After spending more than 36 hours interpreting the computer code of the now infamous "Cornell virus," one of the nation's leading computer security experts is not convinced that the virus was the innocent experiment of a bored graduate student that it was originally thought to be.
Cliff Stoll, an astrophysicist currently working at Harvard, said in a Jefferson Hall lecture last night on computer security that while the virus was not programmed to be destructive, it was intentionally set up to be extremely difficult to defeat.
The virus, written by Cornell graduate student Robert T. Morris Jr. '87-'88, began its attack on mainframes across the country, including ones at Harvard, at midnight last Wednesday.
Stoll said he is not sure how, or if, Morris should be punished and took great pains to avoid the question. He said part of the reason for his indecision stems from his friendship with the young hacker's father, Robert Morris Sr., who works for the National Computer Security Council.
Experts believed that the program was designed to quietly inject itself into every machine running a version of the popular operating system Unix and remain there dormantly, not causing any damage.
Friends of Morris at Harvard have said that the young computer wizard, fatigued from lack of sleep, made an error in his program that caused the virus to run amok, crippling literally thousands of mainframe computer systems.
Stoll, however, noted that Morris injected the virus late at night, when computeroperators would be least alert. Furthermore,Morris encrypted the virus in a secret code whichstumped initial efforts to read the program. Also,Stoll said Morris never passed along the simplecode built into the virus which would have haltedits spread.
Computer experts say that once the virusinfiltrated a computer, it used that machine tolaunch attacks on nearby systems. The viruspropagated itself through the Internet, a computernetwork that connects most major educational,commercial and military computers throughout thenation.
Morris' error, according to experts contactedyesterday, was that he instructed the virus tospread to every 10th, rather than every 100th,adjacent computer on the Internet. The result ofthis forgotten zero was that the number of copiesof the virus increased exponentially at astaggering rate, bogging down computers with itssheer size.
Since the virus spread 10 times faster thanMorris had intended, the experts said, computersbegan to slow down and lose memory becausemultiple copies of the program were trying tobreak into the same computer at the same time.
This strange behavior alerted system operatorsto the presence of the virus; many of them,including Stoll, had already begun trying todefeat the virus by 2 a.m. Thursday morning.
The system operators first disconnected theirinfected machines from the Internet and tried tolocate the virus to destroy it. However, afterthey had successfully cured one of their machines,the virus would reinfect it from other computerswithin the same institution, using differenttechniques.
Because the virus was intentionally released solate at night, Stoll isn't sure that the virus wasreally meant as a harmless prank.
"Viruses using one [infection] technique can behard to handle," said Stoll, "but viruses that usethree, four or five are extremely difficult.Besides, it was 4 in the morning."
In addition, Stoll points out that the viruscontained fake code that sent programmers tryingto understand the virus on wild goose chases.
Finally, Stoll said experts have discoveredthat the virus could have been halted simply bytyping "pleasequit" at the right time on infectedmachines.
"When he saw how much damage his virus wasdoing, why didn't [Morris] tell everyone about'pleasequit' to stop it?" Stoll said. "There aresome things that still bother me about this.
Read more in News
Maher to Face GSAS Funding Challenges