Next: Current Protection Against Up: Worms Previous: Worms

History of Worms

Worms were first used as a legitimate mechanism for performing tasks in a distributed environment. Network worms were considered promising for the performance of network management tasks in a series of experiments at the Xerox Palo Alto Research Center in 1982. The key problem noted was ``worm management;'' controlling the number of copies executing at a single time. This would be experienced later by authors of malicious worms.

Worms were first noticed as a potential computer security threat when the Christmas Tree Exec [Den90] attacked IBM mainframes in December 1987. It brought down both the world-wide IBM network and BITNET. The Christmas Tree Exec wasn't a true worm. It was a trojan horse with a replicating mechanism. A user would receive an e-mail Christmas card that included executable (REXX) code. If executed the program claimed to draw a Xmas tree on the display. That much was true, but it also sent a copy to everyone on the user's address lists.

The Internet Worm [Spa89] was a true worm. It was released on November 2, 1988. It attacked Sun and DEC UNIX systems attached to the Internet (it included two sets of binaries, one for each system). It utilized the TCP/IP protocols, common application layer protocols, operating system bugs, and a variety of system administration flaws to propagate. Various problems with worm management resulted in extremely poor system performance and a denial of network service.

The Father Christmas worm was also a true worm. It was first released onto the worldwide DECnet Internet in December of 1988. This worm attacked VAX/VMS systems on SPAN and HEPNET. It utilized the DECnet protocols and a variety of system administration flaws to propagate. The worm exploited TASK0, which allows outsiders to perform tasks on the system. This worm added an additional feature; it reported successful system penetration to a specific site.

This worm made no attempt at secrecy; it was not encrypted and sent mail to every user on the system. About a month later another worm, apparently a variant of Father Christmas, was released on a private network. This variant searched for accounts with ``industry standard'' or ``easily guessed'' passwords.

The history of worms displays the same increasing complexity found in the development of PC viruses. The Christmas Tree Exec wasn't a true worm. It was a trojan horse with a replicating mechanism. The Internet Worm was a true worm; it exploited both operating system flaws and common system management problems. The DECnet worms attacked system management problems, and reported information about successful system penetration to a central site.

Several conclusions can be drawn from this information:



Next: Current Protection Against Up: Worms Previous: Worms


konczal@csrc.ncsl.nist.gov
Thu Mar 10 15:32:44 EST 1994