Approaching Zero, Paul Mungo
- Author: Paul Mungo
Computer Virus Industry Association, the computer virus finally came of age on
September 26, 1988, when it made the front cover of Time magazine.
Time was once derided as the publication “for those that can’t think” (its
sister publication, Life, was said to be “for those who can’t read”). It has
been accused of publishing middle-brow analyses and overwrought cover stories,
and its ability to be out of touch has been so noticeable that in show business
the offer of a Time cover story is considered a sure sign that the unfortunate
star’s career is on the wane. Not that anyone has ever turned down a cover
story—Time is still one of the most influential publications in America, and
for better or worse, what it says is often believed.
So, when Time headlined its cover about computer viruses “Invasion of the Data
Snatchers!” its readers were more than certain that data was indeed being
snatched. The magazine detailed an attack on a local newspaper office by the
Brain virus, and called it a “deliberate act of sabotage.” Brain, Time said,
was “pernicious,” “small but deadly,” and “only one of a swarm of infectious
programs that have descended on U.S. computer users
this year.” The magazine also announced, “In the past nine months, an estimated
250,000 computers have been hit with similar contagions.”
The article captured perfectly the hyperbole about viruses: Brain was far from
pernicious, and it certainly wasn’t deadly. There was no swarm of viruses: the
number then proven to have infected systems—as opposed to those conjured up in
the imaginations of virus researchers—was probably less than ten. And as for
the estimate that 250,000 computers had been hit by viruses, it was just that—
an estimate. No one at the time had any real idea how many computer sites had
been affected.
The Time writer also dug deep to unearth the Cookie Monster, which had appeared
during the 1970s at a number of American colleges. Inspired by a character on
the children’s television show Sesame Street, this joke program displayed a
message on a computer screen: I WANT A COOKIE. If the user typed in “cookie,”
it would disappear, but, if the message was ignored, it kept reappearing with
increasing frequency, becoming ever more insistent. But the Cookie Monster
wasn’t a virus, even in the broadest definition of the term: it was a joke
program introduced by a prankster on a single computer; it had no ability to
replicate and it couldn’t travel surreptitiously from machine to machine.
Time did recognize that “the alarm caused by these … viruses was amplified
by two groups with a vested interest in making the threat seem as dramatic as
possible”—the computer security specialists and the computer press, “a
collection of highly competitive weekly tabloids that have seized on the story
like pit bulls, covering every outbreak with breathless copy and splashy headlines.” It was an apt description of the exaggerated coverage of the virus
phenomenon. But the threat would soon become real.
On the evening of November 2, 1988, a little over five weeks after the Time
story appeared, events occurred that seemed to fulfill all of the doomsday
prophecies. Between 5:00 and 6:00 P.M., eastern standard time, on that
Wednesday night, a rogue program was loaded onto the ARPANET system. Three
hours later, across the continent at the Rand Corporation in Santa Monica,
operators noticed that their computers were running down. Something was taking
up computer space and slowing the machines to a crawl. At 10:54 P.M. managers
at the University of California at Berkeley discovered what they thought was a
hacker trying to break into their systems. As the attempts continued and the
attacks increased, they realized to their horror that it wasn’t a hacker. It
was a program, and it was multiplying.
By that time the same program was attacking the computer at MIT’s Artificial
Intelligence Laboratory as well as sites at Purdue, Princeton, and Stanford. It
was moving across networks, spreading from the ARPANET onto MILNET—the
Department of Defense computer network—and then onto Internet, which itself
links four hundred local area networks. It spread to the Lawrence Livermore
National Laboratory, then to the University of Maryland, then across the
country again to the University of California campus at San Diego, and then
into the NASA Ames Laboratory, and the Los Alamos National Laboratory in New
Mexico. Within a few hours the entire Internet system was under siege. Peter
Yee, at Ames, posted the first warning on the network’s electronic mail service
at 2:28 A.M.: “We are currently under attack from an Internet virus. It has hit
UC Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA, Ames …”
Yee had earlier spotted what seemed to be an entire army of intruders
attempting to storm his computer. He counterattacked, killing off some of the
invaders. But then came another wave, and another, and he was soon overwhelmed.
His powerful computer had started to slow down noticeably, its energy drained
by the proliferation of vampire programs that were reproducing uncontrollably
and monopolizing its resources.
The same attackers hit the MIT Media Laboratory in Massachusetts. Pascal
Chesnais, a scientist who had been working late in the lab, thought he had
managed to kill off his mysterious intruders, then went to grab a meal. When he
got back, he found
that more copies of the invaders were coming in with his electronic mail, so
he shut down his network connection for a few hours. Then, at 3:10 A.M., he
sent out his own warning: “A virus has been detected at Media Lab. We suspect
that the whole Internet is infected by now. The virus is spread by [electronic]
mail … So mail will not be accepted or delivered.”
Just before midnight the rogue program had spread to the Ballistic Research
Laboratory, an army weapons center in Maryland. The managers at the lab feared
the worst: they could be under attack from hostile agents. Even if that proved
not to be the case, they didn’t know what the program was doing. It was certainly multiplying, that was clear, but it might also be destroying data. By
the next morning the lab had disconnected itself from the network and would
remain isolated for nearly a week. It wasn’t alone in disconnecting—so many
sites attempted to isolate themselves that electronic mail (the usual channel
of communication between computer operators) was hampered, creating even more
confusion about what was happening. At one point the entire MILNET system
severed all mailbridges—the transfer points for electronic mail—to ARPANET.
By midnight the electronic freeways between the sixty thousand or so
interconnected computers on Internet and ARPANET were so clogged with traffic
that computer specialists were roused from their sleep and summoned to their
offices to help fight the attack. Most of them wouldn’t get back home until
the next night.
At 3:34 A.M. on November 3rd, shortly after Yee had sounded the first alarm,
another message about the virus was sent from Harvard. This message was much
more helpful: it wasn’t just a warning, but offered constructive suggestions
and outlined three steps that would stop the virus. The anonymous sender seemed
to be well informed about its mechanisms, but because of the chaos on the
network, the message wouldn’t get through for forty-nine hours.
At first the experts believed that all of the sixty thousand-plus computers on
the besieged networks were at risk. But it quickly became apparent that the
rogue program was attacking only particular models: Sun Microsystems, Series 3
machines, and VAX computers running variants of the UNIX operating system. On
infected machines unusual messages appeared in the files of some utilities,
particularly the electronic-mail handling agent, called Sendmail. But what was
most apparent was that the rogue program was multiplying at devastating speed,
spreading from computer to computer, reinfecting machines over and over. As the
reinfections multiplied, the systems became bogged down; then the machines ran
out of space and crashed.
On the morning of Thursday, November 3rd, Gene Spafford, a computer science
professor at Purdue University, sent the following message to his colleagues:
“All of our Vaxes and some of our Suns here were infected with the virus. The
virus made repeated copies of itself as it tried to spread, and the load
averages on the infected machines skyrocketed. In fact, it got to the point
that some of the machines ran out of space, preventing log-in to even see what
was going on!” Spafford did manage to capture part of the rogue program, but
only the half that controlled its spread. The other half, the main operating
system within the program, erased itself as it moved from computer to computer,
so as not to leave any evidence. The deviousness of the program lent weight to
the theory that it would also be damaging: that the rogue program could somehow
have been tampering with systems, altering files, or destroying information.
The rogue program, it was subsequently discovered, moved from computer to
computer by exploiting flaws in the Berkeley version of UNIX. The principal
flaw was in Sendmail, the program designed to send electronic mail between
computers in the interlinked networks. A trapdoor on Sendmail would allow commands (as opposed to actual mail) to be sent from computer to computer. Those
commands were the rogue program. Once it had entered one computer through
Sendmail, it would collect information about other machines in the system to
which it could jump, and then proceed to infect those machines.
In addition to exploiting the Sendmail flaw, the rogue program could try to
guess the passwords to jump to target computers. Its password routine used
three methods: it tried simple permutations of known users’ names, it tried a
list of 432 frequently used passwords, and it also tried names from the host
computer’s own dictionary. If one method didn’t work, it would try another and
then another until it had managed to prise open the door of the target
computer. An early analysis of the program made at four A.M. on the morning
after the initial attack described it as “high quality.” Some twelve hours
after its release, it was estimated that about 6,200 computers on Internet had
been infected; the costs, in downtime and personnel, were mounting.
In the meantime, three ad hoc response teams, at the University of California
at Berkeley, at MIT, and at Purdue, were attempting to put an end to the
attack. At five A.M. the Berkeley team sent out the first, interim set of
instructions designed to halt the spread. By that time the initial fears that
the rogue program might destroy information or systems had proved unfounded.
The program, it was discovered, was designed to do nothing more than propagate.
It contained no destructive elements apart from its ability to multiply and
reinfect to such an extent that it would take over all available space on a
target computer.
Later on Thursday the team at Purdue sent out an electronic bulletin that
catalogued methods to eradicate the virus. And at Berkeley they isolated the
trapdoors it had used and published procedures for closing them.
Once the commotion had died down and computer managers had cleared out the
memories on their machines and checked all the software, their thoughts turned
to the reasons for the attack. That it was deliberate was certain: the rogue
program had been a cleverly engineered code that had exploited little-known
flaws in UNIX; it had erased evidence of its intrusions on the computers it had
infected; and it was encrypted (written in code) to make it more difficult to
tear apart. There was little doubt in anyone’s mind that the program was the
work of a very clever virus writer, perhaps someone who had a grudge against
ARPANET or one of the universities, a computer freak outside of the mainstream
attempting