Hack-Tic 1



WORM OP HET
INTERNET

  Het internet verbindt een groot aantal research computers in de hele wereld. Een waanzinnig slimme programmeur heeft een programma ontwikkeld dat zichzelf razendsnel en zeer efficient over dit netwerk kan verspreiden.
  Op het internet wordt ook nieuws over diverse onderwerpen over de aardbol gestuurd. De nieuwsgroep "RISKS" (The risks of computing) bevatte vorig jaar november een groot aantal interessante berichten. (De hele structuur van de worm was al bekend toen de pers hier nog schreef dat 'men in het duister tastte'. Nu nog heeft de pers het over een virus in plaats van een worm. De artikelen spreken voor zich…
…………………………
  Hi Gang!
  It's now 3:45 AM on Wednesday 3 November 1988. I'm tired, so don't believe everything that follows…
  Apparently, there is a massive attack on Unix systems going on right now.
  I have spoken to systems managers at several computers, on both the east & west coast, and I suspect this may be a system wide problem.
  Symptom: hundreds or thousands of jobs start running on a Unix system bringing response to 0.
  Systems attacked: Unix systems, 4.3BSD unix & variants (eg: SUNs) any sendmail compiled with debug has this problem. See below.
  This virus is spreading very quickly over the Milnet. Within the past 4 hours, I have evidence that it has hit 10 sites across the country, both Arpanet and Milnet sites. I suspect that well over 50 sites have been hit. Most of these are "major" sites and gateways.
  The bug in Sendmail:
  When the Unix 4.3 BSD version of Sendmail is compiled with the Debug option, there's a hole in it.
  Most Unix systems (BSD 4.3 and Suns) apparently do not have this bug. It exists only where the system manager recompiled Sendmail and enabled debugging.
  This is bad news.
…………………………
Date: Thu, 03 Nov 88 22:04:15 EST
Subject: A cure!!!!!

FLASH!!
  Kevin ("Adb's your friend.") Braunsdorf just burst into my office with a cure discovered in the disassembled worm binary.
  If there is an external variable in the library named "pleasequit" that is non-zero, the worm will die immediately after exiting. Thus, to kill any new worms, include a patch in your library that defines the symbol. The following shell file and source code will modify your C library to define this symbol.
  It WON'T kill any currently linked and running versions, but it will prevent reinfection.
…………………………
Subject: The Worm
  Our site apparently didn't get hit, because our newly installed NSFnet router has been so flaky that it has been unusable. Just goes to show, I guess.
…………………………
A REPORT ON THE INTERNET WORM
Bob Page
University of Lowell
Computer Science Department
November 7, 1988

  Here's the scoop on the "Internet Worm". Actually it's not a virus - a virus