The WANK Worm, Part 1

On October 16th, 1989, NASA's scientists went into work preparing to launch a spacecraft that very day. But when they sat down to their computers, they were met with an unexpected greeting: “Your system has been officially WANKed. You talk of times of peace for all, and then prepare for war.”

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 12 million downloads as of Oct. 2018.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Eli Salem

Security Analyst / Malware Analyst at Cybereason

NASA was warned.

December 22nd, 1988. Deep inside the dark halls of the Goddard Space Flight Center in Washington D.C., a ticking time bomb is set. Thousands of computers, in facilities around the country, unwittingly spread an unsolicited, malicious program, set to go off in less than 36 hours. It comes with an ominous message…

Hi, How are ya ?

I had a hard time preparing all the presents. It isn’t quite an easy job. I’m getting more and more letters from the children every year and it’s not so easy to get the terrible Rambo-Guns, Tanks and Space Ships up here at the North pole. But now the good part is coming. Distributing all the presents with my sleigh and the deers is real fun. When I slide down the chimneys I often find a little present offered by the children, or even a little Brandy from the father. (Yeah!) Anyhow the chimneys are getting tighter and tighter every year. I think I’ll have to put my diet on again. And after Christmas I’ve got my big holidays :-). Now stop computing and have a good time at home !!!! Merry Christmas and a happy New Year… Your Father Christmas.

Father Christmas Worm

Hi I’m Ran Levi, welcome to Malicious Life. If you’ve listened to our two-part episode on the Morris Worm, you’ll remember how groundbreaking an event it was. The Morris worm began spreading around the U.S. on November 2nd, 1988, and, in only a few days’ time, had infected an estimated ten percent of all the computers then in existence. It was a wake-up call–that this new technology, a “worm”, could cause so much chaos in such a short time.

But there’s another worm that affected just as many computers as Morris did, not even two months later. It was called Father Christmas.

Its main target was SPAN, the Space Physics Analysis Network. SPAN was NASA’s operating network–connecting their various teams and facilities, as well as some related government organizations. Remember that in 1988 the internet as we know it did not exist. Fewer than 100,000 computers were in use around the world, most of them connected only to other computers within their same organization, university or government. From the network protocol to the operating systems to the computer models themselves, SPAN ran over a network comprised end-to-end of technologies built by the Massachusetts-based Digital Equipment Corporation, or DEC. DEC supplied networking tech to organizations around the world, which together comprised the “DECnet”. Overall, the system worked quite well. The company’s “VAX” computers, as they were called, were powerful for their time, and for the first seven or eight years of its existence, the SPAN network was productive and secure. This was the internet before the internet, with all of the positive and negative connotations therein. As a NASA report from the time presciently noted: “The DECnet Internet, on one hand, has solved the problem of transparency between computers regardless of what DECnet network they are connected to. On the other hand, the DECnet Internet provides the connectivity to make one network’s security problem everyone’s concern.”

As systems manager for SPAN at NASA’s Goddard Space Flight Center, John McMahon–nicknamed “Fuzzyface” for his fluffy beard–was the guy who the world’s best scientists would call for tech support. Being part of the organization that put a man on the moon, you’d have to say his job was relatively less dramatic than that of many of his peers. But that began to change, beginning on December 22nd of 1988.

At 4:52 pm east coast time, an unknown individual using a computer at the University of Neuchatel in Switzerland unleashed a program to the DECnet internet, which connected SPAN with various other wide area networks running over the same DEC infrastructure. Not ten minutes later, John McMahon noticed the presence of the strange file, named “Hi.com”, on his network in D.C.

Hi.com, what we now call the Father Christmas worm, was a simple program–a command file written in DEC’s Digital Command Language. It began by searching a network for random node numbers. Once it hit on a legitimate node, it would attempt to run a copy of itself, either by gaining access to the target system through the default username and password “DECNET” and “DECNET”, or by exploiting a legitimate built-in program that allowed a node to start a task on a remote computer.

If Hi.com fails both attempts to run on the target system, it deletes that copy of Hi.com. If it succeeds, it’s loaded into memory and the original file is deleted. Then, it waits. The worm will check the computer’s clock and, if it’s between 12 AM and 12:30 AM on the morning of Christmas Eve, 1988, it compiles a list of all users of the computer system and sends them each a friendly letter from Santa.

The Father Christmas worm is less well known today, partly because Morris came first, and partly because Morris was inherently more destructive. In fact, where Morris was a story of drama and intrigue–of a program out of control, security researchers coding late into the night to stop it, and a trial and conviction for its creator–Father Christmas was little more than a fun side note of cyber history.

For its part, NASA distributed two technical reports on the Father Christmas worm. They introduced a new auditing software that would allow system administrators to more rapidly address future network vulnerabilities. All computer users at the organization were advised to strengthen their passwords. But it was not enough.

The WANK Worm

You know the saying, “it’s not rocket science”? Like, when your boss leans against the wall of your cubicle, looks down at you and says in that snide tone: “finish the report, Jim, it’s not rocket science.” There are a very select number of people in the world for which that saying doesn’t apply. People who go into work every day, to do the remarkable work of sending giant machines into outer space. People who, when their boss walks up to their cubicle, are allowed to say: “give me a break, it’s rocket science!”

On October 16th, 1989, those people went into work preparing to launch a space shuttle that very day. But when they sat down to their computers, they were met with an unexpected greeting:

“WANK,” their screens read. “Your system has been officially WANKed. You talk of times of peace for all, and then prepare for war.”

Not one year after the Morris worm, Fall 1989, very few people knew what a computer worm was. In fact, some NASA employees probably didn’t know what the word “wank” means, either: it’s a predominantly British term for something that a man does…well, by himself, if you know what I mean. The confusion would’ve only grown worse when, in logging into their computers, those employees were met with a non-stop, rolling screen of all their files being deleted, one by one. “deleted file, deleted file, deleted file, deleted file.” The computer was methodically deleting years’ worth of sensitive information, representing billions of dollars of government investment and research. And there was no way to stop it.

The WANK worm was, structurally, much like Father Christmas. They were written in the same coding language. They used the same method of finding new computers in a network–by conducting random node number searches. Most important of all: both worms leveraged the same crippling security vulnerability common to computers of the time – the lack of network segmentation – allowing them to spread quickly and effectively.

Recall how Father Christmas searched for accounts with the username “DECNET” and password “DECNET”. WANK worm did the same, but added a few more common strings, like “SYSTEM” and “FIELD”. It’s because when VAX computers were built and sent off to NASA, Switzerland, or anywhere else, they’d come preset with, among other things, a default admin account. These high-privilege accounts came preset with standard username and password combinations, like “DECNET”, “DECNET”. You, as the owner of the computer, could rewrite that login information to your liking. But if you didn’t? That’s the digital equivalent of leaving your keys under the mat.

NASA employees had been warned about this type of security vulnerability already. After Father Christmas, you’ll recall, a notice was sent to SPAN network users, encouraging them to change their passwords. Plus, changing default passwords, and making sure your password is different from your account name, is cyber security 101. You don’t need to be a rocket scientist to understand that.

It turns out, though, that even if you are a rocket scientist, you might still not understand that. As WANK broke into more and more computers, it developed a database of high-privilege network accounts. Some of those it cracked were no more secure than username “SYSTEM”, password “SYSTEM”.
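The check that advice boils down to, as an added example (not from the episode and not NASA's auditing software): it audits a constructed account store for passwords equal to the account name or to the default strings named above. The record layout, the PBKDF2 parameters and the sample accounts are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Default strings named in the episode; extend with your vendor's documented defaults.
PAGE_DEFAULTS = ("DECNET", "SYSTEM", "FIELD")
ITERATIONS = 50_000  # constructed work factor for the sample store


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256, standing in for whatever the real store uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_account(username: str, password: str, privileged: bool = False) -> dict:
    """Build a constructed account record (fixture data, not a real export)."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt,
            "hash": hash_password(password, salt), "privileged": privileged}


def audit_account(account: dict) -> str | None:
    """Return a reason if the stored hash matches a guessable default, else None."""
    candidates = {account["username"]: "password equals account name"}
    for word in PAGE_DEFAULTS:
        candidates.setdefault(word, f"password is the default string {word!r}")
    for guess, reason in candidates.items():
        if hmac.compare_digest(hash_password(guess, account["salt"]), account["hash"]):
            return reason
    return None


def audit(accounts: list[dict]) -> list[tuple[str, str, bool]]:
    """Findings as (username, reason, privileged), privileged accounts first."""
    findings = [(a["username"], r, a["privileged"])
                for a in accounts if (r := audit_account(a)) is not None]
    return sorted(findings, key=lambda f: (not f[2], f[0]))


# Constructed sample inventory.
SAMPLE = [
    make_account("SYSTEM", "SYSTEM", privileged=True),
    make_account("DECNET", "DECNET"),
    make_account("FIELD", "SYSTEM", privileged=True),
    make_account("JSMITH", "x9!long-and-unique-passphrase"),
]

if __name__ == "__main__":
    for user, reason, priv in audit(SAMPLE):
        print(f"{'PRIV ' if priv else '     '}{user}: {reason}")
```

Privileged findings sort first because, as the episode describes, those accounts were the worm's jumping-off points into the rest of the network.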

But WANK worm didn’t just crack weakly-secured accounts. It used those accounts as jumping-off points, to infect all the other nodes in a network. Within hours, it had penetrated not only a majority of the SPAN network, but also other, connected networks, like the High Energy Physics network–or HEPnet–supporting the U.S. Department of Energy.

Chaos At NASA

“Underground”–a 1997 book authored by Suelette Dreyfus, researched by the now famous Julian Assange–paints a portrait of what went on inside the halls of NASA and DOE that October, 1989, and it’s not pretty. John McMahon at NASA, in D.C., and Kevin Oberman, a network manager at a DOE-adjacent lab, in San Francisco, began investigations. Both would come to find that, as difficult as it was to uncover and stop the WANK worm, half their work would be dealing with human errors.

That’s because the WANK worm was designed for psychological, not physical, damage. Like how it would show computer users a running list of their deleted files–presenting, before your eyes in real time, each individual file on your computer being unthinkingly, ceaselessly, deleted. It must have been utterly terrifying to scientists whose life’s work, representing countless hours and dollars, was disappearing for no good reason. When McMahon and Oberman actually looked, however, they discovered that all this was a hoax. WANK worm didn’t actually delete any files at all. That “delete, delete, delete” screen was a prank.

In one case, for instance, a beset manager called McMahon to tell him that the WANK worm destroyed his whole system. McMahon later recalled, quote: “He just didn’t believe us when we told him that the worm was mostly a set of practical jokes.” So that manager reinitialized his system, returning it to factory settings and, in the process, deleting all of his data. Doing the WANK worm’s job for it.

Fake-deleting sensitive data was very much in line with the WANK author’s strange sense of humor. Another component of the worm leveraged the instant messaging feature of DECnet computers, to send little one-liners to other machines in the network. One-liners like “The FBI is watching YOU,” and “Nothing is faster than the speed of light…to prove this yourself, try opening the refrigerator door before the light comes on.”

McMahon, Oberman and their small security teams were half cyber security incident response, half customer service support, as they worked to both mitigate the WANK worm, and mitigate those panicked by it. NASA, for one, had no centralized map of its own network–nobody, McMahon included, had a clear picture of its size, scope or orientation. So being John McMahon, trying to track the origin and path of the WANK worm, was like being an epidemiologist trying to track a plague, without having a world map. John was receiving frantic phone calls, about computers he didn’t previously know existed. In trying to reach managers at other NASA locations, he found the contact information on file largely outdated.

Then matters got even worse, when the manager at NASA’s Jet Propulsion Laboratory decided to take their segment of the network offline. You can understand why he did it–he was able to stop the worm from spreading to JPL, by simply disconnecting from the rest of SPAN. However, JPL was a routing center for the rest of SPAN. By taking down JPL, many other branches of the network went down, too. WANK worm was prevented from reaching these areas of the network, but so was John McMahon.

Anti-WANK

Trying to defeat one of the first ever major computer worms must have been difficult enough. Now imagine having to do that, while the walls of the room you’re in, your desk, your keyboard, are all shaking.

Kevin Oberman released his anti-WANK worm program at exactly 5:04 pm pacific standard time on October 17th, 1989. We know this because, as he was making the final touches and getting ready to send his report out to all corners of the HEPnet, the 6.9 magnitude Loma Prieta earthquake struck the Bay Area in California. No sooner had Kevin clicked “send” on his email than he had to rush out of his office, for fear of his own safety.

Luckily Oberman escaped unharmed, and his anti-WANK program worked. It was a very simple fix, actually, turning one of WANK worm’s simplest features against it.

Like Father Christmas, when WANK worm first entered a new computer system, it would check for a version of itself already running there. Perhaps the writers of both of these programs had seen what happened to Robert Morris’ worm–how it would infect the same computers so many times over that those computers were essentially broken in the process. If WANK were already present on the target system it visited, the incoming copy of the WANK worm would simply self-destruct. Taking advantage of this feature, Oberman simply wrote a program that pretended to be the WANK worm. Anybody whose computer was not yet infected could run anti-WANK so that, if the WANK worm did come poking around, it would mistake a harmless program for a version of itself, and self-destruct on the spot.

John McMahon distributed his own version of anti-WANK, and by the end of the day on Tuesday, October 17th, 1989–just over 36 hours after the WANK worm was first released to DECnet–NASA, the Department of Energy, and other affected organizations had been cured.

Five days later, John McMahon received a call. The WANK worm was back, with a vengeance.

WANK 2.0

WANK worm 2.0 was not fooled by Oberman’s anti-WANK software. When it entered a new computer system, it would simply destroy any iteration of the worm it saw, whether it be a version of itself, the earlier worm, or the anti-WANK program. Worse than that, though, it rewrote the passwords to accounts it broke into. Now users were not only infected, but locked out of their computers. This spelled doom for anybody affected, but especially system administrators. Admins are who you turn to if you’re locked out and need to reset your password. But what if the admins themselves were locked out? WANK 1.0 only pretended to cause damage, but WANK 2.0 very much did.

But help was on the way. Bernard Perrot was a systems manager at the French National Institute of Nuclear and Particle Physics, one of the European organizations–along with CERT, the University of Switzerland, and others–that was just as affected by the WANK worm as NASA and the DOE. Perrot came up with an anti-worm perhaps even more clever than Oberman’s was the first time around.

He took advantage of one component that didn’t change, between the first and second versions of the WANK worm. RIGHTLIST.DAT is a file which lists all user accounts on a VAX computer, and the WANK worm would attempt to break into accounts it found in RIGHTLIST as a bridge point into new, targeted systems. Perrot, in order to stop the second WANK worm, built WANK_SHOT: a program that would rename a computer’s RIGHTLIST file, and replace it with a decoy. When WANK 2.0 pursued the decoy list, it would run into the cyber bomb hidden inside.

Nearly two weeks later, WANK_SHOT had successfully, finally, defeated the WANK worm.

The End?

It’s November 1989 now: the WANK worm is defeated, and everything is back to normal. Maybe you’re expecting me to finish with a nice “the end…”.

But what if I told you that everything you just heard…is only half of the story? In the next episode of Malicious Life we’re going back to the beginning, on a journey to reveal the WANK worm’s creator. This journey will take us 10,000 miles across the ocean to Australia, and 588 million kilometers out to space, to Jupiter. What does the Challenger space shuttle disaster and an Australian rock band have to do with a computer worm? All that and more, next time on Malicious Life.