Helminthiasis of the Internet
RFC 1135

Document Type RFC - Informational (December 1989; No errata)
Last updated 2013-03-02
Stream Legacy
Formats plain text html pdf htmlized bibtex
Stream Legacy state (None)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state RFC 1135 (Informational)
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                        J. Reynolds
Request for Comments: 1135                                           ISI
                                                           December 1989

                   The Helminthiasis of the Internet

Status of this Memo

   This memo takes a look back at the helminthiasis (infestation with,
   or disease caused by parasitic worms) of the Internet that was
   unleashed the evening of 2 November 1988.  This RFC provides
   information about an event that occurred in the life of the Internet.
   This memo does not specify any standard.  Distribution of this memo
   is unlimited.

Introduction

         ----- "The obscure we see eventually, the completely
         apparent takes longer." ----- Edward R. Murrow

   The helminthiasis of the Internet was a self-replicating program that
   infected VAX computers and SUN-3 workstations running the 4.2 and 4.3
   Berkeley UNIX code.  It disrupted the operations of computers by
   accessing known security loopholes in applications closely associated
   with the operating system.  Despite system administrators efforts to
   eliminate the program, the infection continued to attack and spread
   to other sites across the United States.

   This RFC provides a glimpse at the infection, its festering, and
   cure.  The impact of the worm on the Internet community, ethics
   statements, the role of the news media, crime in the computer world,
   and future prevention will be discussed.  A documentation review
   presents four publications that describe in detail this particular
   parasitic computer program.  Reference and bibliography sections are
   also included in this memo.

1.  The Infection

         ----- "Sandworms, ya hate 'em, right??" ----- Michael
         Keaton, Beetlejuice

   Defining "worm" versus "virus"

      A "worm" is a program that can run independently, will consume the
      resources of its host from within in order to maintain itself, and
      can propagate a complete working version of itself on to other
      machines.

Reynolds                                                        [Page 1]
RFC 1135           The Helminthiasis of the Internet       December 1989

      A "virus" is a piece of code that inserts itself into a host,
      including operating systems, to propagate.  It cannot run
      independently.  It requires that its host program be run to
      activate it.

      In the early stages of the helminthiasis, the news media popularly
      cited the Internet worm to be a "virus", which was attributed to
      an early conclusion of some in the computer community before a
      specimen of the worm could be extracted and dissected.  There are
      some computer scientists that still argue over what to call the
      affliction.  In this RFC, we use the term, "worm".

   1.1  Infection - The Worm Attacks

      The worm specifically and only made successful attacks on SUN
      workstations and VAXes running Berkeley UNIX code.

      The Internet worm relied on the several known access loopholes in
      order to propagate over networks.  It relied on implementation
      errors in two network programs: sendmail and fingerd.

      Sendmail is a program that implements the Internet's electronic
      mail services (routing and delivery) interacting with remote sites
      [1, 2].  The feature in sendmail that was violated was a non-
      standard "debug" command.  The worm propagated itself via the
      debug command into remote hosts.  As the worm installed itself in
      a new host the new instance began self-replicating.

      Fingerd is a utility program that is intended to help remote
      Internet users by supplying public information about other
      Internet users.  This can be in the form of identification of the
      full name of, or login name of any local user, whether or not they
      are logged in at the time (see the Finger Protocol [3]).

      Using fingerd, the worm initiated a memory overflow situation by
      sending too many characters for fingerd to accommodate (in the
      gets library routine).  Upon overflowing the storage space, the
      worm was able to execute a small arbitrary program.  Only 4.3BSD
      VAX machines suffered from this attack.

      Another of the worm's methods was to exploit the "trusted host
      features" often used in local networks to propagate (using rexec
      and rsh).

      It also infected machines in /etc/hosts.equiv, machines in
      /.rhosts, machines in cracked accounts' .forward files, machines
      cracked accounts' .rhosts files, machines listed as network
      gateways in routing tables, machines at the far end of point-to-

Reynolds                                                        [Page 2]
RFC 1135           The Helminthiasis of the Internet       December 1989

      point interfaces, and other machines at randomly guessed addresses
      on networks of first hop gateways.
Show full document text