SITE EXPERIENCE: ARMY BALLISTIC RESEARCH LAB (M. MUUSS)

Post-Mortem of 3-Nov ARPANET Incident
The Ballistic Research Laboratory Anti-Viral Program
Michael J Adams
The Advanced Computer Systems Team
Army Ballistic Research Laboratory
Tue Nov 8 07:58:43 EST 1988

From Webster's 9th:
- From Latin: slimy liquid, poison, stench
- Causative agent of an infectious disease
- Complex molecules capable of growth and multiplication only in living cells

GLOBAL OUTLINE
- BRL
- History of Events
- The People Involved
- The BRL Approach
- Attack & Propagation Modes
- Network Sweep Tools
- Fixes
- BRL Status

What is U.S. Army Ballistic Research Laboratory
- One of America's foremost research and development labs
- 700 Scientists & Engineers pursuing in-house research programs
- 5 Scientific Divisions, 3 Support Divisions
- Networked Computers are all pervasive throughout research and administrative staffs
- 200 systems: UNIX, Cray and Cray 2

History, Part 1
1800 PST Wed  Virus seen at Rand Corp
2345 EST Wed  Virus enters VGR.BRL.MIL
0300 Thu      VGR was seen attacking other machines
1000 Thu      BRL disconnected from MILNET/DISNET; VGR totally isolated
1200 Thu      BRLNET checking complete, no Virus on inside
1600 Thu      Coordinating w/ other researchers; CA orders MILNET hosts shutdown, blows gws
2200 Thu      Virus was Lead story on CNN
2300 Thu      VGR Test Cell prepared, connected to MILNET

History, Part 2
0645 Fri      MIL gateways restored
0030 Sat      Virus trapped in Test Cell; UCB src rcvd
0630 Sat      BRL-wide power outage (sigh)
0600 Mon      2 Additional attack modules rev eng
1200 Mon      BRL "Vulnerability Sweep" programs operating
1600 Mon      Patched servers installed
1200 Tue      reattach BRL to network

Who BRL Worked With Through the Night
- Tim Smith, US Naval Academy
- Cliff Stoll, Harvard
- Keith Bostic, Berkeley
- Rick Adams, Seismo
- Jenny, CONUS Monitoring
- Bob Fields, CONUS MILNET Monitoring
- CPT Bill Arbaugh, Pentagon
- Peter Yee, NASA Berkeley

BRL Approach
- Use instrumented Test Cell
- Analyze attack modes
- Coordinate community efforts
    Via telephone
    Assist with reverse engineering
- Relay info on attack modes, incl flukes
    2nd priv inetd (3 sites)
    Ingres lock daemon
    System accounting

Attack Modes
- Sendmail SMTP Server
- Finger Daemon
- Password attack, word list
- .rhosts, /etc/hosts.equiv, .forward

After Penetration
Gorch Attack sends ll c sources compiles and run
Ll Loading gets Sun and VAX obj from network
Ll Shell Linl s 2nd stage
Attack Crack Propagate

Network Sweep Tool
- Finger Daemon buffer overrun
- FTP bugs
- TFTP bugs
- passwd
- rsh
- SMTP (Sendmail): Wiz, Debug

Fixes
- Improved fingerd with logging
- FTPD xes xes
- Code installed on Suns, Goulds
- In progress on Crays, Alliant, Convex
- BRL has source code licenses

Books News
Adolescense of Sole on Saphire
Press Coverage was remarkably good
My congratulations to the Public Relations folks
My fear, these headlines: Computer Virus Spreads to Humans 96 Left

BRL Status
- NO information lost
- Minor disruption of work schedules due to network disconnection
- BRL Computers now secure against this threat
- Anti-Viral Team used ~500 man hours
- Incidental people used 1000 man hours
- Copy of Virus still captive in test cell

Who is This MUUSS Fellow, AnyWay?
Michael Muuss
Leader, Adv Computer Systems Team
Ballistic Research Laboratory
APG, MD 21005-5066 USA
AV 283-6678
ArpaNet: Mike@BRL.MIL

BRL WanBusters
Mike Muuss Phil Doug Terry Slattery Bob Sue Muuss Lee Butler

This document is from the holdings of:
The National Security Archive
Suite 701, Gelman Library, The George Washington University
2130 H Street NW, Washington, D.C. 20037
Phone: 202 994-7000  Fax: 202 994-7005
nsarchiv@gwu.edu