Approaching Zero, Paul Mungo [good summer reads TXT] 📗

academia and institutionalized by the

Computer Virus Industry Association, the computer virus finally came of age on

September 26,1988, when it made the front cover of Time magazine.

 

Time was once derided as the publication “for those that can’t think” (its

sister publication, Life, was said to be “for those who can’t read”). It has

been accused of publishing middle-brow analyses and overwrought cover stories,

and its ability to be out of touch has been so noticeable that in show business

the offer of a Time cover story is considered a sure sign that the unfortunate

star’s career is on the wane. Not that anyone has ever turned down a cover

story—Time is still one of the most influential publications in America, and

for better or worse, what it says is often believed.

 

So, when Time headlined its cover about computer viruses “Invasion of the Data

Snatchers!” its readers were more than certain that data was indeed being

snatched. The magazine detailed an attack on a local newspaper office by the

Brain virus, and called it a “deliberate act of sabotage.” Brain, Time said,

was “pernicious,” “small but deadly,” and “only one of a swarm of infectious

programs that have descended on U.S. computer users

this year.” The magazine also announced, “In the past nine months, an estimated

250,000 computers have been hit with similar contagions.”

 

The article captured perfectly the hyperbole about viruses: Brain was far from

pernicious, and it certainly wasn’t deadly. There was no swarm of viruses: the

number then proven to have infected systems—as opposed to those conjured up in

the imaginations of virus researchers—was probably less than ten. And as for

the estimate that 250,000 computers had been hit by viruses, it was just that—

an estimate. No one at the time had any real idea how many computer sites had

been affected.

 

The Time writer also dug deep to unearth the Cookie Monster, which had appeared

during the 1970s at a number of American colleges. Inspired by a character on

the children’s television show Sesame Street, this joke program displayed a

message on a computer screen: I WANT A COOKIE. If the user typed in “cookie,”

it would disappear, but, if the message was ignored, it kept reappearing with

increasing frequency, becoming ever more insistent. But the Cookie Monster

wasn’t a virus, even in the broadest definition of the term: it was a joke

program introduced by a prankster on a single computer; it had no ability to

replicate and it couldn’t travel surreptitiously from machine to machine.

 

Time did recognize that “the alarm caused by these … viruses was amplified

by two groups with a vested interest in making the threat seem as dramatic as

possible”—the computer security specialists and the computer press, “a

collection of highly competitive weekly tabloids that have seized on the story

like pit bulls, covering every outbreak with breathless copy and splashy headlines.” It was an apt description of the exaggerated coverage of the virus

phenomenon. But the threat would soon become real.

 

On the evening of November 2, 1988, a little over five weeks after the Time

story appeared, events occurred that seemed to fulfill all of the doomsday

prophecies. Between 5:00 and 6:00 P.M., eastern standard time, on that

Wednesday night, a rogue program was loaded onto the ARPANET system. Three

hours later, across the continent at the Rand Corporation in Santa Monica,

operators noticed that their computers were running down. Something was taking

up computer space and slowing the machines to a crawl. At 10:54 P-M- managers

at the University of California at Berkeley discovered what they thought was a

hacker trying to break into their systems. As the attempts continued and the

attacks increased, they realized to their horror that it wasn’t a hacker. It

was a program, and it was multiplying.

 

By that time the same program was attacking the computer at MIT’s Artificial

Intelligence Laboratory as well as sites at Purdue, Princeton, and Stanford. It

was moving across networks, spreading from the ARPANET onto MILNET—the

Department of Defense computer network—and then onto Internet, which itself

links four hundred local area networks. It spread to the Lawrence Livermore

National Laboratory, then to the University of Maryland, then across the

country again to the University of California campus at San Diego, and then

into the NASA Ames Laboratory, and the Los Alamos National Laboratory in New

Mexico. Within a few hours the entire Internet system was under siege. Peter

Yee, at Ames, posted the first warning on the network’s electronic mail service

at 2:28 A.M.: “We are currently under attack from an Internet virus. It has hit

UC Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA, Ames …”

 

Yee had earlier spotted what seemed to be an entire army of intruders

attempting to storm his computer. He counterattacked, killing off some of the

invaders. But then came another wave, and another, and he was soon overwhelmed.

 

His powerful computer had started to slow down noticeably, its energy drained

by the proliferation of vampire programs that were reproducing uncontrollably

and monopolizing its resources.

 

The same attackers hit the MIT Media Laboratory in Massachusetts. Pascal

Chesnais, a scientist who had been working late in the lab, thought he had

managed to kill off his mysterious intruders then went to grab a meal. When he

got back, he found

that more copies of the invaders were coming in with his electronic mail, so

he shut down his network connection for a few hours. Then, at 3:10 A.M., he

sent out his own warning: ‘ A virus has been detected at Media Lab. We suspect

that the whole Internet is infected by now. The virus is spread by [electronic]

mail … So mail will not be accepted or delivered.”

 

Just before midnight the rogue program had spread to the Ballistic Research

Laboratory, an army weapons center in Mary land. The managers at the lab feared

the worst: they could be under attack from hostile agents. Even if that proved

not to be the case, they didn’t know what the program was doing. It was certainly multiplying, that was clear, but it might also be destroying data. By

the next morning the lab had disconnected itself from the network and would

remain isolated for nearly a week. It wasn’t alone in disconnecting—so many

sites attempted to isolate themselves that electronic mail (the usual channel

of communication between computer operators) was hampered, creating even more

confusion about what was happening. At one point the entire MILNET system

severed all mailbridges—the transfer points for electronic mail—to ARPANET.

 

By midnight the electronic freeways between the sixty thousand or so

interconnected computers on Internet and ARPANET were so clogged with traffic

that computer specialists were roused from their sleep and summoned to their

offfices to help fight the attack. Most of them wouldn’t get back home until

the next night.

 

At 3:34 A.M. on November 3rd, shortly after Yee had sounded the first alarm,

another message about the virus was sent from Harvard. This message was much

more helpful: it wasn’t just a warning, but offered constructive suggestions

and outlined three steps that would stop the virus. The anonymous sender seemed

to be well informed about its mechanisms, but because of the chaos on the

network, the message wouldn’t get through for forty-nine hours.

 

At first the experts believed that all of the sixty thousand-plus computers on

the besieged networks were at risk. But it quickly became apparent that the

rogue program was attacking only particular models: Sun Microsystems, Series 3

machines, and VAX computers running variants of the UNIX operating system. On

infected machines unusual messages appeared in the files of some utilities,

particularly the electronic-mail handling agent, called Sendmail. But what was

most apparent was that the rogue program was multiplying at devastating speed,

spreading from computer to computer, reinfecting machines over and over. As the

reinfections multiplied, the systems became bogged down; then the machines ran

out of space and crashed.

 

On the morning of Thursday, November 3rd, Gene Spafford, a computer science

professor at Purdue University, sent the following message to his colleagues:

“All of our Vaxes and some of our Suns here were infected with the virus. The

virus made repeated copies of itself as it tried to spread, and the load

averages on the infected machines skyrocketed. In fact, it got to the point

that some of the machines ran out of space, preventing log-in to even see what

was going on!” Spafford did manage to capture part of the rogue program, but

only the half that controlled its spread. The other half, the main operating

system within the program, erased itself as it moved from computer to computer,

so as not to leave any evidence. The deviousness of the program lent weight to

the theory that it would also be damaging: that the rogue program could somehow

have been tampering with systems, altering files, or destroying information.

 

The rogue program, it was subsequently discovered, moved from computer to

computer by exploiting flaws in the Berkeley version of UNIX. The principal

flaw was in Sendmail, the program designed to send electronic mail between

computers in the interlinked networks. A trapdoor on Sendmail would allow commands (as opposed to actual mail) to be sent from computer to computer. Those

commands were the rogue program. Once it had entered one computer through

Sendmail, it would collect information about other machines in the system to

which it could jump, and then proceed to infect those machines.

 

In addition to exploiting the Sendmail flaw, the rogue program could try to

guess the passwords to jump to target computers. Its password routine used

three methods: it tried simple permutations of known users’ names, it tried a

list of 432 frequently used passwords, and it also tried names from the host

computer’s own dictionary. If one method didn’t work, it would try another and

then another until it had managed to prise open the door of the target

computer. An early analysis of the program made at four A.M. on the morning

after the initial attack described it as “high quality.” Some twelve hours

after its release, it was estimated that about 6,200 computers on Internet had

been infected; the costs, in downtime and personnel, were mounting.

 

In the meantime, three ad hoc response teams, at the University of California

at Berkeley, at MIT, and at Purdue, were attempting to put an end to the

attack. At five A.M. the Berkeley team sent out the first, interim set of

instructions designed to halt the spread. By that time the initial fears that

the rogue program might destroy information or systems had proved unfounded.

The program, it was discovered, was designed to do nothing more than propagate.

 

It contained no destructive elements apart from its ability to multiply and

reinfect to such an extent that it would take over all available space on a

target computer.

 

Later on Thursday the team at Purdue sent out an electronic bulletin that

catalogued methods to eradicate the virus. And at Berkeley they isolated the

trapdoors it had used and published procedures for closing them.

 

Once the commotion had died down and computer managers had cleared out the

memories on their machines and checked all the software, their thoughts turned

to the reasons for the attack. That it was deliberate was certain: the rogue

program had been a cleverly engineered code that had exploited little-known

flaws in UNIX; it had erased evidence of its intrusions on the computers it had

infected; and it was encrypted (written in code) to make it more difficult to

tear apart. There was little doubt in anyone’s mind that the program was the

work of a very clever virus writer, perhaps someone who had a grudge against

ARPANET or one of the universities, a computer freak outside of the mainstream

attempting