Harley Hahn's
Internet Insecurity


Chapter 9...

The Mystery of Viruses: Revealed

What Are Viruses?

A VIRUS — or more formally, a COMPUTER VIRUS — is a computer program that is able to make a copy of itself without you knowing what is happening. A virus may copy itself from one part of your hard disk to another, or it may copy itself from one computer to another.

Most viruses do more than make copies of themselves. Some of them cause real damage, say, by deleting files on your hard disk. Others are merely annoying. They may display a message on your monitor or cause something strange to happen as you are working. All viruses are malevolent in that they do their work without your knowing what is happening, and they can cause problems merely by spreading uncontrollably.

The name "virus" is merely a metaphor. It was chosen because the first programmers to work with computer viruses thought they had some of the characteristics of biological viruses. As you will see, this is not true. In fact, the metaphor is a particularly poor one, in that it encourages people to think that computer viruses are mysterious and are alive in some way.

This is not true at all. Computer viruses are not alive, nor do they spread by infection. They do not arise spontaneously, they do not mutate, they do not change by themselves, and they do not spontaneously adapt to their surroundings. Computer viruses are not artificial life. They are programs, and they arise in only one way. They are created, on purpose, by programmers who want to cause trouble.

Jump to top of page

The Virus Challenge

A virus is a program that can make copies of itself. This sounds like a strange idea. How can a program make a copy of itself? Let's start with some basic ideas.

A COMPUTER is a machine that has the capability of carrying out a variety of actions. A COMPUTER PROGRAM (or PROGRAM) is a list of actions that, when carried out by a computer, does something.

In this sense, think of a program as being a recipe consisting of a list of instructions. The job of a computer is to RUN or EXECUTE programs. To run a program, the computer simply follows the instructions, one after another. A person who creates a list of such instructions (that is, a program) is called a PROGRAMMER.

The power of computers comes from three things. First, computers are designed to be general purpose machines. Second, they can execute many instructions (sometimes millions) every second. Third, there are a great many talented programmers who are good at creating lists of instructions.

Whenever you see a computer do anything — display a picture, manipulate words or numbers, transfer information — just remember that everything that computer is doing only happens because the computer is following instructions and those instructions were written by a person.

(To be completely accurate, I do have to mention that there are programs that can read specifications and use them to create other programs. Thus, some programs are created automatically. For the most part, however, programs are written by people.)

How is a program stored on your computer? As we discussed in Chapter 3, data is stored in a file on a disk, and files themselves are organized into folders (also called directories). Since a program is essentially a list of instructions, it is easy to store on a computer. The program — that is, the instructions — is stored in a file. To be sure, a very complex program — such as a Web browser or Microsoft Word or Windows itself — will have a huge list of instructions. In such cases, pieces of the program will actually be stored in many different files, but the idea is the same.

In the simplest case, all a programmer would have to do to create a virus is write a program that makes a copy of the file that contains itself. Each time you ran the program, it would create another copy of itself (say, under a different name). As you might imagine, if you know how to program, this is not a difficult program to write. As such, it's not much of a challenge for a bored, socially immature programmer. However, recall the definition of a virus I gave you earlier. A virus has two characteristics: it can make a copy of itself, and it must do so in a way that you don't know what is happening.

That is the challenge that presents itself to a bored, socially immature programmer. "How," he asks himself, "can I create a program that will copy itself in such a way that the person in front of the computer has no idea what is going on?" And, at the same time, if the programmer can create a virus that spreads from one computer to another, possibly causing damage, and it all happens in such a way that he doesn't get caught, so much the better. (I use the word "he", by the way, because, for some reason, virtually all socially immature programmers are male.)

Jump to top of page

How a Virus Spreads From
One File to Another

In the most general terms, you can think of the inside of your computer as having three main functional parts: the processor, the memory and the hard disk. The PROCESSOR (an electronic chip) acts as the "brain". The MEMORY (a group of chips) holds data that is manipulated by the processor. The hard disk provides long-term storage. (For information about disks, see Chapter 3.)

When you buy a computer, you will see references to these three components. The speed of the processor will be measured in MHz (megahertz); the amount of memory will be specified in MB (megabytes); and the size of the hard disk is specified in GB (gigabytes). As a general rule, if you have a choice, get a computer with a fast processor, lots of memory and a large hard disk. (If you need help with megabytes and gigabytes, see Chapter 3.)

As I explained in the last section, a program consists of one or more files. These files are stored on your hard disk. The disk acts as long-term storage in the sense that, when you turn your computer off, the contents of the disk do not disappear.

Your processor, however, cannot work directly with data on a disk. The processor can only work with data which is in the memory, that is, within the memory chips. It has to do with how computers are designed.

For an analogy, think of a book, sitting on your bookshelf. Let's say that book contains some information you want to think about. Your mind cannot work directly with the pages of the book. Before you can think about the contents of a book, you must open it and read the information. In other words, you must copy the information from the book into your head. Once the information is in your head, you can think about it.

Most of the time, of course, this happens so rapidly, that you don't realize what is happening. However, when you are using a computer, even a fast computer, you can see the lag. You click on something to start a program, and you have to wait a few seconds for the program to be copied from the hard disk into the memory. (Now you know what you are waiting for.)

Unlike a disk, however, computer memory provides short-term storage. When you turn off the power, whatever is in the memory disappears.

So how does this apply to viruses? When a program file contains a virus, nothing happens until the program is copied into memory and begins to run. At this point, the processor begins to execute the virus instructions, which are hidden in the program, and the virus becomes active. The virus will now begin to carry out whatever tasks the virus programmer has specified. In particular, the virus can insert copies of itself into other programs that are stored on the hard disk. These new copies of the virus will lay dormant until, one day, you run one of these programs.

Jump to top of page

Who Creates Viruses?

Later in this chapter, I will relate how the term "virus" was coined in 1983 by a professor at the University of Southern California, because he thought computer viruses were, in some sense, similar to biological viruses.

Actually, this is not true at all. Computer viruses are much different from — and much, much simpler than — real viruses. Unfortunately, it is all too common to hear people talk about a computer virus as if it were alive, trying to breed and survive. The popular press discusses viruses that "infect" a "host" in order to "reproduce". You read that viruses "adapt" and cause "epidemics", and that antivirus tools can "disinfect" a file.

The reason I don't like this terminology — and you will notice that I do not use it in this book — is because it blinds us to the primary cause of viruses. Unlike real viruses, new computer viruses are not living organisms that appear spontaneously. They are created deliberately by mean-spirited programmers whose only goal is to harass people and damage their computer systems.

The days are long gone when writing viruses was cute. Viruses cause a lot of trouble and waste a lot of money, and the people who write them should be punished.

As an example of how writers often mischaracterize viruses, let me show you a couple of short quotes from an article entitled "Fighting Computer Viruses", published in the November 1997 issue of Scientific American. The article was written by four researchers from the IBM Thomas J. Watson Research Center. (IBM was one of the pioneers in creating antivirus software.)

"Just as external factors such as drought, sanitation and migration have a strong influence on biological epidemics, changes in the computing environment are responsible for the presence of several distinct epochs in viral infection."

Wrong. Viruses do not mutate spontaneously in order to survive in a changing computing environment. New viruses are created by irresponsible, dishonest programmers who actively look for new ways to create trouble for other people.

The entire article — and remember, this is Scientific American — is riddled with such nonsense. However, I'll confine myself to quoting the last paragraph, in which the authors become philosophical:

"Regardless of how sophisticated antivirus technology may become, computer viruses will forever remain in an uneasy coexistence with us and our computers. Individual strains will wax and wane, but as a whole, computer viruses and antivirus technology will co-evolve much as biological parasites and hosts do. Both will also evolve in response to such changes in the computing environment as itinerant software agents — which will have to be protected from corruption by the computer systems they traverse even as those systems guard themselves from agent malice. Perhaps computer viruses and computer immune systems are merely precursors of an eventual rich ecosystem of artificial life-forms that will live, die, cooperate and prey on one another in cyberspace."

Really? Virus "strains" that wax and wane? Viruses that evolve in response to change? Viruses and "immune systems" that are precursors to artificial life?

I know a bit about biology because, after finishing computer science graduate school, I went to medical school at the University of Toronto. One of my best friends in medical school was Tim Rutledge, who went on to become a highly accomplished specialist in emergency medicine.

I mention Tim here because he once made a remark that, word for word, has more wisdom than anything else I have ever heard in my life. Take a moment to re-read the last paragraph of the Scientific American article.

Now, think about the following:

"When you get serious about bullshit,
you're getting into serious bullshit."

— Tim Rutledge

Jump to top of page

The Three Types of Viruses

If you were to study computer viruses, you would find yourself immersed in a large morass of technical details. The people who create viruses have a lot of tricks. There are a lot of different viruses and some of them are very sophisticated. For this reason, experts will classify viruses into many different categories and subcategories. However, let's be practical. As a normal human being, you really only need to know two things:

  • What are the main types of viruses?
  • How do you prevent them from causing damage on your system?

For practical purposes, the best way to classify viruses is based on how they are designed to spread, because that helps you understand how to stop them. There are three main ways in which viruses spread on the Internet today.

  1. A regular virus is one that is embedded within a program file that spreads when one person shares the file with another person.
  2. A worm is a virus in the form of a file that spreads automatically over a network, usually by email.
  3. A macro virus is a virus that is attached to a data file that is then shared.

Notice what all three types of viruses have in common. In order for a virus to spread, a file must be shared.

All viruses have one more thing in common. They are programs, and a program cannot do anything until it is executed. For example, you could have a hundred different viruses hidden within a hundred different files on your computer and, if they are never executed, it won't make any difference.

Virus creators know this, and they go to a great deal of trouble to ensure that their viruses are executed once they spread to new computers. This means that, to be effective, a virus must be designed to either (1) run automatically under certain conditions, or (2) entice you to run a program voluntarily that, unknown to you, contains the virus.

Once a virus is executed it can take any action that you yourself (or one of your programs) might take. For example, a virus can communicate with a Web site, send email, delete files, create new files, change files, and so on. In particular, it is common for viruses to be designed to make copies of themselves, either by creating new files or by modifying existing files. Moreover, virus programmers do their best to have all of this activity happening in a way that you won't notice until it is too late. (As a general rule, computer viruses are much smaller than most other programs, so it's not hard to hide them in a file.)

Thus, in order for a virus to cause trouble in the world at large, two things must happen. The virus must be shared and, once it is shared, it must be run. This suggests a strategy for avoiding trouble: Don't share suspicious files and don't run suspicious files.

In the following sections, I will discuss each of the three types of viruses. I'll explain a bit about them and then show you how to use this strategy to protect yourself. You will be surprised. It's a lot easier than you might think.

Before we continue, let me clear up one possible misunderstanding. Originally, the word "virus" was used in a narrow way to describe a program that is embedded in another program (the first type of program I mentioned above). Other types of troublesome creations, such as worms, were considered to be in a different category. (In fact, as you will see when we discuss the history of viruses, there were computer worms before the term "computer virus" was even used.)

Today, many purists still do not consider worms and certain other types of similar programs to be true viruses. However, most people use the word "virus" in a more general sense, to refer to any type of troublesome program that copies itself without your knowing it. That is why I mentioned three types of viruses: regular ("true") viruses, worms, and macro viruses.

Jump to top of page

Virus Hoaxes

In Chapter 8, we talked about rumors and hoaxes, and how and why they spread. Nowhere in the world of computing does nonsense spread more quickly than when people start worrying about viruses. To many people, viruses are mysterious things that can hurt their computers in ways that are difficult to understand. This feeling of defenselessness, along with a genuine desire to help others, often leads people to pass along every virus-related warning that enters their mailbox. Many people will forward such messages to everyone they know, without even checking if the problem is real.

Nowhere in the world of computing does nonsense spread more quickly than when people start worrying about viruses.

As a result, there are a great many VIRUS HOAXES, that is, warnings about viruses that don't really exist. In fact, compared to actual viruses, there are so many false warnings circulating around the Net, that some people have suggested that the hoaxes themselves are the real viruses.

From time to time, I receive a message from someone I know, asking if a recent virus warning is real. In almost every case, the warning is spurious, and I tell the person not to pass it on to other people.

So how can you tell if a virus warning is a hoax? It's easy. First, the message will have certain characteristics:

  • Virus hoaxes are excessively dramatic, often warning against a terrible catastrophe. Look for capital letters, lots of exclamation marks, and poor sentence structure.
  • Virus hoaxes often quote an unnamed authority from a well-known company (such as Microsoft or IBM) or from the government.
  • Virus hoaxes threaten terrible unrealistic consequences.

For example, a warning might say that just looking at a particular virus-containing mail message will delete files on your hard disk. In virtually all cases, this is not true. We'll discuss how email viruses actually spread in Chapter 10.

I do have to say that, hypothetically, it is possible for you to encounter a virus just by reading an email message. However, it can only happen under certain circumstances and only if you use a Microsoft mail program. In Chapter 11, I'll address this problem and show you how to avoid it permanently. In the meantime, for practical purposes, you can assume that a warning that tries to scare you in this way is a hoax.

The biggest tip-off that a warning is a hoax is that:

  • Virus hoaxes are forwarded by people who are not computer experts.

I know a number of people who program and maintain computer systems for a living. If one of these people were to send me a virus warning — and it has happened — I would take it seriously. Similarly, if you work on a large network and you receive a virus warning from your network administrator, pay attention. Such warnings are usually correct. However, if a friend who is not a nerd sends you a virus warning, it's a safe bet that the warning is a hoax.

In case you have never seen such a message, here is an excerpt from a real virus hoax:

This notice regarding some computer viruses that are circulating the systems was received at our office today.
 
WARNING!!!!!! If you receive an e-mail titled "JOIN THE CREW" DO NOT open it! It will erase EVERYTHING on your hard drive!
 
This information was received this morning from IBM, please share it with anyone that might access the Internet.

There is one sure way that you can always tell whether or not a virus warning is a hoax. There are a number of authoritative Web sites that track all the hoaxes. Before you start worrying, and before you send mail to all your friends, check with one of these sites to see if the warning you received is real:

If you have a few moments, take a look at one of these Web sites now. You will be amazed at how many virus hoaxes and how much misinformation is on the Net. You will also be surprised how many of the hoaxes resurface again and again over a long period of time.

Jump to top of page

The Trojan Horse

A common way that viruses spread is by inserting themselves into a file that contains a program. When someone then shares the program, the virus goes with it. Such a file is referred to as a TROJAN HORSE.

In order to create a successful Trojan horse, a virus programmer will look for a program that he thinks people will want to share, such as a popular game. He will insert a virus into the file, and then start sharing it.

The idea, of course, is not a new one. The original Trojan horse from Greek mythology had a similar purpose. Although you have probably heard of the original Trojan horse, you may not know the full story (which was told by Homer in his long narrative poem, the Iliad). It goes like this:

Once upon a time, the most beautiful woman in the world was Helen, the daughter of Zeus, chief of the gods. Helen was courted by many men and, ultimately, she married the king of Sparta, in Greece. For awhile, everything was hunky-dory.

However, a short time later, the goddess Discord (a troublemaker) threw a golden apple among the other gods. The apple was marked "For the Fairest". This set off a dispute among three of the goddesses, Aphrodite, Athena and Hera, as to who was the most beautiful. Zeus was asked to judge but — in a fit of good sense — refused to do so. (Zeus might be chief of the gods, but he was nobody's fool.) Instead, he sent the three goddesses to Paris, a prince in the city of Troy, and told Paris to decide who should get the apple.

All three goddesses did their best to influence Paris, but he chose Aphrodite because she promised to give him the most beautiful woman in the world. Making good her promise, Aphrodite led Paris to Sparta and presented him with Helen (shrewdly ignoring the fact that Helen was already married to someone else). Paris abducted Helen and carried her from Greece to Troy.

Well, as you can imagine, the Greeks had a cow. They mustered an army and sent it to Troy in an attempt to recover their queen. To protect itself, Troy, which was surrounded by a wall, locked its gates and settled down for a long siege.

The Greeks and Trojans fought for ten years. Eventually, the Greeks gained the upper hand, but they still needed to achieve a final victory. It was then that the Greek warrior Odysseus had an inspired idea.

Odysseus devised a large hollow horse constructed out of wood. He hid a number of Greek soldiers inside the horse and left it outside the gates of Troy. The Greeks pretended to sail away, but actually, they were waiting along the coast, just out of sight. They did, however, leave one soldier standing next to the horse. When the Trojans came to look at the horse, the Greek soldier told them that the goddess Athena would be pleased if they would open the gates and bring the horse inside the city.

By now, I am sure you are thinking, only a fool would bring a large hollow container inside a fortified city that had been fighting a war for ten years. In fact, two prominent Trojans felt the same way. Cassandra, a prophetess, warned against bringing in the horse, as did Laoco÷n, a priest. He remarked, "I am wary of Greeks even when they are bearing gifts." Unfortunately, the warnings were not heeded and the horse was brought inside the gates.

Later that night, the Greeks returned to Troy and waited nearby. At the same time, the hidden soldiers snuck out of the horse and opened the gates. The Greeks rushed in and, within a short time, they had won the war and recovered their beautiful queen. In the process, they also managed to destroy the city of Troy completely.

This is a good story to remember the next time someone emails you a message that says "Click on the attached program and you will see a picture of a beautiful woman."

Jump to top of page

Early Computer Viruses

In the fall of 1983, a doctoral student named Fred Cohen, in the electrical engineering department of the University of Southern California, was taking part in a regular weekly seminar on computer security. Cohen conceived the idea that it might be possible to design a program that would spread by embedding itself in other programs. As those programs were shared, the piggyback program would spread.

The advisor to the seminar, Professor Len Adelman, coined the term "virus" to describe such a program. (In 1994, by the way, Adelman became the first person to build a simple working computer out of DNA.) After working on the idea for eight hours, Cohen came up with an actual computer virus. After receiving permission, he performed five experiments, and, on November 10, 1983, Cohen demonstrated his virus for the seminar group.

(In case you want the technical details, Cohen used a VAX 11/750 computer running Unix. The virus was implanted in the vd program — a utility to display Unix file structures graphically — and was spread via the system's electronic bulletin board.)

Cohen went on to get his Ph.D. by writing about viruses. In the process, he contributed a great deal to the theoretical understanding of such programs. However, did Cohen write the first computer virus? Actually, the answer is no.

In late 1981, a small group of students at Texas A&M University were using pirated copies of games on Apple II computers. They started to discuss how, as games are shared, copies of the popular games proliferate, while the unpopular games die out. They then started to think about the idea of programs which could reproduce on their own. In early 1982, students developed the first program which was a real virus (although they didn't call it that). This program lived on floppy disks, and was written to spread from one floppy to another.

The virus caused some problems, so they did not allow it to spread. Soon after, they came up with a second version of the virus. This one seemed more benign, so they let it spread to floppies belonging to members of the group. Unfortunately, the self-imposed security was breached, and before long the virus had spread to the general Apple II population. Once this happened, it became evident that the virus did, indeed, cause problems.

Eventually, the group developed one more virus. They worked hard on this one so that it would spread without causing problems, and they were successful.

So, was the 1982 Apple II virus the first computer virus? Yes, as far as regular viruses go. However, if we broaden the definition to include other self-replicating programs, such as worms, we can push the origin of viruses back further, to the late 1970s, where esoteric work at a research center in northern California was about to change the world of network computing forever.

Jump to top of page

Early Worms

In 1970, the Xerox company established a research center in Palo Alto, California, close to Stanford University. Within a short time, the Xerox Palo Alto Research Center — or Xerox PARC, as it was known — became one of the hotbeds of computer science, home to some of the most innovative research in the country. Over the years, the scientists at Xerox PARC developed the first personal computer, called the Alto (they were in Palo Alto), laser printers, the Ethernet network, the idea of client/server systems (upon which the Internet is based, see Chapter 4), and much more.

The 1970s was when I began to study computer science, and at the time, Xerox PARC was one of the most important computer research centers. In the late 1970s, when I was a computer science graduate student (at the University of California at San Diego), I visited Xerox PARC and was shown around by one of the researchers. He showed me something I had never seen before: a personal computer that used windows, icons and a mouse. This was a prototype of the graphical user interface, or GUI, that is still in use today.

Many people visited Xerox PARC in those days. In 1979, Steve Jobs made the pilgrimage to see the Alto computer and its GUI. He took the idea back to Apple and (without giving credit to Xerox) used it to create the Macintosh. Later, Microsoft used the same ideas (without giving credit to Xerox or Apple) to create Windows. Thus, when you use the Internet today, much of the technology sitting in front of you is based on ideas that emerged from Xerox PARC in the late 1970s.

Actually, Xerox PARC affected the Internet more than most people realize. This highly regarded research center is also the home of the first real computer virus: the worm.

In May of 1980, John Shoch and Jon Hupp, two researchers in the Systems Science Laboratories group at Xerox PARC, published an internal paper. In this paper (#SSL-80-3), Shoch and Hupp described programming experiments they had been carrying out since the late 1970s. They had designed a number of programs whose role in life was to spread from one computer to another on the network (at the time, about 200 Alto computers) performing useful tasks.

Shoch's original idea was to create a program (later known as the "Vampire") that would run at night when most of the computers were idle. The program would look for available computers on the network, and start them running a copy of itself. Once the program was running, it would make use of the idle machines to work on complex problems that required a great deal of computing power. In the early morning, before people returned to work, the Vampire would silently retreat from most of the computers, waiting patiently in one or two machines, only to reemerge the next evening.

By the late 1970s, most of the pieces already existed. The Unix operating system (which controlled the Alto computers) already allowed programmers to write special programs, called DAEMONS, that would run in the background in order to provide useful services. Unix also had a scheduling facility, called cron, that enabled users to arrange for a program to be run automatically at specific times. Moreover, the Alto computers were already connected into a network that supported inter-computer communication. All this was well known. In fact, computer scientists were already experimenting with DISTRIBUTED COMPUTING, the idea that more than one computer could work on various pieces of a problem at the same time.

What Shoch did was to put the pieces together. His idea was to use the built-in Unix facilities, along with the network, to create an automatic distributed computing environment, one that would grow or shrink dynamically as conditions changed. To describe this approach to distributed computing, Shoch and Hupp named their system a "worm". Within the worm, each individual program was called a segment.

(The term "worm" was suggested by a researcher named Steve Weyer. At the time, Weyer was a graduate student from the Stanford University Education School who was working on systems relating to information retrieval and hypertext. Weyer's suggestion to call these new programs worms was inspired by a science fiction novel, Shockwave Rider (1975, Del Ray Books) written by John Brunner. In this novel, a totalitarian government uses a ubiquitous computer network to maintain control over its citizens. A clever rebel, Nickie Haflinger, is a fugitive from Tarnover, the government think tank at which he was educated. Haflinger escapes and devotes himself to trying to save the world by restoring personal freedom to the over-computerized masses. Eventually, Haflinger is able to write a program that spreads throughout the network, forcing it to shut down and destroying the government's power base. This program is called a "tapeworm".)

Today, we use the term WORM to refer to any virus that is designed to spread automatically over a network. As you will see in Chapter 10, most of today's worms spread via email. However, the first real computer worm, which Shoch called the Existential Worm, did not depend on email. It spread directly over a network. Shoch designed the Existential Worm as an experiment. The program had only one purpose: to stay alive, even if the machine on which it was running went down.

The worm worked as follows. Someone would start the program running on one computer. This program (the first segment) would look for other machines that were up and running on the network. Each time it found such a machine, the program would copy itself to that computer and start running there as well, creating a new segment. After a segment had run for a random amount of time, it would terminate voluntarily. Alternatively, a human being could stop a segment by rebooting the computer on which the segment was running.

During the night, something went wrong...

One night in 1978, Shoch and two co-workers set a small worm loose on the network in order to test a specific control function. Everything looked okay, so they went home leaving the worm to do its work. During the night, however, something went wrong. One of the segments caused the computer in which it was running to crash (that is, to stop working). The worm, sensing that it had lost a segment, found a new computer and started the program running again. When this computer crashed, the worm looked for another computer, and so on.

The next morning, the daytime inhabitants of the building arrived to find that all the computers on the network had crashed. Such an occurrence was not that unusual, as Alto computers often crashed for no reason. (Evidently, when Microsoft developed Windows, they borrowed more than the graphical user interface.) What was odd, in this case, was that each time someone restarted his computer it would immediately crash again. What was happening? The aberrant worm was refusing to die, causing the first computer virus outbreak in the history of the world.

Eventually, Shoch and his co-workers were called in. They went on a search and destroy mission, but were unable to terminate the segments fast enough to control the worm. Fortunately, Shoch had foreseen such a possibility and had built a self-destruct mechanism into the worm. Using it, he was able to completely eradicate all the segments, but at the cost of destroying the worm.

In some companies, such an occurrence would have scared people silly. But Xerox PARC was a research institution. Uncontrollable computer worms were things to be studied, not feared. It wasn't long before the worm technology was improved to the point where it provided a number of interesting and useful services. For example:

  • The Town Crier Worm traveled throughout the network making announcements.
  • Every morning, the Billboard Worm displayed a different cartoon on everyone's computer.
  • The Alarm Clock Worm maintained a list of wake-up requests from various people. Early in the morning at the appropriate times, the worm would initiate a telephone call to each person. (The ringing phone would act as an alarm clock.)
  • During the night, the Peeker Worm tested the memory of each Alto computer. The program would then notify a technician if it detected that a specific computer might need a memory chip replaced. (At the time, memory chips were much less reliable than they are today.)

By now, you probably have a feel for the basic difference between a worm and a regular virus. A regular virus is able to copy itself to other programs on the same computer. However, in order to jump from one computer to another, a virus requires the help of two people: one to share the program, and the other to perform some action to start the program on the new computer.

A worm is proactive. It is designed to use network connections to send copies of itself from one computer to another automatically. Since each new copy of the worm will do the same thing, worms can — if given the opportunity — multiply exponentially.

Some worms, like the ones we discussed above, can start running by themselves, as soon as they copy themselves onto a new computer. These types of worms spread the fastest. Other worms, like the email worms I mentioned earlier in the chapter, require a person to run the program on the new computer, say, by clicking on an email attachment. (We'll discuss email worms in detail in Chapter 10.)

As you can see, a regular virus can only spread as fast as people can deliberately share files. Under the right conditions, a worm can spread much, much faster, because it requires significantly less help from human beings.

This became clear in 1988, ten years after the first out-of-control worm became a nuisance at Xerox PARC, when a talented but naive student at Cornell University released a worm that brought down the Internet.

Jump to top of page

The Last Days of Innocence

In retrospect, by the late 1980s, it was only a matter of time until someone created a worm that would run rampant throughout the Internet. Although the Net was not nearly as large as it is today, it already had connections at most of the universities and research institutions in the United States, as well as a large number of military installations. Many of these computers ran Unix, a venerable operating system whose innards were accessible to any programmer who wanted to take a look.

Although Unix had been around for almost twenty years (the first version was developed at Bell Labs in 1969), it did not have a great deal of built-in security. The system was originally designed for trustworthy people who wanted to share and, up to now, the biggest problems were caused by people trying to surreptitiously break into one remote system at a time. The Unix networking and email facilities had bugs (known and unknown) but, as far as security went, most people didn't worry about them.

The Internet had never been infiltrated by a worm, although security-conscious programmers had been speculating for some time on the possibility. Still, in the early fall of 1988, a Unix network administrator could go home at night, secure in the knowledge that his system was safe from outside threats. He knew that, when he came back to work in the morning, everything would be up and running the way he had left it.

This was the case on November 2, 1988, as network administrators everywhere went home for the evening. Unknown to them, in a few hours, something extraordinary was about to happen, something that would, in a very short time, bring down the Net and change their world forever.

Jump to top of page

The Worm That Brought Down the Net

In the fall of 1988, 23-year-old Robert Tappan Morris Jr. was a first-year computer science graduate student at Cornell University in Ithaca, New York. Morris was a talented programmer who had been interested in computers for years. His father, Robert Morris Sr., was the Chief Scientist of the U.S. National Security Agency (NSA) and was associated with the University of Cambridge in England. Morris Sr. was an eminent researcher who lectured widely on computer security and ethics.

Morris Jr. grew up with computers and had been programming for a long time. When Morris was young, his father had once brought home one of the original Enigma machines from the NSA. (The Enigma was an encryption machine used by the Germans in World War II.) As a teenager, Morris had a computer account that allowed him access to a Unix network at Bell Labs, the legendary AT&T research center in Murray Hill, NJ. Morris was sufficiently ingenious as to figure out how to override the computer security system and give himself special privileges.

As a first year grad student at Cornell, Morris began to play with the idea of creating a program that would slowly spread throughout the Internet. The program wouldn't really do anything good or bad. It would just spread, slowly and silently, from one machine to another, politely taking up residence in various computers around the country. Morris worked on several prototypes and, on Wednesday, November 2, 1988, at about 6:00 P.M., he released the program, a worm, from a computer at MIT.

Morris's worm was a complex program that exploited a number of Unix features and flaws, and used a variety of methods to spread itself to as many computers as possible. Each time the program established itself on a new computer, the program would attempt to steal as many passwords as possible. This allowed it to break into people's accounts, looking for information on more computers to attack.

Interestingly enough, in 1979, Morris Sr. and Ken Thompson (one of the co-inventors of Unix) had published a paper in which they detailed various methods for writing a program to guess the passwords of Unix users. Ironically, nine years later, Morris Jr. used the very same methods, with great success, in his own program. (If you want to read the paper, it is called "Password Security: A Case History". You will find it in the November 1979 issue of Communications of the ACM, Volume 22, Number 11.)

People have speculated as to whether or not Morris thought he was doing anything wrong. His motives remain obscure, although it is clear that he went to a lot of trouble of hiding the origin of his worm. For example, although he was working at Cornell, Morris released the worm from a computer at MIT and made it look is if it had come from a machine at U.C. Berkeley. Later, an unknown person — and we are not naming any names here — deleted a log file on the MIT computer that contained a record of Morris's actions. That is why, earlier, I had to say that the worm was released "about 6:00 P.M.". Since the log file had vanished mysteriously, no one was able to pin down the exact times and events relating to the launching of the worm.

To me, it is obvious that Morris was irresponsible and short-sighted. However, I wonder, am I being too harsh on him? To be honest, I have to admit that when I was a first-year graduate student, if I had known how to break into computer systems, I probably would have created a worm myself, just to see if it would work. (Fortunately, my father was an accountant.)

Back in 1988, it was only a matter of hours before the worm began to spread, slowly at first, and then more quickly. What Morris didn't realize was that there were flaws in his design. Once the worm established itself on a new computer, the program would make so many copies of itself that it would exhaust the resources of the computer. Some computers crashed. Others kept going, but were so occupied with running the worm that no one could do any work. Moreover, if a system administrator turned a computer off, a short time after the machine was turned on, the worm would restart itself automatically.

Eventually, the worm had spread to over 6,000 computers, and within hours, machines all over the Internet were incapacitated. To put this in perspective, at the beginning of October 1988, there were about 56,000 computers connected to the Internet. Thus, Morris' worm was able to slow down or bring to a standstill over 10 percent of the Net. (If you are interested in the technical details, the worm affected Sun 3 and VAX computers running 4.2BSD Unix.)

The damage caused by the worm was even worse than it sounds, because once the news started to spread, many network administrators disconnected their networks from the Internet to keep them from being affected. Thus, within a few hours of releasing his worm, Robert Morris had effectively shut down most of the Internet.

Interestingly enough, Morris had put in a safeguard to keep all of this from happening. He designed the worm to look for other copies of itself on the same machine. When two worms found each other, one of them would, at a particular point, voluntarily self-destruct. This safeguard should have kept the worms from getting out of hand.

However, Morris also designed the program so that one out of every seven worms would not look for its cohorts. In effect, this made one seventh of the worms immortal. Morris may have done this in order to ensure that network administrators would not be able to use fake worms to kill off the real ones. Unfortunately, Morris underestimated the staying power of his program. So many immortal worms were created that machines all over the country were overloaded.

Eventually, Morris realized that something very bad was happening. He talked with a friend at Harvard and they brainstormed in an attempt to come up with a solution to what was rapidly becoming a problem of national importance. After some discussion, Morris and his friend used a computer at Harvard to send an anonymous message over the Net. The message continued instructions on how to terminate the program and keep it from restarting.

It was too late. By the time Morris and his friend sent the message, their link to the Net was clogged. The message did not go through until much later.

Meanwhile, throughout the night, groups of Unix experts around the country were working feverishly to find a way to counteract and eradicate the worm. Within hours, two groups — one at U.C. Berkeley and another at MIT — had managed to capture a copy of the program and were hard at work analyzing it. They discovered that the program had no mechanism to stop it from spreading. To the contrary, Morris had designed the worm to propagate indefinitely. Moreover, the worm was programmed to use a variety of Unix tricks to avoid being identified or terminated.

By 5 A.M. Thursday morning — about 11 hours after the worm was released — the Computer Systems Research Group at Berkeley had developed a procedure to halt the program from spreading. They sent out the information via Usenet (a system of discussion groups) as well as posting it to a number of electronic mailing lists. However, the release of this information was slowed significantly because so many system administrators had disconnected their computers from the Net.

Later that day, another group, this one at Purdue University in Indiana, developed a simple, effective method of stopping the worm. By 9 P.M., the Purdue information was circulating on the Net.

Within a few days, system administrators around the country had things under control. The worm was wiped out, computers were back online, and the Net was humming again. The Internet gods were in their heaven; all was right with the world.

Jump to top of page

The Internet Worm: Prologue

The Internet is — and always will be — vulnerable to a scattering of talented troublemakers who are blessed with a rudimentary sense of honesty and a less than perfect attitude toward responsibility. Today, it is unlikely that a worm like the one Robert Morris created will ever find its way to your computer. However, there are other types of worms and viruses, and some of them are quite sophisticated.

In a moment, we'll talk about practical measures, and I'll show you what you can do to protect your computer. As you read the discussion, you will see that there is a trade-off between security and convenience. It is possible to make your computer completely safe, but only by putting up with unacceptable inconveniences. This has always been the case with computer systems and it was certainly true at the time of the Internet worm.

Computer users consider convenience to be important, and the Unix that was in use in 1988 had been designed, above all, for ease of use. There was a tendency for people to overlook security loopholes if fixing them would cause problems for regular users. However, the episode of the worm permanently changed the way people thought about Internet security. Ironically, this was one of the benefits that Morris brought to the Net.

The first benefit was the realization that it was important for programmers everywhere to cooperate in order to improve security on the Internet. One of the reasons that the worm was eliminated so quickly was that distant groups shared information with one another. This lesson was never forgotten.

Another insight was that it was not possible to provide adequate security at the level of the network. To ensure a safe environment, each computer on a network must be configured and maintained properly. This was a major change in the way network administrators thought about security.

The final benefit of the worm episode occurred a few weeks later. On November 29, 1988, an unknown person was able to exploit a security hole and break into a military computer. At the time, the military network was separate from the rest of the Net, although the two parts were connected. As soon as the break-in was discovered, the military disconnected themselves from the rest of the Net.

Eventually, the connection was restored. However, everyone's awareness had just been raised by the worm. These two incidents, happening too close to one another, prompted the agency of the Department of Defense that oversaw the Internet to establish a brand new organization, the Computer Emergency Response Team (CERT), based at the Software Engineering Institute at Carnegie Mellon University. The job of CERT was to coordinate the response to Internet security emergencies. Today, CERT still exists and provides important services to the Internet community.

By now you are probably wondering, what, if anything, happened to Robert Morris Jr.? After the electronic dust settled, Morris became the first person charged under the Computer Fraud and Abuse Act of 1986, a law that made it a felony to break into a federal computer network.

On January 23, 1990, Morris was convicted, and in May 1990, he was sentenced to three years probation, 400 hours of community service, and a fine of $10,050. In addition Morris was required to pay the costs of his supervision.

Today, Robert Morris Jr. is an assistant professor of the Electrical Engineering and Computer Science at MIT. According to his Web site, Morris devotes his time to "building data networking infrastructure that is easy to configure and control."

Jump to top of page

Quick Diversion: A Puzzle

Before we move on, here is a short puzzle just for fun.

Clifford Stoll, the writer of the book Cuckoo's Egg (which relates a long, difficult, and ultimately successful hunt for a hacker) once met with Robert Morris Sr. at the NSA. During the meeting, Morris gave Stoll the following puzzle.

Look at the following sequence of five numbers and figure out which number comes next:

1 11 21 1211 111221

See what you can do with it, and I'll give you the answer at the end of Chapter 10. In the meantime, here is a hint: there is no arithmetic involved.

Jump to top of page