From mboxrd@z Thu Jan 1 00:00:00 1970
From: Mike Haertel
Message-Id: <200109261915.f8QJFlJ58643@ducky.net>
To: 9fans@cse.psu.edu
Subject: Re: [9fans] authorization schemes (was CORBA)
In-Reply-To: <008601c146b4$6d4e9a50$a2b9c6d4@SOMA>
Date: Wed, 26 Sep 2001 12:15:47 -0700
Topicbox-Message-UUID: f4fbb672-eac9-11e9-9e20-41e7f4b1d025

The version of the story that I remember is that Duff wrote the virus as an experiment and placed it in his own bin directory. Then he waited to see how long it would take to spread. It rapidly spread through their network of research Unix machines. Its spread was limited since (almost) nobody else ran v9 Unix.

It was ~300 bytes of VAX machine code that wanted to sit in the padding of executable text to the next 1K boundary, so on average about 60% of the binaries had room for it. It altered the a.out entry point to point at itself, then jumped to main after doing its dirty work. First it scanned the current directory, /bin, and /usr/bin, looking for executables it could write itself into.

The story I heard, which might have been from Duff, or might have been from one of the other people there the summer I worked there, was that he gave a talk about his virus at one of the internal colloquia, and after the talk their research director came up and said to him, "That's very interesting, now STOP IT!" So he had to spend a while doing "janitorial work" as penance for his research.

The virus erupted at least one more time from the backup system and spread throughout their network again. The main symptom of the virus is that machines got really slow, since nearly every command people were running would first search /bin and /usr/bin looking for programs to infect. By the time I got there (summer of 1991) the backup system had been modified to refuse to restore any infected files.

McIlroy's "IX" system detected and stopped the virus.
Actually I think what happened is that after the virus wrote programs in /bin under the IX system, the system would refuse to run them any more since they were possibly contaminated by unauthorized users. So the IX system stopped the virus but stopped working in the process. Arguably better than silently continuing to function whilst infected.
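The mechanism described in the message above (a payload tucked into the slack between the end of an a.out text segment and the next 1K boundary, with the entry point redirected into that slack) suggests a simple integrity check. What follows is an added example, not code from the original post, from Duff, or from the IX system: it models a header on the classic BSD/VAX struct exec layout (eight 32-bit words), assumes the text image is loaded at address 0 so that a_entry is an offset into it, and builds its own clean and tampered sample images. The 300-byte size is the figure the post gives; everything else (field order, endianness, file layout, sample bytes) is an assumption for illustration.

```python
import struct

# Assumed header layout, modelled on the classic BSD/VAX 'struct exec'
# (eight 32-bit little-endian words); this is an assumption for the example:
#   a_magic, a_text, a_data, a_bss, a_syms, a_entry, a_trsize, a_drsize
HEADER_FMT = "<8I"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 32 bytes
OMAGIC = 0o407                              # plain a.out magic number
TEXT_ALIGN = 1024                           # text is padded to the next 1K in the file
VIRUS_SIZE = 300                            # payload size quoted in the post


def padding_room(a_text):
    """Unused bytes between the end of text and the next 1K boundary."""
    return (-a_text) % TEXT_ALIGN


def has_room(a_text, payload=VIRUS_SIZE):
    """True if a payload of the given size fits in the text padding."""
    return padding_room(a_text) >= payload


def check_aout(blob):
    """Return a list of findings; an empty list means header and padding look untouched.

    Simplifying assumption: text is loaded at address 0, so a legitimate a_entry
    must fall inside [0, a_text), and the padding after the text must be all zero.
    """
    fields = struct.unpack_from(HEADER_FMT, blob, 0)
    a_magic, a_text, a_entry = fields[0], fields[1], fields[5]
    findings = []
    if a_magic != OMAGIC:
        findings.append("unexpected magic 0o%o" % a_magic)
    if not (0 <= a_entry < a_text):
        findings.append("entry 0x%x lies outside text [0, 0x%x)" % (a_entry, a_text))
    pad_start = HEADER_SIZE + a_text
    pad = blob[pad_start:pad_start + padding_room(a_text)]
    nonzero = sum(1 for b in pad if b)
    if nonzero:
        findings.append("%d non-zero bytes in text padding" % nonzero)
    return findings


def build_sample(a_text, a_entry, pad_payload=b""):
    """Constructed a.out image: header, text, padding to 1K (optionally carrying
    pad_payload), then a small data segment. Test data only, not real VAX code."""
    room = padding_room(a_text)
    if len(pad_payload) > room:
        raise ValueError("payload of %d bytes does not fit in %d bytes of padding"
                         % (len(pad_payload), room))
    data = b"\x00" * 16
    header = struct.pack(HEADER_FMT, OMAGIC, a_text, len(data), 0, 0, a_entry, 0, 0)
    text = bytes((i * 7 + 1) & 0xFF for i in range(a_text))   # arbitrary filler
    padding = pad_payload + b"\x00" * (room - len(pad_payload))
    return header + text + padding + data


# Constructed samples: a clean image, and one whose entry point was moved into
# the padding where a 300-byte filler "payload" now sits.
CLEAN = build_sample(a_text=300, a_entry=0x10)
INFECTED = build_sample(a_text=300, a_entry=300 + 4, pad_payload=b"\xAA" * VIRUS_SIZE)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, check_aout(blob) or "ok")
```

The check is deliberately narrow: it only catches a payload living in the text padding with the entry point pointing at it, which is the behaviour the post describes. A variant that also grew a_text to cover the payload would pass the padding test, so in practice this belongs beside a stored hash of the known-good binary rather than replacing one.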