The rogue program, it was subsequently discovered, moved from computer to computer by exploiting flaws in the Berkeley version of UNIX. The principal flaw was in Sendmail, the program designed to send electronic mail between computers in the interlinked networks. A trapdoor on Sendmail would allow commands (as opposed to actual mail) to be sent from computer to computer. Those commands were the rogue program. Once it had entered one computer through Sendmail, it would collect information about other machines in the system to which it could jump, and then proceed to infect those machines.
In addition to exploiting the Sendmail flaw, the rogue program could try to guess the passwords to jump to target computers. Its password routine used three methods: it tried simple permutations of known users' names, it tried a list of 432 frequently used passwords, and it also tried names from the host computer's own dictionary. If one method didn't work, it would try another and then another until it had managed to prise open the door of the target computer. An early analysis of the program made at four A.M. on the morning after the initial attack described it as "high quality." Some twelve hours after its release, it was estimated that about 6,200 computers on Internet had been infected; the costs, in downtime and personnel, were mounting.
In the meantime, three ad hoc response teams, at the University of California at Berkeley, at MIT, and at Purdue, were attempting to put an end to the attack. At five A.M. the Berkeley team sent out the first, interim set of instructions designed to halt the spread. By that time the initial fears that the rogue program might destroy information or systems had proved unfounded. The program, it was discovered, was designed to do nothing more than propagate.
It contained no destructive elements apart from its ability to multiply and reinfect to such an extent that it would take over all available space on a target computer.
Later on Thursday the team at Purdue sent out an electronic bulletin that catalogued methods to eradicate the virus. And at Berkeley they isolated the trapdoors it had used and published procedures for closing them.
Once the commotion had died down and computer managers had cleared out the memories on their machines and checked all the software, their thoughts turned to the reasons for the attack. That it was deliberate was certain: the rogue program had been a cleverly engineered code that had exploited little-known flaws in UNIX; it had erased evidence of its intrusions on the computers it had infected; and it was encrypted (written in code) to make it more difficult to tear apart. There was little doubt in anyone's mind that the program was the work of a very clever virus writer, perhaps someone who had a grudge against ARPANET or one of the universities, a computer freak outside of the mainstream attempting to get back at the establishment. But these suppositions were wrong.
Internet's rogue program became a media event. The New York Times called the incident "the largest assault ever on the nation's systems." The program itself became known as the Internet Virus or, more accurately, the Internet Worm. At a press conference at MIT the day after the worm was released onto ARPANET, the university's normally reticent computer boffins found themselves facing ten camera crews and twenty-five reporters. The press, the MIT researchers felt, was principally concerned with confirming details of either the collapse of the entire U.S. computer system or the beginning of a new world war, preferably both. One participant had nightmarish visions of a tabloid headline: COMPUTER VIRUS ESCAPES TO HUMANS, 96 KILLED.
The incident received worldwide press coverage, and the extent of the damage was magnified along the way. One of the first estimates--from John McAfee, the personable chairman of CVIA--was that cleaning up the networks and fixing the system's flaws would cost $96 million. Other estimates ran as high as $186 million. These figures were widely repeated, and it wasn't until later that cooler heads began to assess the damage realistically. The initial estimate that about 6,200 machines, some 10 percent of the computers on Internet, had been infected was revised to roughly 2,000, and the cleanup cost has now been calculated at about $1 million, a figure that is based on the assumed value of "downtime," the estimated loss of income while a computer is idle. The actual restitutional cost has been assessed as $150,000; McAfee's exaggerated estimate of $96 million was dismissed.