.15 p.m., exactly 6 hours and 21 minutes after lift-off, Galileo
began its solo journey into space. And at 8.15 p.m., Galileo's booster
`The spacecraft Galileo ... has achieved Earth escape velocity'.18
Monday, 30 October 1989
NASA's Goddard Space Flight Center, Greenbelt, Maryland
The week starting 16 October had been a long one for the SPAN team.
They were keeping twelve-hour days and dealing with hysterical people
all day long. Still, they managed to get copies of anti-WANK out,
despite the limitations of the dated SPAN records and the paucity of
good logs allowing them to retrace the worm's path. `What we learned
that week was just how much data is not collected,' McMahon observed.
By Friday, 20 October, there were no new reports of worm attacks. It
looked as though the crisis had passed. Things could be tidied up by
the rest of the SPAN team and McMahon returned to his own work.
A week passed. All the while, though, McMahon was on edge. He doubted
that someone who had gone to all that trouble of creating the WANK
worm would let his baby be exterminated so quickly. The decoy-duck
strategy only worked as long as the worm kept the same process name,
and as long as it was programmed not to activate itself on systems
which were already infected. Change the process name, or teach the
worm to not to suicide, and the SPAN team would face another, larger
problem. John McMahon had an instinct about the worm; it might just
The following Monday, McMahon received another phone call from the
SPAN project office. When he poked his head in his boss's office,
Jerome Bennett looked up from his desk.
`The thing is back,' McMahon told him. There was no need to explain
what `the thing' was. `I'm going over to the SPAN office.'
Ron Tencati and Todd Butler had a copy of the new WANK worm ready for
McMahon. This version of the worm was far more virulent. It copied
itself more effectively and therefore moved through the network much
faster. The revised worm's penetration rate was much higher--more than
four times greater than the version of WANK released in the first
attack. The phone was ringing off the hook again. John took a call
from one irate manager who launched into a tirade. `I ran your
anti-WANK program, followed your instructions to the letter, and look
The worm had changed its process name. It was also designed to hunt down
and kill the decoy-duck program. In fact, the SPAN network was going to
turn into a rather bloody battlefield. This worm didn't just kill the
decoy, it also killed any other copy of the WANK worm. Even if McMahon
changed the process name used by his program, the decoy-duck strategy
was not going to work any longer.
There were other disturbing improvements to the new version of the
WANK worm. Preliminary information suggested it changed the password
on any account it got into. This was a problem. But not nearly as big
a problem as if the passwords it changed were for the only privileged
accounts on the system. The new worm was capable of locking a system
manager out of his or her own system.
Prevented from getting into his own account, the computer manager
might try borrowing the account of an average user, call him Edwin.
Unfortunately, Edwin's account probably only had low-level privileges.
Even in the hands of a skilful computer manager, the powers granted to
Edwin's account were likely too limited to eradicate the worm from its
newly elevated status as computer manager. The manager might spend his
whole morning matching wits with the worm from the disadvantaged
position of a normal user's account. At some point he would have to
make the tough decision of last resort: turn the entire computer
The manager would have to conduct a forced reboot of the machine. Take
it down, then bring it back up on minimum configuration. Break back
into it. Fix the password which the worm had changed. Logout. Reset
some variables. Reboot the machine again. Close up any underlying
security holes left behind by the worm. Change any passwords which
matched users' names. A cold start of a large VMS machine took time.
All the while, the astronomers, physicists and engineers who worked in
this NASA office wouldn't be able to work on their computers.
At least the SPAN team was better prepared for the worm this time.
They had braced themselves psychologically for a possible return
attack. Contact information for the network had been updated. And the
general DECNET internet community was aware of the worm and was
lending a hand wherever possible.
Help came from a system manager in France, a country which seemed to
be of special interest to the worm's author. The manager, Bernard
Perrot of Institut de Physique Nucleaire in Orsay, had obtained a copy
of the worm, inspected it and took special notice of the creature's
poor error checking ability. This was the worm's true Achilles' heel.
The worm was trained to go after the RIGHTSLIST database, the list of
all the people who have accounts on the computer. What if someone
moved the database by renaming it and put a dummy database in its
place? The worm would, in theory, go after the dummy, which could be
designed with a hidden bomb. When the worm sniffed out the dummy, and
latched onto it, the creature would explode and die. If it worked, the
SPAN team would not have to depend on the worm killing itself, as they
had during the first invasion. They would have the satisfaction of
destroying the thing themselves.
Ron Tencati procured a copy of the French manager's worm-killing
program and gave it to McMahon, who set up a sort of mini-laboratory
experiment. He cut the worm into pieces and extracted the relevant
bits. This allowed him to test the French worm-killing program with
little risk of the worm escaping and doing damage. The French program
worked wonderfully. Out it went. The second version of the worm was so
much more virulent, getting it out of SPAN was going to take
considerably longer than the first time around. Finally, almost two
weeks after the second onslaught, the WANK worm had been eradicated
By McMahon's estimate, the WANK worm had incurred up to half a million
dollars in costs. Most of these were through people wasting time and
resources chasing the worm instead of doing their normal jobs. The
worm was, in his view, a crime of theft. `People's time and resources
had been wasted,' he said. `The theft was not the result of the
accident. This was someone who deliberately went out to make a mess.
`In general, I support prosecuting people who think breaking into
machines is fun. People like that don't seem to understand what kind
of side effects that kind of fooling around has. They think that
breaking into a machine and not touching anything doesn't do anything.
That is not true. You end up wasting people's time. People are dragged
into the office at strange hours. Reports have to be written. A lot of
yelling and screaming occurs. You have to deal with law enforcement.
These are all side effects of someone going for a joy ride in someone
else's system, even if they don't do any damage. Someone has to pay
McMahon never found out who created the WANK worm. Nor did he ever
discover what he intended to prove by releasing it. The creator's
motives were never clear and, if it had been politically inspired,
no-one took credit.
The WANK worm left a number of unanswered questions in its wake, a
number of loose ends which still puzzle John McMahon. Was the hacker
behind the worm really protesting against NASA's launch of the
plutonium-powered Galileo space probe? Did the use of the word
`WANK'--a most un-American word--mean the hacker wasn't American? Why
had the creator recreated the worm and released it a second time? Why
had no-one, no political or other group, claimed responsibility for
the WANK worm?
One of the many details which remained an enigma was contained in the
version of the worm used in the second attack. The worm's creator had
replaced the original process name, NETW_, with a new one, presumably
to thwart the anti-WANK program. McMahon figured the original process
name stood for `netwank'--a reasonable guess at the hacker's intended
meaning. The new process name, however, left everyone on the SPAN team
scratching their heads: it didn't seem to stand for anything. The
letters formed an unlikely set of initials for someone's name. No-one
recognised it as an acronym for a saying or an organisation. And it
certainly wasn't a proper word in the English language. It was a
complete mystery why the creator of the WANK worm, the hacker who
launched an invasion into hundreds of NASA and DOE computers, should
choose this weird word.
The word was `OILZ'.
Chapter 2 -- The Corner Pub
You talk of times of peace for all
and then prepare for war
-- from `Blossom of Blood' on Species Deceases by Midnight Oil
It is not surprising the SPAN security team would miss the mark. It is
not surprising, for example, that these officials should to this day
be pronouncing the `Oilz' version of the WANK worm as `oil zee'. It is
also not surprising that they hypothesised the worm's creator chose
the word `Oilz' because the modifications made to the last version
made it slippery, perhaps even oily.
Likely as not, only an Australian would see the worm's link to the
lyrics of Midnight Oil.
This was the world's first worm with a political message, and the
second major worm in the history of the worldwide computer networks.
It was also the trigger for the creation of FIRST, the Forum of
Incident Response and Security Teams.2 FIRST was an international
security alliance allowing governments, universities and commercial
organisations to share information about computer network security
incidents. Yet, NASA and the US Department of Energy were half a world
away from finding the creator of the WANK worm. Even as investigators
sniffed around electronic trails leading to France, it appears the
perpetrator was hiding behind his computer and modem in Australia.
Geographically, Australia is a long way from anywhere. To Americans,
it conjures up images of fuzzy marsupials, not computer hackers.
American computer security officials, like those at NASA and the US
Department of Energy, had other barriers as well. They function in a
world of concretes, of appointments made and kept, of real names,
business cards and official titles. The computer underground, by
contrast, is a veiled world populated by characters slipping in and
out of the half-darkness. It is not a place where people use their
real names. It is not a place where people give out real personal
intangible--a foggy labyrinth of unmapped, winding streets through
which one occasionally ascertains the contours of a fellow traveller.
When Ron Tencati, the manager in charge of NASA SPAN security, realised
that NASA's computers were being attacked by an intruder, he rang the
FBI. The US Federal Bureau of Investigation's Computer Crime Unit fired
off a stream of questions. How many computers had been attacked? Where
were they? Who was behind the attack? The FBI told Tencati, `keep us
informed of the situation'. Like the CIAC team in the Department of
Energy, it appears the FBI didn't have much knowledge of VMS, the
primary computer operating system used in SPAN.
But the FBI knew enough to realise the worm attack was potentially
very serious. The winding electronic trail pointed vaguely to a
foreign computer system and, before long, the US Secret Service was
involved. Then the French secret service, the Direction de la
Surveillance du Territoire, or DST, jumped into the fray.
DST and the FBI began working together on the case. A casual observer
with the benefit of hindsight might see different motivations driving
the two government agencies. The FBI wanted to catch the perpetrator.
The DST wanted to make it clear that the infamous WANK worm attack on
the world's most prestigious space agency did not originate in France.
In the best tradition of cloak-and-dagger government agencies, the FBI
and DST people established two communication channels--an official
channel and an unofficial one. The official channel involved
embassies, attachés, formal communiques and interminable delays in
getting answers to the simplest questions. The unofficial channel
involved a few phone calls and some fast answers.
Ron Tencati had a colleague named Chris on the SPAN network in France,
which was the largest user of SPAN in Europe. Chris was involved in
more than just science computer networks. He had certain contacts in
the French government and seemed to be involved in their computer
networks. So, when the FBI needed technical information for its
investigation--the kind of information likely to be sanitised by some
embassy bureaucrat--one of its agents rang up Ron Tencati. `Ron, ask
your friend this,' the FBI would say. And Ron would.
`Chris, the FBI wants to know this,' Tencati would tell his colleague
on SPAN France. Then Chris would get the necessary information. He
would call Tencati back, saying, `Ron, here is the answer. Now, the
DST wants to know that'. And off Ron would go in search of information
requested by the DST.
The investigation proceeded in this way, with each helping the other
through backdoor channels. But the Americans' investigation was headed
toward the inescapable conclusion that the attack on NASA had
originated from a French computer. The worm may have simply travelled
through the French computer from yet another system, but the French
machine appeared to be the sole point of infection for NASA.
The French did not like this outcome. Not one bit. There was no way
that the worm had come from France. Ce n'est pas vrai.
Word came back from the French that they were sure the worm had come
from the US. Why else would it have been programmed to mail details of
all computer accounts it penetrated around the world back to a US
machine, the computer known as GEMPAK? Because the author of the worm
was an American, of course! Therefore it is not our problem, the
French told the Americans. It is your problem.
Most computer security experts know it is standard practice among
hackers to create the most tangled trail possible between the hacker
and the hacked. It makes it very difficult for people like the FBI to
trace who did it. So it would be difficult to draw definite
conclusions about the nationality of the hacker from the location of a
hacker's information drop-off point--a location the hacker no doubt
figured would be investigated by the authorities almost immediately
after the worm's release.
Tencati had established the French connection from some computer logs
showing NASA under attack very early on Monday, 16 October. The logs
were important because they were relatively clear. As the worm had
procreated during that day, it had forced computers all over the
network to attack each other in ever greater numbers. By 11 a.m. it
was almost impossible to tell where any one attack began and the other
Some time after the first attack, DST sent word that certain agents
a meeting with the FBI. A representative from the NASA Inspector
General's Office would attend the meeting, as would someone from NASA
Tencati was sure he could show the WANK worm attack on NASA originated
in France. But he also knew he had to document everything, to have
exact answers to every question and counter-argument put forward by
the French secret service agents at the FBI meeting. When he developed
a timeline of attacks, he found that the GEMPAK machine showed X.25
network connection, via another system, from a French computer around
the same time as the WANK worm attack. He followed the scent and
contacted the manager of that system. Would he help Tencati? Mais oui.
The machine is at your disposal, Monsieur Tencati.
Tencati had never used an X.25 network before; it had a unique set of
commands unlike any other type of computer communications network. He
wanted to retrace the steps of the worm, but he needed help. So he
called his friend Bob Lyons at DEC to walk him through the process.
What Tencati found startled him. There were traces of the worm on the
machine all right, the familiar pattern of login failures as the worm
attempted to break into different accounts. But these remnants of the
WANK worm were not dated 16 October or any time immediately around
then. The logs showed worm-related activity up to two weeks before the
attack on NASA. This computer was not just a pass-through machine the
worm had used to launch its first attack on NASA. This was the
Tencati went into the meeting with DST at the FBI offices prepared. He
knew the accusations the French were going to put forward. When he
presented the results of his sleuthwork, the French secret service
couldn't refute it, but they dropped their own bombshell. Yes they
told him, you might be able to point to a French system as ground zero
for the attack, but our investigations reveal incoming X.25
connections from elsewhere which coincided with the timing of the
development of the WANK worm.
The connections came from Australia.
The French had satisfied themselves that it wasn't a French hacker who
had created the WANK worm. Ce n'est pas notre problem. At least, it's
not our problem any more.
It is here that the trail begins to go cold. Law enforcement and
computer security people in the US and Australia had ideas about just
who had created the WANK worm. Fingers were pointed, accusations were
made, but none stuck. At the end of the day, there was coincidence and
innuendo, but not enough evidence to launch a case. Like many
Australian hackers, the creator of the WANK worm had emerged from the
shadows of the computer underground, stood momentarily in hazy
silhouette, and then disappeared again.
The Australian computer underground in the late 1980s was an
environment which spawned and shaped the author of the WANK worm.
Affordable home computers, such as the Apple IIe and the Commodore 64,
made their way into ordinary suburban families. While these computers
were not widespread, they were at least in a price range which made
them attainable by dedicated computer enthusiasts.
In 1988, the year before the WANK worm attack on NASA, Australia was
on an upswing. The country was celebrating its bicentennial. The
economy was booming. Trade barriers and old regulatory structures were
coming down. Crocodile Dundee had already burst on the world movie
scene and was making Australians the flavour of the month in cities
like LA and New York. The mood was optimistic. People had a sense they
were going places. Australia, a peaceful country of seventeen or so
million people, poised on the edge of Asia but with the order of a
Western European democracy, was on its way up. Perhaps for the first