Cuckoo's Egg
Page 38
Now this doesn’t make sense: computer programs look like machine code. This one doesn’t. There’s no header block information and only a few commands that I recognize. The rest is guacamole.
Patiently I try to understand what those few commands do. Suppose I were a Sun workstation, and someone fed those commands to me. How would I respond? With a pad of paper, hand calculator, and a booklet of machine instructions, I start unwinding the virus’s code.
The first few commands just strip off some encryption from the rest of the virus. That’s why the virus looks strange. The actual commands have been purposely obscured.
Aha! The virus writer has hidden his virus: he’s tried to prevent other programmers from understanding his code. Throwing nails on the road to slow down his pursuers.
Diabolical.
Time to call Darren again. It’s 5 A.M. and we’re comparing notes—he’s discovered the same thing and more: “I’ve unmasked part of the virus, and I can see it’s breaking in through the mail system. Then, it uses finger and telnet to spread itself to other computers. It’s decrypting passwords by brute force guessing.”
Together, over the phone, we pry apart the program. Its whole purpose seems to be to copy itself into other computers. It searches for network connections—nearby computers, distant systems, anything that it can reach.
Whenever the virus program discovers a computer on the network, it tries to break into it, using several obscure holes in the Unix operating system.
Holes in Unix? Sure.
When you send mail from one Unix computer to another, the Unix Sendmail program handles the transfer. A mail message arrives from the network and Sendmail forwards it to the addressee. It’s an electronic post office that pigeonholes mail.
Sendmail has a hole. Normally, a foreign computer sends messages into this program and everyone’s happy. But if there’s a problem, you can ask the program to enter debug mode—the program’s backdoor.
When you’re in debug, Sendmail lets you issue ordinary Unix commands from a foreign computer. Commands like “Execute the following program.”
So that’s how this virus spawned copies. It mailed copies of itself to other computers and commanded them to execute the virus program.
After the virus program started, it searched for other computers to infect and sent mail messages to them.
On some systems, Sendmail had been fixed. If so, the virus tried yet another hole: the finger daemon.
To see if I’ve been using a Unix system, you can issue the command, finger cliff. If I’ve been logged in, Unix will respond with my name, phone number, and what I’m up to. It works well over the network; often I’ll just finger someone before calling their telephone.
The virus invaded through the program that handled finger requests. The finger daemon has room for 512 characters of data; the virus sent 536 characters. What happened to the extra 24 characters? They got executed as commands to Unix.
By overflowing the finger daemon, the virus found a second way to execute the command, “Execute the following program,” on someone else’s computer.
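As an added illustration in C, not code from the book or from the worm itself, here is the defender's side of the overflow described above: a request reader that refuses anything that will not fit the 512-character buffer the page mentions, so the 24 excess bytes of a 536-byte request are never written past the buffer. The helper names (read_request, request_accepted, overflow_bytes) and the all-'A' sample request are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not the book's or the worm's code): a bounded reader for a
   finger-style request line. The page states the finger daemon had room for
   512 characters and the worm sent 536. With a bounded copy the extra
   24 bytes become a rejected request instead of overwritten memory. */

#define REQ_BUF 512   /* buffer size stated on the page */

/* How many bytes of a request would not fit in the buffer (536 -> 24). */
size_t overflow_bytes(size_t request_len, size_t bufsize) {
    return request_len > bufsize ? request_len - bufsize : 0;
}

/* Copy a request into a fixed buffer only if it fits, terminating NUL
   included. Returns 1 on success; 0 means the request was rejected and
   buf is untouched. Nothing beyond bufsize is ever written. */
int read_request(const char *input, char *buf, size_t bufsize) {
    size_t len = strlen(input);
    if (len >= bufsize) {
        return 0;   /* too long: reject instead of overflowing */
    }
    memcpy(buf, input, len + 1);
    return 1;
}

/* Build a constructed request of the given length (all 'A', a stand-in for
   a username) and run it through read_request. Returns 1 if accepted. */
int request_accepted(size_t request_len) {
    char request[1024];
    char buf[REQ_BUF];
    if (request_len >= sizeof request) {
        return 0;
    }
    memset(request, 'A', request_len);
    request[request_len] = '\0';
    return read_request(request, buf, sizeof buf);
}

int main(void) {
    /* constructed sample requests: a short username and the 536-byte case */
    printf("5-byte request accepted: %d\n", request_accepted(5));
    printf("536-byte request accepted: %d (excess bytes: %zu)\n",
           request_accepted(536), overflow_bytes(536, REQ_BUF));
    return 0;
}
```

The check is `len >= bufsize` rather than `len > bufsize` because the terminating NUL also needs a slot; a 511-character name is the longest this reader accepts, and a 512-character one is rejected rather than silently truncated.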
If that wasn’t enough, the virus had a password guesser built in. It tried to log into nearby, trusted computers, using a few hundred common passwords. If it guessed a valid password, it copied itself into the computer and started all over.
Whew! Any one of these ways would impregnate a lot of computers. Taken together, they formed a fiendishly effective virus.
Like a sorcerer’s apprentice, the program kept copying itself from one computer to another. Erase one copy, and a new one would spring into its place. Plug up one hole, and the virus would try a different hole.
Did I say virus?
“You know, Cliff, a virus modifies other programs when it runs. This thing doesn’t change other programs; it just copies itself,” Darren explained. “It’s really not a virus, it’s a network worm.”
A virus copies itself into other programs, changing the program itself. A worm copies itself from one computer to another. Both are contagious; either can spread havoc.
Viruses usually infect personal computers, spreading through floppy disks and copied programs. Worms strike over networks, spreading through the very connections used for electronic mail and communications.
But at 5 A.M., all I knew was that my computers were bogged down and it’s the fault of this self-replicating program. It’s a cuckoo, laying eggs in other birds’ nests.
Worm or virus, whoever built it has deliberately thrown up roadblocks to prevent anyone from understanding it. The code’s encrypted, and it hides its internal tables. It erases any evidence of its parent worm. It feints by appearing to send a message to a Berkeley computer, while actually sending nothing at all—an attempt to draw attention away from the real source of the program.
By 6 A.M., Thursday morning, I’m thinking about the effects of this worm: a disaster’s brewing, and someone needs to be notified. Who?
I’ve called the Arpanet Network Operations Center. They can’t do much—even if they turn off the whole network, the worm will still breed, moving around local networks. Better call the National Computer Security Center. Who do I know there? Bob Morris, their chief scientist.
I knew Bob Morris was on his computer at 6:30 A.M. Thursday morning. I could see him logged into NSA’s Dockmaster computer. After posting a message to that machine, I called him on the phone.
“Hi, Bob. We’ve got troubles. A virus is spreading over the Arpanet, and it’s infesting Unix computers.”
“When did it start?”
“Around midnight, I’d guess. Maybe earlier—I just don’t know. I’ve been up all night trying to understand it.”
“How’s it spread?”
“Through a hole in the Unix mail program.”
“You must mean Sendmail. Hell, I’ve known about that for years.” Bob Morris might have known, but he had never told me.
“Whoever wrote the virus must be laughing, but it’s going to mean a rough day for everyone.”
“Any ideas who started it?”
“Nope.”
“Don’t worry about it. I’ll look into it and see what I can do.”
We chatted awhile, then I hung up. Well, I’ve warned the authorities. As chief scientist of the National Computer Security Center, Bob had a few hours to rouse his troops and begin figuring out what this virus was all about. I stared at my computer screen for a while, then, clad in a bathrobe, fell asleep on the keyboard.
Two hours later the phone rang. It’s Don Alvarez from MIT on the line.
“Hey, Cliff,” he says, “something weird is going on. There’s a hundred jobs running on our computer. Smells like a virus.”
“You’ve got it too, huh?” We compared notes and quickly realized that Unix systems across the country must be infected. There’s not much to do but patch the bugs in the systems.
“There are only two ways to understand this virus,” Don said. “The obvious way is to disassemble it. Follow the computer code, step by step, and figure out what it does.”
“OK,” I said, “I’ve tried that, and it’s not easy. What’s the other way?”
“Treat it as a black box. Watch it send signals to other computers, and estimate what’s inside of it.”
“There’s a third way, Don.”
“What’s that?”
“Find out who wrote it.”
I scanned the computer network news: Peter Yee and Keith Bostic of the University of California at Berkeley were unraveling the virus; they described the Unix holes and even published a way to patch the software. Well done!
Within the day, Jon Rochlis, Stan Zanarotti, Ted Ts’o, and Mark Eichin of MIT were dissecting the program, translating the bits and bytes into ideas. By Thursday evening—less than twenty-four hours after the virus was released—the MIT and Berkeley groups had disassembled the code and were well along to understanding it.
Mike Muuss of the Ballistics Research Lab was making progress, too. Within a few hours, he built a test chamber for the virus and used his software tools to prod it. From his experiments, he understood how it spread, and which holes it used to infest other computers.
But who wrote it?
Around eleven in the morning, someone from NSA’s National Computer Security Center called me.
“Cliff, we’ve just held a meeting about the virus,” the voice said. “I’ve got just one question for you: did you write the virus?”
I was stunned. Me? Write this virus?
“No, damn it, I didn’t write it. I’ve spent the past night trying to extinguish it.”
“A couple people at the meeting suggested that you were the most likely creator. I’m just checking.”
You’ve got to be joking. Me? What could make them think that I had written it? Then I realized: I’d posted a message to their computer. I was the first to call them. What paranoia!
Their call set me to thinking. Who had written the virus? Why? You don’t accidentally write a virus. This one had taken weeks to build.
Late Thursday afternoon, I called Bob Morris back. “Any news?” I asked him.
“For once, I’ll tell you the truth,” Bob said. “I know who wrote the virus.”
“Are you going to tell me?”
“No.”
Now that’s efficient. Ten hours after I call them, the National Computer Security Center has found the culprit.
But I hadn’t. He’s still a mystery to me, so it’s back to snooping around the networks. If I could only find the computer that had been first infected. No, that won’t work. There’s thousands out there.
John Markoff, a reporter from the New York Times, called. “I heard a rumor that the person who wrote the virus has the initials RTM. Is that any help?”
“Not much, but I’ll check it out.”
How do you find someone from his initials? Of course … you look him up in the network directory.
I log into the Network Information Center and search for anyone with the initials RTM. One guy pops up: Robert T. Morris. Address: Harvard University, Aiken Laboratory.
Aiken. I’ve heard of that. It’s three blocks from my house. I think I’ll stroll by.
I pull on a coat and walk along Kirkland Street, then over to Oxford Street, where the sidewalks are brick. Across the street from Harvard’s Cyclotron Laboratory, there’s a lunch truck selling Middle Eastern food. A hundred feet away, Aiken Computer Lab—an ugly modern concrete building surrounded by old Victorian masterpieces.
I walk up to a secretary. “Hi. I’m looking for Robert Morris.”
“Never heard of him,” she says. “But I’ll check my machine.” She types into her terminal,
Finger Morris
Her computer responds:
Login name: rtm In real life: Robert T. Morris
Phone: 617/498-2247
Last login Thu Nov 3 00:25 on ttyp2 from 128.84.254.126
Well—the last time that Robert Morris used the Harvard computer was twenty-five minutes after midnight, on the morning that the virus struck. But he’s not here in Massachusetts. That address, 128.84.254.126, is at Cornell University. He entered the Harvard system from a computer at Cornell University. Curious.
The secretary sees the message, looks up, and says, “Oh, he must have once been a student here. That phone number is in Room 111.”
I wander over to room 111 and knock on the door. A student in a T-shirt peers out. “Ever hear of Robert Morris?” I ask.
His face blanches. “Yeah. He’s not here anymore.” And he slams the door in my face.
I walk away, think for a moment, then return. “Have you heard about the virus?” I ask the guy at the door.
“Oh, RTM wouldn’t have done that. I’m sure.”
Wait a second. I hadn’t even asked if Morris had written the virus and this guy’s denying it. There’s an easy way to test this guy’s veracity. “When’s the last time that Morris has used Harvard’s computers?”
“Last year, when he was a student. He’s at Cornell now, and he doesn’t log into our computer anymore.”
This guy’s story doesn’t jibe with the accounting records of his computer. One of ’em’s telling the truth. I’ll bank on the computer.
We talked for five minutes, and this guy tells me how he’s a good friend of Morris, how they were officemates together, and how RTM would never write a computer virus.
“Yeah, right,” I’m thinking.
I leave, thinking that Morris’s old officemate is covering for him. Morris must be talking to this guy, and they’re both frightened. I’d be scared, too, in that squeeze. Half the country’s looking for the creator of this virus.
Where did the virus start from? I checked other computers in Cambridge, searching for connections to Cornell. One machine, over at MIT’s Artificial Intelligence Lab, showed late-night connections from Robert Morris’s computer at Cornell.
Now things made sense. The virus was designed and built at Cornell. Then the creator used the Arpanet to connect to MIT and release the virus there. A while later he panics when he realizes that his creature is out of control. So he logs into the Harvard computer, either to check on the virus’s progress, or to ask his friends for help.
The joke was on me, though. It didn’t occur to me that Robert T. Morris, Jr., was the son of Bob … er, Robert Morris, Sr. Yeah, son of Bob Morris, who only yesterday told me he’d known of the Sendmail hole for years. Bob Morris, the head honcho who’d grilled me on astrophysics, then nearly asphyxiated me with cigarette smoke.
So Bob Morris’ son froze two thousand computers. Why? To impress his dad? As a Halloween prank? To show off to a couple thousand computer programmers?
Whatever his purposes were, I don’t believe he was in cahoots with his father. Rumors have it that he worked with a friend or two at Harvard’s computing department (Harvard student Paul Graham sent him mail asking for “Any news on the brilliant project”), but I doubt his father would encourage anyone to create a virus. As Bob Morris, Sr., said, “This isn’t exactly a good mark for a career at NSA.”
After dissecting the code, MIT’s Jon Rochlis characterized the virus as “not very well written.” It was unique in that it attacked computers through four pathways: Bugs in the Unix Sendmail and Finger programs, guessing passwords, and by exploiting paths of trust between computers. In addition, Morris camouflaged the program in several ways, so as to avoid detection. But he made several programming mistakes—like setting the wrong replication rate—and the worm probably could have been written by many students or programmers.
All it takes is knowledge of Unix flaws and no sense of responsibility.
Once you understand how this particular worm-virus infests computers, the cure becomes evident: repair Sendmail and the finger daemon, change the passwords, and erase all the copies of the system’s virus. Evident, yes. Easy, no.
Spreading the word isn’t easy when everyone’s chopping off their electronic mail system. After all, that’s how this worm propagates its children. Slowly, using alternate networks and telephone calls, the word went out. Within a couple days, Morris’s worm was pretty much squashed.
But how do I protect against other viruses? Things aren’t so hopeful. Since viruses masquerade as sections of legitimate programs, they’re tough to detect. Worse, once your system is infected, these are difficult beasts to understand. A programmer has to decompile the code: a time-consuming, boring job.
Fortunately, computer viruses are rare. Although it’s become fashionable to blame system problems on viruses, they mostly hit people who exchange software and use computer bulletin boards. Fortunately, these are usually knowledgeable people who make backup copies of their disks.
A computer virus is specialized: a virus that works on an IBM PC cannot do anything to a Macintosh or a Unix computer. Similarly, the Arpanet virus could only strike at systems running Berkeley Unix. Computers running other operating systems—like AT&T Unix, VMS, or DOS—were totally immune.
Diversity, then, works against viruses. If all the systems on the Arpanet ran Berkeley Unix, the virus would have disabled all fifty thousand of them. Instead, it infected only a couple thousand. Biological viruses are just as specialized: we can’t catch the flu from dogs.
Bureaucrats and managers will forever urge us to standardize on a single type of system: “Let’s only use Sun workstations” or “Only buy IBM systems.” Yet somehow our communities of computers are a diverse population—with Data General machines sitting next to Digital Vaxes; IBMs connected to Sonys. Like our neighborhoods, electronic communities thrive through diversity.
Meanwhile, how much astronomy was I doing?
None. For thirty-six hours, I worked on disinfecting our computers. Then came meetings and then papers to write. And a couple copycat virus makers—fortunately, none as clever as the original.
The last I heard, Robert T. Morris was laying low, avoiding interviews and wondering about the chances of an indictment. His father’s still at NSA, still the chief scientist at their computer security center.
How much damage was done? I surveyed the network, and found that two thousand computers were infected within fifteen hours. These machines were dead in the water—useless until disinfected. And removing the virus often took two days.
Suppose someone disabled two thousand automobiles, say, by letting the air out of their tires. How would you measure the damage? By one measure, there’s been no damage at all: the cars are intact, and all you need to do is pump some air.
Or you can measure damage by the loss of the cars. Let’s see: how much do you lose if your car is disabled for a day? The cost of sending a tow truck out? Or the price of a rental car? Or the amount of work that you’ve lost? Hard to say.
Perhaps you’d thank the person who let the air out of your tires—award him a medal for raising your consciousness about automotive security.
Here, someone crippled some two thousand computers for two days.
What was lost? Programmers, secretaries, and managers couldn’t work. Data wasn’t collected. Projects were delayed.
The virus writer caused that much damage at least. Deeper damage, too. A while after the virus hit, some astronomers and programmers took a poll. Some of the computer people felt the virus was a harmless prank—one of the finest jokes ever.