VIRUS-L Digest Monday, 10 Apr 1989 Volume 2 : Issue 85
Today's Topics:
Re: Hardware write protection
Re: VIRUS-L Digest V2 #84
Re: Copyrighting a virus
HEADACHE EXEC (VM/CMS)
RE WORM REPORTS WAS CORNELL RTM WORM REPORT
Cornell's report on the Morris Worm (long)
---------------------------------------------------------------------------
Date: Sat, 8 Apr 1989 15:34 EST
From: Bruce Ide <xd2w@PURCCVM.BITNET>
Subject: Re: Hardware write protection
If you do figure out how to do this, you could probably set up a
toggle switch or key thing to allow you to write to your disk
when it's switched one way and keep write protection on when it's
switched the other. If you want to keep users out, set it up with the
key. If it's to keep viri out, set it up with the switch. It'll take
a bit of soldering, and a few thirty nine cent switches from Radio
Shack. I did something similar on my modem to switch pins two and
three with the flick of a switch.
------------------------------
Date: Sat, 08 Apr 89 16:17:55 EST
From: Gene Spafford <spaf@cs.purdue.edu>
Subject: Re: VIRUS-L Digest V2 #84
>> Date: Sat, 8 Apr 89 14:16:23 EDT
>> From: A. M. Boardman <ab4@cunixb.cc.columbia.edu>
>> Subject: Cornell RTM Worm Report
>>
>> >Just read in the April 3 _Unix Today_ that Cornell is releasing a report
>> >today on the Internet Worm. Does anyone know where I can get a copy?
>>
>> A general report was released from the Purdue Provost's office
>> recently, although for a technical report you should look at "The
>> Internet Worm Program: An Analysis",(Gene Spafford) Purdue Technical
>> report CSD-TSR-823, which can be FTP'd from arthur.cs.cpurdue.edu.
Correction: the report is from the Cornell Provost's office, not
Purdue's.
My tech report has also appeared in "ACM Computer Communication
Review" (the SIGCOMM newsletter), and those of you without FTP access
can get a copy from there. It was v19, #1 (Jan. 1989).
Further, the June or July issue of Communications of the ACM will have
a number of special articles on the Morris Worm, including one by me.
--spaf
------------------------------
Date: Sat, 08 Apr 89 16:24:12 EST
From: Gene Spafford <spaf@cs.purdue.edu>
Subject: Re: Copyrighting a virus
A copyright on a particular virus wouldn't help much. Writing a virus
from scratch would be an original work and would not infringe the
copyright unless it included portions of the copyrighted work. There
is also legal precedent for denying copyright on items you do not
intend to publish. Copyrighting something and keeping it "secret" can
be grounds for voiding a copyright, in some cases, I believe.
A patent would provide more protection, but you would have to prove
that you had the original idea for it, and we're well over the time
limit that would be allowed for filing for a patent, so either of those
approaches is also right out.
The real problem with either approach is that it only gives you
standing in civil court to sue for loss of revenue. You would have to
identify the infringer and schedule a court case. Then you'd have to
prove the infringement. Not only would this be difficult to do, but
it would take a very long time and likely not result in anything you
could gain. It would not prevent someone from writing or running a
virus.
Now if you want to indulge in the kind of short-sighted stupidity that
Apple is pursuing, you might try to copyright a virus "look-and-feel"
:-)
--spaf
------------------------------
Date: Sat, 08 Apr 89 20:10:47 EDT
From: Ron Dawson <053330@UOTTAWA.BITNET>
Subject: HEADACHE EXEC (VM/CMS)
A new REXX program similar to the infamous XMAS EXEC is making the
rounds. It appeared here at UOTTAWA on April 8. It is called
HEADACHE EXEC and it pretends to be a chat program. However, embedded
about 750 lines down in the code, it sends itself to everyone on your
names list.
Do not run this program......
- Ron
------------------------------
Date: Sun 09 Apr 1989 05:07 CDT
From: GREENY <MISS026@ECNCDC.BITNET>
Subject: RE WORM REPORTS WAS CORNELL RTM WORM REPORT
> ...ALL THREE OF THESE WERE AVAILABLE FOR ANONYMOUS FTP FROM
> ATHENA.AI.MIT.EDU [ED. THE ABOVE REPORTS ARE ALSO AVAILABLE FOR
> ANONYMOUS FTP FROM LLL-WINKEN.LLNL.GOV]
ALTHOUGH SEVERAL GRACIOUS SOULS HAVE SENT ME COPIES OF TWO OF THE
ABOVE PAPERS, WHAT WOULD BE THE POSSIBILITY OF SOMEONE ON THE INTERNET
SENDING A COPY OF EACH PAPER FOR POSTING TO THE LISTSERV?
THIS WOULD PROVIDE EASY ACCESS TO SOME INTERESTING, AND MUCH NEEDED
INFORMATION TO PERSONS ON THE BITNET...
BYE FOR NOW BUT NOT FOR LONG
GREENY
BITNET: MISS026
INTERNET: MISS026%ECNCDC.BITNET
[Ed. I'm working on that...]
------------------------------
Date: Sun, 09 Apr 89 18:06:39 EST
From: Gene Spafford <spaf@cs.purdue.edu>
Subject: Cornell's report on the Morris Worm (long)
------- Forwarded Message
Original-Date: Sun, 09 Apr 89 17:19:16 -0500
Original-From: comer (Douglas Comer)
Original-Subject: a nice summary of the Cornell report
Summary by Manny Farber <G47Y@cornella.cit.cornell.edu>
The Cornell Chronicle is the Administration's organ. As such, their
coverage of the Bob Morris report may be relatively one-sided, but
since they got the report in advance, they summarized it. I'll put
the last paragraph right here: Copies of the report are available from
the Office of the Vice President for Information Technologies, 308 Day
Hall, [area code 607] 255-3324.
CORNELL PANEL CONCLUDES MORRIS RESPONSIBLE FOR COMPUTER WORM
(By Dennis Meredith, Cornell Chronicle, 4/6/89)
Graduate student Robert Tappan Morris Jr., working alone, created
and spread the "worm" computer program that infected computers
nationwide last November, concluded an internal investigative
commission appointed by Provost Robert Barker.
The commission said the program was not technically a "virus"--a
program that inserts itself into a host program to propagate--as it
has been referred to in popular reports. The commission described the
program as a "worm," an independent program that propagates itself
throughout a computer system.
In its report, "The Computer Worm," the commission termed Morris's
behavior "a juvenile act that ignored the clear potential
consequences." This failure constituted "reckless disregard of those
probable consequences," the commission stated.
Barker, who had delayed release of the report for six weeks at the
request of both federal prosecutors and Morris's defense attorney,
said, "We feel an overriding obligation to our colleagues and to the
public to reveal what we know about this profoundly disturbing
incident."
The commission had sought to determine the involvement of Morris or
other members of the Cornell community in the worm attack. It also
studied the motivation and ethical issues underlying the release of
the worm.
Evidence was gathered by interviewing Cornell faculty, staff, and
graduate students and staff and former students at Harvard University,
where Morris had done undergraduate work.
Morris declined to be interviewed on advice of counsel. Morris had
requested and has received a leave of absence from Cornell, and the
university is prohibited by federal law from commenting further on his
status as a student.
The commission also was unable to reach Paul Graham, a Harvard
graduate student who knew Morris well. Morris reportedly contacted
Graham on Nov. 2, the day the worm was released, and several times
before and after that.
Relying on files from Morris's computer account, Cornell Computer
Science Department documents, telephone records, media reports, and
technical reports from other universities, the commission found that:
- Morris violated the Computer Sciences Department's expressed
policies against computer abuse. Although he apparently chose not to
attend orientation meetings at which the policies were explained,
Morris had been given a copy of them. Also, Cornell's policies are
similar to those at Harvard, with which he should have been familiar.
- No member of the Cornell community knew Morris was working on the
worm. Although he had discussed computer security with fellow
graduate students, he did not confide his plans to them. Cornell
first became aware of Morris's involvement through a telephone call
from the Washington Post to the science editor at Cornell's News
Service.
- Morris made only minimal efforts to halt the worm once it had
propagated, and did not inform any person in a position of
responsibility about the existence or content of the worm.
- Morris probably did not intend for the worm to destroy data or
files, but he probably did intend for it to spread widely. There is
no evidence that he intended for the worm to replicate uncontrollably.
- Media reports that 6,000 computers had been infected were based on
an initial rough estimate that could not be confirmed. "The total
number of affected computers was surely in the thousands," the
commission concluded.
- A computer security industry association's estimate that the worm
caused about $96 million in damage is "grossly exaggerated" and
"self-serving."
- Although it was technically sophisticated, "the worm could have
been created by many students, graduate or undergraduate ...
particularly if forearmed with knowledge of the security flaws
exploited or of similar flaws."
The commission was led by Cornell's vice president for information
technologies, M. Stuart Lynn. Other members were law professor
Theodore Eisenberg, computer science Professor David Gries,
engineering and computer science Professor Juris Hartmanis, physics
professor Donald Holcomb, and Associate University Counsel Thomas
Santoro.
Release of the worm was not "an heroic event that pointed up the
weaknesses of operating systems," the report said. "The fact that
UNIX ... has many security flaws has been generally well known, as
indeed are the potential dangers of viruses and worms."
The worm attacked only computers that were attached to Internet, a
national research computer network and that used certain versions of
the UNIX operating system. An operating system is the basic program
that controls the operation of a computer.
"It is no act of genius or heroism to exploit such weaknesses," the
commission said.
The commission also did not accept arguments that one intended
benefit of the worm was a heightened public awareness of computer
security.
"This was an accidental byproduct of the event and the resulting
display of media interest," the report asserted. "Society does not
condone burglary on the grounds that it heightens concern about safety
and security."
In characterizing the action, the commission said, "It may simply
have been the unfocused intellectual meanderings of a hacker
completely absorbed with his creation and unharnessed by
considerations of explicit purpose or potential effect."
Because the commission was unable to contact Graham, it could not
determine whether Graham discussed the worm with Morris when Morris
visited Harvard about two weeks before the worm was launched. "It
would be interesting to know, for example, to what Graham was
referring to in an Oct. 26 electronic mail message to Morris when he
inquired as to whether there was 'Any news on the brilliant
project?'" said the report.
Many in the computer science community seem to favor disciplinary
measures for Morris, the commission reported.
"However, the general sentiment also seems to be prevalent that such
disciplinary measures should allow for redemption and as such not be
so harsh as to permanently damage the perpetrator's career," the
report said.
The commission emphasized that this conclusion was only an
impression from its investigations and not the result of a systematic
poll of computer scientists.
"Although the act was reckless and impetuous, it appears to have
been an uncharacteristic act for Morris" because of his past efforts
at Harvard and elsewhere to improve computer security, the commission
report said.
Of the need for increased security on research computers, the
commission wrote, "A community of scholars should not have to build
walls as high as the sky to protect a reasonable expectation of
privacy, particularly when such walls will equally impede the free
flow of information."
The trust between scholars has yielded benefits to computer science
and to the world at large, the commission report pointed out.
"Violations of that trust cannot be condoned. Even if there are
unintended side benefits, which is arguable, there is a greater loss
to the community as a whole."
The commission did not suggest any specific changes in the policies
of the Cornell Department of Computer Science and noted that policies
against computer abuse are in place for centralized computer
facilities. However, the commission urged the appointment of a
committee to develop a university-wide policy on computer abuse that
would recognize the pervasive use of computers distributed throughout
the campus.
The commission also noted the "ambivalent attitude towards reporting
UNIX security flaws" among universities and commercial vendors. While
some computer users advocate reporting flaws, others worry that such
information might highlight the vulnerability of the system.
"Morris explored UNIX security amid this atmosphere of uncertainty,
where there were no clear ground rules and where his peers and mentors
gave no clear guidance," the report said.
"It is hard to fault him for not reporting flaws that he discovered.
From his viewpoint, that may have been the most responsible course of
action, and one that was supported by his colleagues."
The commission report also included a brief account of the worm's
course through Internet. After its release shortly after 7:26 p.m. on
Nov 2, the worm spread to computers at the Massachusetts Institute of
Technology, the Rand Corporation, the University of California at
Berkeley and others, the commission report said.
The worm consisted of two parts--a short "probe" and a much larger
"corpus." The probe would attempt to penetrate a computer, and if
successful, send for the corpus.
The program had four main methods of attack and several methods of
defense to avoid discovery and elimination. The attack methods
exploited various flaws and features in the UNIX operating systems of
the target computers. The worm also attempted entry by "guessing" at
passwords by such techniques as exploiting computer users'
predilections for using common words as passwords.
The study's authors acknowledged computer scientists at the
University of California at Berkeley for providing a "decompiled"
version of the worm and other technical information. The Cornell
commission also drew on analyses of the worm by Eugene H. Spafford of
Purdue University and Donn Seeley of the University of Utah.
------- End of Forwarded Message
------------------------------
End of VIRUS-L Digest
*********************