Malicious Life Podcast: The WANK Worm Part 2

After the Challenger Disaster of 1986, NASA had a hard time convincing the public that the Galileo spacecraft, fueled by radioactive Plutonium, is safe to launch. The WANK worm, it turns out, was a message aimed at NASA from the two most powerful attackers in the world...

About the Guest

Noa Pinkas

EMEA SOC Manager at Cybereason
About the Host

Ran Levi

Born in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.

In 2007, he created the popular Israeli podcast Making History. He is the author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

About The Malicious Life Podcast

Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.

Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason.


Malicious Life Podcast: The WANK Worm, Part 2 Transcript

Entering into the 1980s, few organizations in history had so sterling a reputation as NASA. That all changed in a matter of seconds, on January 28th, 1986.

The “Challenger” shuttle launch was an historical event in the making. Two years prior, President Ronald Reagan had introduced the Teacher in Space Project–a proposal aimed at inspiring students, encouraging educators, and generating interest in the STEM fields, by bringing teachers to space. Christa McAuliffe, a high school social studies teacher from New Hampshire, was the very first person awarded a spot. 17 percent of all Americans tuned in live to watch, many of them classes of schoolchildren. And then…

In the aftermath, through investigations and hearings, it was revealed that the Challenger failure was a result not of random occurrence, or lack of know-how. It was human oversight. Managers and executives overseeing the operation had failed to take proper precautions regarding a component of the rocket boosters–called O-rings–which engineers had advised were liable to fail under the below-freezing temperature of that January day. They decided to push forward despite those warnings, and everybody aboard Challenger died when the aircraft exploded 73 seconds into its flight.

Galileo
The next spacecraft to take flight after Challenger was called “Galileo”. No matter what, Galileo was going to be scrutinized. It’s like the performer that has to go up on stage, after his opening act bombs (pun not intended). Everything was going to be ten times harder, and it was.

Firstly, Galileo needed plutonium, because it was headed for Jupiter. Typical rocket fuel suffices for trips to the moon, or nearby planets, but Jupiter is 588 million kilometers from Earth. Through its own heat-generating decay, plutonium is not only effective but highly compact, taking up less space and weight on the craft. For all the sense it made to NASA engineers, however, some American citizens still had the Challenger incident fresh in their minds. The fiery explosion. The falling debris. Imagine that, plus radioactive nuclear material raining from the sky.

NASA insisted that the flight would be safe–that the likelihood of a radiation leak as a result of another Challenger-like disaster was 1 in 2,700. To those who remembered the highest-ranking officials at NASA signing off on Challenger and its safety standard, the claim rang hollow.

Protests formed near the launch site, and anti-nuclear activist groups sued NASA in an attempt to stop Galileo from going up. A hearing in a U.S. District Court was scheduled to occur just a few days before the launch. And these roadblocks weren’t just a nuisance. If the anti-nuclear groups successfully delayed launch, they could effectively shut down the mission, because Galileo had a deadline. The project had begun all the way back in 1977, and was set to launch in 1982. Between development setbacks, rising costs and budget cuts, it got delayed to 1984, then 1986. When Challenger happened, it got pushed back again.

The deadline to launch was not only a bureaucratic decision, though. You see, in order to get to Jupiter, NASA’s engineers had to get creative. Even an efficient fuel source like plutonium would run out far before reaching such a distance. So they had the idea, to use the gravitational pull of planets as a kind of slingshot. Galileo would fly by Venus once, and Earth twice, building up a head of steam to then shoot off to Jupiter. The plan was ingenious, but it required very precise conditions–to line everything up just right, such that the trajectory of the spacecraft would align perfectly with the orbit of all three planets. It meant that Galileo had to be in-air by, latest, November 19th, 1989. If it missed that date, it would have to wait at least another 19 months. 19 months, and likely over 100 million dollars in expenses, for a project already 12 years in the making, and over one billion dollars over budget. There was no guarantee that Galileo would ever fly, if not now.

This, as protests heated up, the court battle drew nearer, press started asking questions, and rain poured down in East Florida. NASA’s employees were probably sitting at their desks thinking: what else could possibly go wrong? You know what happens next.

WANK’s Author
In Part 1 of this double episode, I told you about the WANK worm. How it spread through NASA, the U.S. Department of Energy, and other organizations throughout the Western world. How two systems managers developed a program to beat the worm, how the hacker came back with an even stronger version, and how a Frenchman built the program that defeated it once and for all. That, it turns out, was only part of the story.

When WANK worm infected a computer, it would set a system announcement message to read: “WANK: Worms Against Nuclear Killers,” and then underneath, “You Have Been Officially WANKed; You talk of times of peace for all and then prepare for war.” It was an utterly confusing message, even if you do know what the terms “worm” and “wank” mean, which you can bet many NASA employees in 1989 did not. Nonsensical as it may have seemed, the message was packed with references–clues to the possible identity and motives of the individual or individuals who wrote it.

Let’s start with the obvious. Perhaps you know what the slang term “wank” means (if you don’t, Google it). The use of that term would seem to indicate two things. First, that the worm’s author might come from a country where that term is common–specifically, of or related to the United Kingdom. Second, that they’re rather immature–if one were to guess, young and male. Of course, “young and male”, when we’re talking about hackers, doesn’t narrow things down much.

It’s hard to imagine anything short of a large, official organization–maybe a government, or a crime ring–hacking into NASA. But plenty of evidence suggested this might have just been some misbehaving kid. The inane little messages it sent to networked computers. How it first breached the Department of Energy on Friday the 13th. And that no component of the WANK worm actually stole or purposely manipulated data on its host computer systems, or benefited the hacker in any material way.

Other clues were rather subject to interpretation. Like the structure of the code itself, which was utterly chaotic. In “Underground”, by Suelette Dreyfus and Julian Assange, NASA systems manager John McMahon compared trying to understand the WANK worm to trying to sift through spaghetti–everything tangled together, without logic or order. Could this mean that there were multiple authors, who weren’t well-coordinated? Or one, who simply didn’t have an eye for organization?

And there were multiple versions of the first WANK worm, but no obvious reason why. DOE network manager Kevin Oberman concluded that it must be a function of the program’s learning and changing as it went along and infected more systems. McMahon had a different theory: that the hacker released the worm, then made changes to it, and released updated versions as they went along. While the two men debated, Digital Equipment Corporation–the company that made all the infected computers–was dealing with their own, unique version of WANK worm. Their worm had instructions to infect as many computers running over Easynet–the company’s internal network–as possible…except those located inside DEC’s “Area 48”.

What was Area 48? We’ll come back to that.

Clues
WANK worm cost a lot of people a lot of time, effort, stress, and money. McMahon, Oberman and DEC–themselves more embarrassed than anyone–were out for scalps. John had even printed WANK worm out on white paper: seven pages total. They pored over every inch of the program. But no amount of analysis was going to get the job done. Because there was only one person on the case with the knowledge to blow it wide open, and it was not John, nor Kevin, but a journalist.

The first WANK worm ran as a process called “NETW_”. Recall in our last episode that the worm would check to see if itself–“NETW_”–was already running on a computer before infecting that computer. Oberman’s anti-WANK took advantage of this feature by running a process also named “NETW_” on an uninfected computer, so as to confuse the worm into deleting itself. The second WANK worm, as a result, was given a different name: “OILZ”.

Everything about the WANK worm was confusing, so few people gave thought to what “OILZ” may have stood for. Except one journalist covering the story: Suelette Dreyfus. Dreyfus may not have known as much about how to defeat a worm as John McMahon or Kevin Oberman, but she did have one, incidental advantage: her nationality. Immediately she knew what “OILZ” meant. So she went home and rummaged through her CD collection and, boom…

“You talk of times of peace for all, and then prepare for war.”

Zero minutes, 26 seconds, “Blossom and Blood”, by the Australian rock band Midnight Oil, also referred to by their fans as “OILZ”.

Phoenix and Electron
Networking technology didn’t hit Australia’s markets until the mid-90s, but already by the late 80s, Australians were famous in the worldwide hacking underground. That fame rested largely on the reputation of one hacking collective–The Realm–and its two most revered members–code named Phoenix and Electron.

Phoenix and Electron were digital assassins, breaching major companies, universities, governments, just for the game of it. They were so good, in fact, that John Markoff, a reporter for the New York Times, published a story in March of 1990, about a new computer worm sweeping through U.S. institutions. Shortly thereafter, Markoff received a call from a man calling himself “Dave”. Dave was angry, because he wanted credit. There was no worm. All those intrusions were him. It only looked like a worm because he was so good–he was breaking into so many networks, so quickly, that Markoff mistook the breaches as machine-made.

Dave was a fake name. This was Phoenix, real name Nashon Even-Chaim. His call to John Markoff was brash, and if he could’ve seen into the future–the series of events precipitated by his actions–he likely wouldn’t have picked up that phone, and wouldn’t have hacked all those universities. But he did, and he did. And you can understand why. He may have already, alongside Electron and other members of the Realm, hacked major universities, corporations and governments. But he was only 18 years old. 18 year-old boys like to brag.

And Phoenix was especially hot-headed. Having grown up in a broken home, you could say he walked around with a chip on his shoulder, breaking into networks seemingly just so that he could boast about his accomplishments to other hackers online.

Electron, too, found hacking when his family life spiraled out of control. His mother died when he was just a child, and his father–who first introduced him to computers–developed cancer not long after. In 2003, inspired by Suelette Dreyfus’ “Underground”, a documentary was made about Electron and Phoenix, called “In the Realm of the Hackers”. In it, Electron–real name Richard Jones–recalls learning about his father’s bowel cancer. “I can specifically remember thinking: computers don’t get cancer,” he said. According to his own account, as the authority figures in his life passed away, he turned ever more obsessively to computers.

So Phoenix and Electron were not so scary, but online they were. Despite not actually ever having met, or shared their real names, they partnered up–Phoenix the aggressor, with an expensive Commodore Amiga computer and its fastest modem speed, and Electron more reserved, more talented, but working on a slower Commodore 64 and its 1541 disk drive. Other prominent members of the group included Force–a kind of elder statesman of the group–and Nom, real name David John Woodcock. For years they operated over dial-up connections, through the University of Melbourne’s limited internet connection. With primitive machines, they were nonetheless able to crack universities, from Wisconsin to Berkeley to Purdue. Individual university professors who wrote negatively of hackers, like Eugene Spafford, a previous guest of our show. They stole–but did not use, or sell–thousands of credit cards from Citibank. They cracked the U.S. Department of Defense. NASA. Electron and Phoenix were hacking NASA while their classmates were taking driver’s ed.

And for a while it worked. Until one journalist discovered a reference to a rock band in a computer worm. And another received a call, from someone claiming to have breached universities across the United States. No longer were these Australians a fringe issue. Something had to be done.

Operation Dabble
Phoenix and Electron now had a price on their heads. They were placed on a wanted list. The collective effort by Australian federal police, to capture and indict Phoenix and Electron, was given the decidedly non-intimidating name: Operation Dabble.

Operation Dabble commenced in 1988. It would’ve begun even sooner, but Australian authorities initially faced a roadblock: there was not yet any law in Australia, which addressed crimes committed via computers. In order to begin investigating, the Australian government first had to actually write legislation to define the terms of cyber crime. They passed a bill in June 1988, and by the end of the year–using informants and undercover agents–police had identified their targets.

It’s possible, even at this point, that Phoenix and Electron weren’t seen as much of an imminent threat. A year after identifying Nashon Even-Chaim and Richard Jones, little significant investigative action had commenced towards actually pursuing the two boys. Who knows? They might have even got off free, had they slowed down what they were doing. But Phoenix and Electron weren’t just occasional hackers–they were obsessive, constantly improving, becoming more dangerous and prolific across the world. In October of 1989 a worm spread through NASA headquarters, on the day of a scheduled launch, and it seemed to have ties to Australia. Hack after hack continued in the following months. Phoenix and Electron were building the walls to their own prison. They forced their government’s hand.

In January of 1990, Australian police obtained a warrant to tap all of Phoenix’s communications. For the following two months, they listened in to every call going in and out of his home. Their job was made easy, by how often he flaunted his achievements. They heard him gloat about, quote, “fucking with NASA.” “Yeah, they’re gonna really want me bad,” he said, “this is fun!” He bragged about the universities, too. Quote: “the guys down at the local universities here are screaming with rage because they couldn’t get rid of us. The Americans are getting pretty damn pissed off with me because I’m doing so much and they can’t do much about it. I’m getting to the point now where I can get into almost any system on the internet. I’ve virtually raped the internet beyond belief.”

Incriminating as those words were, the missing piece of evidence was the computer code itself. Police needed a means for capturing the data from Phoenix and Electron’s systems, or else all those phone conversations could be contested in court. No technology existed yet, however, for capturing data at such speeds as they needed to. So investigators needed to literally invent a system for intercepting the data, and they had a ticking timer to do so. Because, just as they were doing so, Phoenix and Electron had achieved their greatest, and most dangerous, breach yet.

Zardoz was a mailing list among computer security professionals between 1989 and 1991, which kept record of every known vulnerability in computer systems of the time, detailing where to find them and how they could be exploited. You can imagine how precious Zardoz was, then, to hackers and security experts alike. It was a hacker’s cheat code to the internet. And after breaking into CSIRO, an Australian research institute, Electron got his hands on it. He shared it with Phoenix.

You could argue at this point that, temporarily, Phoenix and Electron were the two most powerful hackers on Earth.

Even more frightening a prospect would be if Zardoz made its way from the Australians, out to other hackers. The effect of that would be difficult even to imagine. Coincidentally, however, the very same day Electron cracked Zardoz, Australia’s federal police made a breakthrough, implementing a communications intercept with high-enough modem speeds to intercept all data entering and exiting from the computers of Phoenix and Electron. This would mark the first ever case, in Australia as well as the rest of the world, where police effectively gathered criminal evidence via remote tapping of computers.

By the end of March 1990, the police finished their wire taps. Which meant that there was only one thing left to do.

Richard Jones was peeing, in the middle of the night, when police broke into his home, held him down and put him in handcuffs. At the same time, in two other locations in the Australian suburbs, police were arresting David John Woodcock, and Nashon Even-Chaim.

A Worm With A Message
In 1993, Jones was given six months of jail time and 300 hours of community service. Even-Chaim: 12 months, 500 hours. Some argued for greater sentences than that. Perhaps the judges took pity on the boys. After all, they were so young at the time. Observers noted that, at their own son’s court hearings, Phoenix’s parents were outwardly fighting with one another. Electron, in awaiting his case, experienced the death of his father, and drug addiction, culminating in a mental breakdown which required hospitalization.

While Nashon and Richard both admitted to hacking into NASA–among many other targets–to this day we have no definitive proof that they were the creators of the WANK worm. Electron has outwardly denied it. They’re really the only two suspects–the names that come up again and again in historical accounts–but nobody was able to produce that smoking gun. It probably wouldn’t have mattered, in the end, considering how many other breaches they’d been found guilty of.

Even if they did do it, that still doesn’t explain all those questions we left open earlier. “Worms against nuclear killers”? Zone 48?

WANK worm is remembered today, actually, not because of Phoenix, Electron, or for what it actually did to NASA. Its legacy is, in a way, more interesting than any of that. DECnet’s Zone 48 represents the nation of New Zealand. A member of John McMahon’s team, mulling over the matter, recalled that New Zealand is a famously nuclear-free country. Just as the plutonium-fueled Galileo spacecraft was going to make its way up into space, an Australian hacker (or two) sent a computer worm onto NASA’s SPAN network, with a message. Programmed into the worm was a command: that it could go anywhere, except New Zealand, because they’d already got that message.

And now that we’ve finished this two-part episode on the WANK worm, I’d like to take a second to tell you where that word–“worm”–actually comes from; because many people, in looking back at this story, have noticed parallels to the book that coined the term.

“The Shockwave Rider” was a tepidly-received, but cult-classic science fiction novel published in 1975, written by John Brunner. It tells the story of Nick Haflinger, a programmer living in a dystopian, technocratic 21st century United States, who manages to escape the government’s program for training gifted individuals towards furthering state interests. This America is dominated by networks, with a ruling class that uses it towards its own ends, as a tool of control. That is, until Nick creates a worm which, when activated, reveals all the government’s secrets to the people. As the novel comes to an end, Nick’s final, saving act is to stop a government-ordered nuclear strike.

A computer worm, designed to shine a light on the government’s activity, and prevent its nuclear activity. WANK worm wasn’t just an effective malware. It was the first malware program to carry with it a statement of intent. Software like DeCSS, created a decade later, and cyber-destroyers like Shamoon, another decade after that, can all be traced back, in some small but meaningful way, to the WANK worm, which demonstrated that computer programs can do more than execute actions–they can communicate ideas.