glr@WHEATIES.AI.MIT.EDU (Jerry Roylance) (11/05/88)
A method of finding the culprit: NYT implies the user is a CS student. The files that compose his system were stored on disk in his directory; the program is complicated, so the development probably took a long time; the files were probably stored on a public machine. So the first step might be to (quietly) grep unix filesystems for some appropriate (cleartext) substrings that would appear in his files (i.e., pieces of the infecting shell script). Anyone who owned such files before the infection would be suspect. The internet reaction has probably scared the author, so he has presumably deleted the relevant online files, but probably does not have access to his system's backup tapes. Scanning those tapes (levels 0-9) for say Monday or Tuesday would probably turn something up. Coordinating the search effort would be difficult and possibly not worth it.
salzman%aja@RAND.ORG (Isaac) (11/05/88)
>So the first step might be to (quietly) grep unix filesystems for some
>appropriate (cleartext) substrings that would appear in his files (ie,
>pieces of the infecting shell script). Anyone who owned such files
>before the infection would be suspect.

Another thing that everyone should do is make sure you clean out your /usr/tmp directories (though most of you have probably done so already), and also check if anyone on your net has snarfed up copies of the stuff left in /usr/tmp. Anyone who's got that stuff lying around has the potential for starting the whole thing up again! Of course since everyone out there has plugged the holes it wouldn't get anywhere, right? :-)

As far as I'm concerned, this virus or worm or whatever you want to call it was actually a good thing! We can all be thankful that the thing was benign and didn't cause any real damage. What it did do (hopefully) is make everyone take a hard look at network security, or a lack thereof. Everyone likes to think that their system is safe from viruses and such attacks. This was a very humbling experience for those who think their nets are invincible. And of course it rid us of a very nasty security hole in sendmail. Rest assured people will start to find holes in other network utilities and get them patched up, and let the rest of us know about it!

Ciao....
--
* Isaac J. Salzman
* The RAND Corporation - Information Sciences Dept.
* 1700 Main St., PO Box 2138, Santa Monica, CA 90406-2138
* AT&T: +1 213-393-0411 x6421 or x7923 (ISL lab)
* ARPA: salzman@RAND.ORG or salzman@rand-unix.ARPA
* UUCP: ...!{cbosgd,decvax,sdcrdcf}!randvax!salzman
bob@allosaur.cis.ohio-state.edu (Bob Sutterfield) (11/08/88)
In article <19881104194515.0.GLR@MOSCOW-CENTRE.AI.MIT.EDU> glr@WHEATIES.AI.MIT.EDU (Jerry Roylance) writes:
>So the first step might be to (quietly) grep unix filesystems for
>some appropriate (cleartext) substrings that would appear in his
>files (ie, pieces of the infecting shell script). Anyone who owned
>such files before the infection would be suspect.

This would yield circumstantial evidence, at best. Any information found this way would be obtained illegally, at worst, unless you have a search warrant against a specific user's files.

Ironically enough, I recall someone else, from another subdomain of MIT, who recently discussed MIT's refusal to run `arbitron' because it would glean information from files in users' home directories, which (in that installation) are considered sacred and private.

-=-
Zippy sez, --Bob
- if it GLISTENS, gobble it!!
walsh@endor.harvard.edu (Bob Walsh) (11/08/88)
Since the virus reportedly includes a quick implementation of a password cracking scheme, since the cracker did not personally aggressively eradicate it from the internet that night (e.g., by using a copy of the virus to distribute its own fixes or by personally submitting an explanation, fixes, and an apology), and since it has taken almost a whole week to learn the facts, I believe that he should NOT be held up as a role model. The mistake may not be wholly innocent. The act was unfortunate. Increasing the security of the Internet is a beneficial side-effect, but could have been achieved another way.

I agree that there are many individuals who work in a positive fashion who unfortunately go unrecognized at times like this. The cracker possessed no special skills; others could have done the same thing if given the inclination. It is a lack of possession (of judgement over an interval of time) which sets him apart.

If an RFC is developed, I believe it should include the issues raised in a very pithy tcp-ip article sent yesterday, which included a discussion of potential ramifications for the Internet, society's view of computers and computer scientists...