RFC 1135 (rfc1135) - Page 3 of 33
Helminthiasis of the Internet
RFC 1135          The Helminthiasis of the Internet          December 1989

point interfaces, and other machines at randomly guessed addresses on networks of first hop gateways. The Internet worm was also able to infect systems using guessed passwords, typically spreading itself within local networks by this method. It tried to guess passwords, and upon gaining access, the worm was able to pose as a legitimate user.

1.2 Festering - Password Cracking

The worm festered by going into a password cracking phase, attempting to access accounts with obvious passwords (using clues readily available in the /etc/passwd file), such as: none at all, the user name, the user name appended to itself, the "nickname", the last name, the last name spelled backwards. It also tried breaking into accounts with passwords from a personalized 432 word dictionary, and accounts with passwords in /usr/dict/words.

Most users encountered a slowing of their programs, as the systems became overloaded trying to run many copies of the worm program, or a lack of file space if many copies of the worm's temporary files existed concurrently. Actually, the worm was very careful to hide itself and leave little evidence of its passage through a system. The users at the infected sites may have seen strange files that showed up in the /usr/tmp directories of some machines and obscure messages that appeared in the log files of sendmail.

1.3 The Cure

Teams of computer science students and staff worked feverishly to understand the worm. The key was seen to be obtaining a source (C language) version of the program. Since the only isolated instances of the worm were binary code, a major effort was made to translate back to source, that is, to decompile the code, and to study just what damage the worm was capable of. Two specific teams emerged in the battle against the Internet worm: the Berkeley Team and the MIT team. They communicated and exchanged code extensively. Both teams were able to scrutinize it and take immediate action on a cure and to prevent reinfection. Just like regular medical doctors, the teams searched, found and isolated a worm specimen which they could study. Upon analyzing the specimen and the elements of its design, they set about to develop methods to treat and defeat it.

Through the use of the "old boy network" of UNIX system wizards (to find out something, one asks an associate or friend if they know the answer or who else they could refer to to find out the answer), email and phone calls were extensively used to alert the computer world of the program patches that could be used at sites to close the sendmail hole and
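An added example, not part of RFC 1135 and not the worm's code: a password-change check that rejects the obvious-password classes listed in section 1.2, derived from a passwd(5) line. The function names, the sample account, the case-insensitive comparison, and the reading of "nickname" as the first word of the GECOS full name are assumptions.

```python
"""Reject new passwords that fall into the guess classes of section 1.2."""


def parse_passwd_line(line):
    # Standard passwd(5) layout: name:passwd:uid:gid:gecos:home:shell
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated fields")
    name, gecos = fields[0], fields[4]
    # GECOS convention: the full name is the first comma-separated subfield.
    words = gecos.split(",")[0].split()
    return name, words


def weak_password_reason(passwd_line, candidate, dictionary=()):
    """Return the section 1.2 class `candidate` belongs to, or None."""
    name, words = parse_passwd_line(passwd_line)
    if candidate == "":
        return "none at all"
    derived = {
        "user name": name,
        "user name appended to itself": name + name,
    }
    if words:
        # Assumption: "nickname" is the first word of the GECOS full name.
        derived["nickname"] = words[0]
        derived["last name"] = words[-1]
        derived["last name spelled backwards"] = words[-1][::-1]
    # Assumption: compare case-insensitively so "Doe" and "doe" both fail.
    cand = candidate.lower()
    for reason, guess in derived.items():
        if guess and cand == guess.lower():
            return reason
    # `dictionary` stands in for a word list such as /usr/dict/words.
    if cand in {w.strip().lower() for w in dictionary}:
        return "dictionary word"
    return None


# Constructed sample account, not taken from any real system.
SAMPLE = "jdoe:x:1001:1001:Jane Doe,Room 12,555-0100:/home/jdoe:/bin/sh"

if __name__ == "__main__":
    words = ["wizard", "aardvark"]  # constructed stand-in word list
    for pw in ["", "jdoe", "jdoejdoe", "Jane", "eod", "wizard", "t7#Lq9!vRz"]:
        print(repr(pw), "->", weak_password_reason(SAMPLE, pw, words))
```

A password-setting tool would call weak_password_reason() with the account's own passwd entry and refuse the change whenever the result is not None.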



