Underground.

   Oberman began his own analysis of the worm, oblivious to the fact that
   3200 kilometres away, on the other side of the continent, his colleague
   and acquaintance John McMahon was doing exactly the same thing.


   Every time McMahon answered a phone call from an irate NASA system or
   network manager, he tried to get a copy of the worm from the infected
   machine. He also asked for the logs from their computer systems. Which
   computer had the worm come from? Which systems was it attacking from
   the infected site? In theory, the logs would allow the NASA team to
   map the worm's trail. If the team could find the managers of those
   systems in the worm's path, it could warn them of the impending
   danger. It could also alert the people who ran recently infected
   systems which had become launchpads for new worm attacks.


   This wasn't always possible. If the worm had taken over a computer and
   was still running on it, then the manager would only be able to trace
   the worm backward, not forward. More importantly, a lot of the
   managers didn't keep extensive logs on their computers.


   McMahon had always felt it was important to gather lots of information
   about who was connecting to a computer. In his previous job, he had
   modified his machines so they collected as much security information
   as possible about their connections to other computers.


   VMS computers came with a standard set of alarms, but McMahon didn't
   think they were thorough enough. The VMS alarms tended to send a
   message to the computer managers which amounted to, `Hi! You just got
   a network connection from here'. The modified alarm system said, `Hi!
   You just got a network connection from here. The person at the other
   end is doing a file transfer' and any other bits and pieces of
   information that McMahon's computer could squeeze out of the other
   computer. Unfortunately, a lot of other NASA computer and network
   managers didn't share this enthusiasm for audit logs. Many did not
   keep extensive records of who had been accessing their machines and
   when, which made the job of chasing the worm much tougher.


   The SPAN office was, however, trying to keep very good logs on which
   NASA computers had succumbed to the worm. Every time a NASA manager
   called to report a worm disturbance, one of the team members wrote
   down the details with paper and pen. The list, outlining the addresses
   of the affected computers and detailed notations of the degree of
   infection, would also be recorded on a computer. But handwritten lists
   were a good safeguard. The worm couldn't delete sheets of paper.


   When McMahon learned DOE was also under attack, he began checking in
   with them every three hours or so. The two groups swapped lists of
   infected computers by telephone because voice, like the handwritten
   word, was a worm-free medium. `It was a kind of archaic system, but on
   the other hand we didn't have to depend on the network being up,'
   McMahon said. `We needed to have some chain of communications which
   was not the same as the network being attacked.'


   A number of the NASA SPAN team members had developed contacts within
   different parts of DEC through the company's users' society, DECUS.
   These contacts were to prove very helpful. It was easy to get lost in
   the bureaucracy of DEC, which employed more than 125000 people, posted
   a billion-dollar profit and declared revenues in excess of $12 billion
   in 1989.[10] Such an enormous and prestigious company would not want
   to face a crisis such as the WANK worm, particularly in such a