WANK (Worms Against Nuclear Killers)
Initial release1989
Written inDIGITAL Command Language
Operating systemVMS
TypeComputer worm

The WANK Worm and the OILZ Worm were computer worms that attacked DEC VMS computers in 1989 over the DECnet. They were written in DIGITAL Command Language.[1]

Origin

The worm is believed to have been created by Melbourne-based hackers, the first to be created by an Australian or Australians. The Australian Federal Police thought the worm was created by two hackers who used the names Electron and Phoenix.[2] Julian Assange may have been involved, but this has never been proven.[3][4]

Approximately two weeks later a modified version of the worm called OILZ attacked other systems. The original version of the worm, WANK (Worms Against Nuclear Killers), contained bugs preventing, among other things. In OILZ, some of the problems of the first worm were corrected, allowing penetration of unpassworded accounts and altering passwords. The code indicated that the worms evolved over time and was not written by a single person.[1][5]

Political message

The WANK worm had a distinct political message attached; it was the first major worm to have a political message. WANK in this context stands for Worms Against Nuclear Killers. The following message appeared on an infected computer's screen:[6][2]

   W O R M S    A G A I N S T    N U C L E A R    K I L L E R S
 _______________________________________________________________
 \__  ____________  _____    ________    ____  ____   __  _____/
  \ \ \    /\    / /    / /\ \       | \ \  | |    | | / /    /
   \ \ \  /  \  / /    / /__\ \      | |\ \ | |    | |/ /    /
    \ \ \/ /\ \/ /    / ______ \     | | \ \| |    | |\ \   /
     \_\  /__\  /____/ /______\ \____| |__\ | |____| |_\ \_/
      \___________________________________________________/
       \                                                 /
        \    Your System Has Been Officially WANKed     /
         \_____________________________________________/

  You talk of times of peace for all, and then prepare for war.

The worm coincidentally appeared on a DECnet network operated by NASA days before the launch of a NASA Space Shuttle carrying the Galileo spacecraft. At the time, there were protests by anti-nuclear groups regarding the use of the plutonium-based power modules in Galileo. The protesters contended that if this shuttle blew up as Challenger did three years earlier in 1986, the plutonium spilled would cause widespread death to residents of Florida.[7]

The worm propagated through the network pseudo-randomly from one system to the other by using an algorithm which converted the victim machine's system time into a candidate target node address (composed of a DECnet Area and Node number) and subsequently attempted to exploit weakly secured accounts such as SYSTEM and DECNET that had password identical to the usernames. The worm did not attack computers within DECnet area 48, which was New Zealand. A comment inside the worm source code at the point of this branch logic indicated that New Zealand was a nuclear-free zone. New Zealand had recently forbidden U.S. nuclear-powered vessels from docking at its harbours, thus further fueling the speculation inside NASA that the worm attack was related to the anti-nuclear protest.[2] The line "You talk of times of peace for all, and then prepare for war" is drawn from the lyrics of the Midnight Oil song "Blossom and Blood". Midnight Oil is an Australian rock band known for political activism and opposition to both nuclear power and nuclear weapons. The process name of the second version of the worm to be detected was "oilz", an Australian shorthand term for the band.[8]

Playful nature

DECnet networks affected included those operated by the NASA Space Physics Analysis Network (SPAN), the US Department of Energy's High Energy Physics Network (HEPnet), CERN, and Riken.[6] The only separation between the networks was a prearranged division of network addresses (DECnet "Areas"). Thus, the worm, by picking a random target address, could affect all infected networks equally. The worm code included 100 common VAX usernames that were hard-coded into its source code. In addition to its political message, the worm contained several features of an apparently playful nature. The words "wank" and "wanked" are slang terms used in many countries to refer to masturbation. In addition, the worm contained "over sixty" randomizable messages that it would display to users, including "Vote anarchist" and "The FBI is watching YOU". The worm was also programmed to trick users into believing that files were being deleted by displaying a file deletion dialogue that could not be aborted, though no files were actually erased by the worm.[1][2]

anti-WANK, OILZ and WANK_SHOT

R. Kevin Oberman (from DOE) and John McMahon (from NASA) wrote separate versions of an anti-WANK procedure and deployed them into their respective networks. It exploited the fact that before infecting a system, WANK would check for NETW_(random number), that is a copy of its own, in the process table. If one was found, the worm would destroy itself. When anti-WANK was run on a non-infected system, it would create a process named NETW_(random number) and just sit there. anti-WANK only worked against the earlier version of the worm, though, because the process name of the worm in a later version was changed to OILZ.[2][9]

A second version of WANK, called OILZ, was released on October 22nd. Unlike the previous version of WANK, this version was designed to actually damage the computers it infected, rather than only falsely claim to do so, and would alter the passwords of infected computers. Like the previous version of WANK, this program would utilise the RIGHTSLIST database to find new computers to infect. The program WANK_SHOT was designed by Bernard Perrow of the Institut de physique nucléaire d'Orsay, to rename RIGHTLIST and replace it with a dummy database. This would cause WANK to go after the dummy, which could be designed with a hidden logic bomb. WANK_SHOT was then provided to the system administrators of affected networks to be installed onto their computers. It still took weeks for the worm to be completely erased from the network.[1][5]

See also

References

  1. 1 2 3 4 Levi, Ran; Salem, Eli. "Malicious Life Podcast: The WANK Worm Part 1". Malicious Life Podcast. Retrieved 20 June 2022.
  2. 1 2 3 4 5 Dreyfus, Suelette; Assange, Julian (June 1997). Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier. Random House Australia. ISBN 1863305955. Archived from the original on 8 May 2004.
  3. Bernard Lagan, "International man of mystery," The Sydney Morning Herald, 10 April 2010. Retrieved 17 March 2014.
  4. David Leigh and Luke Harding, WikiLeaks: Inside Julian Assange's War on Secrecy (2011) p. 42.
  5. 1 2 Longstaff, Thomas A.; Schultz, E. Eugene (1993-02-01). "Beyond preliminary analysis of the WANK and OILZ worms: a case study of malicious code". Computers & Security. 12 (1): 61–77. doi:10.1016/0167-4048(93)90013-U. ISSN 0167-4048.
  6. 1 2 Pomeroy, Ross. "When NASA got WANKed". RealClearScience. RealClearScience. Retrieved 20 June 2022.
  7. Broad, William (10 October 1989). "Groups Protest Use of Plutonium on Galileo". The New York Times Company. The New York Times. Retrieved 20 June 2022.
  8. Dreyfus, Suelette (16–17 February 1998). Computer Hackers: Juvenile Delinquents or International Saboteurs?. Internet Crime Conference. Australian Institute of Criminology. Melbourne. Archived from the original on 2009-10-09. Retrieved 10 September 2020.
  9. Levi, Ran; Pinkas, Noa. "Malicious Life Podcast: The WANK Worm Part 2". Cybereason. Cybereason. Retrieved 20 June 2022.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.