                    ==Phrack Inc.==

          Volume Two, Issue 22, File 10 of 12

PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
PWN                                                 PWN
PWN        P h r a c k   W o r l d   N e w s        PWN
PWN        ~~~~~~~~~~~   ~~~~~~~~~   ~~~~~~~        PWN
PWN                Issue XXII/Part 2                PWN
PWN                                                 PWN
PWN           Created by Knight Lightning           PWN
PWN                                                 PWN
PWN              Written and Edited by              PWN
PWN         Knight Lightning and Taran King         PWN
PWN                                                 PWN
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN

Computer Network Disrupted By "Virus"                          November 3, 1988
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By John Markoff (New York Times)

In an intrusion that raises new questions about the vulnerability of the
nation's computers, a nationwide Department of Defense data network has been
disrupted since Wednesday night by a rapidly spreading "virus" software program
apparently introduced by a computer science student's malicious experiment.

The program reproduced itself through the computer network, making hundreds of
copies in each machine it reached, effectively clogging systems linking
thousands of military, corporate and university computers around the country
and preventing them from doing additional work. The virus is thought not to
have destroyed any files.

By late Thursday afternoon computer security experts were calling the virus the
largest assault ever on the nation's computers.

"The big issue is that a relatively benign software program can virtually bring
our computing community to its knees and keep it there for some time," said
Chuck Cole, deputy computer security manager at Lawrence Livermore Laboratory
in Livermore, Calif., one of the sites affected by the intrusion. "The cost is
going to be staggering."

Clifford Stoll, a computer security expert at Harvard University, added, "There
is not one system manager who is not tearing his hair out. It's causing
enormous headaches."

The affected computers carry routine communications among military officials,
researchers and corporations.

While some sensitive military data are involved, the nation's most sensitive
secret information, such as that on the control of nuclear weapons, is thought
not to have been touched by the virus.

Computer viruses are so named because they parallel in the computer world the
behavior of biological viruses. A virus is a program, or a set of instructions
to a computer, that is deliberately planted on a floppy disk meant to be used
with the computer or introduced when the computer is communicating over
telephone lines or data networks with other computers.

The programs can copy themselves into the computer's master software, or
operating system, usually without calling any attention to themselves. From
there, the program can be passed to additional computers.

Depending upon the intent of the software's creator, the program might cause a
provocative but otherwise harmless message to appear on the computer's screen.
Or it could systematically destroy data in the computer's memory.

The virus program was apparently the result of an experiment by a computer
science graduate student trying to sneak what he thought was a harmless virus
into the Arpanet computer network, which is used by universities, military
contractors and the Pentagon, where the software program would remain
undetected.

A man who said he was an associate of the student said in a telephone call to
The New York Times that the experiment went awry because of a small programming
mistake that caused the virus to multiply around the military network hundreds
of times faster than had been planned.

The caller, who refused to identify himself or the programmer, said the student
realized his error shortly after letting the program loose and that he was now
terrified of the consequences.

A spokesman at the Pentagon's Defense Communications Agency, which has set up
an emergency center to deal with the problem, said the caller's story was a
"plausible explanation of the events."

As the virus spread Wednesday night, computer experts began a huge struggle to
eradicate the invader.

A spokesman for the Defense Communications Agency in Washington acknowledged
the attack, saying, "A virus has been identified in several host computers
attached to the Arpanet and the unclassified portion of the defense data
network known as the Milnet."

He said that corrections to the security flaws exploited by the virus are now
being developed.

The Arpanet data communications network was established in 1969 and is designed
to permit computer researchers to share electronic messages, programs and data
such as project information, budget projections and research results.

In 1983 the network was split and the second network, called Milnet, was
reserved for higher-security military communications. But Milnet is thought
not to handle the most classified military information, including data related
to the control of nuclear weapons.

The Arpanet and Milnet networks are connected to hundreds of civilian networks
that link computers around the globe.

There were reports of the virus at hundreds of locations on both coasts,
including, on the East Coast, computers at the Massachusetts Institute of
Technology, Harvard University, the Naval Research Laboratory in Maryland and
the University of Maryland and, on the West Coast, NASA's Ames Research Center
in Mountain View, Calif.; Lawrence Livermore Laboratories; Stanford University;
SRI International in Menlo Park, Calif.; the University of California's
Berkeley and San Diego campuses and the Naval Ocean Systems Command in San
Diego.

A spokesman at the Naval Ocean Systems Command said that its computer systems
had been attacked Wednesday evening and that the virus had disabled many of the
systems by overloading them. He said that computer programs at the facility
were still working on the problem more than 19 hours after the original
incident.

The unidentified caller said the Arpanet virus was intended simply to "live"
secretly in the Arpanet network by slowly copying itself from computer to
computer. However, because the designer did not completely understand how the
network worked, it quickly copied itself thousands of times from machine to
machine.

Computer experts who disassembled the program said that it was written with
remarkable skill and that it exploited three security flaws in the Arpanet
network. [No. Actually UNIX] The virus' design included a program designed to
steal passwords, then masquerade as a legitimate user to copy itself to a
remote machine.

Computer security experts said that the episode illustrated the vulnerability
of computer systems and that incidents like this could be expected to happen
repeatedly if awareness about computer security risks was not heightened.

"This was an accident waiting to happen; we deserved it," said Geoffrey
Goodfellow, president of Anterior Technology Inc. and an expert on computer
communications.

"We needed something like this to bring us to our senses. We have not been
paying much attention to protecting ourselves."

Peter Neumann, a computer security expert at SRI International Inc. in Menlo
Park International, said, "Thus far the disasters we have known have been
relatively minor. The potential for rather extraordinary destruction is rather
substantial."

"In most of the cases we know of, the damage has been immediately evident. But
if you contemplate the effects of hidden programs, you could have attacks going
on and you might never know it."
_______________________________________________________________________________

Virus Attack                                                   November 6, 1988
~~~~~~~~~~~~
From the Philadelphia Inquirer (Inquirer Wire Services)

ITHACA, N.Y. - A Cornell University graduate student whose father is a top
government computer-security expert is suspected of creating the "virus" that
slowed thousands of computers nationwide, school officials said yesterday.

The Ivy League university announced that it was investigating the computer
files of 23-year-old Robert T. Morris, Jr., as experts across the nation
assessed the unauthorized program that was injected Wednesday into a military
and university system, closing it for 24 hours. The virus slowed an estimated
6,000 computers by replicating itself and taking up memory space, but it is not
believed to have destroyed any data.

M. Stuart Lynn, Cornell vice president for information technologies, said
yesterday that Morris' files appeared to contain passwords giving him
unauthorized access to computers at Cornell and Stanford Universities.

"We also have discovered that Morris' account contains a list of passwords
substantially similar to those found in the virus," he said at a news
conference.

Although Morris "had passwords he certainly was not entitled to," Lynn
stressed, "we cannot conclude from the existence of those files that he was
responsible."

FBI spokesman Lane Betts said the agency was investigating whether any federal
laws were violated.

Morris, a first-year student in a doctoral computer-science program, has a
reputation as an expert computer hacker and is skilled enough to have written
the rogue program, Cornell instructor Dexter Kozen said.

When reached at his home yesterday in Arnold, Md., Robert T. Morris, Sr., chief
scientist at the National Computer Security Center in Bethesda, Md., would not
say where his son was or comment on the case.

The elder Morris has written widely on the security of the Unix operating
system, the target of the virus program. He is widely known for writing a
program to decipher passwords, which give users access to computers.
_______________________________________________________________________________

New News From Hacker Attack On Philips France, 1987            November 7, 1988
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A German TV magazine reported (last week) that the German hackers who
attacked, in summer 1987, several computer systems and networks (including
NASA, the SPANET, the CERN computers which are labeled "European hacker
center," as well as computers of Philips France and Thompson-Brandt/France) had
transferred design and construction plans of the MegaBit chip having been
developed in the Philips laboratories. The only information available is that
detailed graphics are available to the reporters showing details of the MegaBit
design.

Evidently it is very difficult to prosecute this data theft since German law
does not apply to France based enterprises. Moreover, the German law may
generally not be applicable since its prerequisite may not be true that PHILIPS'
computer system has "special protection mechanisms." Evidently, the system was
only protected with UID and password, which may not be a sufficient
protection (and was not).

Evidently, the attackers had much more knowledge as well as instruments (e.g.
sophisticated graphic terminals and plotters, special software) than a "normal
hacker" has. Speculations are that these hackers were spies rather than
hackers of the Chaos Computer Club (CCC) which was blamed for the attack.
Moreover, leading members of CCC, one of whom was arrested for the attack,
evidently have not enough knowledge to work with such systems.

                                     Information Provided By
                                     Klaus Brunnstein, Hamburg, FRG
_______________________________________________________________________________

The Computer Jam: How It Came About                            November 8, 1988
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By John Markoff (New York Times)

Computer scientists who have studied the rogue program that crashed through
many of the nation's computer networks last week say the invader actually
represents a new type of helpful software designed for computer networks.

The same class of software could be used to harness computers spread around the
world and put them to work simultaneously.

It could also diagnose malfunctions in a network, execute large computations on
many machines at once and act as a speedy messenger.

But it is this same capability that caused thousands of computers in
universities, military installations and corporate research centers to stall
and shut down the Defense Department's Arpanet system when an illicit version
of the program began interacting in an unexpected way.

"It is a very powerful tool for solving problems," said John F. Shoch, a
computer expert who has studied the programs. "Like most tools it can be
misused, and I think we have an example here of someone who misused and abused
the tool."

The program, written as a "clever hack" by Robert Tappan Morris, a 23-year-old
Cornell University computer science graduate student, was originally meant to
be harmless. It was supposed to copy itself from computer to computer via
Arpanet and merely hide itself in the computers. The purpose? Simply to prove
that it could be done.

But by a quirk, the program instead reproduced itself so frequently that the
computers on the network quickly became jammed.

Interviews with computer scientists who studied the network shutdown and with
friends of Morris have disclosed the manner in which the events unfolded.

The program was introduced last Wednesday evening at a computer in the
artificial intelligence laboratory at the Massachusetts Institute of
Technology. Morris was seated at his terminal at Cornell in Ithaca, N.Y., but
he signed onto the machine at MIT. Both his terminal and the MIT machine were
attached to Arpanet, a computer network that connects research centers,
universities and military bases.

Using a feature of Arpanet, called Sendmail, to exchange messages among
computer users, he inserted his rogue program. It immediately exploited a
loophole in Sendmail at several computers on Arpanet.

Typically, Sendmail is used to transfer electronic messages from machine to
machine throughout the network, placing the messages in personal files.

However, the programmer who originally wrote Sendmail three years ago had left
a secret "backdoor" in the program to make it easier for his work. It
permitted any program written in the computer language known as C to be mailed
like any other message.

So instead of a program being sent only to someone's personal files, it could
also be sent to a computer's internal control programs, which would start the
new program. Only a small group of computer experts -- among them Morris --
knew of the backdoor.

As they dissected Morris's program later, computer experts found that it
elegantly exploited the Sendmail backdoor in several ways, copying itself from
computer to computer and tapping two additional security provisions to enter
new computers.

The invader first began its journey as a program written in the C language.
But it also included two "object" or "binary" files -- programs that could be
run directly on Sun Microsystems machines or Digital Equipment VAX computers
without any additional translation, making it even easier to infect a computer.

One of these binary files had the capability of guessing the passwords of users
on the newly infected computer. This permits wider dispersion of the rogue
program.

To guess the password, the program first read the list of users on the target
computer and then systematically tried using their names, permutations of their
names or a list of commonly used passwords. When successful in guessing one,
the program then signed on to the computer and used the privileges involved to
gain access to additional computers in the Arpanet system.

Morris's program was also written to exploit another loophole. A program on
Arpanet called Finger lets users on a remote computer know the last time that a
user on another network machine had signed on. Because of a bug, or error, in
Finger, Morris was able to use the program as a crowbar to further pry his way
through computer security.

The defect in Finger, which was widely known, gives a user access to a
computer's central control programs if an excessively long message is sent to
Finger. So by sending such a message, Morris's program gained access to these
control programs, thus allowing the further spread of the rogue.

The rogue program did other things as well. For example, each copy frequently
signaled its location back through the network to a computer at the University
of California at Berkeley. A friend of Morris said that this was intended to
fool computer researchers into thinking that the rogue had originated at
Berkeley.

The program contained another signaling mechanism that became its Achilles'
heel and led to its discovery. It would signal a new computer to learn whether
it had been invaded. If not, the program would copy itself into that computer.

But Morris reasoned that another expert could defeat his program by sending the
correct answering signal back to the rogue. To parry this, Morris programmed
his invader so that once every 10 times it sent the query signal it would copy
itself into the new machine regardless of the answer.

The choice of 1 in 10 proved disastrous because it was far too frequent. It
should have been one in 1,000 or even one in 10,000 for the invader to escape
detection.

But because the speed of communications on Arpanet is so fast, Morris's illicit
program echoed back and forth through the network in minutes, copying and
recopying itself hundreds or thousands of times on each machine, eventually
stalling the computers and then jamming the entire network.

After introducing his program Wednesday night, Morris left his terminal for an
hour. When he returned, the nationwide jamming of Arpanet was well under way,
and he could immediately see the chaos he had started. Within a few hours, it
was clear to computer system managers that something was seriously wrong with
Arpanet.

By Thursday morning, many knew what had happened, were busy ridding their
systems of the invader and were warning colleagues to unhook from the network.
They were also modifying Sendmail and making other changes to their internal
software to thwart another invader.

The software invader did not threaten all computers in the network. It was
aimed only at the Sun and Digital Equipment computers running a version of the
Unix operating system written at the University of California at Berkeley.
Other Arpanet computers using different operating systems escaped.

These rogue programs have in the past been referred to as worms or, when they
are malicious, viruses. Computer science folklore has it that the first worms
written were deployed on the Arpanet in the early 1970s.

Researchers tell of a worm called "creeper," whose sole purpose was to copy
itself from machine to machine, much the way Morris's program did last week.
When it reached each new computer it would display the message: "I'm the
creeper. Catch me if you can!"

As legend has it, a second programmer wrote another worm program that was
designed to crawl through the Arpanet, killing creepers.

Several years later, computer researchers at the Xerox Corp.'s Palo Alto
Research Center developed more advanced worm programs. Shoch and Jon Hupp
developed "town crier" worm programs that acted as messengers and "diagnostic"
worms that patrolled the network looking for malfunctioning computers.

They even described a "vampire" worm program. It was designed to run very
complex programs late at night while the computer's human users slept. When
the humans returned in the morning, the vampire program would go to sleep,
waiting to return to work the next evening.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Comments from Mark Eichin (SIPB Member & Project Athena "Watchmaker");

The following paragraph from Markoff's article comes from a telephone
conversation he had with me at the airport leaving the November 8, 1988 "virus
conference":

     "But Morris reasoned that another expert could defeat his program by
     sending the correct answering signal back to the rogue. To parry
     this, Morris programmed his invader so that once every 10 times it
     sent the query signal it would copy itself into the new machine
     regardless of the answer.

     The choice of 1 in 10 proved disastrous because it was far too
     frequent. It should have been one in 1,000 or even one in 10,000
     for the invader to escape detection."

However, it is incorrect (I did think Markoff had grasped my comments, perhaps
not). The virus design seems to have been to reinfect with a 1 in 15 chance a
machine already infected.

The code was BACKWARD, so it reinfected with a *14* in 15 chance. Changing the
denominator would have had no effect.
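
Added example (not part of the original file, and not the worm's code): a
small Python model of the reinfection check described in the comments above,
comparing the intended 1-in-N test with the inverted one. The function names,
the uniform roll and the figure of 300 arrival attempts are assumptions made
for illustration.

```python
"""Added model of the reinfection check discussed above. It is not the
worm's code; names and the uniform-roll assumption are illustrative."""
import random
from fractions import Fraction


def proceeds_on_infected_host(roll, n, inverted):
    """Decide whether a new copy installs itself on a host that already
    answered "infected". `roll` is uniform over range(n).

    Intended design: proceed only on one roll in n.
    Inverted test:   proceed on every roll except that one.
    """
    selected = (roll == 0)
    return (not selected) if inverted else selected


def reinfection_probability(n, inverted):
    """Exact probability, found by enumerating every possible roll."""
    hits = sum(proceeds_on_infected_host(r, n, inverted) for r in range(n))
    return Fraction(hits, n)


def expected_copies(n, inverted, attempts):
    """Expected number of copies on one host after `attempts` arrivals at
    a host that already runs one copy."""
    return 1 + attempts * reinfection_probability(n, inverted)


def simulate_copies(n, inverted, attempts, seed=1988):
    """Monte Carlo run of the same process with a fixed seed, so the
    intended and inverted runs see the same sequence of rolls."""
    rng = random.Random(seed)
    copies = 1
    for _ in range(attempts):
        if proceeds_on_infected_host(rng.randrange(n), n, inverted):
            copies += 1
    return copies


if __name__ == "__main__":
    attempts = 300  # constructed figure, not a measurement from 1988
    for n in (10, 15, 1000, 10000):
        for inverted in (False, True):
            label = "inverted" if inverted else "intended"
            p = float(reinfection_probability(n, inverted))
            exp = float(expected_copies(n, inverted, attempts))
            sim = simulate_copies(n, inverted, attempts)
            print(f"1 in {n:>5} {label}: p={p:.4f} "
                  f"expected copies={exp:.1f} simulated={sim}")
```

Under the inverted test, raising N from 15 to 1,000 moves the reinfection rate
from 14/15 to 999/1000, so a larger denominator does not reduce it.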
_______________________________________________________________________________

US Is Moving To Restrict Access To Facts About Computer Virus     Nov. 11, 1988
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By John Markoff (New York Times)

Government officials are moving to bar wider dissemination of information on
techniques used in a rogue software program that jammed more than 6,000
computers in a nationwide computer network last week.

Their action comes amid bitter debate among computer scientists. One group of
experts believes wide publication of such information would permit computer
network experts to identify problems more quickly and to correct flaws in their
systems. But others argue that such information is too potentially explosive
to be widely circulated.

Yesterday, officials at the National Computer Security Center, a division of
the National Security Agency (NSA), contacted researchers at Purdue University
in West Lafayette, Indiana, and asked them to remove information from campus
computers describing internal workings of the software program that jammed
computers around the nation on November 3, 1988. (A spokesperson) said the
agency was concerned because it was not certain that all computer sites had
corrected the software problems that permitted the program to invade systems in
the first place.

Some computer security experts said they were concerned that techniques
developed in the program would be widely exploited by those trying to break
into computer systems.
_______________________________________________________________________________

FBI Studies Possible Charges In "Virus"                       November 12, 1988
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From the Los Angeles Times

WASHINGTON -- FBI Director William S. Sessions on Thursday added two more laws
that agents are scrutinizing to determine whether to seek charges against
Robert T. Morris Jr. for unleashing a computer "virus" that shut down or slowed
computers across the country last week.

One of the laws - malicious mischief involving government communication lines,
stations or systems - appears not to require the government to prove criminal
intent, a requirement that lawyers have described as a possible barrier to
successful prosecution in the case.

Sessions told a press conference at FBI headquarters that the preliminary phase
of the investigation should be completed in two weeks and defended the pace of
the inquiry in which Morris, a Cornell University graduate student, has not yet
been interviewed. Friends of Morris, age 23, have said he told them that he
created the virus.

Sources have said that FBI agents have not sought to question Morris until they
obtain the detailed electronic records of the programming he used in setting
loose the virus - records that have been maintained under seal at Cornell
University.

In addition to the malicious mischief statute, which carries a maximum penalty
of 10 years in prison, Sessions listed fraud by wire as one of the laws being
considered.
_______________________________________________________________________________