Mark Eichin and Jon Rochlis at MIT and Gene Spafford at Berkeley did some pretty amazing work, reverse engineering the attack payload on the fly in real-time to regenerate the source C code responsible for the attack while the attack was under way and at a time when no one was doing that sort of work yet.
My favorite part of those efforts was when Spafford posted a tongue-in-cheek bugfix patch to the attack code midway through the attack (at a time when the only people in the world with the source code were his team, Mark and Jon, and of course RTM since he wrote it). I couldn’t find the patch but it’s somewhere in the RISKS archives from that era.
I was a teenager when this happened. RTM's worm probably started a number of security careers and brought career peak levels of excitement to many of the people involved with analysis. I remember being absolutely astonished that someone writing computer programs could cause such a commotion. Some people must have realized that it was a good thing that awareness was raised. I have a hard time putting much stock in the pretend damage estimates.
>I imagine in the 1970s there weren't a whole lot of hacks that began with "scan the entirety of ARPANET to find a few vulnerable machines, then apply vulnerability."
That was a scary time, the first ever large-scale network attack. I found myself a couple of days later flying down to DC with some other folks from MIT and Harvard to brief a bunch of senior DoD and agency types on what happened. But the thing I remember most vividly was getting home late at night after spending the day repeatedly trying to disinfect and protect our machines, only to log in via a 4800 baud modem and see that our machines were somehow infected yet again, with the realization that we’d changed root passwords so many times I had no idea how to get in and fix it, nor any way to reach our sysadmin, who was even more exhausted than I was.
So I called a friend, who is now a physics professor at MIT, and said “Our machines are infected, could you please break in, go root, clean the infection, and send an email to our sysadmin explaining to him you did this at my request?” All he said was “Ok, get some sleep,” and yes, even though we’d just spent almost 24 hours locking down every possible attack vector into our machines and network, we woke up to clean machines with a polite email in the sysadmin’s inbox. I never have figured out whether that was more a measure of the state of network security in the late 1980s or of the kind of mad skills it takes to become tenure track at a place like MIT.
There is a good telling of the worm story in the final chapters of Cliff Stoll’s amazing book on discovering a case of internet-hacking meets East-German-spies meets 2400-baud-modems and three-letter-agencies back in the mid 1980s (which spent 42 weeks on the NYTimes bestseller list and is a ton of fun to read) [0].
I'm happy to give Elias credit for a big part of the shift, but the reality is that first x86 exploit was published well before that Phrack article, and people quickly repurposed it. (I'm a little biased here, since the author of that exploit is a partner of mine).
The vulnerability research community in 1995 was very close-knit (not tiny, but you could fit them in a hotel banquet hall for Summercon), and they worked pretty quickly to educate each other about the attack.
Ehh, in 1988 that worm was like an alien artifact from the cyberpunk future.
First "real" worm code, multi-platform, multiple payloads, "staging", first practical buffer overflow exploit and it does credential brute-forcing.
Heck, it was not until nearly a decade later that people were really doing buffer overflows, and there were a LOT of easy overflows to be found.
I'd make the case that rtm didn't just "make a worm"; he foreshadowed the next few decades of computer exploitation.
Took a whole bunch of research and ideas, synthesised them, built an actual working "product" a decade or two ahead of its time and released it in a transgressive way.
If you are the kind of person who can do that I'm sure lots of people would like to be friends with you.
I was there that day, sitting near several of the people deeply involved. I'm not really a security guy, so I was mostly a morbidly curious bystander. Early on, I saw a bunch of SeriouslyScary(tm) stuff in chat, and decided to see what was up. I was shoulder-surfing while they were looking at the URL/endpoint, and when we found the code, and then the diff that put it into the codebase, the collective "oh shit" was something I won't soon forget.
There may be some new documents available now, but the story as such seems to have been known for a while.
I first learned of it last summer while reading some of the drafts for Ross Anderson's update of his excellent Security Engineering.
Uh... I'm too young for that, unfortunately. But as I get it, first they wrote the implementation(s), then, seeing it was reasonably good, documented the results for everyone to discuss and use.
The point is, they had an idea, hacked the software (without any standards at that point; as I understand, this was the case with IRC, which was only RFCed 10 years after its birth), then willingly shared the knowledge.
If I recall, CmdrTaco talked in considerable detail (at the time, on Slashdot) about the rather extreme technical changes that he and his crew performed, on the fly, on 9/11, to keep their site up.
Trinity used nmap to find an actual openssl exploit. Even then, people were nitpicking over whether or not the exploit was known during the time period that the world inside the Matrix is purported to be, though IIRC that was in good fun.
I thought this exploit was imagined a decade ago? I could swear I have seen links posted here where concerns were raised as speculative execution entered the picture. But I agree that it’s hard to blame them when it took a decade for something to actually materialize.
> FWIW IOS backdoors were already being researched by 2003 [...]
I recall there was a Swede (the grue?) on the Pull the Plug IRC network who was cross-compiling and linking in backdoored object code in Cisco IOS images already back in 2000.
Literally every "researcher" in 1995 was working on this problem. I was in the room with Mudge at Pumpcon while he was doing the research work for this, with like a dozen other people. All of them were I believe primarily motivated by 8lgm --- that's why Mudge's post uses a contrived syslog(3) example instead of a real bug, because the 8lgm Sendmail exploit was an overflow in syslog(3).
It's fine, it's a solid post, it's an early post. But Lopatic and 8lgm set this in motion, and the actual blueprint for this attack was probably splitvt.
To me, the historical reconstruction aspect of this is at least as interesting as the attack. One of my more obscure hobbies is studying the history of ancient texts, and it is fascinating to watch the process of losing primary historical sources play out in front of my eyes:
> However, in 1995, Usenet poster Jay Ashworth, citing personal communications with Ken Thompson, provided strong evidence of the existence of a real-world experiment of this attack. Unfortunately, the full Usenet message is missing on the web. There are only quoted snippets of this Usenet post circulated around various blogs, reducing its authenticity.
> In 2021, I rediscovered the full Usenet message after a search effort in multiple Usenet archives. My success was partial: it was still a repost by someone else, and I was unable to find the original message. However, this repost contains the full Usenet message, including complete headers and message body, with the poster name and its Message-ID, establishing the authenticity of the post beyond reasonable doubt.