Underground

   Ron Tencati and Todd Butler had a copy of the new WANK worm ready for
   McMahon. This version of the worm was far more virulent. It copied
   itself more effectively and therefore moved through the network much
   faster. The revised worm's penetration rate was much higher--more than
   four times greater than the version of WANK released in the first
   attack. The phone was ringing off the hook again. John took a call
   from one irate manager who launched into a tirade. `I ran your
   anti-WANK program, followed your instructions to the letter, and look
   what happened!'


   The worm had changed its process name. It was also designed to hunt down
   and kill the decoy-duck program. In fact, the SPAN network was going to
   turn into a rather bloody battlefield. This worm didn't just kill the
   decoy, it also killed any other copy of the WANK worm. Even if McMahon
   changed the process name used by his program, the decoy-duck strategy
   was not going to work any longer.


   There were other disturbing improvements to the new version of the
   WANK worm. Preliminary information suggested it changed the password
   on any account it got into. This was a problem. But not nearly as big
   a problem as if the passwords it changed were for the only privileged
   accounts on the system. The new worm was capable of locking a system
   manager out of his or her own system.


   Prevented from getting into his own account, the computer manager
   might try borrowing the account of an average user, call him Edwin.
   Unfortunately, Edwin's account probably only had low-level privileges.
   Even in the hands of a skilful computer manager, the powers granted to
   Edwin's account were likely too limited to eradicate the worm from its
   newly elevated status as computer manager. The manager might spend his
   whole morning matching wits with the worm from the disadvantaged
   position of a normal user's account. At some point he would have to
   make the tough decision of last resort: turn the entire computer
   system off.


   The manager would have to conduct a forced reboot of the machine. Take
   it down, then bring it back up on minimum configuration. Break back
   into it. Fix the password which the worm had changed. Log out. Reset
   some variables. Reboot the machine again. Close up any underlying
   security holes left behind by the worm. Change any passwords which
   matched users' names. A cold start of a large VMS machine took time.
   All the while, the astronomers, physicists and engineers who worked in
   this NASA office wouldn't be able to work on their computers.


   At least the SPAN team was better prepared for the worm this time.
   They had braced themselves psychologically for a possible return
   attack. Contact information for the network had been updated. And the
   general DECNET internet community was aware of the worm and was
   lending a hand wherever possible.


   Help came from a system manager in France, a country which seemed to
   be of special interest to the worm's author. The manager, Bernard
   Perrot of Institut de Physique Nucleaire in Orsay, had obtained a copy
   of the worm, inspected it and took special notice of the creature's
   poor error-checking ability. This was the worm's true Achilles' heel.


   The worm was trained to go after the RIGHTSLIST database, the list of
   all the people who have accounts on the computer. What if someone
   moved the database by renaming it and put a dummy database in its