friedl@vsi.COM (Stephen J. Friedl) (11/11/88)
Hi folks,

I've a couple of worm questions. First, we all know that a bug in the program caused it to propagate wildly. Does anybody know what the bug was? No source code, just a general idea....

Second, if Mr. Morris had decided to hide himself, and assuming nobody stumbled across his files on his home machine, is there any chance that this whole thing could have gone on without a clue as to where it came? How would you IP wizards track this down had it been necessary?

Steve

--
Steve Friedl V-Systems, Inc. +1 714 545 6442 3B2-kind-of-guy
friedl@vsi.com {backbones}!vsi.com!friedl attmail!vsi!friedl
------------Nancy Reagan on the worm: "Just say OH NO!"------------

gwyn@smoke.BRL.MIL (Doug Gwyn ) (11/12/88)
In article <935@vsi.COM> friedl@vsi.COM (Stephen J. Friedl) writes:
> I've a couple of worm questions. First, we all know that a
>bug in the program caused it to propagate wildly. Does anybody
>know what the bug was? No source code, just a general idea....

This wasn't characterized quite correctly in the media reports. The biggest flaw in the design was that no provision was made to avoid propagation back to an already-infested host.

> Second, if Mr. Morris had decided to hide himself, and
>assuming nobody stumbled across his files on his home machine, is
>there any chance that this whole thing could have gone on
>without a clue as to where it came?

It should be noted that Morris is only the ALLEGED perpetrator. I suggest that discussions should use "the perpetrator" until the perpetrator's identity has been legally established.

Investigators made considerable progress in tracing the origin of the attacks without help from any alleged confession. I don't think it would be wise to explain publicly how this could be done.

chris@mimsy.UUCP (Chris Torek) (11/13/88)
>In article <935@vsi.COM> friedl@vsi.COM (Stephen J. Friedl) writes:
>>... we all know that a bug in the program caused it to propagate wildly.
>>Does anybody know what the bug was? No source code, just a general idea....

In article <8868@smoke.BRL.MIL> gwyn@smoke.BRL.MIL (Doug Gwyn ) writes:
>This wasn't characterized quite correctly in the media reports.
>The biggest flaw in the design was that no provision was made
>to avoid propagation back to an already-infested host.

Not quite: In a routine called checkother(), the program would look for a copy of itself running on the local machine. It had a 1/7 chance of not looking at all, and if it did look, it had a timeout that could fire off before the other copy could respond. If it did find one, it had a 1/2 chance of exiting (and, I think, if it did not, the other was supposed to). For whatever reasons, this did not work well.

--
In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7163)
Domain: chris@mimsy.umd.edu Path: uunet!mimsy!chris
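
The duplicate check described in the last post can be modelled as bookkeeping on a single host. This is an added example, not code from the thread or from the worm. The timeout probability, the assumption that any resident copy can answer a check, the default that the other copy always exits when it should, and all function and parameter names are assumptions made here.

```python
import random


def simulate_host(arrivals, p_skip=1/7, p_exit=1/2, p_timeout=0.0,
                  p_other_exits=1.0, seed=1988):
    """Return how many copies are left on one host after `arrivals`
    reinfections, under the check described in the thread.

    p_skip and p_exit are the 1/7 and 1/2 figures from the post.
    p_timeout and p_other_exits are assumed parameters: the post says
    only that the timeout "could fire" and that the other copy "was
    supposed to" exit.
    """
    rng = random.Random(seed)      # seeded so runs are repeatable
    copies = 0
    for _ in range(arrivals):
        copies += 1                # the newcomer starts running
        if rng.random() < p_skip:
            continue               # 1/7: does not look at all, so it stays
        if copies == 1:
            continue               # no other copy on the host to find
        if rng.random() < p_timeout:
            continue               # timeout fired before the other replied
        # The newcomer found another copy (assumption: any resident answers).
        if rng.random() < p_exit:
            copies -= 1            # 1/2: the newcomer exits
        elif rng.random() < p_other_exits:
            copies -= 1            # otherwise the other copy should exit
    return copies


def compare(arrivals=7000):
    """Copies left on the host under three settings of the check."""
    return {
        "always looks, no timeout": simulate_host(arrivals, p_skip=0.0),
        "1/7 skip, no timeout": simulate_host(arrivals),
        "1/7 skip, 25% timeouts": simulate_host(arrivals, p_timeout=0.25),
    }


if __name__ == "__main__":
    for label, copies in compare().items():
        print(f"{label:28s} {copies:5d} copies")
```

In this model a check that always runs and never times out holds the host at one copy, while every skipped or timed-out check adds a copy that is never removed, so the count grows in proportion to the number of reinfection attempts.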