Approaching Zero Part 4

Chapter 4.

VIRUSES, TROIANS, WORMS, AND BOMBS.

The first doc.u.mented computer virus attack was recorded on October 22,1987, at the University of Delaware, in Newark, Delaware. According to a spokesperson for the Academic Computer Center at the university, the virus infected "several hundred disks, rendering 1 percent of them unusable, and destroying at least one student's thesis." Later a news report appeared in The New York Times that claimed, "Buried within the code of the virus ... was an apparent ransom demand. Computer users were asked to send $2,000 to an address in Pakistan to obtain an immunity program." But that wasn't quite true. Researchers using specialized software were later able to call up the actual operating program of the virus onto a computer screen. Within the ma.s.s of instructions that controlled the bug, they found the following message: WELCOME TO THE DUNGEON (C) 1986 BASIT & AMJAD (PVT) LTD.

BRAIN COMPUTER SERVICES 730 NIZAB BLOCK ALLAMA IQBAL TOWN LAh.o.r.e--PAKISTAN PHONE: 430791, 443248, 280530.

BEWARE OF THIS VIRUS ...

CONTACT US FOR VACCINATION ...

There was no ransom demand.

Computer researchers now know the virus as Brain, though at the time it didn't have a name, and it was later discovered to have been programmed only to infect the first sector on a diskette. Diskettes are divided into sectors invisible to the naked eye, each holding 512 bytes (or characters) of information, equivalent to about half a page of typewritten material. The first sector on a diskette is known as the boot sector, and its function is something like that of the starter motor on a car: it kicks the machine into operation (hence the expression "booting up," or starting up, a computer). When a computer is switched on, the machine bursts into life and carries out some simple self-diagnostic tests. If no fault is found, the machine checks to see if there is a diskette in the disk drive. The disk drive, acting like a record player with the diskette as its record, begins to rotate if a diskette is in place, and the boot sector of the diskette directs the computer to the three actual start-up programs that make the computer operational.

The Brain virus was designed to hide in the boot sector waiting for the computer to start up from the diskette so that it can load itself into the computer's memory, as if it were a legitimate startup program. But at around 2,750 bytes long, it is much too big to fit entirely within the boot sector, and instead does two things: it places its first 512 bytes in the boot sector and then stores the rest of its code, together with the original boot-sector data, in six other sectors on the diskette. When the computer starts up, the head of the virus jumps into memory, then calls up its tail and the original boot sector.

Brain is one of the most innocent viruses imaginable, though that wasn't known at the time. The University of Delaware spent a full week and considerable manpower cleaning out its computer system and destroying infected diskettes, only to find that the virus's payload is simply the tagging of infected diskettes with the label "Brain." A label is the name a user can give to a diskette, and is of no real importance. Most users don't even bother to label their diskettes, and if a virus suddenly names it for them, thev are unlikely to notice or care.

However, like all viruses, Brain can cause unintended damage. If a diskette is almost full, it is possible for some sectors to be identally overwritten while the virus is attaching its tail, thereby wiping out all the data contained there. Also, copying can render the virus unstable, and could unintentionally overwrite systems areas (the sectors on diskettes that enable their use by Computers), thus rendering them useless.

Paramount to the viability of a computer virus is an effective infection strategy. Brain was viable because it didn't do anything deliberately dangerous or even very obvious, so it wasn't likely to get noticed. Therefore, when it climbed into the computer memory, it could stay there until the computer was switched off targeting any other diskettes that were introduced into the com- puler during that session.

Brain also contained a special counter, which permitted it to infect a new diskette only after the computer operator had accessed it thirty-one times. Thereafter, it infected at every fourth use. Yet another, particularly ingenious, feature was its ability to evade detection. Normally the boot sector, where the virus hides, can be read by special programs known as disk editors. But if someone tried to read the boot sector to look for it, Brain redirected them to the place where the original boot sector had been stored, so that everything looked normal. This feature, which now takes other forms, has become known as stealth, after the Stealth bomber that was designed to evade radar detection.

It wasn't difficult to trace the writers of Brain, since they had conveniently included their names, telephone numbers, and address on their virus. The programmers were nineteen-year-old Basit Farooq Alvi and his twenty-six-year-old brother, Amjad Farooq Alvi. Together they run a computer store in Lah.o.r.e, Pakistan, called Brain Computer Services. They wrote the virus in 1986, they said, "for fun," and it was in all probability the first virus ever to be disseminated internationally.

Shortly after writing Brain, Basit had given a copy of the virus to an unidentified friend, and it traveled from Pakistan to North America via an unknown route, finally reaching the University of Delaware. Like Joe Dellinger at A&M, who was surprised at how quickly his self-replicating programs had traveled, Basit and Amjad Alvi were startled that their little virus had emigrated all the way to America in less than a year.

The second doc.u.mented virus attack occurred only a month later, in November 1987, on computers at Lehigh University in Bethlehem, Pennsylvania. Unlike Brain, the virus at Lehigh was deliberately damaging. It kept a count of the number of files that it infected and, when its counter reached four, it trashed the diskette by overwriting it with "garbage" collected from another part of the computer.

The university's senior computer consultant, Ken van Wyk, realized he had a problem when students began complaining that their diskettes didn't work. At first there was a trickle of bad diskettes, then a flood. Something was zeroing out the diskettes, and Van Wyk guessed that it was probably a virus.

Van Wyk worked for five days to isolate the bug and find a cure. He discovered that, unlike Brain, the Lehigh virus did not infect the boot sector; instead, it hid itself inside one of the three start-up programs that are triggered immediately after the boot had occurred. Like Brain, the virus jumped into memory whenever a computer was started from an infected diskette. Van Wyk also discovered that the antidote was extremely simple: all he needed to do was delete the infected start-up program and replace it with a clean one. The data on the trashed diskettes, however, was irrecoverable. Van Wyk notified colleagues at other colleges that the virus "is not a joke. A large percentage of our disks have been gonged by this virus in the last couple of days."

Later that year the university suffered another attack from a modified version of the same virus. This one trashed a diskette after infecting ten files, as opposed to four. The longer delay made the new version of what was by then known as the Lehigh virus much more insidious in that it infected more diskettes with versions of itself, and therefore propagated more widely, before unleashing its payload. But because the antidote was already known to Van Wyk, the cleanup operation was quick.

The writer of the Lehigh virus was never discovered, though he or she was a.s.sumed to be a student at the university. But by one of those concurrences that excite conspiracy theorists, the professor of electrical engineering and computer science at Lehigh when the viruses attacked was Fred Cohen, by then Dr. Cohen, the same student who two years earlier had written the dissertation that had first coined the term computer virus.

Early in 1988 two more viruses were discovered, both of them written for the Macintosh, a personal computer produced by Apple, which had become the successor to its historic Apple II. The first became known as MacMag or, sometimes, Peace, and contained the phrase "universal message of peace" signed by Richard Brandow, the publisher of MacMag Magazine, a Canadian publication for Macintosh users. It also included a small drawing of the world autographed by the author of the virus, Drew Davidson.

Later it was discovered that the virus had been included on a computer game shown at a meeting of a Macintosh users' group in Montreal. A speaker at the meeting had accidentally copied the virus onto a diskette, and subsequently infected a computer in the offices of Aldus, a Seattle-based software publisher, for whom he was doing some work. The company then unwittingly copied the virus onto what was later described as "several thousand" copies of a program called Freehand, which were distributed to thousands of computer stores. After complaints from consumers, who were quite bewildered at receiving a peace message with their software, the company recalled five thousand copies of the program.

The MacMag virus, though relatively widely distributed, was not malicious. After displaying its message, it removed itself from infected systems. Nevertheless, it was an unwanted extra and served to demonstrate the speed and ease with which self-replicating programs could propagate. When questioned about the morality of deliberately publishing Davidson's virus, Brandow was quoted as saying, "You can't blame Einstein for Hiroshima."

The second Macintosh virus to be reported in 1988 was called Scores and was much more serious. On April 19,1988 Electronic Data Systems (EDS) of Dallas, a subsidiary of General Motors, announced that twenty-four of its machines had been infected with a virus that was thought to have been written by a disgrun- tled ex-employee. The virus had infected the operating system and two standard files of each computer, and then hidden itself inside two more secret files that it had created. Two days after a system has been infected with Scores, the virus begins to spread to the other programs on the computer--in particular, it looks for two specific programs developed by EDS, and when it finds them, it prevents the computer user from saving his data, thereby causing the loss of whatever he was working on.

By early 1988 a small but potentially lucrative computer security industry had begun to specialize in protecting machines from viruses. A number of computer specialists offered their services as security consultants or sold computer software designed to track down and kill viruses. But despite Brain, Lehigh, and the two Macintosh viruses, there was little real evidence of the oft-hyped plague of computer bugs. It was understandable that writers of antiviral software and others in the new security industry would exaggerate the threat; they were like burglar-alarm salesmen in a community without very many burglars. They needed to convince the public that a slew of viruses was gathering, to be unleashed on defenseless computer users in the coming year.

The emotive term virus helped their case, as did the willingness of the press to publish dubious statistics and unverified, unsourced stories of virus incidents--particularly the computer magazines, which were then locked in a difficult circulation war and looking for something out of the ordinary to write about. Viruses made good copy, as did nightmarish stories about the effects of a plague. In essence, the burglars hadn't quite hit town yet, but by G.o.d they were on the way.

One of the earliest antiviral programs for IBM PC-type computers was the work of a New York-based programmer, Ross Greenberg. He said that he had seen the impending virus threat coming for years, and had therefore created a program called Flu Shot.

During the summer of 1988 Greenberg was contacted by writer Ralph Roberts, who was researching a book about computer viruses. According to Roberts, Greenberg insisted that he had "about twenty viruses in quarantine." When asked to identify them, Greenberg told the writer, "I don't give the little suckers names." But he did describe his "favorite virus," which he said could randomly transpose two numbers on the screen. "Sounds cute," he reportedly said, "but it could be dangerous if you're using Lotus 1-2-3 [a program used for accounting] to run a multimillion-dollar company."

Roberts's book, Computer Viruses, was the first attempt to put the problem into perspective. In it he describes his interviews with the newly formed Computer Virus Industry a.s.sociation (CVIA), a body representing virus researchers and consultants that had identified "twenty different types that attack IBM PCs and compatibles" and fourteen others that infect other types of computers. The CVIA also listed the names of the top five virus strains by reported incidence as Scores, Brain, SCSI, Lehigh, and Merritt. Yet the Lehigh virus seemed to be confined to Lehigh University; Brain was relatively harmless in that the damage it caused was infrequent and accidental; and the Merritt virus (sometimes called Alameda or Yale) was a benign virus that simply replicated and had been seen at only a few universities and colleges. The SCSI virus attacked only the Amiga, which was primarily a games machine. The most threatening virus on the list was Scores, even though it seemed to be directed against one particular company. Of the twenty-nine other reported viruses, either they had been seen only once or twice or their existence was unconfirmed. (The twenty viruses Greenburg claimed to have in quarantine were not on the list.) And that, according to the CVIA, was about the size of the virus problem in the summer of 1988.

In the following year Greenberg wrote an article for Byte, an eminently respectable American computer magazine, in which he described two of the viruses he had in quarantine: his favorite number-transposing virus, now named Screen, and a similar one that he had reported to researchers as dBase, which transposed characters within files. It was called dBase because it targeted records generated by a popular program of the same name.

In 1988 and even early 1989, viruses were exceedingly rare, so there was a growing suspicion about Greenberg's claims to have twenty unnamed bugs in some sort of quarantine. It was thought that Greenberg was exaggerating for effect. Other virus researchers understandably wanted copies of Greenberg's viruses and, in particular, the dBase virus he had described in detail.

Eventually Greenberg produced a copy of dBase. It wasn't quite as he had first described it; it had only been seen on one unidentified site, and only then by Greenberg, but at least its existence could be verified. However, the existence of the other nineteen viruses, including Screen, has yet to be confirmed.

Other early viruses were equally problematic. A virus researcher named Pamela Kane told writer Ralph Roberts about the Sunnyvale Slug, which flashed the message, "Greetings from Sunnyvale. Can you find me?" on infected machines. But it has never been confirmed as a virus, nor seen since Kane first reported it. Then there was the "retro-virus," reported to have been distributed with three popular but unnamed shareware (free, shared software) programs. It was said to have been programmed to detach itself from its infected hosts--a program or file--and then to reinfect them at some future date. It was "like a submarine rigged for silent running ... the retro-virus waits until the destroyers have stowed their depth charges and gone back to port before returning to sink ships," it was claimed, somewhat colorfully, in the computing journal Info World. At the time, the retro-virus was without a doubt the most sinister virus ever reported, but it had only been seen once--by the researcher who reported it.

The CVIA was not averse to creating a few myths of its own. Its chairman, John McAfee, an ebullient and eminently quotable computer expert, was always available to fill in the press on the irresistible spread of viruses. He was a good interviewee, with a store of anecdotes about computer viruses and reports of virus attacks at generally unidentified companies and inst.i.tutions, and he managed to give the impression that each anecdote could lead to a thousand more, that each incident was representative of a hundred others. In 1988 and 1989, reports about viruses always intimated that what was public knowledge was only the tip of the iceberg--that the problem was much bigger, much wider, and much more pervasive than anyone suspected. But far from being the tip of the iceberg, what had been reported was the whole problem--and even that was seen through a prism. The hype had its effect, however, and sales of antivirus software soared.

Born in science fiction, legitimized by academia and inst.i.tutionalized by the Computer Virus Industry a.s.sociation, the computer virus finally came of age on September 26,1988, when it made the front cover of Time magazine.

Time was once derided as the publication "for those that can't think" (its sister publication, Life, was said to be "for those who can't read"). It has been accused of publishing middle-brow a.n.a.lyses and overwrought cover stories, and its ability to be out of touch has been so noticeable that in show business the offer of a Time cover story is considered a sure sign that the unfortunate star's career is on the wane. Not that anyone has ever turned down a cover story--Time is still one of the most influential publications in America, and for better or worse, what it says is often believed.

So, when Time headlined its cover about computer viruses "Invasion of the Data s.n.a.t.c.hers!" its readers were more than certain that data was indeed being s.n.a.t.c.hed. The magazine detailed an attack on a local newspaper office by the Brain virus, and called it a "deliberate act of sabotage." Brain, Time said, was "pernicious," "small but deadly," and "only one of a swarm of infectious programs that have descended on U.S. computer users this year." The magazine also announced, "In the past nine months, an estimated 250,000 computers have been hit with similar contagions."

The article captured perfectly the hyperbole about viruses: Brain was far from pernicious, and it certainly wasn't deadly. There was no swarm of viruses: the number then proven to have infected systems--as opposed to those conjured up in the imaginations of virus researchers--was probably less than ten. And as for the estimate that 250,000 computers had been hit by viruses, it was just that-- an estimate. No one at the time had any real idea how many computer sites had been affected.

The Time writer also dug deep to unearth the Cookie Monster, which had appeared during the 1970s at a number of American colleges. Inspired by a character on the children's television show Sesame Street, this joke program displayed a message on a computer screen: I WANT A COOKIE. If the user typed in "cookie," it would disappear, but, if the message was ignored, it kept reappearing with increasing frequency, becoming ever more insistent. But the Cookie Monster wasn't a virus, even in the broadest definition of the term: it was a joke program introduced by a prankster on a single computer; it had no ability to replicate and it couldn't travel surrept.i.tiously from machine to machine.

Time did recognize that "the alarm caused by these ... viruses was amplified by two groups with a vested interest in making the threat seem as dramatic as possible"--the computer security specialists and the computer press, "a collection of highly compet.i.tive weekly tabloids that have seized on the story like pit bulls, covering every outbreak with breathless copy and splashy head- lines." It was an apt description of the exaggerated coverage of the virus phenomenon. But the threat would soon become real.

On the evening of November 2, 1988, a little over five weeks after the Time story appeared, events occurred that seemed to fulfill all of the doomsday prophecies. Between 5:00 and 6:00 P.M., eastern standard time, on that Wednesday night, a rogue program was loaded onto the ARPANET system. Three hours later, across the continent at the Rand Corporation in Santa Monica, operators noticed that their computers were running down. Something was taking up computer s.p.a.ce and slowing the machines to a crawl. At 10:54 P-M- managers at the University of California at Berkeley discovered what they thought was a hacker trying to break into their systems. As the attempts continued and the attacks increased, they realized to their horror that it wasn't a hacker. It was a program, and it was multiplying.

By that time the same program was attacking the computer at MIT's Artificial Intelligence Laboratory as well as sites at Purdue, Princeton, and Stanford. It was moving across networks, spreading from the ARPANET onto MILNET--the Department of Defense computer network--and then onto Internet, which itself links four hundred local area networks. It spread to the Lawrence Livermore National Laboratory, then to the University of Maryland, then across the country again to the University of California campus at San Diego, and then into the NASA Ames Laboratory, and the Los Alamos National Laboratory in New Mexico. Within a few hours the entire Internet system was under siege. Peter Yee, at Ames, posted the first warning on the network's electronic mail service at 2:28 A.M.: "We are currently under attack from an Internet virus. It has. .h.i.t UC Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA, Ames ..."

Yee had earlier spotted what seemed to be an entire army of intruders attempting to storm his computer. He counterattacked, killing off some of the invaders. But then came another wave, and another, and he was soon overwhelmed.

His powerful computer had started to slow down noticeably, its energy drained by the proliferation of vampire programs that were reproducing uncontrollably and monopolizing its resources.

The same attackers. .h.i.t the MIT Media Laboratory in Ma.s.sachusetts. Pascal Chesnais, a scientist who had been working late in the lab, thought he had managed to kill off his mysterious intruders then went to grab a meal. When he got back, he found that more copies of the invaders were coming in with his electronic mail, so he shut down his network connection for a few hours. Then, at 3:10 A.M., he sent out his own warning: ' A virus has been detected at Media Lab. We suspect that the whole Internet is infected by now. The virus is spread by [electronic] mail ... So mail will not be accepted or delivered."

Just before midnight the rogue program had spread to the Ballistic Research Laboratory, an army weapons center in Mary land. The managers at the lab feared the worst: they could be under attack from hostile agents. Even if that proved not to be the case, they didn't know what the program was doing. It was cer- tainly multiplying, that was clear, but it might also be destroying data. By the next morning the lab had disconnected itself from the network and would remain isolated for nearly a week. It wasn't alone in disconnecting--so many sites attempted to isolate themselves that electronic mail (the usual channel of communication between computer operators) was hampered, creating even more confusion about what was happening. At one point the entire MILNET system severed all mailbridges--the transfer points for electronic mail--to ARPANET.

By midnight the electronic freeways between the sixty thousand or so interconnected computers on Internet and ARPANET were so clogged with traffic that computer specialists were roused from their sleep and summoned to their offfices to help fight the attack. Most of them wouldn't get back home until the next night.

At 3:34 A.M. on November 3rd, shortly after Yee had sounded the first alarm, another message about the virus was sent from Harvard. This message was much more helpful: it wasn't just a warning, but offered constructive suggestions and outlined three steps that would stop the virus. The anonymous sender seemed to be well informed about its mechanisms, but because of the chaos on the network, the message wouldn't get through for forty-nine hours.

At first the experts believed that all of the sixty thousand-plus computers on the besieged networks were at risk. But it quickly became apparent that the rogue program was attacking only particular models: Sun Microsystems, Series 3 machines, and VAX computers running variants of the UNIX operating system. On infected machines unusual messages appeared in the files of some utilities, particularly the electronic-mail handling agent, called Sendmail. But what was most apparent was that the rogue program was multiplying at devastating speed, spreading from computer to computer, reinfecting machines over and over. As the reinfections multiplied, the systems became bogged down; then the machines ran out of s.p.a.ce and crashed.

On the morning of Thursday, November 3rd, Gene Spafford, a computer science professor at Purdue University, sent the following message to his colleagues: "All of our Vaxes and some of our Suns here were infected with the virus. The virus made repeated copies of itself as it tried to spread, and the load averages on the infected machines skyrocketed. In fact, it got to the point that some of the machines ran out of s.p.a.ce, preventing log-in to even see what was going on!" Spafford did manage to capture part of the rogue program, but only the half that controlled its spread. The other half, the main operating system within the program, erased itself as it moved from computer to computer, so as not to leave any evidence. The deviousness of the program lent weight to the theory that it would also be damaging: that the rogue program could somehow have been tampering with systems, altering files, or destroying information.

The rogue program, it was subsequently discovered, moved from computer to computer by exploiting flaws in the Berkeley version of UNIX. The princ.i.p.al flaw was in Sendmail, the program designed to send electronic mail between computers in the interlinked networks. A trapdoor on Sendmail would allow com- mands (as opposed to actual mail) to be sent from computer to computer. Those commands were the rogue program. Once it had entered one computer through Sendmail, it would collect information about other machines in the system to which it could jump, and then proceed to infect those machines.

In addition to exploiting the Sendmail flaw, the rogue program could try to guess the pa.s.swords to jump to target computers. Its pa.s.sword routine used three methods: it tried simple permutations of known users' names, it tried a list of 432 frequently used pa.s.swords, and it also tried names from the host computer's own dictionary. If one method didn't work, it would try another and then another until it had managed to prise open the door of the target computer. An early a.n.a.lysis of the program made at four A.M. on the morning after the initial attack described it as "high quality." Some twelve hours after its release, it was estimated that about 6,200 computers on Internet had been infected; the costs, in downtime and personnel, were mounting.

In the meantime, three ad hoc response teams, at the University of California at Berkeley, at MIT, and at Purdue, were attempting to put an end to the attack. At five A.M. the Berkeley team sent out the first, interim set of instructions designed to halt the spread. By that time the initial fears that the rogue program might destroy information or systems had proved unfounded. The program, it was discovered, was designed to do nothing more than propagate.

It contained no destructive elements apart from its ability to multiply and reinfect to such an extent that it would take over all available s.p.a.ce on a target computer.

Later on Thursday the team at Purdue sent out an electronic bulletin that catalogued methods to eradicate the virus. And at Berkeley they isolated the trapdoors it had used and published procedures for closing them.

Once the commotion had died down and computer managers had cleared out the memories on their machines and checked all the software, their thoughts turned to the reasons for the attack. That it was deliberate was certain: the rogue program had been a cleverly engineered code that had exploited little-known flaws in UNIX; it had erased evidence of its intrusions on the computers it had infected; and it was encrypted (written in code) to make it more difficult to tear apart. There was little doubt in anyone's mind that the program was the work of a very clever virus writer, perhaps someone who had a grudge against ARPANET or one of the universities, a computer freak outside of the mainstream attempting to get back at the establishment. But these suppositions were wrong.

Internet's rogue program became a media event. The New York Times called the incident "the largest a.s.sault ever on the nation's systems." The program itself became known as the Internet Virus or, more accurately, the Internet Worm. At a press conference at MIT the day after the worm was released onto ARPANET, the university's normally reticent computer boffins found themselves facing ten camera crews and twenty-five reporters. The press, the MIT researchers felt, was princ.i.p.ally concerned with confirming details of either the collapse of the entire U.S. computer system or the beginning of a new world war, preferably both. One partic.i.p.ant had nightmarish visions of a tabloid headline: COMPUTER VIRUS ESCAPES TO HUMANS, 96 KILLED.

The incident received worldwide press coverage, and the extent of the damage was magnified along the way. One of the first estimates--from John McAfee, the personable chairman of CVIA--was that cleaning up the networks and fixing the system's flaws would cost $96 million. Other estimates ran as high as $186 million. These figures were widely repeated, and it wasn't until later that cooler heads began to a.s.sess the damage realistically. The initial estimate that about 6,200 machines, some 10 percent of the computers on Internet, had been infected was revised to roughly 2,000, and the cleanup cost has now been calculated at about $1 million, a figure that is based on the a.s.sumed value of "downtime," the estimated loss of income while a computer is idle. The actual rest.i.tutional cost has been a.s.sessed as $150,000; McAfee's exaggerated estimate of $96 million was dismissed.

By the time the real a.s.sessments had been made, the ident.i.ty of the author of the worm had been discovered. He was Robert Morris, Jr., a twenty-three-year-old graduate of Harvard University and, at the time of the incident, a postgraduate student at Cornell. Far from being an embittered hacker or an outsider, he was very much the product of an "insider" family. His father Robert Morris, Sr., was the chief scientist at the National Computer Security Center, a nationally recognized expert on computer crime, and a veteran of Bell Laboratories. He was, coincidentally, also one of the three designers of a high-tech game called Core Wars, in which two programs engage in battle in a specially reserved area of the computer's memory. The game, which was written in the early 1960S at Bell, used "killer" programs that were designed to wipe out the defenses of the opponent. The curious similarities between Core Wars and the Internet Worm were often cited in press reports.

Morris received an enormous amount of publicity after his ident.i.ty became known. His motives have been endlessly reviewed and a.n.a.lysed, especially in a recent book, Cyberpunk, that was partly devoted to the Internet Worm. The consensus was that Morris wrote a program that fulfilled a number of criteria, including the ability to propagate widely, but that he vastly underestimated the speed at which it would spread and infect and then reinfect other machines.

He himself called the worm "a dismal failure" and claimed that it was never intended to slow computers down or cause any of them to crash. His intention, he said, was for the program to make a single copy on each machine and then hide within the network. When he realized, on the night of November 2nd, that his program was crashing computers on the linked networks, he asked a friend, Andrew Sudduth, to post an electronic message with an apology and instructions for killing the program. That was the message sent out at 3:34 A.M., the one overlooked in the general confusion.

Morris was indicted for "intentionally and without authorization" accessing "federal-interest computers," preventing their use and causing a loss of at least $1,000 (that figure being the minimum loss for an indictment). The charge, under a section of the 1986 Computer Fraud and Abuse Act, potentially carries a fine of $250,000 and up to five years in prison.

Morris was tried in January 1990. His defense lawyers said that be had been attempting to "help security" on Internet and that his program had simply gotten out of control. The prosecution argued that "the worm was not merely a mistake; it was a crime against the government of the United States."

On January 22nd a federal jury found Morris guilty, the first conviction under that particular section of the 1986 act. Despite the verdict the judge stated that he believed the sentencing requirements did not apply in Morris's case, saying the circ.u.mstances did not exhibit "fraud and deceit." The sentence given was three years' probation, a fine of $10,000, and four hundred hours' community service.

The type of program that Morris had released onto ARPANET, a worm, has been defined as a program that takes up residence in a computer's memory, similar to the way a real worm takes up residence in an apple. Like the biological worm, the electronic one reproduces itself; unlike the real-life worm, however, the offspring of a computer worm will live in another machine and generally remain in communication with its progenitor. Its function is to use up s.p.a.ce on the computer system and cause the machine to slow down or crash.

To researchers there is a clear distinction between worms and viruses, which are a separate sort of malicious program that require a "host," a program or file on a disk or diskette that they can attach themselves to. Viruses almost always have a payload as well, which is designed to change, modify, or even attack the system they take residence on. Worms can also usually be destroyed by closing down the network.

The fact that worms can travel independently from one linked machine to another has always intrigued programmers, and there have been many attempts to harness this ability for beneficial purposes. Ironically, one of the first experiments was made on ARPANET. A demonstration program called Creeper was designed to find and print a file on one computer, then move to a second and repeat the task. A later version not only moved through computers performing ch.o.r.es, but could also reproduce, creating perfect clones of itself that would undertake the same ch.o.r.es and replicate again. The problem became obvious: the number of worms would increase exponentially as each generation replicated, creating a seemingly endless number of clones.

The solution was to create another, nonreplicating worm, called the Reaper, which would crawl through the system behind the Creeper and kill off the proliferating clones after they had performed their tasks. The experiment was abandoned when it became apparent that the Reaper would never be able to keep up with the proliferating number of Creepers.

There are other sorts of malicious programs, including what are known as trojans--after the Greek wooden horse. The first trojan incident was reported in Germany in 1987. On the afternoon of December 9th, several students at the University of Clausthal-Zellerfeld, just south of Hannover, logged in to their computers and found that they had received electronic mail in the form of a file called Christmas. On reading the file, they saw the message LET THIS EXEC RUN AND ENJOY YOURSELF! followed by a small drawing of a Christmas tree, crudely represented by asterisks. An "exec" is an executable file, or program, and the suggestion was that if they ran the program, a large Christmas tree would appear on their computer screens. By the side of the small drawing was the greeting: A VERY MERRY CHRISTMAS AND BEST WISHES FOR THE NEXT YEAR.

Underneath the drawing was a further message, in broken English: BROWSING THIS FILE IS NO FUN AT ALL JUST TYPE "CHRISTMAS," followed by some seventy lines of computer instructions. The students could recognize that these instructions were written in an easy-to-use programming language that was available on their IBM mainframe, but few could comprehend what the program was designed to do. Most of the students decided to give the program a try, typed in "Christmas," and were duly rewarded with a large drawing of a Christmas tree. Typically, they then deleted the file. However the next time they logged in to their computers, they found that they had received more copies of the Christmas file, as had many other computer users at the university. What no one had realized was that as well as drawing a Christmas tree, the program had been reading the files containing the students' electronic address books with the details of their other regular contacts on the IBM mainframe computer. The program then sent a copy of itself to all the other names that it could find. It was an electronic chain letter: each time the program was run, it could trigger fifty, or a hundred, or even more copies of itself, depending on the size of each user's electronic address book.

The unidentified student who playfully introduced the Christmas file into the electronic mail system had probably visualized a little local fun. He hadn't realized that some of the university's computer users had electronic addresses outside Clausthal-Zellerfeld linked by EARNet, the European Academic Research Network. Or that when copies of the file started whizzing around EARNet, they would then find their way onto BitNet, an academic computer network linking 1,300 sites in the United States, and from there onto VNet, IBM's private worldwide electronic mail network, which links about four thousand mainframe computers and many more smaller computers and workstations. The electronic chain letter reached VNet on December 15th, just six days after it was launched.

IBM's corporate users typically carry more names and addresses in their files than university users. Soon thousands of copies of the file were circulating around the world; it quickly reached j.a.pan, which, like all the addresses, was only seconds away by electronic mail. Within two days the rampaging programs brought IBM's entire network to a standstill, simply by sending Christmas greetings throughout the network. The company spent an unfestive Christmas season killing all copies of the file.

The program was later dubbed the IBM Christmas Tree Virus, but because it needed some user interaction--in this case, typing in the word Christmas--it isn't considered a true virus. User interaction implies inviting the intruder in behind your defenses, as the Trojans did with the Greek horse. But virus researchers have created a subcategory for trojans that replicate--as the IBM Christmas Tree did called, naturally enough, replicating trojans.

The pervasive media coverage of the Internet Worm was probably one reason for the next major computer incident that year. On December 23, 1988, just six weeks after Morris's Internet Worm hit the front pages, a very different worm hit the NASA s.p.a.ce Physics Astronomy Network (SPAN) and the Department of Energy computer networks.

Like the IBM Christmas Tree Trojan, it carried a Christmas greeting, and like the Internet Worm, it also targeted Digital Equipment's VAX computers. What later became known as the Father Christmas Worm waited until midnight on December 24th before delivering its message to users on the network: HI HOW ARE YOU? I HAD A HARD TIME PREPARING ALL THE PRESENTS. IT ISNT QUITE AN EASY JOB. IM GETTING MORE AND MORE LETTERS.... NOW STOP COMPUTING AND HAVE A GOOD TIME AT HOME!! MERRY CHRISTMAS AND A HAPPY NEW YEAR. YOUR FATHER CHRISTMAS.

The Father Christmas Worm was considered nothing more than a nuisance, and did no damage. But in October 1989 the SPAN network was. .h.i.t again, with a worm delivering a protest message. The new worm was a variant of Father Christmas, but this time when users logged in to their systems, they found that their normal opening page had been replaced with a large graphics display woven around the word w.a.n.k. In ordinary characters, the symbolism was explained: WORMS AGAINST NUCLEAR KILLERS Your System Has Been Officially w.a.n.ked.

You talk of times of peace for all, and then prepare for war.

The arrival of the worm coincided with reports of protestors in Florida attempting to disrupt the launch of a nuclear-powered shuttle payload. It is a.s.sumed that the worm was also a protest against the launch.

The w.a.n.k Worm spread itself at a more leisurely rate than the lnternet Worm, sending out fewer alarms and creating less hysteria. But when Kevin Obermann, a computer technician at Lawrence Livermore Laboratories, took it apart, he reported, "This is a mean bug to kill and could have done a lot of damage."

The w.a.n.k Worm had some features that were not present in the Father Christmas Worm: to a limited extent it could evolve and miltate, allowing it to become just a little bit smarter as it made its way from machine to machine. In other words, the worm had been designed to mutate deliberately, to add to the problems that might be caused by accidental mutation or by unintentional programming errors. And, by not immediately announcing its presence, it had more time to spread.

A method for combatting the worm was developed by Bernard Perrot of the Inst.i.tut de Physique Nucleaire at Orsay, France. Perrot's scheme was to create a b.o.o.by-trapped file of the type that the worm could be expected to attack. If the worm tried to use information from the file, it would itself come under attack and be blown up and killed.

By the end of 1989 the prophecies of the computer virus experts seemed to have come true. Now not only were there viruses, but there was a whole panoply of malicious software to deal with: worms, trojans, and the programs known as logic bombs.

Bombs are always deliberately damaging but, unlike viruses, don't replicate. They are designed to lay dormant within a computer for a period of time, then explode at some preprogrammed date or event. Their targets vary: some delete or modify files, some zap the hard disk; some even release a virus or a worm when they explode. Their only common feature is the single blast of intentional destruction.

What had started out as simple self-replicating programs had grown into a full-blown threat to computer security. Those who had warned about the potential danger for the past two years were ent.i.tled to say, "I told you so."

But the prophecies were self-fulfilling. The choice of the term virus to describe quite unremarkable programs glamorized the mundane; the relentless promotion of the presumed threat put ideas in the minds of potential virus writers; the publicity given the concept ensured that the writer's progeny would become known and discussed. Even if the writer himself remained anony- mous, he would know that his creative offspring would become famous.

The computer underworld is populated with young men (and almost no women), mostly single, who live out their fantasies of power and glory on a keyboard. That some young men find computing a subst.i.tute for s.e.xual activity is probably incontrovertible. Just as a handle will often hide a shy and frightened fifteen-year-old, an obsession with computing to the exclusion of all else may represent security for a s.e.xually insecure youngster. The computer is his partner, his handle is his alter ego, and the virus he writes is the child of this alter ego and his partner.

A German virus writer once said, "You feel something wonderful has happened when you've produced one. You've created something that lives. You don't know where it will go or what it will do, but you know it will live on."

The antivirus industry, of course, had no thoughts of creating a hobby for insecure technology wizards when it began its campaign of publicity and hype in 1987 and 1988. But there was little question that by the end of 1989 a real threat to computer systems had been created, posed by what was indeed becoming a plague of viruses. The number of catalogued viruses in the West would grow exponentially: from thirty-odd in mid-1988, to a hundred at the end of 1989, five hundred in 1990 and over two thousand-plus at the end of 1992. Along the way the antivirus industry would lose all control of the plague--its security software overwhelmed, its confidence battered by the sheer number of new viruses confronting it. And the new viruses became much more destructive, malicious, and uncontrollable than anyone had ever imagined.

Chapter 5.

THE BULGARIAN THREAT.

In March 1990 the first attempt was made to quantify the extent of the threat posed by computer viruses. Dr. Peter Tippett, a Case Western University scholar and the president of Certus International, a software company, predicted that 8 percent of all PCs would be infected within two years, even if no new viruses were written. He estimated the cost of removing the infections at $1.5 billion over five years--not taking into account the value of the data that would be destroyed. In 1991 he estimated that organizations in North America with over four hundred computers had a 26 percent probability of being hit by a virus within the next year; they also had a 5 percent chance of that virus causing a "disaster," which he defined as an infection that spread to twenty-five or more machines. A more recent projection, made in late 1991, went farther. It suggested that as many as 12 million of the world's 70 million computers--or roughly 17 percent--would be infected within the next two years.

But predictions such as those made by Dr. Tippett have proved difficult to substantiate: most virus attacks simply aren't reported; there is no body that regularly collects reliable statistics about the virus problem, and estimates of costs are always just guesses. When Dr. Tippett made his predictions, the number of new viruses that were appearing made it seem possible that their sheer volume would overwhelm the world's computer systems. By 1992, there were over 1,500 catalogued viruses and variants in the West by spring 1993, there could well be twice that number.

Tippett had based his predictions on the behavior of just one virus, called Jerusalem. It was first discovered in December 1987 at the Hebrew University in Jerusalem, though it is thought to have been written in Haifa, the country's princ.i.p.al port and the home of its leading technical college, Technion University. At least, that is one theory. No one has proved that the virus was written in Haifa, nor has anyone ever claimed authorship.