Abstract

In October 1989 a DECnet worm attacked the NASA Space Physics Analysis Network (SPAN) and the DOE's High-Energy Physics (HEP) and Energy Science (ES) networks. Approximately two weeks later a second worm, a modification of the first, attacked other systems. Both worms, written in DCL, used several methods of propagation: guessing accounts whose password was identical to the username, entering through system accounts, and entering through accounts with no password set. The original version of the worm, WANK (Worms Against Nuclear Killers), contained bugs that prevented, among other things, penetration of unpassworded accounts. The second version, OILZ, corrected some of the first worm's problems. OILZ broke into user accounts that it had probed from remote systems already compromised by the worm. OILZ concealed its presence, and its method of discovering user accounts and privileged access helped it circumvent the standard VMS alarm settings. The coding style of each worm indicates that the code evolved over time and was not written by a single individual. This paper focuses on selected procedures from both variants of the worm and analyzes their authorship and development history. That information may be useful not only in determining the origin of this malicious code but also in studying how malicious code evolves. The paper also presents lessons learned from studying this attack and turns them into recommendations for network policy. More than anything else, the WANK and OILZ worms demonstrate the need for effective password management and for proper system and network configuration. Determining the source and style of malicious code can assist in developing policy and procedures for detecting and preventing attacks of this type.
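The three credential weaknesses the abstract lists (password identical to the username, no password set, and well-known defaults on system accounts) are exactly what a defender can audit for before a worm does. The following is an added example, not code from the paper or from the worm: an offline audit of a constructed account store. It assumes a salted SHA-256 password store and a hypothetical list of default system-account passwords; it does not reproduce VMS's actual password hashing or the worm's own guess table.

```python
"""Offline audit for the credential weaknesses the WANK/OILZ worms exploited.

Added example, not from the paper.  Assumes a salted SHA-256 store
(an assumption; VMS used a different scheme) and a constructed list of
default system-account passwords.
"""
import hashlib
import os


def _digest(salt: bytes, password: str) -> str:
    """Hash one password with its salt (stand-in for the real store's scheme)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_store(creds):
    """Build a store from (username, password) pairs.

    A password of None models an account with no password set.
    Returns {username: (salt_hex, digest_or_None)}.
    """
    store = {}
    for user, password in creds:
        salt = os.urandom(8)
        store[user] = (salt.hex(), None if password is None else _digest(salt, password))
    return store


# Constructed table of default passwords a worm of this kind would try on
# system accounts.  Assumption for the example, not the worm's real list.
DEFAULT_CREDS = {
    "SYSTEM": ["MANAGER", "SYSTEM"],
    "FIELD": ["SERVICE", "FIELD"],
    "DECNET": ["DECNET"],
}


def check_account(user: str, salt_hex: str, digest):
    """Return a finding string for a weak account, or None if it passes."""
    if digest is None:
        return "no password"
    salt = bytes.fromhex(salt_hex)
    # Username-as-password, tried as written and upper-cased (VMS usernames were upper case).
    for guess in {user, user.upper(), user.lower()}:
        if _digest(salt, guess) == digest:
            return "password equals username"
    for guess in DEFAULT_CREDS.get(user.upper(), []):
        if _digest(salt, guess) == digest:
            return f"default password {guess!r}"
    return None


def audit(store):
    """Run check_account over every entry; return {username: finding} for weak ones."""
    findings = {}
    for user, (salt_hex, digest) in store.items():
        finding = check_account(user, salt_hex, digest)
        if finding:
            findings[user] = finding
    return findings


if __name__ == "__main__":
    # Constructed sample accounts.
    sample = make_store([
        ("SMITH", "SMITH"),
        ("JONES", None),
        ("SYSTEM", "MANAGER"),
        ("LEE", "c0rrect-horse-battery"),
    ])
    for user, finding in audit(sample).items():
        print(f"{user}: {finding}")
```

The audit compares hashes rather than plaintext so it can run against a store that never keeps cleartext passwords; the same loop is what a worm's propagation routine does from the outside, one login attempt at a time, which is why the abstract's "standard VMS alarm settings" matter: an audit run by the administrator finds these accounts silently, while the worm's guessing leaves login-failure records unless it avoids them as OILZ did.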
