spaf@cs.purdue.EDU (Gene Spafford) (11/19/88)
On Monday, the printers should be getting an order to print copies of a
joint Purdue CS/SERC technical report entitled "The Internet Worm
Program: An Analysis," authored by yours truly. I have enclosed an
abstract of that report below.
In order to get an idea of how many copies to order for the first
printing run, I'm posting this announcing its availability. If you
would like to order one or more copies of the report, please send me
e-mail with your SURFACE mail address ASAP. Purdue and SERC have a
tradition of not charging for copies of our technical reports, so just
your address is all you need to order; we may make an exception if any
one person or organization orders multiple copies. Copies should be
mailed starting the week of the 28th, and orders will be filled FIFO.
This is the first in a planned set of reports on the incident. The
others will be announced as they become available. One will have to do
with the spread of both the program and the fixes. If you have not yet
sent in your local experiences with the worm to either Cliff Stoll or
myself, please do -- it will help us put together one or more such
papers!
--spaf
The Internet Worm Program: An Analysis
Eugene H. Spafford
On the evening of 2 November 1988, someone infected the
Internet with a worm program. That program used a number of
methods to break into other machines and copy itself, thus
infecting those systems. The infection eventually spread to
thousands of machines, and disrupted normal activities
and Internet connectivity for many days.
This report gives a fairly detailed description of the
components of the worm program -- data and functions. It is
based on two completely independent reverse-compilations of
the worm, along with a disassembled version. Almost no
source code is given in the paper due to current concerns about
the state of the "immune system" on the Internet, but the
description should be complete enough to allow the reader to
completely understand the nature of the attacks used by the
program.
The paper contains a list of the security flaws
exploited by the worm program, and gives some recommendations
on how to eliminate or mitigate their future use. The
report also includes an analysis of the coding style and
methods used by the author(s) of the worm, and draws some
conclusions about both their abilities and intent.
--
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet: spaf@cs.purdue.edu uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf