The manager would have to conduct a forced reboot of the machine. Take it down, then bring it back up on minimum configuration. Break back into it. Fix the password which the worm had changed. Logout. Reset some variables. Reboot the machine again. Close up any underlying security holes left behind by the worm. Change any passwords which matched users' names. A cold start of a large VMS machine took time. All the while, the astronomers, physicists and engineers who worked in this NASA office wouldn't be able to work on their computers.

At least the SPAN team was better prepared for the worm this time. They had braced themselves psychologically for a possible return attack. Contact information for the network had been updated. And the general DECNET internet community was aware of the worm and was lending a hand wherever possible.

Help came from a system manager in France, a country which seemed to be of special interest to the worm's author. The manager, Bernard Perrot of Institut de Physique Nucleaire in Orsay, had obtained a copy of the worm, inspected it and taken special notice of the creature's poor error-checking ability. This was the worm's true Achilles' heel.

The worm was trained to go after the RIGHTSLIST database, the list of all the people who have accounts on the computer. What if someone moved the database by renaming it and put a dummy database in its place? The worm would, in theory, go after the dummy, which could be designed with a hidden bomb. When the worm sniffed out the dummy, and latched onto it, the creature would explode and die. If it worked, the SPAN team would not have to depend on the worm killing itself, as they had during the first invasion. They would have the satisfaction of destroying the thing themselves.

Ron Tencati procured a copy of the French manager's worm-killing program and gave it to McMahon, who set up a sort of mini-laboratory experiment. He cut the worm into pieces and extracted the relevant bits. This allowed him to test the French worm-killing program with little risk of the worm escaping and doing damage. The French program worked wonderfully. Out it went. The second version of the worm was so much more virulent that getting it out of SPAN was going to take considerably longer than the first time around. Finally, almost two weeks after the second onslaught, the WANK worm had been eradicated from SPAN.

By McMahon's estimate, the WANK worm had incurred up to half a million dollars in costs. Most of these were through people wasting time and resources chasing the worm instead of doing their normal jobs. The worm was, in his view, a crime of theft. `People's time and resources had been wasted,' he said. `The theft was not the result of the accident. This was someone who deliberately went out to make a mess.

`In general, I support prosecuting people who think breaking into machines is fun. People like that don't seem to understand what kind of side effects that kind of fooling around has. They think that breaking into a machine and not touching anything doesn't do anything. That is not true. You end up wasting people's time. People are dragged into the office at strange hours. Reports have to be written. A lot of yelling and screaming occurs. You have to deal with law enforcement. These are all side effects of someone going for a joy ride in someone else's system, even if they don't do any damage. Someone has to pay the price.'

McMahon never found out who created the WANK worm. Nor did he ever discover what the creator intended to prove by releasing it. The creator's motives were never clear and, if it had been politically inspired, no-one took credit.

The WANK worm left a number of unanswered questions in its wake, a number of loose ends which still puzzle John McMahon. Was the hacker behind the worm really protesting against NASA's launch of the plutonium-powered Galileo space probe? Did the use of the word `WANK'—a most un-American word—mean the hacker wasn't American? Why had the creator recreated the worm and released it a second time? Why had no-one, no political or other group, claimed responsibility for the WANK worm?

One of the many details which remained an enigma was contained in the version of the worm used in the second attack. The worm's creator had replaced the original process name, NETW_, with a new one, presumably to thwart the anti-WANK program. McMahon figured the original process name stood for `netwank'—a reasonable guess at the hacker's intended meaning. The new process name, however, left everyone on the SPAN team scratching their heads: it didn't seem to stand for anything. The letters formed an unlikely set of initials for someone's name. No-one recognised it as an acronym for a saying or an organisation. And it certainly wasn't a proper word in the English language. It was a complete mystery why the creator of the WANK worm, the hacker who launched an invasion into hundreds of NASA and DOE computers, should choose this weird word.