Underground

   Perhaps, he thought, the code had once been nice and linear and it all
   made sense. Then the author chopped it to pieces, moved the middle to
   the top, the top to the bottom, scrambled up the chunks and strung
   them all together with a bunch of `GO TO' commands. Maybe the hacker
   who wrote the worm was in fact a very elegant DCL programmer who
   wanted the worm to be chaotic in order to protect it. Security through
   obscurity.

  

   Oberman maintained a different view. He believed the programming style
   varied so much in different parts that it had to be the product of a
   number of people. He knew that when computer programmers write code
   they don't make lots of odd little changes in style for no particular
   reason.

  

   Kevin Oberman and John McMahon bounced ideas off one another. Both had
   developed their own analyses. Oberman also brought Mark Kaletka, who
   managed internal networking at Fermilab, one of HEPNET's largest
   sites, into the cross-checking process. The worm had a number of
   serious vulnerabilities, but the problem was finding one, and quickly,
   which could be used to wipe it out with minimum impact on the besieged
   computers.

  

   Whenever a VMS machine starts up an activity, the computer gives it a
   unique process name. When the worm burrowed into a computer site, one
   of the first things it did was check that another copy of itself was
   not already running on that computer. It did this by checking for its
   own process names. The worm's processes were all called NETW_ followed
   by a random, four-digit number. If the incoming worm found this
   process name, it assumed another copy of itself was already running on
   the computer, so it destroyed itself.

  

   The answer seemed to be a decoy duck. Write a program which pretended
   to be the worm and install it across all of NASA's vulnerable
   computers. The first anti-WANK program did just that. It quietly sat
   on the SPAN computers all day long, posing as a NETW_ process, faking
   out any real version of the WANK worm which should come along.

  

   Oberman completed an anti-WANK program first and ran it by McMahon. It
   worked well, but McMahon noticed one large flaw. Oberman's program
   checked for the NETW_ process name, but it assumed that the worm was
   running under the SYSTEM group. In most cases, this was true, but it
   didn't have to be. If the worm was running in another group, Oberman's
   program would be useless. When McMahon pointed out the flaw, Oberman
   thought, God, how did I miss that?

  

   McMahon worked up his own version of an anti-WANK program, based on
   Oberman's program, in preparation for releasing it to NASA.

  

   At the same time, Oberman revised his anti-WANK program for DOE. By
   Monday night US Eastern Standard Time, Oberman was able to send out an
   early copy of a vaccine designed to protect computers which hadn't
   been infected yet, along with an electronic warning about the worm.
   His first electronic warning, distributed by CIAC, said in part:

 

   /////////////////////////////////////////////////////////////////////////
   THE COMPUTER INCIDENT ADVISORY CAPABILITY C I A C

  

   ADVISORY NOTICE