From: Mike Haertel <mike@duc...>
Subject: Re: [9fans] authorization schemes (was CORBA)
Date: Wed, 26 Sep 2001 12:15:47 -0700 (PDT)

The version of the story that I remember is that Duff wrote the
virus as an experiment and placed it in his own bin directory.
Then he waited to see how long it would take to spread.  It rapidly
spread through their network of research Unix machines.  Its spread
was limited since (almost) nobody else ran v9 Unix.

It was ~300 bytes of Vax machine code that wanted to sit in the
padding of executable text to the next 1K boundary, so on average
about 60% of the binaries had room for it.  It altered the a.out
entry point to point at itself, then jumped to main after doing
its dirty work.  First it scanned the current directory, /bin, and
/usr/bin, looking for executables it could write itself into.

The story I heard, which might have been from Duff, or might have
been from one of the other people there the summer I worked there,
was that he gave a talk about his virus at one of the internal
colloquia, and after the talk their research director came up
and said to him, "That's very interesting, now STOP IT!"

So he had to spend a while doing "janitorial work" as penance for
his research.

The virus erupted at least one more time from the backup system and
spread throughout their network again.  The main symptom of the
virus is that machines got really slow, since nearly every command
people were running would first search /bin and /usr/bin looking
for programs to infect.

By the time I got there (summer of 1991) the backup system had been
modified to refuse to restore any infected files.

McIlroy's "IX" system detected and stopped the virus.  Actually I
think what happened is that after the virus wrote programs in /bin
under the IX system, the system would refuse to run them any more
since they were possibly contaminated by unauthorized users.  So
the IX system stopped the virus but stopped working in the process.
Arguably better than silently continuing to function whilst infected.