National Computer Security Center

PROCEEDINGS of the VIRUS POST-MORTEM MEETING
8 November 1988

MILNET Computer Virus Attack of 3 November 1988

TABLE OF CONTENTS

MEMORANDUM
RECOMMENDATIONS
AGENDA
INTRODUCTION
THE VIRUS
CHRONOLOGY OF EVENTS
SITE EXPERIENCES

NATIONAL COMPUTER SECURITY CENTER
FORT GEORGE G. MEADE, MARYLAND 20755-6000

Serial: C3-0021-88
14 November 1988

MEMORANDUM FOR DISTRIBUTION

SUBJECT: 8 November Post Mortem Meeting on the Virus Propagation
INFORMATION MEMORANDUM

The National Computer Security Center (NCSC) hosted a meeting on 8 November 1988 of highly respected researchers from government and university research facilities for the purpose of documenting their unique contribution in categorizing and resolving the recent virus attack. Representatives from Air Force, Army, ASD(C3I), CIA, DARPA, DCA, DOE, FBI, NIST, NCSC, NSA and their colleagues from academia recounted their site experiences and shared their respective approaches to thwarting the propagation and purging the virus from their systems. The sharing of information that took place at this meeting was unprecedented and reflected very positively on all participants. The high degree of professionalism and dedication by those involved, particularly in the university research community, was the key to rapidly understanding and ending the propagation of this virus.

In the pages that follow our editors have captured the essence and record of the meeting's presentations and discussions. Some of the material is obviously in early draft form; however, we believe that the value of these proceedings will be in its timely dissemination as opposed to its format quality.

This virus attack was the first occurrence of a virus propagating autonomously via a network and affecting host computers throughout the United States. The goal of the post-mortem was to examine this virus incident in depth and develop an assessment of US capability to react and recover from future attacks of this nature. While the MILNET was the focus in this incident, the
lessons learned are generic and applicable to all networks or distributed computing systems processing classified or unclassified data.

The attendees developed the 11 attached recommendations to reduce the vulnerability of U.S. Government and private networks to virus attack. All unanimously agreed with the recommendations and concluded that the computer security community faces an urgent responsibility to develop the capability to rapidly respond to subsequent attacks. In response to this charge the NCSC, in conjunction with the NIST, is developing a detailed implementation plan for these recommendations.

Sincerely,

LAWRENCE CASTRO
Chief, Research and Development

Encl: a/s

RECOMMENDATIONS FROM THE 8 NOVEMBER 1988 POST MORTEM OF THE VIRUS PROPAGATION

1. Establish a centralized coordination center. This center, supported jointly by NIST and NSA, would also function as a clearinghouse and repository. Computer site managers need a place to report problems and to obtain solutions. This center might evolve into a national level command center supporting the government and private sector networks. The center needs to provide 24 hour service but not necessarily be manned 24 hours a day; responding via beeper after hours might be acceptable.

2. Establish an emergency broadcast network. In this case the network was used to disseminate the patches (antidote) at the same time the virus was still actively propagating. If the net had gone down there would have been no way to coordinate efforts and disseminate patches. It is recommended that a bank of telephone lines be designated as an emergency broadcast network. The phones would be connected to digital tape recorders and operate in a continuous broadcast mode or a recorded binary announcement mode to disseminate network status, patches, etc.

3. Establish a response team. The technical skills required to quickly analyze virus code and develop antidotes or system patches are highly specialized. The skills required are system specific (UNIX 4.3 in
this case) and in many cases exist only at vendor development facilities; the majority of commercial operating systems are proprietary and source code is not provided to users. The concept of a response team would require advance coordination so that personnel with the requisite skills can be quickly mobilized.

4. Maintain technical relationships with the computer science "old boy network". The virus was analyzed and eradicated through the services of this old boy network, not by U.S. Government (USG) personnel. This old boy network is willing to participate in supporting USG initiatives; however, their consensus, support and trust is required.

5. Centrally orchestrate press relations. An inordinate amount of time at virtually every site was spent responding to the news media. Multiple press reporting from geographically dispersed sites has the potential for circular reporting of incorrect and misleading data. A single USG focal point at the national level to interact with the press is recommended.

6. Develop standard procedures. During this recent event several different fixes or patches to the virus were disseminated to users. There was no method available to determine if the fix was to be trusted, to authenticate the purported origin of the fix, and to determine whether the patch itself contained malicious code. A related issue concerns the legal liability of the individual or organization developing and promulgating the fix in the event it causes undesired results. A "good samaritan" exclusion is desired.

7. Designate a centralized repository for virus infection reports. The National Computer Security Center (NCSC) has designated a bulletin board on Dockmaster as a central repository for this purpose.

8. Include law enforcement agencies in the planning and implementation phases. The response and recovery from viral attacks will generate information which may be evidence from the legal perspective. Their input is needed. Participation in response teams should be an option.

9. Training for system
operators. Many system operators lacked the technical ability to understand that a virus had attacked their system. Similarly, those same system operators had difficulty in administering the antidote. It is recommended that standards be established and a training program started. A similar event occurred during the 1986 German hacker penetration of the [...]: system operators, when informed that their system had been penetrated, refused to believe it.

10. Establish standard backup policies. The conventional methodology of routinely performing a system backup by saving a mirror image on disk would have been disastrous in the case of this particular virus, because the virus would have unwittingly been included on the backup. New standards and criteria for backup should be developed and promulgated by NIST or the NCSC.

11. Develop a common set of virus analysis tools. The analysis of a virus is initiated by reverse engineering the virus code. The reverse engineering of software is complicated, tedious and computer specific. A common set of virus analysis tools needs to be developed and available for use by the quick response team.

Caveat: All of the recommendations must be implemented within the constraints of PL 100-235. PL 100-235 assigns responsibilities in computer security to NIST for unclassified systems and to the National Security Agency for classified systems. These recommendations clearly fall into both areas.

POST MORTEM OF 3 NOVEMBER ATTACK
Tuesday, 8 November, 0900

AGENDA

WELCOME: L. Castro
KICKOFF: P. Gallagher
INTRODUCTION: D. Vaurio
SITE EXPERIENCES
  HARVARD: C. Stoll
  LAWRENCE LIVERMORE: C. Cole
  BERKELEY: P. Lapsley
  MIT: D. Alvarez, M. Eichin, J. Rochlis
  LOS ALAMOS NATIONAL LABS: A. Baker
  DCA: G. Mundy
  ARMY BALLISTICS RESEARCH LAB: M. Muuss
  SRI: D. Edwards
HOW THE ATTACK WORKS
  INTRODUCTION: G. Meyers
  CONTRAST WITH OTHER VIRUSES: J. Beckman
RECOMMENDATIONS: R. Brand
DISCUSSION: A GOVERNMENT MALICIOUS CODE INFORMATION NETWORK: D. Vaurio, P. Fonash, S. Katzke, W. Scherlis, C. Stoll, L. Wheeler

INTRODUCTION

On Wednesday, 2 November 1988, a
sophisticated virus attacked host computers throughout the MILNET and the ARPANET computer network communication systems and significantly reduced computer operations at many facilities. Host managers and software experts responded effectively to this challenge. They identified the virus attack routes, analyzed the virus software, developed antidotes, and communicated information about both the attacks and antidotes to other sites. Defensive software was in place and the virus largely purged from the network within 48 hours.

The National Computer Security Center (NCSC) hosted a meeting on Tuesday, 8 November 1988, to review and document the virus attack and its subsequent solution. Over 75 researchers and administrators from government, industry and university computer facilities recounted their experiences and shared their approaches to stopping the propagation of the virus and purging the virus from their computer systems. This document is a summary of their reports. We would appreciate comments concerning errors or omissions; please contact Dr. C. Terrence Ireland at the NCSC on (301) 859-4485.

THE VIRUS

Once introduced into a host computer, the virus can automatically propagate itself to other hosts using several different mechanisms.

The virus can use a documented feature in the sendmail program that was intended for use during program development. Sendmail is the UNIX user interface to the network mail system. A debugging feature in sendmail allows a user to send a program to a host, which then goes directly into execution, bypassing the standard login procedure.

The virus can use a program error in the fingerd program. Fingerd allows a UNIX user to query a remote host about its current activity or the profile of a specific user. The error occurs when specific and improper data is passed into the program. When fingerd quits, a rogue program contained in the passed data goes into execution.

The virus can masquerade as a legitimate user by discovering a user's password that was not carefully
constructed, logging on as that user, and starting the entire infection process over.

The virus uses host tables maintained by the system and by its legitimate users to select other hosts and gateways to attack. It takes advantage of high levels of trust between remote hosts frequently accessed by users who can connect to trusting hosts without manually having to go through the login procedure.

CHRONOLOGY OF EVENTS

The following chronology is compiled from presentations at the 8 November 1988 Post Mortem review. As in any historical analysis, it is difficult to determine the exact sequence of events. The format gives the Eastern Standard Time (EST) of the event in the left hand column, followed by the reported time of the event in parentheses if the report came from a different time zone, then a short description of the event, followed by a parenthesized list of the people reporting it. The following list of abbreviations is used extensively:

BRL   Army Ballistic Research Laboratory
DCA   Defense Communications Agency
DOE   Department of Energy
LANL  Los Alamos National Laboratory
LLNL  Lawrence Livermore Laboratory
NASA  National Aeronautic and Space Administration
UCB   University of California, Berkeley
UCD   University of California, Davis
UCSD  University of California, San Diego

Wednesday, 2 November 1988

1700  Cornell detects virus (Stoll, Myers)
1830  University of Pittsburgh infects RAND (Myers)
2100 (1800 PST)  Stanford and RAND detect virus (Stoll)
2100 (1800 PST)  BRL hears of virus (Muuss)
2200 (1900 PST)  UCB detects virus (Muuss)
2300  Virus spreads from MIT AI Labs (Stoll)
2328 (2028 PST)  Peter Yee sends first notice that UCB, UCSD, Stanford and NASA Ames have been attacked by a virus (Rochlis)
2345  Virus enters VGR.BRL.MIL at BRL (Muuss)

Thursday, 3 November 1988

0000 (2100 PST)  UCB shuts off sendmail, fingerd, etc. (Muuss)
0100  More than 15 ARPANET hosts infected (Stoll)
0105 (2205 PST)  Virus attacks LLNL (Cole)
0200  Harvard detects virus (Stoll)
0300  Virus spreads (Muuss)
0300  Virus spreads into most subnets (Stoll)
0310  MIT detects virus (Rochlis)
0330 (0030 PST)  LLNL begins virus analysis (Cole)
0334  Virus threat posting from Harvard to TCP/IP with sendmail and rexecd warnings; requires 26 hours to reach MIT
0400  Network overloading slows spread of virus; approximately 1000 hosts infected (Stoll)
0400 (0100 PST)  UCB fixes sendmail problem (Lapsley)
0400 (0100 PST)  LLNL believes problem serious enough to consider disconnecting from network (Cole)
0400  MIT Athena Project detects virus (Schiller)
0448 (0148 PST)  LLNL disconnects from network (Cole)
0500  Stoll alerts MILNET and ARPANET operations centers (Stoll)
0515  MILNET monitoring center notified of virus by University of Pittsburgh (Mundy)
0530 (0230 PST)  LLNL notifies DOE Headquarters (Cole)
0600 (0300 PST)  UCB posts sendmail antidote on USENET bulletin boards (Lapsley)
0600 (0300 PST)  UCB contacts UCD (Cole)
0630 (0330 PST)  LLNL installs sendmail antidote on VAX host, but it does not prevent reinfection (Cole)
0645  Stoll calls NCSC (Stoll)
0800  Smithsonian Astrophysical Center detects virus (Stoll)
0800  UCB identifies fingerd problem (Lapsley)
0806  UCB sendmail fix forwarded (Rochlis)
0900 (0700 MST)  DOE Headquarters notifies Los Alamos (Baker)
1000  DOE Headquarters advises its 7 ARPANET hosts to leave the net (Vaurio)
1000 (0700 PST)  LLNL holds first press conference (Cole)
1000  BRL disconnects DISNET, NSI (Muuss)
1007  MIT receives UCB sendmail fix to MIT Project Athena (Rochlis)
1015  MIT Math department detects virus and shuts down gateway to their Suns (Rochlis)
1028 (0728 PST)  NCSC requests copy of virus from LLNL (Cole)
1100  MIT begins work on virus (Rochlis)
1130  DCA inhibits mail bridges between ARPANET and MILNET (Mundy)
1130 (0830 PST)  LLNL tells Lab Directors to remove their hosts from the network (Cole)
1200  BRLNET completes internal checking for virus; concludes virus no longer present (Muuss)
1500 (1300 MST)  LANL first receives antidotes (Baker)
1500 (1200 PST)  LLNL installs antidote and restarts internal networks (Cole)
1500  Antidote published (Stoll)
1800 (1600 MST)  LANL receives antidotes (Baker)
1800  MIT observes virus using the fingerd attack (Rochlis)
1852  Risks digest seen
at MIT; includes Stoll message describing spread and other messages describing sendmail propagation mechanism (Rochlis)
2000 (1700 PST)  UCB begins decompilation of fingerd component (Lapsley)
2100  MIT decodes most of virus strings; sees the net address ernie.berkeley.edu, to whom the virus was supposed to send messages (Rochlis)
2100  First press interviews at MIT (Rochlis)
2300  BRL connects protected host to MILNET in effort to capture virus (Muuss)

Friday, 4 November 1988

0000 (2100 PST)  UCB posts fingerd antidote on USENET bulletin boards (Lapsley)
0500  MIT finishes decompilation (Rochlis)
0900 (0600 PST)  UCB finishes virus decompilation (Lapsley)
1100  Mailbridges returned to service (Mundy)
1200 (0900 PST)  LLNL back on network (Cole)
1800  Virus pretty much eliminated (Stoll)

Saturday, 5 November 1988

0030  BRL captures virus in protected host; it's still out there (Muuss)

Monday, 7 November 1988

0600  Analysis completed by BRL on 2 virus modules (Muuss)
1200  BRL Vulnerability Sweep programs operating (Muuss)
1600  Antidotes installed at BRL (Muuss)

Tuesday, 8 November 1988

0900  Post Mortem Review at NCSC

SITE EXPERIENCES

Researchers directly involved with analyzing and stopping the virus attack shared their experiences during a Post Mortem Review at the National Computer Security Center. The following is a summary of their accounts presented at the 8 November 1988 Review.

CENTER FOR ASTROPHYSICS

Personnel were alerted to the situation during the early morning hours on Thursday, 3 November 1988, when the virus was first seen at Harvard. Researchers who responded to the call soon realized that there had been continual network reinfection, suggesting that the virus was being spread by the sendmail utility in the UNIX BSD 4.3 and related operating systems. Five hours later that day the virus reinfected this site. Personnel spent the rest of the day trying to eradicate the virus using the antidote that had been sent out over the network and dealing with press media inquiries. Harvard researchers were frustrated in combatting the
virus by the lack of coordination with other sites experiencing the same problem, the lack of communication with sites that had been disconnected from the network, the slow network response caused by the saturation of the network by virus packets passing between hosts, and the variety of tactics used by the virus to spread among the hosts. Harvard researchers provided much needed assistance to the community by suggesting methods for host cleanup and urging users to change their passwords.

LAWRENCE LIVERMORE LABORATORIES OF THE DEPARTMENT OF ENERGY

The security force called the appropriate Laboratory officials just before midnight on Wednesday, 2 November 1988, to report a serious problem with the Laboratory's computer systems. After arriving on the scene, the officials assembled a six person Virus team as soon as possible and set up a response center to deal with the situation. The six person team began exploring computer facilities, all the while maintaining close contact with their University of California, Berkeley (UCB) counterparts. When officials were convinced that the problem was serious enough to sever network connections to prevent internal spreading of the virus, the people responsible for the various interface connections were instructed to disconnect them. At that point UCB researchers informed them by phone that they were working on a fix for the sendmail problem. A fix was later installed on a VAX, which was then reconnected to the network to determine if the fix would prevent reinfection -- it did not. Officials then notified DOE headquarters and the University of California, Davis. A memo was distributed to employees as they arrived for work at the laboratory's three entrance gates. The memo advised everyone to turn on their machines. As the workday began, press inquiries multiplied and the community received an update on the virus situation; laboratory directors were told to disconnect from the network; fixes were described at a meeting with 300 people. By noon Thursday the fixes
had been installed on all of the computers and they were brought back on line. Later that day a final press conference was held. Not long after the press conference DOE headquarters was again called, and again headquarters reported that it had not been hit by the virus. LLNL reported that a test fix had been created and was running; it expected to know whether the fix worked by late in the day on 8 November 1988. Because the virus probes a password file, all users are in the process of changing their passwords on all systems.

UNIVERSITY OF CALIFORNIA, BERKELEY

Researchers first noticed that their machines had been attacked shortly after dusk PST on Wednesday, 2 November 1988. Within a few hours they had determined that the systems involved included, among others, sendmail and telnet. They were able to determine what the virus was doing through a network message from NASA Ames and phone contacts. UCB researchers were able to work out an initial fix to disable the debug option in the sendmail system. They later sent out a second fix. Very early Thursday morning UCB researchers had observed a second virus attack using the fingerd system, and by early evening began decompiling that virus component. The decompiling process lasted into the early morning hours on Friday. Three UCB terminals were still decompiling as of Monday. The UCB spokesman was quick to acknowledge that he and his colleagues had received expert assistance in the decompiling effort from members of the Berkeley UNIX workshop attendees who luckily happened to be in town.

LOS ALAMOS NATIONAL LABORATORY (LANL) OF THE DEPARTMENT OF ENERGY

The DOE Center for Computer Security received the first word on the virus on Thursday, 3 November 1988. When they learned of the virus, LANL researchers gathered information from DOE headquarters and then devoted their efforts to analyzing the virus. By the time LANL had learned of the virus attack, others in the computer security community already had been working on virus fixes. The LANL effort was
hampered by a lack of timely information. Most of the information they received was inaccurate and they seldom received followup information. LANL researchers received conflicting information on the fixes; they did not receive a copy of the first patch until Thursday evening. Since LANL does not have a UNIX expert on site, it was difficult to figure out which fixes would work and which would not, whether the fix was reliable, and who had originated the patch. LANL had difficulty dealing with information being passed from one nontechnical person to another, and the technical people had problems interpreting this information effectively.

DEFENSE COMMUNICATIONS AGENCY (DCA)

The MILNET monitoring center housed at DCA was notified of the virus attack early Thursday morning. Just before noon on Thursday the ports on both sides of the mail bridges were looped back to prevent any traffic flow between the ARPANET and the MILNET. DCA received phone calls from the Army Ballistic Research Laboratory (BRL) about once every 3 hours. The MILNET was looped back at 1130 am on Thursday and opened early on Friday morning at BRL's request. The rest of the machines were turned back on later on Friday. The Network Operations Center was not able to identify this virus attack; monitoring the system usage did not yield the necessary information. It is not unusual for a host or several hosts to go down on the MILNET or ARPANET. If DCA receives a call about an ARPANET problem they take it seriously. In this instance they received no calls until early Thursday morning and saw no indication of a virus. The MILNET and ARPANET monitoring centers do receive constant information on network status, but the propagation of the virus appeared to be routine host activity. DCA is in the process of evaluating the impact of the virus attack and has instructed personnel to set up a mailbox to collect information. The INTERNET address of the infected machines should be useful. DCA researchers are particularly interested in the impact
of the virus on the MILNET. Operations personnel on the MILNET and the ARPANET are concerned about the lack of administrative reporting.

ARMY BALLISTICS RESEARCH LABORATORY (BRL)

BRL researchers first learned of the virus from the attack on RAND on Wednesday. Early on Thursday BRL received phone calls notifying them that the virus had infected other sites, and later that day they began a coordinated effort with various sites. BRL researchers said that their contribution was fairly modest. The virus attacked only one or two BRL hosts. BRL personnel responsible for installing computer systems must adhere to a U.S. Army regulation which states that each host must defend its own host to network interface. Every host is set up to defend itself. The mechanisms to block improper entry attempts and to log all entry attempts are built into every host. Since most weapons systems for the year 2000 are being designed at BRL, researchers are forced to take a very conservative approach to computer security. BRL was able to develop a protected or "test cell" host which they placed back on the network in an effort to capture the virus for analysis. The protected host was placed on the network very late on Thursday evening but did not capture the virus until early Saturday morning. By noon on Monday they had created vulnerability sweeping modules to check their machines for infestations of the virus. They will reconnect all of their machines to the network once they believe their machines to be clean and protected, most likely around noon on Tuesday, 8 November 1988. The effort expended at BRL was estimated to be 500 work hours. Six four line telephones were in active use throughout the entire effort. BRL was especially concerned about the virus's attack to recover user passwords. They suggested that Berkeley do a code review of this problem.

SRI INTERNATIONAL (SRI)

SRI became aware of the virus late Wednesday night via information received from other infected sites. The SRI Computer Science Laboratory gateway
was down for about 2 hours on Thursday morning, with several other gateways down until Friday morning. The Computer Science Laboratory remained largely unaffected due to the lack of host table entries. However, the virus had been detected because of unusual command usage and excessive audit entries. Personnel were able to examine fingerd and to determine how they had been infected. The virus problem consumed an estimated 3 workhours to shut down the gateway, correct the mailers, clean up the system, and return to service. Since the virus attacked only a small Sun network, SRI researchers feel lucky. Personnel are in the process of downloading [...] to the Suns and hope to use the Sun audit data to detect the virus path. If the virus had entered the main server, SRI feel that it could have done considerable damage.

SRI researchers are working on a real time intrusion-detection expert system called IDES, sponsored by a DOD computer security program. The IDES team feels that an IDES enhanced prototype would have detected the sendmail attack, as it would have noted the compiler and command usage by fingerd, the excessive audit records, and the input/output and CPU usage. Sendmail connects to standard network ports only. The virus was using nonstandard ports to download its binary images. A system such as IDES could have detected the usage of nonstandard ports.

The communication and coordination problem existed at SRI as it did at other sites. System managers needed more instruction. Suggested actions included establishing a better notification and coordination system and general procedures to follow for the INTERNET hosts.

LIST OF ATTENDEES (Title, FirstName, LastName, Organization, Address, Phone)

Mr. Don Alvarez, MIT Center for Space Research, 37-618, 77 Massachusetts Ave, Cambridge, MA 02139, Boomer@space.mit.edu, 617-253-7457
Bill Arbaugh, HQDA OCSA, Washington, DC 20316, 202-694-6912
Ms. Beth Babyak, FBI-HQ, 10th Ave NW, Washington, DC 20535
Mr. Dave Bailey, DOE Production Operations Division, PO Box 5400, Albuquerque, NM 87115, DB@a.lanl.gov, 505-846-4600
Ms.
Alice Baker, PO Box 1663, MS E541, Los Alamos, NM 87545, 505-665-2577
Mr. Joseph Beckman, 9800 Savage Road, Ft. Meade, MD 20755-6000, Beckman@dockmaster.arpa, 301-859-4489
SA Paul Boedges, HQ Bolling AFB, Washington, DC 20332-6001, 202-767-5847
Dr. Russell L. Brand, Lawrence Livermore National Labs, 1862 Euclid Ave, Suite 136, Berkeley, CA 94709, 41
Dr. Leon Breault, DOE, Washington, DC 20545, 301-353-4255
Mr. Bruce Calkins, C331, 9800 Savage Road, Ft. Meade, MD 20755-6000, BCalkins@dockmaster.arpa, 301-859-4488
Mr. Larry Castro, 9800 Savage Road, Ft. Meade, MD 20755-6000, 301-859-4485
Jim Christy, HQ Bolling AFB, Washington, DC 20332, 202-767-5847
Mrs. Judi Citrenbaum, C34, 9800 Savage Road, Ft. Meade, MD 20755-6000, 301-859-4486
Mr. Chuck Cole, Lawrence Livermore National Labs, PO Box 808, Livermore, CA 94550
Mr. William Collins, NCSC Attn C34, 9800 Savage Road, Ft. Meade, MD 20755-6000, 301-859-4486
Mr. Jared Dreicer, DOE, PO Box 1663, MS E541, Los Alamos, NM 87545, 505-667-0005
Dave Eastep, Attn T33, 9800 Savage Road, Ft. Meade, MD 20755-6000, 301-688-5456
David Edwards, DCA Code B602, McLean, Washington, DC 20305-2000, DLE@csl.sri.com, 703-285-5206
Dr. Mark Eichin, MIT Project Athena, 4 Ames Street, Nichols 201, Cambridge, MA 02139, Eichin@athena.mit.edu, 617-253-7788
Paul Esposito, 9800 Savage Road, Ft. Meade, MD 20755-6000
Steven D. Fleshman, Attn X21, 9800 Savage Road, Ft. Meade, MD 20755-6000, Fleshman.xeval@dockmaster.arpa, 301-688-5726
Mr. Pete Fonash, DCA, Code H102, 8th & Courthouse Road, Arlington, VA, 202-746-3642
Paul Franceus, NCSC Attn C321, 9800 Savage Road, Ft. Meade, MD 20755-6000, Franceus@tycho.arpa, 301-859-4491
J. Michael Gibbons, FBI-WMFO, 300 N. Lee Street, Suite 500, Alexandria, VA 22314, 703-683-2680
Bill Gordon, 1300, Washington, DC 20505, 703-482-5493
Kimberly Hebda, C311, 9800 Savage Road, Ft. Meade, MD 20755-6000, 301-859-4488
Gericks Hendricks, 9800 Savage Road, Ft. Meade, MD 20755-6000
Alan Hensley, NCSC Attn C34, 9800 Savage Road, Ft. Meade, MD 20755-6000, Hensley@dockmaster.arpa, 301-859-4494
George Hoover, Attn V45,
9800 Savage Road, Ft. Meade, MD 20755-6000, Hoover@dockmaster.arpa, 301-859-4374
Douglas Hunt, National Inst. of Standards & Tech., Computer Security Division, 225, Gaithersburg, MD 20899, DHunt@ecf.icst.nbs.gov, 301-975-5140
Dr. David J. Icove, FBI, FBI Academy, Quantico, VA, 703-640-1176
Dr. Terry Ireland, NCSC, 9800 Savage Road, Ft. Meade, MD 20755-6000, Ireland@dockmaster.arpa, 301-859-4371
John Jackson, 9800 Savage Road, Ft. Meade, MD 20755-6000, Jackson@tycho.arpa, 301-859-4491
Dr. Mike Karels, University of California, CSRG, Computer Science Div., EECS, Berkeley, CA 94720, Karels@ucbarpa.Berkeley.EDU, 415-642-4948
Dr. Stu Katzke, National Inst. of Standards & Tech., Technology Bldg. A216, Gaithersburg, MD 20899, Katzke@ecf.icst.nbs.gov, 975-2929
Stephen J. Kougoures, Attn 581, 9800 Savage Road, Ft. Meade, MD 20755-6000, 301-688-6026
Mr. Timothy W. Kremann, NCSC Attn C31, 9800 Savage Road, Ft. Meade, MD 20755-6000, 301-859-4488
Dr. Phil Lapsley, University of California, Experimental Computing Facility, 1998 Cory Hall, Berkeley, CA 94720, Phil@ucbarpa.Berkeley.EDU, 415-642-7447
Mr. Peter Loscocco, NCSC Attn C321, 9800 Savage Road, Ft. Meade, MD 20755-6000, Loscocco@tycho.arpa, 301-859-4491
SSA R. Stephen Mardigian, FBI, FBI Academy, Quantico, VA, 704-640-6131
Capt. John McCumber, NCSC, 9800 Savage Road, Ft. Meade
Mr. Jack Moskowitz, NCSC Attn C2, 9800 Savage Road, Ft. Meade, JJMoskowitz@dockmaster, 301-859-4465
LtCol George R. Mundy, DCA Code B602, Washington, DC 20305-2000, Mundy@beast.ddn.mil, 703-285-5481
Mike Muuss, US Army Ballistic Research Lab, Leader, Advanced Computer Systems Team, APG, Mike@brl.mil, 301-278-6678
Eugene Myers, Secure Architectures, 9800 Savage Road, Ft. Meade, EDMyers@dockmaster.arpa, 301-859-4488
Gordon R. I. Parry, CIA, Washington, DC 20505, 703-482-6204
Mr. George Prettyman, Asst. General Counsel, 9800 Savage Road, Ft. Meade, MD 20755-6000, 301-688-6017
Ms. Harriet Roberts, NCSC Attn C34, 9800 Savage Road, Ft. Meade, MD 20755-6000, 301-859-4486
Jon Rochlis, MIT, E40-311, Cambridge, MA
02139, Jon@athena.mit.edu, 617-253-4222
Shawn Rovansek, NCSC Attn C12, 9800 Savage Road, Ft. Meade, Rovansek@dockmaster.arpa, 301-859-4458
Kenneth Rowe, NCSC Attn C333, 9800 Savage Road, Ft. Meade, MD 20755-6000, Rowe@tycho.arpa, 301-859-4491
Dr. William Scherlis, DARPA, 1400 Wilson Blvd, Arlington, VA 22209, Scherlis@vax.darpa.mil, 202-694-5800
LTC James Sells, NCSC Attn C33, 9800 Savage Road, Ft. Meade, MD 20755-6000, JSells@dockmaster.arpa, 301-859-4494
Richard Severson, NCSC Attn C333, 9800 Savage Road, Ft. Meade, MD 20755-6000, Severson@dockmaster.arpa, 301-859-4491
Philip Sibert, DOE, Washington, DC 20545, 301-353-3307
SSA Karen E. Spangenberg, FBI-HQ, 10th NW, Washington, DC 20535, 202-325-6594
Mr. K. H. Speierman, NSA, Senior Scientist, 9800 Savage Road, Ft. Meade, MD 20755-6000, 301-688-6434
Dr. Stephen L. Squires, DARPA, Information Science and Technology Office, Director, Strategic Computing, 1400 Wilson Blvd, Arlington, VA 22209, Squires@vax.darpa.mil, 202-694-5800
Capt. Michael St. Johns, DCA, Code 6612, Washington, DC 20305-2000, StJohns@beast.ddn.mil, 703-285-5133
Dr. Howard Steiner, NCSC Attn C32, 9800 Savage Road, Ft. Meade, MD 20755-6000, 301-859-4491
Dr. Dennis D. Steinauer, National Inst. of Standards and Tech., A216 Technology, Gaithersburg, MD 20899, Steinauer@ecf.icst.nbs.gov, 301-975-3357
Mr. Jim Steinmeier, NCSC Attn C2, 9800 Savage Road, Ft. Meade, MD 20755-6000, 301-859-4467
Mr. Cliff Stoll, Center for Astrophysics, 60 Garden Street, MS 6, Cambridge, MA 02138, Cliff@cfa200.harvard.edu
Mr. Jeff Sweet, Attn X21, 9800 Savage Road, Ft. Meade, MD 20755-6000, 301-688-5724
Maj. Hugh H. Thomas, NCSC Attn C25, 9800 Savage Road, Ft. Meade, MD 20755-6000, Thomas@dockmaster.arpa, 301-859-4474
Mr. Mario Tinto, NCSC Attn C1, 9800 Savage Road, Ft. Meade, MD 20755-6000, Tinto@dockmaster.arpa, 301-859-4450
David Vaurio, C3, 9800 Savage Road, Ft. Meade, MD 20755-6000, 301-859-4485
Wayne J. Weingaertner, NCSC Attn C31, Secure Computer Systems, 9800 Savage Road, Ft. Meade, MD 20755-6000, WWeingaertner@dockmaster.arpa, 301-859-4488
Howard
Weiss, NCSC Attn C32, 9800 Savage Road, Ft. Meade, MD 20755-6000, HWeiss@dockmaster.arpa, 301-859-4491
Larry E. Wheeler, OSD, Pentagon Room 3E187, Washington, DC 20301, 202-695-7181
Mark Woodcock, NCSC Attn C331, 9800 Savage Road, Ft. Meade, MD 20755-6000, Woodcock@tycho.arpa, 301-859-4494
Tom Zmudzinski, DCA Code B602, McLean, Washington, DC 20305-2000, TomZ@ddn1.arpa, 703-285-5206

THE INTERNET VIRUS OF NOVEMBER 3, 1988
Mark W. Eichin
MIT Project Athena
November 8, 1988

Contents

1 Strategies Involved
  1.1 Attacks
    1.1.1 Finger bug
    1.1.2 Sendmail
    1.1.3 rexec and passwords
    1.1.4 side effects
  1.2 defenses
    1.2.1 covering tracks
    1.2.2 camouflage
  1.3 flaws
    1.3.1 reinfection prevention
    1.3.2 heuristics
2 The program
  2.1 main
    2.1.1 initialization
    2.1.2 Command line argument processing
  2.2 doit routine
    2.2.1 initialization
    2.2.2 main loop
  2.3 Cracking routines
    2.3.1 cracksome
    2.3.2 crack0
    2.3.3 crack
    2.3.4 phaseZ
    2.3.5 phase2
  2.4 h routines
  2.5 attack routines
    2.5.1 hit finger
    2.5.2 hit rexec
    2.5.4 makemagic
  2.6 host modules
    2.6.1 name to host
    2.6.2 address to host
    2.6.3 add address
    2.6.4 add name
    2.6.5 Clean up table
    2.6.6 get addresses
  2.7 object routines
    2.7.1 load object
    2.7.2 get object by name
  2.8 other initialization routines
    2.8.1 if init
    2.8.2 rt init
A Credits
  A.1 The MIT team
  A.2 The Berkeley Team
  A.3 Others

Abstract

This paper is a thorough analysis of the code of the virus program which attacked the Internet beginning some time November 3, 1988. It discusses the actual code itself as well as the strategies and ideas involved in the propagation of the virus.

A virus, according to Webster's, is something which causes infectious disease as well as being capable of growth and multiplication only in living cells. Inasmuch as a computer is analogous to a living entity, this program is a virus; one of its infection methods is very much like an actual virus in that it actually infects a running program to gain entry into the system. Also, virii
infect; worms just crawl around.

Chapter 1: Strategies Involved

1.1 Attacks

This virus attacked several things, directly and indirectly. It both picked out some deliberate targets and had interesting side effects.

1.1.1 Finger bug

The virus hit the finger daemon by overflowing a buffer which was allocated on the stack. The overflow was possible because a library function which did not do range checking was used. Since the buffer was on the stack, the overflow allowed a fake stack frame to be created, which caused a small piece of code to be executed when the procedure returned. The write daemon has a similar piece of code which makes the same mistake, but it execs write directly and explicitly exits rather than returning, and thus never uses the damaged return stack.

1.1.2 Sendmail

The sendmail mechanism is the debug function, which enables debugging mode for the duration of the current connection. One thing that this enables is the ability to send a mail message with a piped program as the recipient. This mode is normally allowed in the sendmail configuration file or a user's .forward file directly, but not for incoming connections. In this case the recipient was a command which would strip off the mail headers and pass the remainder of the message to a shell. The body was a script which created a program which would suck over the rest of the modules from the host that sent it, and the commands to compile and execute it. The fact that debug was enabled by default was reported to Berkeley by several sources during the 4.2 release; however, it was not fixed for the 4.3 release, source or binary. Project Athena was among a number of sites which disabled it; however, it is unlikely that many binary-only sites were able to be as diligent.

1.1.3 rexec and passwords

The virus attacked by the Berkeley remote execution protocol, which required the user name and plaintext password to be passed over the net. The program only used pairs of usernames and passwords which it had already verified to be correct on the
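The range-checking failure of section 1.1.1 comes down to one library call that reads a line into a fixed stack buffer with no length limit. The following C is an added example, not code from the paper or from 4.3BSD fingerd: a bounded request reader that stops at the buffer's capacity, discards an overlong line, and rejects a query carrying non-printable bytes. The buffer cap REQ_MAX and the in-memory byte_source standing in for the socket are assumptions made for illustration.

```c
/* Added example (not code from the paper or from 4.3BSD fingerd): the bounded
 * request reader that closes the hole described in section 1.1.1.  fingerd
 * pulled its one-line query into a fixed buffer on the stack with gets(), which
 * copies until a newline arrives no matter how long the line is.
 * read_request() stops at the buffer's capacity, drains the overlong line, and
 * also rejects a query containing non-printable bytes, which no legitimate
 * finger request carries.  byte_source is an offline stand-in for the socket. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define REQ_MAX 64      /* assumed cap: a finger query is a short user or host name */

enum req_status { REQ_OK = 0, REQ_EOF, REQ_TOO_LONG, REQ_BINARY };

struct byte_source {    /* in-memory stand-in for the network connection */
    const unsigned char *data;
    size_t len, pos;
};

static int src_getc(struct byte_source *s)
{
    return s->pos < s->len ? (int)s->data[s->pos++] : EOF;
}

/* Read one request line into buf (capacity bufsz, including the NUL).
 * REQ_OK: buf holds the line with CR/LF stripped.  REQ_TOO_LONG: the line did
 * not fit; its remainder is drained so the caller can log and close cleanly.
 * REQ_BINARY: a control byte appeared.  REQ_EOF: nothing left to read. */
enum req_status read_request(struct byte_source *src, char *buf, size_t bufsz)
{
    size_t len = 0;
    int c, seen_any = 0;

    buf[0] = '\0';
    while ((c = src_getc(src)) != EOF) {
        seen_any = 1;
        if (c == '\n')
            break;
        if (len + 1 >= bufsz) {               /* the check gets() never made */
            while ((c = src_getc(src)) != EOF && c != '\n')
                ;                             /* drain the rest of the line */
            buf[0] = '\0';
            return REQ_TOO_LONG;
        }
        buf[len++] = (char)c;
    }
    if (!seen_any)
        return REQ_EOF;
    if (len > 0 && buf[len - 1] == '\r')
        len--;
    buf[len] = '\0';

    for (size_t i = 0; i < len; i++) {
        if (!isprint((unsigned char)buf[i])) {
            buf[0] = '\0';
            return REQ_BINARY;                /* padding or machine code, not a name */
        }
    }
    return REQ_OK;
}

/* Helper: run read_request over a raw byte string of length rawlen. */
enum req_status check_request(const char *raw, size_t rawlen, char *out, size_t outsz)
{
    struct byte_source s = { (const unsigned char *)raw, rawlen, 0 };
    return read_request(&s, out, outsz);
}

/* Helper: a query of n filler bytes plus a newline, read into a REQ_MAX-byte
 * buffer.  A large n has the shape of the 1988 finger attack: a long runway
 * of filler ahead of the payload. */
enum req_status check_runway(size_t n)
{
    static unsigned char line[4096];
    char out[REQ_MAX];
    if (n >= sizeof line)
        n = sizeof line - 1;
    memset(line, 'A', n);
    line[n] = '\n';
    struct byte_source s = { line, n + 1, 0 };
    return read_request(&s, out, sizeof out);
}

int main(void)
{
    char out[REQ_MAX];
    const char *verdict[] = { "ok", "eof", "too long", "binary" };
    /* Constructed inputs: a normal query, a 600-byte runway, a control byte. */
    printf("eichin  -> %s\n", verdict[check_request("eichin\r\n", 8, out, sizeof out)]);
    printf("600 x A -> %s\n", verdict[check_runway(600)]);
    printf("sh\\001  -> %s\n", verdict[check_request("sh\001\n", 4, out, sizeof out)]);
    return 0;
}
```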
local host. One fundamental security tenet violated here was that passwords should not be at all readable by unprivileged entities. Under most forms of ... the passwords are stored in ... as computationally expensive ... However, this meant that a program needed merely try a large number of guesses on its own turf, so to speak, without going through any recorded channels. The Kerberos [2] system used at Project Athena keeps passwords only on a secure central machine, which is used as an authentication server. Although once a username was known the password could be attacked in much the same way, the usernames are also stored centrally, making it more difficult for the virus to find a set of names to attack.

1.1.4 Side effects

When it became clear that the virus was propagating via sendmail, the first reaction of many sites [3] was to cut off mail service. This did not totally stop the progress of the virus, which continued to travel via rexec and finger. It did effectively stop communication of information about the virus, slowing down the information about finger and the patches needed to fix the problem. USENET news was an effective side-channel of information spread, although a number of sites disabled that as well. One program posted after the virus was analyzed was a tool to duplicate the password attack used, including the dictionary that the virus carried with it, to allow system administrators to analyze the passwords in use on their system. The spread of this virus should be effective in raising the awareness of users and administrators to the importance of choosing difficult passwords.

1.2 Defenses

The virus used a number of techniques to hide itself as well, though they had various vulnerabilities.

1.2.1 Covering tracks

The program did a number of things to cover its trail. It zeroed out its argument list once it had finished processing the arguments, so that the process status command would not show how it was invoked. It also deleted the executing binary, which would leave an inode only referenced
by the execution of the program but not appearing in the filesystem. If the machine was rebooted while the virus was actually running, the file system salvager will recover the file after the reboot. The program also uses resource limit functions to prevent it from using any space in a core dump. Thus it prevents any bugs in the program from leaving core dumps behind.

[1] ref: Orange Book
[2] cite paper
[3] including the DARPA MILNET

1.2.2 Camouflage

It was compiled as the same name used by the Bourne Shell, which is used often in shell scripts and automatic commands. Even a diligent system manager would probably not notice a large number of shells running for short periods of time. The virus did fork, splitting into a parent and child, approximately every three minutes. The parent would then die, leaving the child to continue from the exact same place.

1.3 Flaws

The virus also had a number of flaws, varying between the subtle and the clumsy. Keith Bostic of Berkeley, with concurrence of the team at ..., posted patches for some of the more obvious ones, as a humorous gesture.

1.3.1 Reinfection prevention

The code for preventing reinfection of a machine which was actively infected didn't work at all. It was only checked on a one in fifteen random chance, making multiple infections likely. This also led to the early detection of the virus, since only one in fifteen instances of the virus would actually die; since the virus was careful to clean up temporary files, its presence alone didn't interfere with reinfection. Also, a multiply infected machine would spread the virus faster, perhaps proportionally to the number of infections it was harboring, since:

- The program scrambles the lists of hosts and users it attacks; since the random number generator is seeded with the current time, the separate instances are likely to hit separate targets.
- The program tries to spend a large amount of time sleeping and listening for other infection attempts (which never report themselves), so that the processes would share the resources
of the machine fairly well.

Thus the virus spread much more quickly than the perpetrator expected, and was noticed for that very reason. The MIT Media Lab, for example, cut themselves completely off the network because the computer resources absorbed by the virus were detracting from work in progress, while the lack of network service was a minor problem.

1.3.2 Heuristics

One attempt that was made to make the program not waste time on ... systems was to first try to telnet to the host in the list. If the host refused telnet connections, it was likely to refuse other attacks as well. There were several problems with this attack:

- A number of machines exist which provide sendmail service, for example, that do not provide telnet service, and although vulnerable would be ignored under this attack.
- The telnet probing code immediately closed the connection upon finding that it had opened it. By the time the inet daemon (the "funnel" which handles most incoming network services) identified the connection and handed it off to the telnet daemon, the connection was already closed, causing the telnet daemon to indicate an error condition of high enough priority to get logged on most systems. Thus the times of the earliest attacks were noted, if not the machines they came from.

..., for example, was vulnerable to the finger daemon attack but was untouched because it did not run a telnet daemon.

[footnote fragment: telephone call around 9 AM Friday]

Chapter 2: The program

2.1 main

The main module made several steps to set itself up.

2.1.1 Initialization

First, the program takes some steps to hide itself. It changes the zeroth argument, which is the process name, to sh, so that no matter how the program was invoked it would show up in the process table with the same name as the Bourne Shell, a program which is often running legitimately. The program also sets the resource limit on core dump size to zero blocks, so that if the program did crash for some reason it would vanish rather than leaving a core dump behind for investigators. It also turns
off handling of the write errors on pipes, which by default cause the program to exit. The next step is to read the clock, store the current time in a local variable, and use that value to seed the random number generator.

2.1.2 Command line argument processing

The virus program itself takes an optional argument which must be followed by a decimal number, which seems to be a process id of the parent which spawned it. It uses this number later on to kill that process, probably to "close the door" behind it. The rest of the command line arguments are "object names". These are names of files it tries to load in; if it can't load one of them, it quits. If the argument was given, it also deletes the file, and later tries to delete the running virus as well as the file /tmp/.dumb [1]. After all the arguments have been read, if no objects were loaded, the program quits. It then checks for the existence of the object l1.c and quits if it is missing. If the argument was given, the program closes all of its file descriptors and then deletes the files. The program then erases the text of all of the arguments. [Draft note: need better explanation of loadobject.] It then scans all of the network interfaces on the machine and gets the flags and address of each interface. It tries to get the point-to-point address of the interface; it skips the loopback address. It also stores the netmask for that network. Finally it kills off the process id given with the option. It also changes the current process group so that it doesn't die when the parent exits. Once this is cleaned up, it falls into the doit routine, which performs the rest of the work.

2.2 doit routine

This routine is where the program spends most of its time.

2.2.1 Initialization

Like the main routine, it seeds the random number generator with the clock, and stores the clock value to later measure how long the virus has been running on this system. It then tries hg. If that fails it tries hi. If that fails it tries ha. It then tries to check if there is already a copy of the virus running on
this machine. This code doesn't work correctly, which is one of the reasons the virus was using large amounts of computer time. It then sends one byte on a TCP stream connection to 128.32.137.13, which is ernie.berkeley.edu. There has not been an explanation for this; it only sends this packet with a 1 in 15 random chance.

2.2.2 Main loop

An infinite loop comprises the main active component of the virus. It calls the cracksome routine, which tries to find some hosts that it can break in to. Then it waits 30 seconds, while listening for other virus programs attempting to break in, and tries to break into another batch of machines. After this round of attacks, it forks, creating two copies of the virus; the original (parent) dies, leaving the fresh copy. The child copy has all of the information the parent had, while not having the accumulated CPU usage of the parent. It also has a new process id, making it hard to find. The virus then runs the h routines, which search for more machines to add to the list of hosts, and then sleeps for 2 minutes, again looking for other virus attempts. After that, it checks to see if it has been running for more than 13 hours and, if so, cleans up some of the entries in the host list. Finally, before repeating, it checks pleasequit. If it is set, and it has tried more than 10 words from its own dictionary against existing passwords, it quits. Thus forcing pleasequit to be set in the system libraries will do very little to stem the progress of this virus.

2.3 Cracking routines

There are a collection of routines which are the "brain" of the virus. There is a main switch which chooses which of four strategies to execute next, and a number of separate strategy routines. It is clearly the central point to add new strategies, were the virus to be further extended.

[2] This name was actually in the symbol table of the distributed binary.

2.3.1 cracksome

The cracksome routine is the main switch. Again, this routine was named in the global symbol table; though it could have been given a confusing or
random name, it was actually clearly labelled, which lends some credence to the idea that the virus was released prematurely.

2.3.2 crack_0

The first crack routine read through the /etc/hosts.equiv file to find machine names that would be likely targets. While this file indicates what hosts the current machine trusts, it is fairly common to find systems where all machines in a cluster trust each other, and at the very least it implies that people with accounts on this machine will have accounts on the other machines mentioned in hosts.equiv. It also read the /.rhosts file, which lists the set of machines that this machine trusts root access from. Note that it did not take advantage of any knowledge about this trust [3], but merely uses the names as a list of additional machines to attack. Often system managers will deny read access to this file to any user other than root itself, to avoid providing any easy list of secondary targets that could be used to subvert the machine; this practice would also have prevented the virus from discovering those names, although /.rhosts is very often a subset of /etc/hosts.equiv. The program then reads the entire local password file, /etc/passwd. It uses this to find personal .forward files, for names of other machines it can attack. It also records the username, password, and gecos information string, which is also stored in the /etc/passwd file. After processing the entire file, it advances the attack type selector, so that the machine proceeds to the next set of attacks.

2.3.3 crack_1

The next set of attacks are on passwords on the local machine. It uses several functions to pick passwords, which can then be ... and matched against the ... obtained in phase 0:

- No password at all.
- The username itself.
- The username appended to itself.
- The second of the comma separated gecos information fields, which is commonly a nickname.
- The remainder of the full name after the first name in the gecos fields (i.e. probably the last name), with the first letter converted to lower case.
- This last name reversed.

All of
these attacks are applied to fifty passwords at a time from those collected in phase 0. If this pass finishes all of the passwords, it advances to phase 2.

[3] such as Bob Baldwin's system KUANG would

2.3.4 phase 2

Phase 2 takes the internal word list that the virus distributes with itself and scrambles it. Then it takes the words one at a time and decodes them (the high bit is set on all of the characters to obscure them), and then tries them against all collected passwords. Thus the check in the main loop against nextw only succeeds after all of the words have been checked against all of the passwords in the collected list. Again, if the word list is exhausted, the virus advances to phase 3.

2.3.5 phase 3

Phase 3 looks at the local /usr/dict/words file, a twenty four thousand word dictionary distributed with 4.3BSD and other UNIX systems. The words are stored in this file one word per line. One word at a time is tried against all passwords. If the word begins with an upper case letter, the letter is converted to lower case and the word is tried again. When the dictionary runs out, the phase counter is again advanced (to 4), thus no more password cracking is attempted.

2.4 h routines

The h routines are a collection of routines with short names, including hg, ha, hi and hl, which search for other hosts to attack.

2.4.1 hg

The hg routine calls rt_init to scan the routing table, which creates a list of gateways. It then tries a generic attack routine [4] to attack via rsh, finger, and smtp.

2.4.2 ha

The ha routine also tries to go through the list of machines and connect to port 25, the SMTP port, to determine if a mailer was running on the machine.

2.4.3 hl

The hl routine just looks for certain machines based on their netmasks and tries to attack them.

2.4.4 hi

The hi routine goes through the table of hosts and tries to actually attack a host via rsh, finger, smtp.

[4] $1638 internally

2.4.5 hul

The hul routine is called by the phase one and phase three crack subroutines. Once a user name and password is guessed, this routine is
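Sections 1.1.4 and 2.3.3 together describe the defensive use of the virus's own guessing rules: a tool that lets an administrator find which of their accounts the crack_1 heuristics would have caught. The following C is an added example, not the paper's or the worm's code: it parses a passwd-style line, derives the six crack_1 candidates from the login name and gecos fields in the paper's order, and reports the first candidate the matcher accepts. The plaintext matcher is a stand-in for crypt(3) and the sample entry is constructed; both are assumptions for illustration.

```c
/* Added example (not code from the paper or the worm): an administrator-side
 * password audit reproducing the crack_1 guessing rules of section 2.3.3, in
 * the spirit of the tool mentioned in section 1.1.4.  Candidates come only
 * from the account's own /etc/passwd fields.  Verification goes through a
 * caller-supplied matcher so the hash is not fixed here: for a real file,
 * compare crypt(cand, stored) with stored; the demo uses a plaintext stand-in. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 128
#define CAND_MAX  8

struct pw_entry {
    char name[FIELD_MAX];    /* passwd field 1: login name */
    char gecos[FIELD_MAX];   /* passwd field 5: "Full Name,nickname,..." */
};

/* Copy the n-th sep-separated field of s into dst; returns 0 if absent. */
static int split(const char *s, char sep, int n, char *dst, size_t dstsz)
{
    const char *p = s;
    for (int i = 0; i < n; i++) {
        p = strchr(p, sep);
        if (p == NULL)
            return 0;
        p++;
    }
    const char *end = strchr(p, sep);
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len >= dstsz)
        len = dstsz - 1;
    memcpy(dst, p, len);
    dst[len] = '\0';
    return 1;
}

int parse_passwd_line(const char *line, struct pw_entry *e)
{
    return split(line, ':', 0, e->name, sizeof e->name) &&
           split(line, ':', 4, e->gecos, sizeof e->gecos);
}

static void reverse_str(char *s)
{
    size_t n = strlen(s);
    for (size_t i = 0; i < n / 2; i++) {
        char t = s[i]; s[i] = s[n - 1 - i]; s[n - 1 - i] = t;
    }
}

/* Fill cands with the crack_1 guesses in the paper's order; returns the count. */
size_t crack1_candidates(const struct pw_entry *e, char cands[][FIELD_MAX])
{
    size_t n = 0;
    char full[FIELD_MAX], nick[FIELD_MAX];

    cands[n++][0] = '\0';                                        /* no password at all */
    snprintf(cands[n++], FIELD_MAX, "%s", e->name);              /* the username */
    snprintf(cands[n++], FIELD_MAX, "%s%s", e->name, e->name);   /* username twice */
    if (split(e->gecos, ',', 1, nick, sizeof nick) && nick[0] != '\0')
        snprintf(cands[n++], FIELD_MAX, "%s", nick);             /* second gecos field */
    if (split(e->gecos, ',', 0, full, sizeof full)) {
        char *last = strchr(full, ' ');                          /* after the first name */
        if (last != NULL && last[1] != '\0') {
            last++;
            last[0] = (char)tolower((unsigned char)last[0]);
            snprintf(cands[n++], FIELD_MAX, "%s", last);         /* "last name" */
            snprintf(cands[n], FIELD_MAX, "%s", last);
            reverse_str(cands[n++]);                             /* last name reversed */
        }
    }
    return n;
}

/* Plaintext stand-in for the demo; a real audit plugs in crypt(3) here. */
int plaintext_matches(const char *cand, const char *stored)
{
    return strcmp(cand, stored) == 0;
}

/* Return the first crack_1 candidate the matcher accepts, or NULL if none. */
const char *first_weak_guess(const struct pw_entry *e,
                             int (*matches)(const char *, const char *),
                             const char *stored, char cands[][FIELD_MAX])
{
    size_t n = crack1_candidates(e, cands);
    for (size_t i = 0; i < n; i++)
        if (matches(cands[i], stored))
            return cands[i];
    return NULL;
}

/* Audit one passwd line against its stored secret with the demo matcher. */
const char *audit_line(const char *line, const char *stored, char cands[][FIELD_MAX])
{
    struct pw_entry e;
    if (!parse_passwd_line(line, &e))
        return NULL;
    return first_weak_guess(&e, plaintext_matches, stored, cands);
}

int main(void)
{
    /* Constructed entry; the stored value stands in for a password hash. */
    const char *line = "jdoe:x:1001:100:Jane Doe,janie:/u/jdoe:/bin/sh";
    char cands[CAND_MAX][FIELD_MAX];
    const char *hit = audit_line(line, "eod", cands);
    printf("%s\n", hit ? hit : "(no weak guess)");
    return 0;
}
```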
called with a host-name read from either the user's .forward or .rhosts files. It then runs an ... to that machine and has it execute a Bourne Shell, thus allowing it to use standard methods to attack that machine.

2.5 Attack routines

There were a collection of attack routines which all provided a Bourne Shell running on the remote machine if they succeeded.

2.5.1 hit finger

The hit finger routine tries to make a connection to the finger port of the remote machine. Then it creates a "magic packet" which consists of:

- A 400 byte "runway" of VAX nop instructions which can be executed harmlessly.
- A small piece of code which executes a Bourne Shell.
- A stack frame with a return address which would hopefully point into the code.

Note that the piece of code is VAX code, and the stack frame is a VAX frame, in the wrong order for the Sun. Thus, although the Sun finger daemon has the same bug as the VAX one, this piece of code cannot exploit it. The attack on the fingerd [5] can be considered a "viral" attack, since although the worm doesn't modify the host machine at all, the finger attack does modify the running finger daemon process. Then, speaking in viral terms, the injected component of the virus contained the following VAX instructions:

    pushl $68732f      ; push '/sh\0'
    pushl $6e69622f    ; push '/bin'
    movl  sp, r10      ; save address of start of string
    pushl $0           ; push 0 (arg 3 to execve)
    pushl $0           ; push 0 (arg 2 to execve)
    pushl r10          ; push string addr (arg 1 to execve)
    pushl $3           ; push argument count
    movl  sp, ap       ; set argument pointer
    chmk  $3b          ; do "execve" kernel call

The execve system call causes the current process to be replaced with an invocation of the named program; /bin/sh is one of the UNIX command interpreters. In this case, the shell wound up running with its input coming from, and its output going to, the network connection. The virus then sent over the same bootstrap program that it used for its sendmail-based attack.

William E. Sommerfeld of MIT Project Athena was the first to discover this mode of attack, and provided the description that follows.

2.5.2 hit rexec

The hit rexec
routine uses the exec TCP service (the remote execution system), which is similar to rsh but is designed for use by programs. It connects, and sends the username, the password, and /bin/sh as the command to execute. It checks to see if it succeeded to connect and get access using one of the password/account pairs guessed earlier.

2.5.3 hit smtp

The hit smtp routine uses the smtp TCP service to take advantage of the sendmail bug. It attempts to use the debug option to make sendmail run a command (the "recipient" of the message), which compiles a program which is included as the body of the message.

2.5.4 makemagic

This routine tries to make a telnet connection to the 6 addresses for the current victim, and then breaks it immediately. If it succeeds, it creates a listening stream socket on a random port number, which the infected machine will eventually connect back to. Since it breaks the connection immediately, it often produces error reports from the telnet daemon which get recorded, and provide some of the earliest reports of attack attempts.

2.6 Host modules

There are a set of routines designed to collect names and addresses of target hosts in a master list.

2.6.1 name to host

This routine searches the host list for a given named host, returns the list entry describing it, and optionally adds it to the list if it isn't there already.

2.6.2 address to host

This routine searches the host list for a given host address, returns the list entry describing it, and optionally adds it to the list if it isn't there already.

2.6.3 add address

This routine adds an address to an entry in the host list. Each entry contains up to twelve names, up to six addresses, and a flag field.

2.6.4 add name

This routine adds a name to an entry in the host list, if it doesn't already exist.

2.6.5 clean up table

This routine cycles through the host list and cleans out hosts which only have flag bits 1 and 2 set, and clears those bits.

2.6.6 get addresses

This routine takes an element of the host table and tries to find an address for the
name it has, or get a name for the addresses it has, and include the aliases it can find in the list as well.

2.7 Object routines

These routines are what the system uses to pull all of its pieces into memory when it starts (after the host has been infected), and then to retrieve them to transmit to any host it infects.

2.7.1 load object

This routine opens the file, stats it, allocates enough space to load it in, reads it in as one block, and decodes the block of memory with XOR. If the object name contains a comma, it moves past it and starts the name there.

2.7.2 get object by name

This routine returns a pointer to the requested object. This is used to find the pieces to download when infecting another host.

2.8 Other initialization routines

2.8.1 if init

This routine scans the array of network interfaces. It gets the flags for each interface and makes sure the interface is UP and RUNNING (specific fields of the flag structure). If the entry is a point to point type interface, the remote address is saved and added to the host table. It then tries to enter the router into the list of hosts to attack.

2.8.2 rt init

This routine runs netstat -r as a subprocess. This shows the routing tables, with the addresses listed numerically. It gives up after finding 500 gateways. It skips the default route, as well as the loopback entry. It checks for redundant entries, and checks to see if this address is already an interface address. If not, it adds it to the list of gateways. After the gateway list is collected, it scrambles it and enters the addresses in the host table.

Appendix A: Credits

I'd like to mention a few people who worked on the virus hunt.

A.1 The MIT team

Mark W. Eichin (Athena and SIPB) and Stanley R. Zanarotti (LCS and SIPB) led the team disassembling the virus code. The team included William E. Sommerfeld (Athena, SIPB and Apollo), Ted Y. Ts'o (Athena and SIPB), Jon Rochlis (MIT Telecom and SIPB), Hal Birkeland (MIT Media Lab), and John T. Kohl (Athena, DEC and SIPB). Jeffery I. Schiller (Director of the MIT Network, Athena
did a lot of work in trapping the virus, setting up an isolated test suite, and dealing with the media. Ron Hoffman (MIT Telecom) was one of the first to notice an MIT machine attacked by finger. Tim Shepard (LCS) provided information as to the propagation of the virus, as well as large amounts of netwatch data and other technical help.

A.2 The Berkeley team

We don't know how they were organized at Berkeley; however, we conversed extensively and exchanged code with Keith Bostic throughout the morning of November 4, 1988.

A.3 Others

Numerous others across the country deserve thanks; many of them worked directly or indirectly on the virus, and helped coordinate the spread of information.

Chronology of Virus from the MIT Perspective
Jon Rochlis (jon@bitsy.mit.edu)

The first posting mentioning the virus was by Peter Yee (NASA Ames) at 8:28pm EST on Wednesday, to the tcp-ip list. Peter stated that UCB, UCSD, LLNL, Stanford, and NASA Ames had been attacked, and described the use of sendmail to pull over the virus, including the x* files found in /usr/tmp. The virus was observed to send vax and sun binaries, have DES tables built in, and make some use of .rhosts and hosts.equiv files. A Berkeley extension was given, and Phil Lapsley and Kurt Pires were listed as being knowledgeable about the virus.

At 3:10am the first notice of the virus at MIT was posted at AMT by Pascal Chesnais. The motd on media-lab read:

    lacsap Nov 3 1988 03:10am
    DO NOT CALL THE GARDEN. IF YOU WANT TO PROTECT YOUR MACHINE, TURN OFF SENDMAIL OR JUST TURN YOUR MACHINE OFF OR UNPLUG IT FROM THE ... DO NOT CALL THE ...

Pascal had spotted the virus earlier, but assumed it was just a local runaway program. The group at AMT figured out after midnight that it was a virus, and that it was coming in via mail. The response was to shut down infected machines. The Network group's monitoring information shows the media-lab gateway first went down at 11:40pm Wednesday, but was back up by 3:00am. Pascal requested that the Network group isolate the building during the Thursday
11:30pm, and it remained so isolated until Friday at 2:30pm.

Pascal now reports that logs on media-lab show several scattered attempts: "ttloop: peer died: No such file or directory" messages. There were a few every couple of days, several during the Wednesday afternoon, and many starting at 9:48pm. These are caused by opening a telnet connection and immediately closing it. Specifically, inetd spawns a telnetd, but when telnetd goes to read from the network it finds the connection has disappeared. The virus did this in order to determine whether or not to try to infect a target machine [1]. The logs on media-lab start on October 25th, and the following log entries were made before the swarm on Wednesday night:

    Oct 26 15:01:57 media-lab telnetd[23180]: ttloop: peer died: No such file or directory
    Oct 28 11:26:55 media-lab telnetd[23331]: ttloop: peer died: No such file or directory
    Oct 28 17:36:51 media-lab telnetd[12614]: ttloop: peer died: No such file or directory
    Oct 31 16:24:41 media-lab telnetd[18518]: ttloop: peer died: No such file or directory
    Nov  1 16:08:24 media-lab telnetd[16125]: ttloop: peer died: No such file or directory
    Nov  1 18:02:43 media-lab telnetd[...]: ttloop: peer died: No such file or directory
    Nov  1 18:58:30 media-lab telnetd[24644]: ttloop: peer died: No such file or directory
    Nov  2 12:23:51 media-lab telnetd[4721]: ttloop: peer died: No such file or directory
    Nov  2 15:21:47 media-lab telnetd[...]: ttloop: peer died: No such file or directory

[1] The assumption that machines not running a telnetd are not vulnerable to attack is quite interesting. It allowed systems [like] the Project Athena mailhub, athena.mit.edu, on which we preferred to use only Kerberos authentication, to escape unscathed.

It is not clear whether these represent early testing of the virus, or if they were just truly accidental premature closings of telnet connections. With hindsight, we can [say] a telnetd that logged its peer address even for such error messages would have been quite useful in tracing the progress and origin of the virus.

At 3:34am EST on Thursday, Andy Sudduth from Harvard made his anonymous posting to tcp-ip. The posting said that
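The "ttloop: peer died" entries above are the trace the makemagic telnet probe left behind, and the chronology's point is that the signal was in their rate, not their presence. The following C is an added example (not code from the chronology or from 4.3BSD): it parses syslog lines of the form shown above, counts peer-died events per calendar hour, and flags the first hour that reaches a burst threshold. The sample log, its process ids, the extra burst lines and BURST_THRESHOLD are constructed assumptions.

```c
/* Added example (not code from the chronology or from 4.3BSD): detection logic
 * for the telnetd "ttloop: peer died" pattern described above.  One such error
 * every couple of days is background noise; the worm's telnet probe produced a
 * burst.  scan_ttloop_log() parses syslog lines, counts peer-died events per
 * calendar hour, and records the first hour whose count reaches a threshold. */
#include <stdio.h>
#include <string.h>

#define MAX_HOURS 64
#define BURST_THRESHOLD 5   /* assumed; tune to the site's own baseline */

struct hour_count {
    char month[4];
    int day, hour, count;
};

struct scan_result {
    int events;                      /* total peer-died lines seen */
    int hours;                       /* distinct calendar hours touched */
    struct hour_count buckets[MAX_HOURS];
    int burst_index;                 /* first bucket reaching the threshold, or -1 */
};

/* Returns 1 and fills month/day/hour when line is a telnetd peer-died entry. */
int parse_peer_died(const char *line, char month[4], int *day, int *hour)
{
    int min, sec;
    char host[64];
    if (strstr(line, "ttloop: peer died") == NULL)
        return 0;
    /* "Mon DD HH:MM:SS host telnetd[pid]: ..." */
    return sscanf(line, "%3s %d %d:%d:%d %63s telnetd",
                  month, day, hour, &min, &sec, host) == 6;
}

static struct hour_count *bucket_for(struct scan_result *r, const char *month,
                                     int day, int hour)
{
    for (int i = 0; i < r->hours; i++) {
        struct hour_count *b = &r->buckets[i];
        if (b->day == day && b->hour == hour && strcmp(b->month, month) == 0)
            return b;
    }
    if (r->hours == MAX_HOURS)
        return NULL;
    struct hour_count *b = &r->buckets[r->hours++];
    snprintf(b->month, sizeof b->month, "%s", month);
    b->day = day;
    b->hour = hour;
    b->count = 0;
    return b;
}

/* Scan newline-separated log text; unrelated lines are ignored. */
void scan_ttloop_log(const char *text, struct scan_result *r)
{
    memset(r, 0, sizeof *r);
    r->burst_index = -1;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        char month[4];
        int day, hour;
        if (parse_peer_died(line, month, &day, &hour)) {
            struct hour_count *b = bucket_for(r, month, day, hour);
            if (b != NULL) {
                r->events++;
                b->count++;
                if (r->burst_index < 0 && b->count >= BURST_THRESHOLD)
                    r->burst_index = (int)(b - r->buckets);
            }
        }
        if (nl == NULL)
            break;
        p = nl + 1;
    }
}

/* Constructed sample: quiet entries in the style of the chronology, one
 * unrelated line, and a burst in the 21:00 hour of Nov 2 (pids invented). */
const char *SAMPLE_LOG =
    "Oct 26 15:01:57 media-lab telnetd[23180]: ttloop: peer died: No such file or directory\n"
    "Oct 28 11:26:55 media-lab telnetd[23331]: ttloop: peer died: No such file or directory\n"
    "Nov  1 16:08:24 media-lab telnetd[16125]: ttloop: peer died: No such file or directory\n"
    "Nov  2 12:23:51 media-lab telnetd[4721]: ttloop: peer died: No such file or directory\n"
    "Nov  2 21:48:03 media-lab telnetd[5102]: ttloop: peer died: No such file or directory\n"
    "Nov  2 21:48:09 media-lab telnetd[5107]: ttloop: peer died: No such file or directory\n"
    "Nov  2 21:49:31 media-lab telnetd[5113]: ttloop: peer died: No such file or directory\n"
    "Nov  2 21:50:02 media-lab sendmail[5120]: unrelated entry\n"
    "Nov  2 21:51:44 media-lab telnetd[5128]: ttloop: peer died: No such file or directory\n"
    "Nov  2 21:52:10 media-lab telnetd[5131]: ttloop: peer died: No such file or directory\n";

int main(void)
{
    struct scan_result r;
    scan_ttloop_log(SAMPLE_LOG, &r);
    printf("%d peer-died events over %d hours\n", r.events, r.hours);
    if (r.burst_index >= 0) {
        struct hour_count *b = &r.buckets[r.burst_index];
        printf("burst: %s %d %02d:00 (%d events)\n", b->month, b->day, b->hour, b->count);
    }
    return 0;
}
```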
a virus might be loose on the Internet, and that there were three steps to take to prevent further transmission. This included not running fingerd, or fixing it not to overwrite the stack when reading its arguments from the net [2]; being sure sendmail was compiled without debug; and not running rexecd. The posting was made from an Annex terminal server at ... from Aiken Center at Harvard, by telneting to the SMTP port of iris.brown.edu. This is obvious since the message was from "foo%bar.arpa", and because the last line of the message was "qun177 177 177", an attempt to get rubout processing out of the Brown SMTP server, a common mistake when faking Internet mail. It was ironic that this posting did almost no good. The path it took to get to athena was:

    Received: by ATHENA.MIT.EDU id 111129119; Sat, 5 Nov 88 05:59:13 EST
    Received: from RELAY.CS.NET by ... with ...; 4 Nov 88 23:23:24
    Received: from cs.brown.edu by RELAY.CS.NET id a105627; 3 Nov 88 3:47 EST
    Received: from iris.brown.edu (iris.ARPA) by cs.brown.edu (1.2.1/1.00) id ...; Thu, 3 Nov 88 03:47:19 est
    Received: from 128.103.1.92 with SMTP via tcp/ip by iris.brown.edu on Thu, 3 Nov 88 03:34:46 EST

There was a 20 hour delay before the message escaped from relay.cs.net and got to sri-nic.arpa. Another 6 hours went by before the message was received by athena.mit.edu. Other sites have reported similar delays.

At 5:58am Thursday morning, Keith Bostic made the virus bug fix posting. The message went to the tcp-ip list, comp.bugs.4bsd.ucb-fixes, news.announce, and news.sysadmin. It supplied the "compile without debug" fix to sendmail (or patch the debug command to a garbage string), as well as the very wise suggestion to rename cc and ld, which was effective since the virus needed to compile and link itself. Gene Spafford forwarded this to nntp-managers@ucbvax.berkeley.edu at 8:06am. Ted Ts'o (tytso@athena.mit.edu) forwarded this to an internal Project Athena hackers list (watchmakers@athena.mit.edu) at 10:07. He expressed disbelief ("it's not April ...") [and] thought we at Athena were safe. Though no production Athena servers
were infected, several private workstations and development machines were, so this proved overly optimistic.

[2] This was a level of detail that only the originator of the virus could have known at that point. To our knowledge nobody had yet identified the finger bug, since it only affected certain VAXen, and certainly nobody had discovered its mechanism.

During Thursday morning, Ray (ray@math.mit.edu) spotted the virus on the MIT math department Suns and shut down the math gateway at 10:15am; it remained down until 3:15pm. Gene Spafford posted a message at 2:50pm Thursday to a large number of people and mailing lists, including nntp-managers, which is how we saw it quickly at [MIT]. It warned [that] the virus used ... and looked in hosts.equiv and .rhosts for more hosts to attack. Around this time the MIT group in E40 (Project Athena and the Network Group) called Milo Medin (medin@nsipo.nasa.gov) and found out much of the above. Many of us had not yet seen the messages. He pointed out that the virus just loved to attack gateways found via the routing tables, and remarked that it must have not been effective at MIT, where we run our own Gateway code, not Unix. Milo also informed us that DCA had shut down the mailbridges. He pointed us to the group at Berkeley, and Peter Yee specifically.

At about 5pm on Thursday, Ron Hoffmann (hoffmann@bitsy.mit.edu) observed the virus attempting to log into a standalone router using the Berkeley remote login protocol; the remote login attempt originated from a machine previously believed immune [3]. The virus was running under the userid nobody, and it appeared that it had to be attacking through the finger service, the only network service running under that userid. At that point we called the group working at Berkeley; they confirmed our suspicions that the virus was spreading through fingerd. On the surface it seemed that fingerd was too simple to have a protection bug similar to the one in sendmail; it was a very short program, and the only exec it did involved a hard-coded pathname. A check of the modification
dates of both /etc/fingerd and /usr/ucb/finger showed that both had been untouched, and both were identical to known good copies located on a read-only filesystem. Berkeley reported that the attack on finger involved "shoving some garbage at it"; clearly some sort of overrun buffer wound up corrupting something. Bill Sommerfeld (wesommer@athena.mit.edu) guessed that this bug might involve overwriting the saved program counter in the stack frame; when he looked at the source for fingerd, he found that the buffer it was using was located on the stack. In addition, the program used the library gets function, which assumes that the buffer it is given is long enough for the line it is about to read. To verify that this was a viable attack, he then went on to write a program which exploited this hole in a benign way [4].

A risks digest came out at 6:52pm. It included a message from Cliff Stoll of Harvard (Stoll@dockmaster.arpa) which described the spread of the virus on MILNET, and suggested that MILNET sites might want to remove themselves from the network. Stoll also made the wonderful statement "This is bad news." Other messages were from Spafford, Peter Neumann, and Matt Bishop. They described the sendmail propagation mechanism.

[3] It was running a mailer with debugging turned off.
[4] The test virus sent the string "Bozo!" back out the network connection.

In the office, Stan Zanarotti (srz@lcs.mit.edu) and Ted Ts'o had managed to get a core dump from the virus running on a machine in the MIT Lab for Computer Science (LCS), as well as the vax binary. Stan and Tim Sheppard had been dealing with the virus from 11am Thursday over in Tech Square. Their first reaction was to shut down the network by powering off ... By 1pm Tim had verified that no files had been modified on ... and had installed recompiled sendmail. Tim also reloaded a root partition from tape, just to ensure that he was running trusted software. Ted and Stan started attacking the virus. Pretty soon they had figured out the xor encoding of the strings, and were manually decoding strings. By 9
:00pm, Ted had written a program to decode all the strings, and we had the list of strings used by the program, except for the built-in dictionary, which was encoded in a different fashion (by setting the meta bit of each character). At the same time they discovered the IP address of ernie, and proceeded to take apart the "send message" routine to figure out what it was sending to ernie, how often, and if a handshake was involved. Stan told Jon Rochlis (jon@bitsy.mit.edu) in the Network Group of the group's progress. The people in E40 called Berkeley and reported the finding of ernie's address. Nobody seemed to have any idea why that was there.

About this time a camera crew from WNEV Channel 7 (the Boston CBS affiliate) showed up at the office of James D. Bruce, VP for Information Systems. He called Jeff Schiller and headed over to E40. Jeff and [I] were interviewed. The 80,000 number of hosts was stated, along with an estimate of 10% infection of the 2,000 hosts at MIT. The infection rate was a pure guess. The virus was the lead story on the news, and we were quite surprised that the real world would pay that much attention. Pieces of the footage shot then were shown on the CBS morning news, but by that point we were too busy to watch.

Sheppard shows up in E40, then punts to Tech Square to check his netwatch data for ernie packets. The machine with the data had been unplugged from the network.

Serious [work] began at midnight. Stan and Ted came to E40. John Kohl had the virus running by 5am, and observed many things. They were confirmed by the decompiling, which was almost done.

[Draft note: list times of Berkeley conversations and exchanges of source code.]

Press conference in E40 at noon; 7 camera crews, tons of print media. Total 200 until 3pm. Bostic asks for our affiliations and if we like the idea of posting bug fixes to the virus; we did!

The Today show comes to the office Saturday to find out about hackers.

MIT Cast of Characters

Media Lab: Pascal Chesnais
VP Information Services: James D. Bruce (jdb@delphi.mit.edu)
Network: Jeff [Schiller]
Athena, SIPB: Mark Eichin
eichin@athena.mit.edu
SIPB: Stan Zanarotti, srz@lcs.mit.edu
Athena/SIPB: Ted Ts'o
Apollo/Athena/SIPB: William Sommerfeld, wesommer@athena.mit.edu
DEC/Athena/SIPB: John Kohl, jtkohl@athena.mit.edu
Athena/SIPB: Ken Raeburn, raeburn@athena.mit.edu
Network: Jon Rochlis, jon@bitsy.mit.edu
Media Lab: Hal Birkeland, hkbirke@athena.mit.edu
Network Group: Ron
Athena/SIPB: Richard Basch, probe@athena.mit.edu
LCS: Tim Sheppard

Arpanet as a Backbone
[Diagram: Arpanet and Milnet as backbone; Unix computers and local area networks (usually Ethernet); Sun workstations and VAXes running Unix.]

What holes did the Virus exploit?
- Sendmail: utility to copy network packets into mail files. Sometimes used to move packets into processes (news feeds).
- Finger Daemon: utility to find out where someone is.
The virus was specifically designed for Unix 4.3BSD; it could not spread to non-Unix computers like a VMS system or an IBM PC. Sun workstations, VAXes and VAX 8800s were hit.

Quick Reaction Across the Nation
- UC Berkeley (Experimental Computing Center for Disease Control)
- Stanford
- Ballistics Research Lab
- MIT
- Lawrence Berkeley Labs
- Lawrence Livermore Labs
- Univ. Rochester
- Harvard-Smithsonian Center for Astrophysics

Stamping it Out
- Initial cures: disconnect from networks, reboot standalone, erase the files, disable sendmail, boot nearby computers.
- Problem: virus reinfected from nearby computers (rhosts especially); virus used other holes (fingerd,
password cracking); very frustrating.
- Hard to communicate with other sites: many disconnected from network; all the virus packets saturated some nets; nobody was coordinating.
- Hard to understand: tough to disassemble.

Exploiting a hole in Sendmail
[Diagram: data packets from another computer arrive over the Arpanet at a Unix computer running the Sendmail program, which normally writes them to mail files but can also pipe them to commands.]
Normally data goes through the mailer into mail files. Data can be sent as commands to special programs. When Debug is enabled, data can be sent as commands to any program.

Virus or Worm?
Virus: self-replicating program that infects other programs.
Worm: program that snakes through computers, copying itself from one system to another.
Purists would call this a worm, not a virus. Makes no difference to me.

Previous Viruses/Hacks
'84-'88: On personal computers, replication by infecting programs. Medium of transport: floppy discs and phone lines to bulletin boards.
'86-'87: Intruders manually break into computers to embarrass companies, wreck programs or steal information. Medium of transport: dial-up phone lines, networks.
'87: IBM Christmas tree virus. Replication by distributing a command file to many people; each person executes the file and it mails itself to many others. Medium of transport: SNA networks, Bitnet.
'88: Arpanet virus. Self-replicates by entering Unix systems, breaking security to obtain a root shell. Medium of transport: networks (Arpanet, Milnet, local area networks).
This is the first virus to spread automatically across the networks. The first virus to exploit multiple security holes.

REAL EFFECTS
- How much damage was done? 10,000 people lost 2 days at $2,000,000?
- Indirect costs: operations disrupted, schedules delayed, consciousness raising about
computer security. Did this guy do us a favor by showing our ...? Was it a month ago the cover of Time Magazine was about ...?

What to learn
- Networking makes the problem much worse. Our society depends heavily on interlinked computers; military, university and commercial systems are intertwined.
- There's no central coordinating center or clearing house for emergencies. Nobody's in charge of our networks.
- Security holes are subtle, introduced from strange sources and exploited by competent, aware people.

SITE EXPERIENCE: BERKELEY (P. LAPSLEY, U.C. BERKELEY)

TIMELINE (PST)
Times: 1900, 2028, 2100, 0100, 0300, 0500, 1700 (Thu Nov 3); 2100, 0600, 1900 (Fri Nov 4); Mon Nov 7.
Events: Peter's message; sendmail, fingerd etc. shut off locally; sendmail bug fixed; sendmail bug posted to Usenet; fingerd bug (Ed Wang); fingerd bug, decompilation starts; fingerd fix posted; decompilation ditto; host cleanup.

HOST CLEANUP
1. Fix sendmail: disable the DEBUG command.
2. fingerd: replace gets with fgets.
3. Disallow rsh from infected hosts: disable rshd; rename .rhosts files and verify equivalent hosts are clean.
4. Remove worms from mail queue.
5. Kill running worms or reboot.
6. Users whose accounts were broken: change passwords.

SITE EXPERIENCE: ARMY BALLISTIC RESEARCH LAB (M. MUUSS)

Post-Mortem of 3-Nov ARPANET Incident: The Ballistic Research Laboratory Anti-Viral Program
Michael Muuss and J. Adams, The Advanced Computer Systems Team, Army Ballistic Research Laboratory
Tue Nov 8 07:58:43 EST 1988

From Webster's 9th: virus, from Latin: slimy liquid, poison, stench. Causative agent of an infectious disease. Complex molecules capable of growth and multiplication only in living cells.

GLOBAL OUTLINE: BRL History of Events; The People Involved; The BRL Approach; Attack and Propagation Modes; Network Sweep Tools; Fixes; BRL Status.

What is U.S. Army Ballistic Research Laboratory? One of America's foremost research and development labs. 700 scientists and engineers pursuing in-house research programs. 5 Scientific Divisions, 3 Support Divisions.
Networked computers are all pervasive throughout research and administrative staffs: 200 systems, UNIX, Cray and Cray 2.

HISTORY, PART 1
1800 PST Wed: Virus seen at Rand Corp.
2345 EST Wed: Virus enters VGR.BRL.MIL.
0300 Thu: VGR was seen attacking other machines.
1000 Thu: BRL disconnected from MILNET/DISNET; VGR totally isolated.
1200 Thu: BRLNET checking complete, no virus on inside.
1600 Thu: Coordinating with other researchers; DCA orders MILNET hosts shut down, blows gateways.
2200 Thu: Virus was lead story on CNN.
2300 Thu: VGR Test Cell prepared, connected to MILNET.

HISTORY, PART 2
0645 Fri: MIL gateways restored.
0030 Sat: Virus trapped in Test Cell; UCB source received.
0630 Sat: BRL-wide power outage (sigh).
0600 Mon: 2 additional attack modules reverse engineered.
1200 Mon: BRL Vulnerability Sweep programs operating.
1600 Mon: Patched servers installed.
1200 Tue: Reattach BRL to network.

WHO BRL WORKED WITH THROUGH THE NIGHT: Tim Smith, US Naval Academy; Cliff Stoll, Harvard; Keith Bostic, Berkeley; Rick Adams, Seismo; Jenny, CONUS Monitoring; Bob Fields, CONUS Monitoring; CPT Bill Arbaugh, Pentagon; Peter Yee, NASA/Berkeley.

BRL APPROACH: Use instrumented Test Cell; analyze attack modes; coordinate community efforts via telephone; assist with reverse engineering; relay info on attack modes, including flukes (2nd priv inetd at 3 sites, Ingres lock daemon, system accounting).

ATTACK MODES: Sendmail SMTP server; Finger daemon; Password attack (word list, .rhosts etc., hosts.equiv, .forward).

AFTER PENETRATION: Gorch attack sends l1.c sources, compiles and runs; l1 loading gets Sun and VAX object from network; l1 shell links 2nd stage; attack: crack, propagate.

NETWORK SWEEP TOOL: Finger daemon buffer overrun; FTP bugs; TFTP bugs; passwd; rsh; SMTP Sendmail Wiz, Debug.

FIXES: Improved fingerd with logging; FTPD fixes; other fixes; code installed on
Suns and Goulds; in progress on Crays, Alliant, Convex. BRL has source code licenses.

BOOKS/NEWS: Adolescence of Sole on Saphire. Press coverage was remarkably good; my congratulations to the Public Relations folks. My fear, these headlines: "Computer Virus Spreads to Humans", "96 Left".

BRL STATUS: No information lost. Minor disruption of work schedules due to network disconnection. BRL computers now secure against this threat. Anti-Viral Team used 500 man-hours; incidental people used 1000 man-hours. Copy of virus still captive in test cell.

WHO IS THIS MUUSS FELLOW ANYWAY? Michael Muuss, Leader, Adv. Computer Systems Team, Ballistic Research Laboratory, APG, MD 21005-5066 USA. AV 283-6678. ArpaNet: Mike@BRL.MIL.

BRL WanBusters: Mike Muuss, Phil, Doug, Terry Slattery, Bob, Sue Muuss, Lee Butler.

SITE EXPERIENCE: MIT (D. ALVAREZ, M. J. ROCHLIS)

Don Alvarez, MIT Center for Space Research, 233-7137

Observations on the Virus at MIT
1. Work was performed primarily by small, isolated groups. Three to five members seems ... Groups seem to form first by physical proximity ... inner groups ... old boy network. Groups seem to break along functional lines: coordinating and communicating information; protecting and disinfecting machines; researching and disassembling.
2. ... sites were able to isolate and secure their machines in about three hours after receipt of Peter
Yee's warning ... little effort to notify government until ... inter-group communications were over telephones rather than computer mail ... did not try ... 1-3 hours before any command post set up ... groups began working on disassembly of virus; no one needed to pool resources ... seemed to have expected and anticipated relapses to multiple infestation but were not concerned by this ... members hit by fear only when the virus reinfected supposedly safe machines long after the threat was believed over, as with the finger daemon attacks. The illusion of security was shattered.

Don Alvarez, Center for Space Research, 617 253-4557

Conclusions: Safe use of telephones is essential; information on the virus could not have been exchanged between workers without them. Mixed voice/data would make cleanup much more difficult and dangerous. Greater mixing between system managers and government security professionals is necessary if a nationally coordinated response is to be possible in the future. Most system managers don't know any security professionals and hence cannot reach them through their old boy network. A two-pronged, time-delayed attack would be extremely ..., particularly if the second attack was ... as groups were disbanding and felt a sense of confidence and ... from their work. ... decisive ... in a timely ... UUNET had gone down ... tape recorder ... modem ... Users would be able to upload patches and code from this clearing house in a ... manner.

SITE EXPERIENCE: SRI (D. EDWARDS)

SITE EXPERIENCE: LOS ALAMOS (ALICE
BAKER)

SITE EXPERIENCE: FIXES AND PATCHES (P. LAPSLEY)

FIXES & PATCHES: night plan; bug; backups; net exclusions; monitor; classified control; signature; bridges; administrator cooperation; questions; others.

[Diagram sequence, source host to destination host:]
1. Find a victim: examine network tables.
2. Get victim to open door: password attack, for rlogin/sh.
3. Throw grappling hook in: (a) transfer helper program to destination; (b) compile and execute helper on destination; (c) establish connection with source.
4. Pull across virus code: (a) object modules; (b) compile and execute.

DEFENSE ADVANCED RESEARCH PROJECTS AGENCY
1400 WILSON BOULEVARD, ARLINGTON, VA 22209-2308
8 November 1988

MEMORANDUM FOR THE DIRECTOR
SUBJECT: Account of the 2 November 1988 Internet Virus (updated)

The swiftness of onset and scale of infection of the recent Internet Virus reinforce the need to make more aggressive steps in developing appropriate technology and policy for computer security. The attached memorandum provides details concerning the technical characteristics of the virus, and it makes preliminary recommendations concerning associated policy issues and areas for accelerated research.

William L. Scherlis, Information Science and Technology Office
Stephen L. ..., Information Science and Technology Office

1. THE VIRUS

1.1 ONSET. The virus appeared on computers on the ARPANET, MILNET and associated regional and local networks. These are unclassified networks linking tens of thousands of users and supporting a wide range of research and military
applications. The onset of the virus was extremely rapid. There was an initial report from Cornell at 1700 EST Wednesday 2 November 1988, but the first reports outside Cornell occurred four hours later, at approximately 2100 EST, when the virus appeared at more than a dozen major sites. Sites affected include UC Berkeley, University of Maryland, Cornell, Carnegie Mellon, NASA Ames, MIT, University of Southern California, UCLA, Livermore Laboratories, BRL and many others. By midnight the virus had spread through more than a thousand computers (workstations, minis and mainframes) on both the ARPANET and MILNET and on connected local networks. The virus first appeared on computers just before midnight.

1.2 SYMPTOMS AND BEHAVIOR. The principal symptoms of the virus, as perceived by computer users, are degradation of system response and loss of available space in the file system. These are benign in the sense that (1) the virus does not delete or alter existing files and (2) it does not compromise files by transmitting them to remote sites or by altering protections. The principal activity of the virus is to replicate itself and spread to other machines. The virus runs as a background process on its host, so its presence is not immediately obvious to a user. In many cases large numbers of multiple independent instances of the virus appear on single machines, with resultant degradation of performance.

1.3 METHODS OF ATTACK. The virus attempts to propagate itself using four methods of attack. Two of the four methods (SENDMAIL and FINGERD) relied on implementation errors, now fixed and distributed to most major sites, in network protocol server programs. A third method (PASSWORD) is a brute force method. The last method (RSH) exploits security assumptions in local networks that are violated as a result of a successful attack on the external local net security perimeter using one of the other three propagation methods. It must be emphasized that the implementation errors that permit spread of this particular kind of virus are NOT in the network
protocols themselves, or in the host operating system designs or their implementations, or in the computer or network hardware. They are in specific implementations of programs running on hosts that provide specific network services.

SENDMAIL ATTACK. In most cases the virus propagates itself to a remote machine by exploiting an error in a server program called SENDMAIL that handles the sending and receiving of computer mail. The program implements a network mail protocol called SMTP. There is nothing wrong with the protocol in this case. The error was that the program that uses this protocol adds a new feature. Ordinarily the program receives a block of text along with header information indicating which user is the recipient of the message. The block of text is inserted at the end of the user's mail file, and a record is added to a log file. Erroneous messages are logged and returned to the sender, and possibly to a postmaster mailbox as well. The developer of the SENDMAIL program had included a special feature, however, to facilitate his debugging: mail messages whose headers contain a special DEBUG flag are interpreted not as text but as programs to be executed. It must be emphasized that this feature is not part of the protocol but was included by the developer for his own convenience. It transpired that when the program went into formal distribution the feature was not disabled. The virus propagates itself by exploiting this feature to create a running process on a remote machine with whatever access and privileges were available to the SENDMAIL process. In most cases, because of file protections and operating system safeguards, these privileges are sufficient to do moderate damage at most; in some cases, usually involving poor systems configuration, the potential for damage is much greater. But, as indicated above, the virus does not remove files even when it is possible for it to do so. In this sense it is benign.

PASSWORD ATTACK. The virus tries to establish itself as a legitimate user, rather than
remaining a system process with few privileges on the infected host and other local machines, by guessing passwords. It does this by trying as passwords (1) the words in the standard online spelling dictionary, (2) various transformations on the user's name and (3) words in a special list of possible passwords included in the virus itself. Ordinary login attempts cannot use this technique because time delays are generally inserted on all password failures. In this case the virus uses its own implementation of the DES algorithm to generate the encoded password representation used in Unix password files. This could imply that the virus is subject to export control in the same way that Unix with DES is currently subject to export control. There were cases in which this guessing of passwords by the virus was successful, and the virus often appeared running as if it were a legitimate user. The attacking program contained no indication of any intent to exploit special access it might acquire as a result of this attack.

RSH ATTACK. Once established on a local network, the virus could propagate itself by exploiting a feature called RSH that enables local machines to authenticate users for each other. This feature is convenient when a local network is itself well protected and when users on that network must interact frequently. If the feature is enabled in a local network, and if the virus had succeeded in masquerading as a legitimate user, then it could spread quickly in a local net, since the machines in the net would assume that the virus had already been authenticated.

FINGERD ATTACK. A fourth method of entry was to exploit an error in a different protocol server program, for locating users on remote machines. This program error is exploited by the virus to establish a running process on the remote machine.

1.4 ESTABLISHING THE INFECTION. After a successful attack, the first stage of infection is the infiltration of a small bootstrap program onto the remote machine. The bootstrap program then
retrieves from the previous point of infection a much larger main program. Both the bootstrap program and the main program were designed to evade detection by masquerading as system or user processes and by removing the programs from the disk once they are running in memory. The bootstrap program is transmitted in source form, and it compiles and loads itself on the remote machine. Its main function is to retrieve the main program. As the virus propagates, the bootstrap program is adapted by the main program that propagates it, so that it refers only to the most immediate infected source. The main program, which contains the actual code for assaulting remote machines using the four methods detailed above, is transmitted in object form. Actually, two versions of the program are transmitted, for two different instruction set architectures. A portion of the data of the main program is encoded using a simple XOR code. When the program starts, it decodes most of its data area, that is, in the main memory of the newly infected host. The disk version remains in encoded form and is eventually deleted as the virus covers its tracks. Once the main program is running, the machine is in an infectious state. In many cases multiple instances of the program were running simultaneously, each attempting to infect other machines on the network. Randomization techniques are used to ensure that the multiple instances did not overly interfere with each other. The virus would also occasionally spawn a clone of itself and then terminate, with the effect that no large accumulations of CPU time would be evident on casual browsing of process status information.

1.5 DETECTION AND DIAGNOSIS. The presence of a large scale virus infection is readily detectable by casual users due to its effect on machine performance. Small scale infections are not as easily noticed, and indeed it is easy to imagine that the virus could have been tuned to be less readily detectable by decreasing the extent of denied service. Expert users generally could spot the
spurious running processes and remove them as they appeared. This provides fast relief but not immunization. When detection first occurred Wednesday night, many sites disconnected themselves from the network and powered down critical machines. Both Livermore Labs and NASA Ames disconnected themselves from the network. Bridges between MILNET and ARPANET were closed, but only after the infection had already spread to MILNET. Many sites left one or two machines running in order to enable communication with other sites and to permit study of the virus activity. In the DARPA local network, for example, infection occurred around midnight Wednesday. The other DARPA offices were unaffected because they are not on the network. The network connections were disabled during the night and machines were powered down Thursday morning. As the virus spread, systems programmers at the various network sites established close communication and were able to share observations and results on an hourly basis. By continually killing spurious processes as they appeared on computers, most of the systems programmers were able to stay online and share results using network mail and bulletin boards. The virus did, however, have the effect of slowing communications on the network as it spread Wednesday night and Thursday morning. Because of the close working relationship DARPA has with the research community affected, it was able to facilitate communication among groups, track the situation and keep appropriate people advised. Many of the procedures followed at DARPA were based on a prior experience with the 13 May 1988 virus hoax. Monitoring of the virus process activities revealed the various methods of attack that were used, which led to the development of immunization techniques and implementation of preventive measures.

1.6 IMMUNIZATION AND PREVENTION. For each of the four methods of attack, immunization and/or prevention measures were developed. Many major sites had already eradicated the virus and were immunized by Thursday
evening or early Friday morning. DARPA machines were running and connected to the network within 18 hours of appearance of the virus at DARPA.

SENDMAIL IMMUNIZATION. This method of attack was permitted due to an error in a widely distributed mail protocol server program. Within hours of discovery of the virus, fixes were in general distribution. The first posting was made at 0600 EST Thursday, with corrections that followed. The fixes were sufficiently simple that they could be carried out by instructions given over the telephone. These fixes generally prevented infection of a site if it was not infected already.

PASSWORD PREVENTION. This method of attack works only in cases where users fail to follow conventional password guidance, which is not to use dictionary words or their own names. Affected users and potentially affected users were instructed to change their passwords.

RSH PREVENTION. This method of attack works only because of a failure of the external security perimeter of a local network. In most cases the level of trust among machines in local networks was temporarily reduced by disabling RSH pending full eradication and immunization.

FINGERD IMMUNIZATION. A day after discovery of the virus, fixes for FINGERD were in general circulation. The error was a common programming error: input to FINGERD that was too long resulted in certain unrelated internal data areas being overwritten by portions of the input. The virus exploited this by using overlong input values that overwrote the unrelated data areas with data that resulted in the virus being able to start a new process. The fix to FINGERD is to insert a check for incorrect input.

1.7 ASSESSMENT AND RECOVERY. Other than denial of service and lost time, no specific unrecoverable damage was caused by the virus. As indicated above, no files are known to be lost and no information is known to be compromised. Once eradication and immunization were underway, the systems programmers at Berkeley and MIT embarked on a project to analyze
the 60000 bytes of object code and data for the main program. A special program was written to decode the data for the main program. The dictionary of common passwords stored in the virus was extracted and distributed to many sites. The major challenge of the analysis project was reverse engineering the object code into source programs. A preliminary version was completed on Saturday 5 November, and a preliminary document describing the actions of the object code has been released. The derived source code itself is not being released, however, since many systems are not yet fully immunized and the code exposes specific vulnerabilities. The program is sophisticated and was written by someone with considerable systems expertise. The smaller bootstrap program used upon initial penetration is propagated in source form. Copies of the messages were obtained when mail to remote sites not running the bad SENDMAIL program returned the message back to the Postmaster mailbox of the originating, previously infected site. These intercepted mail messages contain the source text.

2. PRELIMINARY OBSERVATIONS

2.1 RISKS. The ARPANET is a dual use network. It serves as a laboratory for performing experiments in large scale networking while providing services for the research community. Because of the leverage it provides, this dual use approach is common in the computing research community and applies to other large scale technologies such as operating systems, parallel computers, user interaction systems, experimental expert systems shells and the like. Historically, the research community has been willing to sustain the additional risk in order to obtain functionality beyond the state of the art. Policy requires that no classified data be accessible on the ARPANET and interconnected networks except through NSA certified private line interfaces. Messages using approved devices are unclassified. The Internet community consists of 300 or more sites, some of which have hundreds and in some cases thousands of computers attached to
local networks. A common set of protocols enables communication in the net despite the wide range of computers and operating systems employed. A key issue is the extent to which improved security safeguards are required by the Internet community.

2.2 COSTS. Current systems that have high security requirements generally achieve this through (1) physical isolation of the network or computing installation (an exception is the use of NSA approved private line interfaces), (2) provision of access only to cleared personnel and (3) use of design and engineering principles including redundancy, tagging and precise specifications. Satisfying these requirements generally means making sacrifices in functionality, performance and cost. Interoperability and open interfaces are also often sacrificed, making it difficult to incrementally improve the capabilities of the systems after deployment. In research systems, on the other hand, security is often sacrificed in order to maximize functionality, performance and flexibility. In general, however, there are tradeoffs among these characteristics, with security currently exacting a very high cost.

2.3 VULNERABILITIES. The virus exploited errors in the implementation of two protocol server programs. Installation of correct versions of the programs, as was done as part of the response to this virus, resulted in immunization. The virus exploited implementation errors. The vulnerabilities exploited by the virus are NOT in the network protocol design, the operating system design or the underlying hardware design. This is in distinction with the PC community, in which viruses are able to propagate and cause damage as a result of specific shortcomings of design of the PC operating systems. In the PC community, virus detection and eradication are often quite difficult and immunization is often impossible. It should be noted that if the author of this virus had chosen to be destructive, wanton destruction of user files would nonetheless have been prevented by a properly
implemented and configured operating system. Errors in implementation can result in vulnerabilities, of course. For this reason formal security guidelines, such as those articulated in the Orange Book, emphasize good implementation practice. B1 secure implementations of Unix now exist, and implementations at higher levels of security are being developed, for B3 level and, for Mach, A level and beyond. Confidence in security in these cases is achieved through a social process involving attention to design principles and inspection of code. Higher confidence can be obtained using the formal methods approaches that are now being developed. It is probably fair to conjecture, however, that even if the operating system kernel was trusted at B3 or A level, a virus would still be able to propagate itself by exploiting server errors in cases where servers are outside the kernel. Of course, this hypothetical virus would not be able to damage or compromise protected data.

3. TECHNOLOGY AND POLICY ISSUES

3.1 GOALS. In the near term, effective procedures must be developed that can provide suitable response to viruses that can spread to thousands of computers across the country in a matter of hours, as this one did. In the longer term, policies and technology solutions must be developed to reduce vulnerability of both classified and unclassified networks and systems, while not sacrificing functionality and performance.

3.2 RESPONSE PROCEDURES. We recommend the formation of a National Computer Infection Action Team (NCIAT) to work in the Defense and national research communities.

FUNCTION. The NCIAT would have three functions. (1) It would provide a mechanism for coordinating response in acute situations. As the recent virus episode demonstrates, extremely rapid mobilization and coordination with the community is essential. (2) It would provide a coordination point for rumors of viruses. In the recent virus episode there was no advance warning; the virus simply appeared. Several months earlier, however, there was a case in
which there were rumors of a virus about to strike, with tremendous resulting defensive activity in the community. The virus was a hoax. (3) It would provide a focal point for discussion of prevention, coordination and awareness in the community, perhaps through publications.

ORGANIZATION. The NCIAT would operate at three organizational levels. (1) The top level would consist of an Executive Group at the level of flag officers, who would empower the group and have sufficient authority and access to permit fast response when required. (2) The middle level, the Action Group, would provide working level support in the government. (3) The operating level, the Associates Group, would include elite systems programmers from industry, government and the research community. This group is the heart of the NCIAT. These positions would be assigned in such a way that appointment as an Associate is a mark of significant recognition and accomplishment as a senior systems programmer. Rotating terms of appointment would enable a new set of Associates to be designated each year after a formal selection process. This would ensure effective community representation. Retired Associates remain a source of expertise, though they are not expected to provide the same rapid response as Associates. Associates would become a primary means of access for the community to NCIAT, both for routine and emergency operations. Membership in NCIAT Executive and Action groups would include Services and Agencies in DOD, NSA, NCSC, NIST, NSF, the FBI and other appropriate organizations. Close coordination contacts would be developed with industry and with major research laboratories, including the National Labs. A database of key experts and industry and government contacts would be maintained. NCIAT would have a small core staff to support routine operations, data collection and dissemination, and, in acute situations, communications with NCIAT group members and others. The NCIAT would focus its initial efforts in the Internet community. NCIAT would have a well
known network mailbox an 800 number and a computer facility to provide database service and to enabie emergency data and authentication communications The computer facility would consist of a primary system that is connected to the Internet and a secondary system that is not connected to the network but only to the first system and through a protected interface The primary system would serve as a database platform and would supprt routine operations The second system through provision of dial up or other special access support would provide NCIAT members and others in the community with a known communications point to be used in an emergency even if the Internet should become damaged or unavailable Community support for NCIAT is essential since discussion of local viruses and vulnerabilities can require a high level of trust and respect for privacy It is anticipated that much coordination with the user and systems support community would occur at the Associates level 3 3 TECHNOLOGY CHALLENGES We recommend that security assessments should be done for existing nonclassified systems in order to determine 1 what are appropriate natural levels of security that can be achieved with reasonable impact checksums for configuration management validation viruses server and gateways audits audit trails authentication service and 2 what mid term technology steps can be made that will provide significant improvements For the longer term we recommend acceleration of investment in technology for the development of trusted and secure systems The challenges are 1 to increase the absolute level of security attainable and 2 to reduce drastically the functionality and performance premium for security and trust The first challenge must be met if we are to build systems that provide the very high levels of security assurance and trust that are required in highly sensitive applications and in life critical systems A basic technology in this area is formal methods which also has 
applications to parallel programming and program optimization The European defense community is already moving towards use of formal methods for systems acquisitions in which safety and security are critical A verified microprocessor chip design has already been produced by RSRE Major areas for development with more immediate payoff include 1 operating systems security particularly for parallel operating systems 2 secure network technology 3 trusted servers including authentication service and network le service and 4 trusted hardware designs such as for embedded 32 bit RISC processors 3 4 POLICY AND BALANCE We recommend that closer working relationships be developed among the various organizations involved in computer security and trust At a minimum this includes NSA as a user NCSC as a policy and certi cation organization NIST as a policy and certi cation organization DARPA as a technology developer DCA as a network operator and Service agencies In the recent episode an informal open process in the community led to fast eradication and immunization It is obvious that any formalized response mechanism must be at least as efficient as the current process This requires clear channels of communication trust and cooperation among the parties involved effective two way information flow and most importantly the empowerment of the best technical people available in the community to work together to detect diagnose and resolve acute problems when they occur OFFICE Of SECRETARY 0r earners 5 BBDEC -5 PH 2 37 THE UNDER SECRETARY OF DEFENSE WASHINGTON DC 20301 ACQUISITION MEMORANDUM FOR SECRETARY OF DEFENSE SUBJECT Summary Report of the Executive After Action Assessment Team on the Computer Virus of November 1988 - - ACTION MEMORANDUM An Executive After Action Assessment Team_met on November 14 to assess the Internet computer virus attack which was first detected on November 2 The review team was composed of senior representatives from DCA DARPA NBA and Tab H The team 
reviewed the events and actions taken after the detection of the virus on ARPANET and MILNET on November 2 reviewed the DARPA report on the technical characteristics of the virus Tar G reviewed the report by the National Computer Security Center of the Proceedings of the Virus Post MorteH1Meeting held November 8 Tat F and concluded with recommendations for improving the Department's responsiveness to future attacks The team generally recognized that due to the extraordinary efforts of a few talented people and the specific nature of this virus the Department of Defense did not experience a major catastrophe However preventive actions should now be taken to reduce the DoD's exposure to future potentially more destructive viruses The team concluded that improvements at the national level and within the Department of Defense and other Federal Agencies are advisable and could be grouped in two general categories--response organization and improved awareness In order to provide a rapid response capability there should be a central coordination center established as quickly as possible with the following characteristics - national level center - manned 24 hours day 7 days week could be an extension to an existing center like the NCC under the NCS emergency alerting procedures including key personnel recall to include key network operations centers and investigative poc s access to executive level decision makers if necessary u Sq-'1 J - establish contact to technical experts both in industry and academia - focal point when major problems viruses as well as other computer security related vulnerabilities are identified receive problem reports coordinate solutions able to authenticate source of corrections emergency communications capability - available as the single interface point to press - archival repository This central coordination center should be designed under the joint auspices of the National Computer Security Center NCSC under NSA and the National Institute of 
Standards and 'Technology NIST formerly NBS under Commerce with technical assistance from DARDA Its primary focus would be in the unclassified domain but extensions to the procedures should be developed to deal with classified network computer events The Joint Staff is aware of the potential impact on DoD s classified networks and is working that issue in parallel Current prototype coordination center efforts being initiated by the Software Engineering Institute for DARPA provide conceptual demonstrations and should be the design model for the center There is also a need for increased security awareness relating for example to passwords and file backups Lessons learned from this particular virus attack should be documented jointly by the NCSC and NIST and then widely published Additionally the Office of Personnel Management 0PM should be provided with a copy of this report for use in their future training endeavors In addition to the general recommendations above there were events that occurred during the virus that warrant further specific actions Due to the limited information available and the rapid changes that have occurred in all local and wide area data networks in the past several years a current vulnerability assessment of all major networked systems This action nmy well uncover additional actions which should be taken to reduce the risk of or the effect of future virus attacks Consideration should be given to assembling a minimum set of virus analysis tools The memoran Tab B includes both or these requirements The need for intensified research and development in this particular computer security area is also stressed to both NSA and DARPA in the memorandum Further responsibilities for the security management and operation of the Defense Data Network and ARPANET should be more clearly defined coordinated and documented The memorandum to DCA and DARPA also'Tab B includes this requirement Recommendations Because of the joint effort required from Commerce and 
NSA recommend that you sign the letter to Mr Verity Secretary of Commerce requesting their collaboration in the development of the response organization and improved awareness Recommend you sign the memorandum at Tab asking NSA DCA and DARPA to support the findings of the After Action Assessment Team Recommend you sign the letter at Tab to the Department of Justice asking for their support in the development of the central coordinating center Recommend you sign the letter at Tab to 0PM forwarding the findings and recommendations to them for their consideration in future computer security training Once these actions are complete the press release prepared by OASD Publir Affairs Tab E is recommended for immediate releaseCoordination Bracher via phone 18 Nov88 Fields via phone 18 Nov88 Gallagher- fyia phone 18 Noy88 Joint Staff J6 Dr Bialick via phone 18 Nov88 signature copies will be added as soon as available Coord asmmap Gm 3 Green Jr Prepared by DFountain IS 7181 I am Jam 050151999 Fred a Hoffman Much-I Deputy mm Secretary THE UNDER SECRETARY OF DEFENSE 8 20301 ACQUISITION wt MEMORANDUM FOR SECRETARY OF DEFENSE SUBJECT Summary Report of the Executive After Action Assessment Team on the Computer Virus of November 1988 -- ACTION MEMORANDUM An Executive After Action Assessment Team met on November 14 to assess the Internet computer virus attack which was first detected on November 2 The review team was composed of senior representatives DCA DARPA NSA and Tabi The team reviewed the events and actions taken after the detection of the virus on ARPANET and MILNET on November 2 reviewed the DARPA report on the technical characteristics of the virus TatiG reviewed the report by the National Computer Security Center of the Proceedings of the Virus Post MorteNtMeeting held November 8 Tab and concluded with recommendations for improving the Department's responsiveness to future attacks The team generally recognized that due to the extraordinary efforts of a few talented 
people and the specific nature of this virus the Department of Defense did not experience a major catastrophe However preventive actions should now be taken to reduce the DoD's exposure to future potentially more destructive viruses The team concluded that improvements at the national level and within the Department of Defense and other Federal Agencies are advisable and could be grouped in two general categories response organization and improved awareness In order to provide a rapid response capability there should be a central coordination center established as quickly as possible with the following characteristics - national level center - manned 24 hours day 7 days week coulclbe an extension to an existing center like the NCC under the NCS - emergency alerting procedures including key personnel recall to include key network operations centers and investigative poc's access to executive level decision makers if necessary I In I I J 14 5555 establish contact to technical experts both in industry and academia - focal point when major problems viruses as well as other computer security related vulnerabilities are identified - receive problem reports - coordinate solutions able to authenticate source of corrections - emergency communications capability available as the single interface point to press archival repository This central coordination center should be designed under the joint auspices of the National Computer Security Center NCSC under NSA and the National Institute of Standards and 'iTechnology formerly NBS under Commerce with technical assistance from DARPA Its primary focus would be in the unclassified domain but extensions to the procedures should be developed to deal with classified network computer events The Joint Staff is aware of the potential impact on DoD's classified networks and is working that issue in parallel Current prototype coordination center efforts being initiated by the Software Engineering Institute for DARPA provide conceptual 
demonstrations and should be the design model for the center There is also a need for increased security awareness relating for example to passwords and file backups Lessons learned from this particular virus attack should be documented jointly by the NCSC and NIST and then widely published Additionally the Office of Personnel Management OEWU should be provided with a copy of this report for use in their future training endeavors In addition to the general recommendations above there were events that occurred during the virus that warrant further specific actions Due to the limited information available and the rapid changes that have occurred in all local and wide area data networks in the past several years a current vulnerability assessment of all ma'or stems ed This action may well uncover additional actions which should be taken to reduce the risk of or the effect of future virus attacks Consideration should be given to assembling a minimum set of virus analysis tools The of these requirements The need for 1 en31 led research and oeverop g fiT 'f fs particular computer security area is also stressed to both NSA and DARPA in the memorandum Further responsibilities for the security management and operation of the Defense Data Network and ARPANET should be more clearly defined coordinated and documented The memorandum to DCA and DARPA also'Tab B includes this requirement Recommendations Because of the joint effort required from Commerce and NSA recommend that you sign the letter Tab A to Mr Verity Secretary of Commerce requesting their collaboration in the development of the response organization and improved awareness Recommend you sign the memorandum at Tab asking NSA DCA and DARPA to support the findings of the After Action Assessment Team Recommend you sign the letter at Tab to the Department of Justice asking for their support in the development of the central coordinating center Recommend you sign the letter at Tab to 0PM forwarding the findings and 
recommendations to them for their consideration in future computer security training Once these actions are complete the press release prepared by OASD Publir Affairs Tab E is recommended for immediate release if I L2 g 1 Coordination Bracher via phone 18 Nov88 Fields via phone 18 Nov88 Gallagher Via phone 18 Noy88 Joint Staff J6 Dr Bialick via phone 18 Nov88 signature copies will be added as soon as available @ul Coord Gram 3 Green Jr Fred 5 Hoffman Principal naputy Assistant Secretary MEMORANDUM J Office of the Deputy Secretary of Defense December 12 1988 MEMORANDUM FOR Assistant Secretary of Defense PA Please see comment on attached from Mr Taft which reads Dan Howard should look over the press release here We should probably have a briefer available on it WHT respectfully framdc rt T71 Mil tary Assistant c Attachment OFFICE OF THE SECRETARY OF DEFENSE MEMO FOR Q363wa 5 M waW-Sum 3G qwcz l HQ 4% Beveriy C Staff Ass ct arit I Barres Directives mom 14 November 1988 The Center would appreciate knowing of any errors in the enclosed Proceedings of the Virus Post Mortem Meeting please provide corrections to National Computer Security Center Attn C34 9800 Savage Road FT George G Meade MD 20755 6000 If comments are received before 10 December 1988 we will publish a set of corrections to be mailed by 17 January 1989 DRAFT PRESS RELEASE No 202 695 0192 info 202 697-3189 Copies IMMEDIATE RELEASE 202 697 5737 Public Industry IMPROVEMENTS IN COMPUTER SECURITY PROCEDURES Secretary of Defense Frank C Carlucci has authorized several measures to improve computer security procedures within the Department of Defense These steps resulted from an internal assessment of the Internet computer virus attack that vas first detected on November 2 1988 The preventive measures are designed to reduce DoD s exposure to future potentially more destructive viruses and to provide fast effective response should unauthorized intrusions happen again in government computer networks Essentially these 
initiatives call for greater awareness of the dangers of virus attacks and the establishment of a central response organization Implementation will require cooperation from other Government Agencies to that end the Department of Commerce through its National Institute of Standards and Technology NIST the Department of Justice and the Office of Personnel Management have been asked to join in combatting the problem of computer viruses To increase awareness the National Computer Security Center NCSC under the National Security Agency NSA and Commerce's NIST will develop a report on the lessons learned from the early November attack Among the lessons already identified are requirements for frequent backup procedures to prevent loss of data and the need to discourage the use of common passwords such as proper names or words found in the dictionary This report will be available to users and training officials throughout the government The 000 is proposing the establishment of a 'central nationally-based coordination center to handle emergency situatiods involving computers and netvorks This center would be in operation 24 hours a day have contact with technical experts both in industry and academia and be the focal point for operating and investigative personnel--uhen major problems are identified The center vould receive problem reports coordinate solutions be able to authenticate sources of corrections and ptovide information to the public on the attack Secretary Carlucci has also directed NSA to undertake a current vulnerability assessment oE all major networked computers In addition 000 will be revieving the need for intensified research and development against virus attacks DARPA is implementing a coordination center at the Softvare Engineering Institute to provide 4 rect support to the Internet community which consists primarily of research institutions This center will be developed in close coordination vith NCSC and NIST and will provide a prototype for the 
operational systems of broader scope that they will be developing ai_xr_ RECOMMENDATIONS FROM THE 8 NOVEHBER 1988 OF THE VIRUS PROPAGATION 1 Establish a centralized coordination center This center supported jointly by NIST and NSA would also function as a clearinghouse and repository Computer site managers need a place to report problems and to obtain solutions This center might evolve into a national level command center supporting the government and private sector networks The center needs to provide 24 hour service but not necessarily be manned 24 hours a day responding via beeper after hours might be acceptable 2 Establish an emergency broadcast network In the case the network was used to disseminate the patches antidote at the same time the virus was still actively propagating If the net had gone down there would have been no way to coordinate efforts and disseminate patches It is recommended that a bank of telephone lines be designated as an emergency broadcast network The phones would be connected to digital tape recorders and operate in a continuous broadcast mode or a recorded binary announcement mode to disseminate network status patches etc 3 Establish a response team The technical skills required to quickly analyze virus code and develop antidotes or system patches are highly specialized The skills required are system specific UNIX 4 3 in this case and in many cases exist only at vendor development facilities the majority of commercial operating systems are proprietary and source code is not provided to users The concept of a response team would require advance coordination so that personnel with the requisite skills can be quickly mobilized 4 Maintain technical relationships with the computer science old boy network The virus was analyzed and eradicated through the services of this old boy network not by U13 Government USG personnel This old boy network is willing to participate in supporting USG initiatives however their consensus support and trust is 
required 5 Centrally orchestrate press relations An inordinate amount of time at virtually every site was spent responding to the news media Multiple press reporting from geographically dispersed sites has the potential for circular reporting of incorrect and misleading data A single USG focal point at the national level to interact with the press is recommended ENCLOSURE