Internet worm – part 2

November 3, 1988

• 00.07. An Arizona University machine is infected by mail;
• 00.21. The main machine at Princeton University (a VAX 8650) is infected. The number of tests reaches 68 and the machine breaks down;
• 00.33. The Dewey.udel.edu machine at the University of Delaware is infected;
• 30.1. UCLA machines are infected;
• 02.00. The worm is found on machines at Harvard University;
• 02.38. An email message is sent from Berkeley with the content: “We are attacked.” Sites listed as infected: UC Berkeley, UC San Diego, MMM, Stanford and NASA Ames;
• 03.15. A machine at the University of Chicago is infected. One of the machines in the Physics department suffers 225 infection attempts via fingerd, through machines at Cornell;
• 03.39. A warning about the worm is sent from foo@bar.arpa in the form: “It’s probably lost a virus over the Internet.” It contained three short sentences about how to stop the worm, followed by “I hope this helps, but more, I hope it is a farce.” The sender proved to be Andy Sudduth of Harvard, who had been called by telephone by the alleged author of the worm, Robert T. Morris. Due to network and machine load, the warning is circulated over the next 24 hours;
• 04.00. The University of Colorado is also subject to attack;
• 04.00. Machines at Purdue University are infected;
• 05.54. A warning about the worm is mailed, together with a minimal safeguard for the sendmail program. The message is taken from the Usenix newsgroup;
• 06.45. A call is made to the National Computer Security Center to inform it of the worm;
• 07.00. Machines at the Georgia Institute of Technology are infected. The gateway machine (a VAX 780) has over 30 trials;
• 7.30. Infected machines are discovered at Purdue University. Sun machines are so loaded that mail messages cannot be read, including messages about the worm;
• 8.07. At Berkeley, the worm's attack via fingerd is identified, but the message sent by mail can be read only more than 13 hours later;
• 8.18. The warning about the worm is forwarded to the Usenet news.announce.important newsgroup and to 30 other sites. This was the first information about the worm available to those affected during the day; this group exchanged messages by mail on the progress and behavior of the worm;
• 10.36. The first description of how the worm works is circulated on the NNTP-managers list. The attack on the fingerd program is still not known at this time;
• 11.30. The Defense Communications Agency disables the mail bridges between the ARPANET and Milnet;
• 13.00. Over 130 machines are locked at SRI;
• 14.50. Staff at Purdue find infected machines that have the new versions of the sendmail program installed. A mail message is sent stating that the new version of sendmail is not a sufficient safeguard. This had already been known in many places, including Berkeley and MIT, for more than one hour, but nothing had yet been published;
• 16.00. Purdue system administrators meet to determine a local strategy. The captured versions of the worm suggest a way to prevent infection: creating a directory named sh in the /usr/tmp directory;
• 18.00. At Purdue it is discovered how the worm works, through the failure in the finger program;
• 19.00. At MIT, the worm's attack via fingerd is reconstructed, and Berkeley is phoned to announce it. Nothing is sent by mail about this kind of attack;
• 19.19. New improvements for the sendmail and fingerd programs are sent, but these messages are not received until the following day;
• 19.37. The University of Rochester was mailed a description of the attack through the fingerd program;
• 21.30. The Berkeley group begins decompiling the worm to determine the C source.

November 4, 1988

• 00.50. A description of the fingerd attack is sent by mail. The first comments appear on the style and code of the worm's author;
• 05.00. The MIT group finishes decompiling the code;
• 09.00. The Berkeley group finishes decompiling the code;
• 11.00. The mail bridges between Milnet and the ARPANET are reinstated;
• 14.20. The fingerd program changes are retransmitted by mail;
• 15.36. Clarifications on how the worm runs are transmitted from MIT;
• 17.20. A final set of improvements for sendmail and fingerd is submitted;
• 21.30. The worm's author is identified by two independent sources as Robert T. Morris, son of Robert Morris, Scientific Director of the National Computer Security Center (NCSC).
• By November 8, most machines had been reconnected to the Internet and traffic had returned to normal. In the morning, some 50 researchers met with officials from the National Computer Security Center. On this occasion, further actions in this area were identified. Network traffic analysers continued trying to identify remaining infected machines on the Internet. A final attempt was identified in early December 1988.

About the worm's author

After the worm was stopped, two questions inevitably arose: “Who?” and “Why?”
The answer to the first question came quickly: Robert T. Morris was identified by the New York Times. There are many elements that support this identification. Many federal officials said they have evidence, obtained from different individuals, that Morris talked to these people about the worm and his research in this direction. They also claim to have records from computers at Cornell University showing early versions of the worm code being tested on campus machines, and claim to have copies of the worm found in Morris’s account. The report issued by the Office of the Rector at Cornell also names Morris as culpable and gives compelling reasons to support this conclusion.
But while the author was established, the reason for his action remains unclear, variously placed between an experiment and an unconscious act of revenge against Morris's father. From the study of the decompiled code by many people, two conclusions emerged:
The first conclusion is that the program does not contain portions of code that would explicitly cause damage to the systems on which it runs. Taking into account the skills and knowledge shown by the code, it would have been a simple matter for the author to introduce such instructions, had that been his intention. Finally, the premature release of the worm onto the network shows that an intention on the author's part to destroy or disturb structures and systems cannot be considered explicit;

The second conclusion is that the code does not include a mechanism to stop the worm's spread. Taking this into account, together with the complexity of the argument string needed to trigger the worm, many people who have examined the code do not believe that the worm was triggered by accident or that the intention was for it not to spread widely. Given this, the attempts made to justify Morris's actions, maintaining that his intention was to demonstrate something about the security of the Internet or that it was an innocent experiment, are strange. The Cornell University Rector's report does not attempt to excuse his behaviour. It is labelled as unethical and contrary to professional standards. The action is considered to go against University policy and accepted practice, and, given his experience in this area, he would have been expected to be aware that such actions are unlawful. Those who believe that the worm was an accident or an unfortunate experiment hold that the author should not be punished, going as far as to demand punishment of the managers and operators of the affected systems and machines for negligence in how they treated security. Others consider that the author should be punished severely, including deprivation of liberty. The Cornell Commission recommended some punishment, but not so severe as to affect Morris's future career. The recommendation was Morris’s suspension from the University for at least a year. That no major disasters happened may be an accident, and it is likely that the author’s intention was to overload the Internet, as happened. Excusing such acts of vandalism on the grounds that the authors did not want to cause great damage can hardly deter repetition of such attempts; even more, it encourages them.
