Page 032

Undergound. Go to Table of Contents.

   First, it tried to copy the list of computer users from a system it

   had not yet penetrated. It wasn't always able to do this, but often

   the system security was lax enough for it to be successful. The worm

   then compared that list to the list of users on its current host. When

   it found a match--an account name common to both lists--the worm added

   that name to the masterlist it carried around inside it, making a note

   to try that account when breaking into a new system in future.


   It was a clever method of attack, for the worm's creator knew that

   certain accounts with the highest privileges were likely to have

   standard names, common across different machines. Accounts with names

   such as `SYSTEM', `DECNET' and `FIELD' with standard passwords such as

   `SYSTEM' and `DECNET' were often built into a computer before it was

   shipped from the manufacturer. If the receiving computer manager

   didn't change the pre-programmed account and password, then his

   computer would have a large security hole waiting to be exploited.


   The worm's creator could guess some of the names of these

   manufacturer's accounts, but not all of them. By endowing the worm

   with an ability to learn, he gave it far more power. As the worm

   spread, it became more and more intelligent. As it reproduced, its

   offspring evolved into ever more advanced creatures, increasingly

   successful at breaking into new systems.


   When McMahon performed an autopsy on one of the worm's progeny, he was

   impressed with what he found. Slicing the worm open and inspecting its

   entrails, he discovered an extensive collection of generic privileged

   accounts across the SPAN network. In fact, the worm wasn't only picking

   up the standard VMS privileged accounts; it had learned accounts common

   to NASA but not necessarily to other VMS computers. For example, a lot

   of NASA sites which ran a type of TCP/IP mailer that needed either a

   POSTMASTER or a MAILER account. John saw those names turn up inside the

   worm's progeny.


   Even if it only managed to break into an unprivileged account, the

   worm would use the account as an incubator. The worm replicated and

   then attacked other computers in the network. As McMahon and the rest

   of the SPAN team continued to pick apart the rest of the worm's code

   to figure out exactly what the creature would do if it got into a

   fully privileged account, they found more evidence of the dark sense

   of humour harboured by the hacker behind the worm. Part of the worm, a

   subroutine, was named `find fucked'.


   The SPAN team tried to give NASA managers calling in as much

   information as they could about the worm. It was the best way to help

   computer managers, isolated in their offices around the country, to

   regain a sense of control over the crisis.


   Like all the SPAN team, McMahon tried to calm the callers down and

   walk them through a set a questions designed to determine the extent

   of the worm's control over their systems. First, he asked them what

   symptoms their systems were showing. In a crisis situation, when

   you're holding a hammer, everything looks like a nail. McMahon wanted

   to make sure that the problems on the system were in fact caused by

   the worm and not something else entirely.


   If the only problem seemed to be mysterious comments flashing across

   the screen, McMahon concluded that the worm was probably harassing the

   staff on that computer from a neighbouring system which it had

   successfully invaded. The messages suggested that the recipients'