WANK (computer worm)

WANK (Worms Against Nuclear Killers)
Initial release 1989
Written in DIGITAL Command Language
Operating system VMS
Type Computer worm

The WANK Worm and the OILZ Worm were computer worms that attacked DEC VMS computers in 1989 over the DECnet. They were written in DIGITAL Command Language. [1]

Origin

The worm is believed to have been created by Melbourne-based hackers, which would make it the first worm created by an Australian or Australians. The Australian Federal Police thought the worm was created by two hackers who used the names Electron and Phoenix. [2] Julian Assange may have been involved, but this has never been proven. [3] [4]

Approximately two weeks later, a modified version of the worm called OILZ attacked other systems. The original version, WANK, had bugs preventing access to accounts with no password. In OILZ, some of the problems of the first worm were corrected, allowing penetration of unpassworded accounts and altering passwords. The code indicated that the worms evolved over time and were not written by a single person. [1] [5]

Political message

The WANK worm had a distinct political message attached; it was the first major worm to have a political message. WANK in this context stands for Worms Against Nuclear Killers. The following message appeared on an infected computer's screen: [6] [2]

   W O R M S    A G A I N S T    N U C L E A R    K I L L E R S
 _______________________________________________________________
 \__  ____________  _____    ________    ____  ____   __  _____/
  \ \ \    /\    / /    / /\ \       | \ \  | |    | | / /    /
   \ \ \  /  \  / /    / /__\ \      | |\ \ | |    | |/ /    /
    \ \ \/ /\ \/ /    / ______ \     | | \ \| |    | |\ \   /
     \_\  /__\  /____/ /______\ \____| |__\ | |____| |_\ \_/
      \___________________________________________________/
       \                                                 /
        \    Your System Has Been Officially WANKed     /
         \_____________________________________________/

  You talk of times of peace for all, and then prepare for war.

The worm coincidentally appeared on a DECnet network operated by NASA days before the launch of a NASA Space Shuttle carrying the Galileo spacecraft. At the time, there were protests by anti-nuclear groups regarding the use of the plutonium-based power modules in Galileo. The protesters contended that if this shuttle blew up as Challenger did three years earlier in 1986, the plutonium spilled would cause widespread death to residents of Florida. [7]

The worm propagated through the network pseudo-randomly from one system to the next, using an algorithm that converted the victim machine's system time into a candidate target node address (composed of a DECnet Area and Node number). It then attempted to exploit weakly secured accounts such as SYSTEM and DECNET whose passwords were identical to their usernames. The worm did not attack computers within DECnet area 48, which was New Zealand. A comment inside the worm source code at the point of this branch logic indicated that New Zealand was a nuclear-free zone. New Zealand had recently forbidden U.S. nuclear-powered vessels from docking at its harbours, further fueling the speculation inside NASA that the worm attack was related to the anti-nuclear protest. [2]

The line "You talk of times of peace for all, and then prepare for war" is drawn from the lyrics of the Midnight Oil song "Blossom and Blood". Midnight Oil is an Australian rock band known for political activism and opposition to both nuclear power and nuclear weapons. The process name of the second version of the worm to be detected was "oilz", an Australian shorthand term for the band. [8]

Playful nature

DECnet networks affected included those operated by the NASA Space Physics Analysis Network (SPAN), the US Department of Energy's High Energy Physics Network (HEPnet), CERN, and Riken. [6] The only separation between the networks was a prearranged division of network addresses (DECnet "Areas"). Thus, the worm, by picking a random target address, could affect all infected networks equally. The worm's source code included a hard-coded list of 100 common VAX usernames.

In addition to its political message, the worm contained several features of an apparently playful nature. The words "wank" and "wanked" are slang terms used in many countries to refer to masturbation. In addition, the worm contained "over sixty" randomizable messages that it would display to users, including "Vote anarchist" and "The FBI is watching YOU". The worm was also programmed to trick users into believing that files were being deleted by displaying a file deletion dialogue that could not be aborted, though no files were actually erased by the worm. [1] [2]

Anti-WANK, OILZ and WANK_SHOT

R. Kevin Oberman (from DOE) and John McMahon (from NASA) wrote separate versions of an anti-WANK procedure and deployed them into their respective networks. Anti-WANK exploited the fact that, before infecting a system, WANK would check the process table for a process named NETW_(random number), that is, a copy of itself. If one was found, the worm would destroy itself. When anti-WANK was run on a non-infected system, it would create a process named NETW_(random number) and just sit there. Anti-WANK only worked against the earlier version of the worm, though, because the process name of the worm in a later version was changed to OILZ. [2] [9]
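The marker check and the decoy process described above can be modelled in a few lines. This is an added Python illustration, not code from the worm or from either anti-WANK procedure; the host names, process lists, the decoy number and the assumption that the renamed variant checks for its own OILZ name are constructed for the example.

```python
import re

# The first WANK version, per the text, looked for a process named
# NETW_<random number> and removed itself if one was already running.
WANK_MARKER = re.compile(r"^NETW_\d+$")
# Assumption: the later variant performs the same check against its own name.
OILZ_MARKER = re.compile(r"^OILZ")

def worm_backs_off(process_names, marker):
    """True if a process matching the worm's own marker is already present."""
    return any(marker.match(name) for name in process_names)

def apply_vaccine(process_names, decoy="NETW_1234"):
    """Model of anti-WANK: add one idle decoy process carrying the marker name.
    NETW_1234 is a constructed value; any NETW_<digits> name satisfies the check."""
    if worm_backs_off(process_names, WANK_MARKER):
        return list(process_names)   # marker already present, nothing to add
    return list(process_names) + [decoy]

def unprotected_hosts(fleet, marker):
    """Hosts whose process table would not stop a variant checking `marker`."""
    return sorted(h for h, procs in fleet.items()
                  if not worm_backs_off(procs, marker))

# Constructed sample fleet: host name -> process names seen on that host.
FLEET = {
    "NODE_A": ["SWAPPER", "OPCOM", "JOB_CONTROL"],
    "NODE_B": ["SWAPPER", "NETW_4821"],                 # marker already present
    "NODE_C": ["SWAPPER", "NETWORK_MON", "MY_NETW_7"],  # look-alikes, no match
}

def run_model():
    before = unprotected_hosts(FLEET, WANK_MARKER)
    vaccinated = {h: apply_vaccine(p) for h, p in FLEET.items()}
    after_wank = unprotected_hosts(vaccinated, WANK_MARKER)
    after_oilz = unprotected_hosts(vaccinated, OILZ_MARKER)
    return before, after_wank, after_oilz

if __name__ == "__main__":
    before, after_wank, after_oilz = run_model()
    print("exposed to NETW_ variant before decoy: ", before)
    print("exposed to NETW_ variant after decoy:  ", after_wank)
    print("exposed to renamed variant after decoy:", after_oilz)
```

The last result shows why a decoy keyed to one marker name gives no coverage once the marker changes.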

A second version of WANK, called OILZ, was released on October 22, 1989. Unlike the previous version of WANK, this version was designed to actually damage the computers it infected, rather than only falsely claim to do so, and would alter the passwords of infected computers. Like the previous version of WANK, this program would utilise the RIGHTSLIST database to find new computers to infect. The program WANK_SHOT was designed by Bernard Perrow of the French National Institute of Nuclear and Particle Physics to rename RIGHTSLIST and replace it with a dummy database. This would cause WANK to go after the dummy, which could be designed with a hidden logic bomb. WANK_SHOT was then provided to the system administrators of affected networks to be installed onto their computers. It still took weeks for the worm to be completely erased from the network. [1] [5]


References

  1. Levi, Ran; Salem, Eli. "Malicious Life Podcast: The WANK Worm Part 1". Malicious Life Podcast. Retrieved 20 June 2022.
  2. Dreyfus, Suelette; Assange, Julian (June 1997). Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier. Random House Australia. ISBN 1863305955. Archived from the original on 8 May 2004.
  3. Bernard Lagan, "International man of mystery," The Sydney Morning Herald, 10 April 2010. Retrieved 17 March 2014.
  4. David Leigh and Luke Harding, WikiLeaks: Inside Julian Assange's War on Secrecy (2011) p. 42.
  5. Longstaff, Thomas A.; Schultz, E. Eugene (1993-02-01). "Beyond preliminary analysis of the WANK and OILZ worms: a case study of malicious code". Computers & Security. 12 (1): 61–77. doi:10.1016/0167-4048(93)90013-U. ISSN 0167-4048.
  6. Pomeroy, Ross. "When NASA got WANKed". RealClearScience. RealClearScience. Retrieved 20 June 2022.
  7. Broad, William (10 October 1989). "Groups Protest Use of Plutonium on Galileo". The New York Times Company. The New York Times. Retrieved 20 June 2022.
  8. Dreyfus, Suelette (16–17 February 1998). Computer Hackers: Juvenile Delinquents or International Saboteurs?. Internet Crime Conference. Australian Institute of Criminology. Melbourne. Archived from the original on 2009-10-09. Retrieved 10 September 2020.
  9. Levi, Ran; Pinkas, Noa. "Malicious Life Podcast: The WANK Worm Part 2". Cybereason. Cybereason. Retrieved 20 June 2022.