Chronology of Virus from the MIT Perspective
Jon Rochlis (jon@bitsy.mit.edu)

The first posting mentioning the virus was by Peter Yee (NASA Ames) at 8:28pm EST on Wednesday to the tcp-ip list. Peter stated that UCB, UCSD, LLNL, Stanford and NASA Ames had been attacked and described the use of sendmail to pull over the virus, including the x files found in /usr/tmp. The virus was observed to send VAX and Sun binaries, have DES tables built in, and made some use of .rhosts and hosts.equiv files. A Berkeley extension was given, and Phil Lapsley and Kurt Pires were listed as being knowledgeable about the virus.

At 3:10am the first notice of the virus at MIT was posted at AMT by Pascal Chesnais. The motd on media-lab read:

    lacsap Nov 3 1988 03:10am
    DO NOT CALL THE GARDEN. IF YOU WANT TO PROTECT YOUR MACHINE TURN OFF SENDMAIL,
    OR JUST TURN YOUR MACHINE OFF OR UNPLUG IT FROM THE [...] DO NOT CALL THE [...]

Pascal had spotted the virus earlier but assumed it was just a local runaway program. The group at AMT figured out after midnight that it was a virus and that it was coming in via mail. The response was to shut down infected machines. The Network Group's monitoring information shows the media-lab gateway first went down at 11:40pm Wednesday, but was back up by 3:00am. Pascal requested that the Network Group isolate the building Thursday at 11:30pm, and it remained isolated until Friday at 2:30pm.

Pascal now reports that the logs on media-lab show several scattered attempts: "ttloop: peer died: No such file or directory" messages. There were a few every couple of days, several during Wednesday afternoon, and many starting at 9:48pm. These are caused by opening a telnet connection and immediately closing it; specifically, inetd spawns a telnetd, but when telnetd goes to read from the network it finds the connection has disappeared. The virus did this in order to determine whether or not to try to infect a target machine.[1] The logs on media-lab start on October 25th, and the following log entries were made before the swarm on Wednesday night:

    Oct 26 15:01:57 media-lab telnetd[23180]: ttloop: peer died: No such file or directory
    Oct 28 11:26:55 media-lab telnetd[23331]: ttloop: peer died: No such file or directory
    Oct 28 17:36:51 media-lab telnetd[12614]: ttloop: peer died: No such file or directory
    Oct 31 16:24:41 media-lab telnetd[18518]: ttloop: peer died: No such file or directory
    Nov  1 16:08:24 media-lab telnetd[16125]: ttloop: peer died: No such file or directory
    Nov  1 18:02:43 media-lab telnetd[...]: ttloop: peer died: No such file or directory
    Nov  1 18:58:30 media-lab telnetd[24644]: ttloop: peer died: No such file or directory
    Nov  2 12:23:51 media-lab telnetd[4721]: ttloop: peer died: No such file or directory
    Nov  2 15:21:47 media-lab telnetd[...]: ttloop: peer died: No such file or directory

[1] The assumption that machines not running a telnetd are not vulnerable to attack is quite interesting. It allowed systems like the Project Athena mailhub, athena.mit.edu, on which we preferred to use only Kerberos authentication, to escape unscathed.

It is not clear whether these represent early testing of the virus or if they were just truly accidental premature closings of telnet connections. With hindsight we can see that a telnetd that logged its peer address even for such error messages would have been quite useful in tracing the progress and origin of the virus.

At 3:34am EST on Thursday Andy Sudduth from Harvard made his anonymous posting to tcp-ip. The posting said that a virus might be loose on the internet and that there were three steps to take to prevent further transmission. These included not running fingerd, or fixing it not to overwrite the stack when reading its arguments from the net; being sure sendmail was compiled without debug; and not running rexecd.[2] The posting was made from an Annex terminal server at Aiken Center at Harvard by telneting to the SMTP port of iris.brown.edu. This is obvious since the message was from foo%bar.arpa and because the last line of the message was "quit" followed by three rubout characters (\177\177\177), an attempt to get rubout processing out of the Brown SMTP server, a common mistake when faking Internet mail. It was ironic that this posting did almost no good.

[2] This was a level of detail that only the originator of the virus could have known at that point. To our knowledge nobody had yet identified the finger bug, since it only affected certain VAXen, and certainly nobody had discovered its mechanism.

The path it took to get to athena was:

    Received: by ATHENA.MIT.EDU id [...]; Sat, 5 Nov 88 05:59:13 EST
    Received: from RELAY.CS.NET by [...] with [...]; 4 Nov 88 23:23:24
    Received: from cs.brown.edu by RELAY.CS.NET id a105627; 3 Nov 88 3:47 EST
    Received: from iris.brown.edu (iris.ARPA) by cs.brown.edu (1.2/1.00) id [...]; Thu, 3 Nov 88 03:47:19 est
    Received: from 128.103.1.92 with SMTP via tcp/ip by iris.brown.edu on Thu, 3 Nov 88 03:34:46 EST

There was a 20 hour delay before the message escaped from relay.cs.net and got to sri-nic.arpa. Another 6 hours went by before the message was received by athena.mit.edu. Other sites have reported similar delays.

At 5:58am Thursday morning Keith Bostic made the virus bug fix posting. The message went to tcp-ip, comp.bugs.4bsd.ucb-fixes, news.announce and news.sysadmin. It supplied the compile-without-debug fix to sendmail (or patching the debug command to a garbage string), as well as the very wise suggestion to rename cc and ld, which was effective since the virus needed to compile and link itself. Gene Spafford forwarded this to nntp-managers@ucbvax.berkeley.edu at 8:06am. Ted Ts'o (tytso@athena.mit.edu) forwarded this to an internal Project Athena hackers list (watchmakers@athena.mit.edu) at 10:07. He expressed disbelief ("it's not April") and thought we at Athena were safe. Though no production Athena servers were infected, several private workstations and development machines were, so this proved overly optimistic.

During Thursday morning Ray (ray@math.mit.edu) spotted the virus on the MIT math department Suns and shut down the math gateway at 10:15am; it remained down until 3:15pm. Gene Spafford posted a message at 2:50pm Thursday to a large number of people and mailing lists, including nntp-managers, which is how we saw it quickly at MIT. It warned that the virus used [...] and looked in hosts.equiv and .rhosts for more hosts to attack.

Around this time the MIT group in E40 (Project Athena and the Network Group) called Milo Medin (medin@nsipo.nasa.gov) and found out much of the above. Many of us had not yet seen the messages. He pointed out that the virus just loved to attack gateways found via the routing tables, and remarked that it must have not been effective at MIT, where we run our own gateway code, not Unix. Milo also informed us that DCA had shut down the mailbridges. He pointed us to the group at Berkeley, and to Peter Yee specifically.

At about 5pm on Thursday Ron Hoffmann (hoffmann@bitsy.mit.edu) observed the virus attempting to log into a standalone router using the Berkeley remote login protocol; the remote login attempt originated from a machine previously believed immune.[3] The virus was running under the userid nobody, and it appeared that it had to be attacking through the finger service, the only network service running under that userid. At that point we called the group working at Berkeley; they confirmed our suspicions that the virus was spreading through fingerd. On the surface it seemed that fingerd was too simple to have a protection bug similar to the one in sendmail: it was a very short program, and the only exec it did involved a hard-coded pathname. A check of the modification dates of both /etc/fingerd and /usr/ucb/finger showed that both had been untouched, and both were identical to known good copies located on a read-only filesystem. Berkeley reported that the attack on finger involved "shoving some garbage at it"; clearly some sort of overrun buffer wound up corrupting something. Bill Sommerfeld (wesommer@athena.mit.edu) guessed that this bug might involve overwriting the saved program counter in the stack frame. When he looked at the source for fingerd he found that the buffer it was using was located on the stack; in addition, the program used the library gets function, which assumes that the buffer it is given is long enough for the line it is about to read.
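The telnetd "ttloop: peer died" entries quoted earlier are the only trace the probing left in the logs, and the text draws the contrast between the few scattered entries over the preceding week and the many starting at 9:48pm. The following Python is an added example, not code from the chronology or from MIT: it parses syslog lines of that shape, counts them per day to show the background rate, and reports runs of dropped connections clustered inside a short window. The sample log is constructed here (the background entries follow the ones quoted above, with two PIDs invented where the page does not give them; the 21:48 burst is invented to stand in for the swarm the text describes); the year 1988 is taken from the document.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample, modelled on the media-lab entries quoted in the chronology.
# The first nine lines are the background entries (PIDs 21590 and 4880 are
# invented; the page does not give them). The 21:48 run on Nov 2 is made up to
# stand in for the "many starting at 9:48pm" the text describes. The sendmail
# line shows that unrelated entries are ignored.
SAMPLE_LOG = """\
Oct 26 15:01:57 media-lab telnetd[23180]: ttloop: peer died: No such file or directory
Oct 28 11:26:55 media-lab telnetd[23331]: ttloop: peer died: No such file or directory
Oct 28 17:36:51 media-lab telnetd[12614]: ttloop: peer died: No such file or directory
Oct 31 16:24:41 media-lab telnetd[18518]: ttloop: peer died: No such file or directory
Nov  1 16:08:24 media-lab telnetd[16125]: ttloop: peer died: No such file or directory
Nov  1 18:02:43 media-lab telnetd[21590]: ttloop: peer died: No such file or directory
Nov  1 18:58:30 media-lab telnetd[24644]: ttloop: peer died: No such file or directory
Nov  2 12:23:51 media-lab telnetd[4721]: ttloop: peer died: No such file or directory
Nov  2 15:21:47 media-lab telnetd[4880]: ttloop: peer died: No such file or directory
Nov  2 21:48:03 media-lab telnetd[5102]: ttloop: peer died: No such file or directory
Nov  2 21:48:09 media-lab telnetd[5104]: ttloop: peer died: No such file or directory
Nov  2 21:48:21 media-lab telnetd[5107]: ttloop: peer died: No such file or directory
Nov  2 21:49:02 media-lab telnetd[5111]: ttloop: peer died: No such file or directory
Nov  2 21:50:40 media-lab telnetd[5119]: ttloop: peer died: No such file or directory
Nov  2 21:51:15 media-lab sendmail[5123]: (unrelated entry, ignored by the parser)
"""

# Syslog lines carry no year; the chronology concerns November 1988.
YEAR = 1988
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# Only telnetd "peer died" lines match; note there is no peer address to capture.
PEER_DIED = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2})\s+"
    r"(?P<host>\S+)\s+telnetd\[(?P<pid>\d+)\]:\s+ttloop: peer died")


def parse_peer_died(log_text, year=YEAR):
    """Return a sorted list of datetimes, one per telnetd 'peer died' entry.

    All the entry tells us is *when* a connection was opened and dropped,
    not *who* did it, which is exactly the gap the chronology points out.
    """
    events = []
    for line in log_text.splitlines():
        m = PEER_DIED.match(line)
        if m:
            events.append(datetime(year, MONTHS[m["mon"]], int(m["day"]),
                                   int(m["hh"]), int(m["mm"]), int(m["ss"])))
    return sorted(events)


def daily_counts(events):
    """Count entries per calendar day, to establish the background rate."""
    return Counter(e.date() for e in events)


def find_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Find runs of >= threshold entries that all fall within `window` of the first.

    Each run that clears the threshold is reported once as (first_timestamp,
    count) and the scan resumes after it, so one burst is not reported again
    from overlapping starting points.
    """
    events = sorted(events)
    bursts = []
    i = 0
    while i < len(events):
        j = i
        while j + 1 < len(events) and events[j + 1] - events[i] <= window:
            j += 1
        run = j - i + 1
        if run >= threshold:
            bursts.append((events[i], run))
            i = j + 1
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    evs = parse_peer_died(SAMPLE_LOG)
    for day, n in sorted(daily_counts(evs).items()):
        print(f"{day}: {n} peer-died entries")
    for start, n in find_bursts(evs):
        print(f"burst: {n} dropped connections within 10 minutes starting {start}")
```

On the constructed log the daily counts show one or two entries per day until Nov 2, and the only burst reported is the five entries starting 21:48:03. The window and threshold are tunable; the point the text makes still stands, that without a logged peer address the detector can say a scan happened but not where it came from.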
To verify that this was a viable attack he then went on to write a program which exploited this hole in a benign way.[4] A RISKS digest came out at 6:52pm. It included a message from Cliff Stoll of Harvard (stoll@dockmaster.arpa) which described the spread of the virus on milnet and suggested that milnet sites might want to remove themselves from the network. Stoll also made the wonderful statement "This is bad news". Other messages were from Spafford, Peter Neumann, and Matt Bishop. They described the sendmail propagation mechanism.

[3] It was running a mailer with debugging turned off.

[4] The test virus sent the string "Bozo!" back out the network connection.

In the office Stan Zanarotti (srz@lcs.mit.edu) and Ted Ts'o had managed to get a core dump from the virus running on a machine in the MIT Lab for Computer Science (LCS), as well as the VAX binary. Stan and Tim Sheppard had been dealing with the virus from 11am Thursday over in Tech Square. Their first reaction was to shut down the network by powering off. By 1pm Tim had verified that no files had been modified on [...] and had installed recompiled sendmail. Tim also reloaded a root partition from tape just to ensure that he was running trusted software. Ted and Stan started attacking the virus. Pretty soon they had figured out the XOR encoding of the strings and were manually decoding strings. By 9:00pm Ted had written a program to decode all the strings, and we had the list of strings used by the program, except for the built-in dictionary, which was encoded in a different fashion by setting the meta bit of each character. At the same time they discovered the IP address of ernie and proceeded to take apart the send-message routine to figure out what it was sending to ernie, how often, and if a handshake was involved. Stan told Jon Rochlis (jon@bitsy.mit.edu) in the Network Group of the group's progress. The people in E40 called Berkeley and reported the finding of ernie's address. Nobody seemed to have any idea why that was there.

About this time a camera crew from WNEV Channel 7, the Boston CBS affiliate, showed up at the office of James D. Bruce, VP for Information Systems. He called Jeff Schiller and headed over to E40. Jeff and I were interviewed. The 80,000 number of hosts was stated, along with an estimate of 10% infection of the 2000 hosts at MIT. The infection rate was a pure guess. The virus was the lead story on the news, and we were quite surprised that the real world would pay that much attention. Pieces of the footage shot then were shown on the CBS morning news, but by that point we were too busy to watch.

Sheppard shows up in E40, then punts to Tech Square to check his netwatch data for ernie packets. The machine with the data had been unplugged from the network.

Serious [work] began at midnight. Stan and Ted came to E40. John Kohl had the virus running by [...]am and observed many things. They were confirmed by the decompiling, which was almost done.

List times of Berkeley conversations and exchanges of source code.

Press conference in E40 at noon: 7 camera crews, tons of print media. Total 200 until 3pm.

Bostic asks for our affiliations and if we like the idea of posting bug fixes to the virus (we did!).

The Today show comes to the office Saturday to find out about hackers.

MIT Cast of Characters

    Media Lab                 Pascal Chesnais
    VP Information Services   James D. Bruce (jdb@delphi.mit.edu)
    Network                   Jeff Schiller
    Athena/SIPB               Mark Eichin (eichin@athena.mit.edu)
    SIPB                      Stan Zanarotti (srz@lcs.mit.edu)
    Athena/SIPB               Ted Ts'o
    Apollo/Athena/SIPB        William Sommerfeld (wesommer@athena.mit.edu)
    DEC/Athena/SIPB           John Kohl (jtkohl@athena.mit.edu)
    Athena/SIPB               Ken Raeburn (raeburn@athena.mit.edu)
    Network                   Jon Rochlis (jon@bitsy.mit.edu)
    Media Lab                 Hal Birkeland (hkbirke@athena.mit.edu)
    Network Group             Ron Hoffmann
    Athena/SIPB               Richard Basch (probe@athena.mit.edu)
    LCS                       Tim Sheppard

This document is from the holdings of The National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street NW, Washington, D.C. 20037. Phone: 202 994-7000. Fax: 202 994-7005. nsarchiv@gwu.edu
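The string recovery described above, an XOR-encoded string table decoded first by hand and then by a program, plus a dictionary stored with the meta bit of each character set, is the kind of forensic step an analyst now scripts. The following Python is an added example, not the decoder Ted Ts'o wrote and not code from the document: it assumes a single-byte XOR key (the chronology says only "xor encoding") and recovers it by brute force, scoring each of the 256 candidates by how much the output looks like a table of NUL-terminated lowercase strings, then decodes the meta-bit table by clearing the high bit. The blob, the key 0x5A, the NUL-terminated layout and the word list are all constructed here; the string values are names that appear in the chronology.

```python
import string

# Bytes an analyst expects in a worm's string table: lowercase pathnames and
# program names. They are weighted highest when scoring a candidate decoding.
LOWER_PATH = set(b"abcdefghijklmnopqrstuvwxyz/.")
PRINTABLE = set(string.printable.encode())


def xor_bytes(data, key):
    """XOR every byte with a single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def text_score(data):
    """Score how much a byte string looks like a table of NUL-terminated strings."""
    score = 0
    for b in data:
        if b == 0 or b in LOWER_PATH:
            score += 3
        elif b in PRINTABLE:
            score += 1
        else:
            score -= 5
    return score


def recover_xor_key(blob):
    """Try all 256 single-byte keys; keep the one whose output looks most like text.

    This is the brute-force version of what the text describes being done by
    hand first: once one string is recognised the key falls out, and every
    other string in the table decodes with it.
    """
    return max(range(256), key=lambda k: text_score(xor_bytes(blob, k)))


def split_c_strings(data):
    """Split a decoded table on NUL terminators, dropping empty fragments."""
    return [s.decode("ascii", errors="replace") for s in data.split(b"\0") if s]


def decode_xor_strings(blob, key=None):
    """Return (key, strings) for an XOR-obfuscated string table."""
    if key is None:
        key = recover_xor_key(blob)
    return key, split_c_strings(xor_bytes(blob, key))


def is_meta_bit_encoded(blob):
    """True when every non-NUL byte has the high ('meta') bit set."""
    return all(b & 0x80 for b in blob if b != 0)


def decode_meta_bit(blob):
    """Decode a table whose characters were stored with the meta bit set."""
    return split_c_strings(bytes(b & 0x7F for b in blob))


# --- constructed sample data -------------------------------------------------
# Strings chosen from names that appear in the chronology; the key 0x5A and the
# layout (each string NUL-terminated, then XORed) are this example's own.
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = b"".join(
    xor_bytes(s.encode() + b"\0", SAMPLE_KEY)
    for s in ["/usr/tmp", "hosts.equiv", ".rhosts", "/bin/sh", "sendmail"])

# A made-up word list stored with the meta bit set on every character and
# NUL-separated, standing in for the worm's built-in dictionary.
META_BLOB = b"".join(
    bytes(c | 0x80 for c in w.encode()) + b"\0"
    for w in ["abc", "computer", "password", "wizard"])


if __name__ == "__main__":
    key, strings = decode_xor_strings(SAMPLE_BLOB)
    print(f"XOR key 0x{key:02x}: {strings}")
    if is_meta_bit_encoded(META_BLOB):
        print("meta-bit dictionary:", decode_meta_bit(META_BLOB))
```

Because setting the high bit on 7-bit ASCII is the same operation as XOR with 0x80, the key search also handles the dictionary table (it returns 0x80 on META_BLOB); is_meta_bit_encoded is simply the cheap recognition test, which is what you want when sorting a binary's data segment into the two kinds of table the text describes. The scoring weights are the assumption that carries the key recovery: a table of uppercase or mostly numeric strings would need different weights.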