[8409] in bugtraq
Re: 10th anniversary of the Internet Worm
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Wed Nov 4 19:23:48 1998
Date: Tue, 3 Nov 1998 22:14:15 -0500
Reply-To: perry@piermont.com
From: "Perry E. Metzger" <perry@PIERMONT.COM>
X-To: Gregory Newby <gbnewby@ILS.UNC.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Mon, 02 Nov 1998 22:33:51 EST."
<3D3FC13074F5D11191E700A0C9C874FF2BE7DE-100000@mail.ils.unc.edu>

Gregory Newby writes:
> Estimates at the time were that around 6000 computers were
> infected. Because the Internet (and Usenet) was virtually
> useless during the few days the Worm was active,

During the day, not during the few days. At Bellcore, we shut down
most of our network the morning of the attack, and were back up
(mostly) the same evening.

Also, Usenet was *not* carried primarily over the internet at that
time -- it still went (mostly) over dialup modems.

> people working to eradicate the worm used BITNET mailing lists to
> communicate.

Untrue.

0) Most sites did not have BITNET. We didn't have BITNET at
Bellcore, for example.

1) Eradicating the worm on any given host was very easy. The problem
was, of course, that it tended to go runaway, driving up the load, but
once you got that under control, it was easy to delete the thing. The
real problem was you tended to get re-infected immediately if you
didn't segment your network and sterilize all the machines on any
given subsegment before reconnecting them together.

2) Most of the work being done coordinating decompilation of the worm
went on over the phone. I remember chatting extensively with some
folks at Berkeley and elsewhere who were decompiling the thing. Once
we knew that it contained nothing malicious, most of us just turned
everything back on again.

The worm, as deployed, attacked Suns (68k processors, at that time)
and Vaxen. Other machines were not, of course, impacted.

Perry