
Computer Virus Probe Turns to Grad Student : Hundreds of Institutions, 70,000 Work Stations Across U.S. Affected in Unprecedented Rampage

Times Staff Writers

Authorities investigating the runaway “computer virus” that crippled a nationwide network of government and research computers this week focused their suspicions late Friday on a 23-year-old Cornell University graduate student who is the son of a top government security specialist.

A Cornell official confirmed Friday night that the computer account of Robert T. Morris Jr. had been used to pilfer files in Cornell and Stanford University computers that contained passwords capable of unlocking the Department of Defense system.

Stuart Lynn, Cornell’s vice president for information technologies, said it was unclear whether the user was Morris, a computer science student and the son of Robert Morris Sr., a widely published author on the security of the system breached this week.


“His account contained files that appear to hold passwords for some computers at Cornell and Stanford to which he is not entitled,” Lynn told The Times. “We have also discovered that Morris’ account contained a list of passwords substantially similar to those found in the virus.” Stanford officials said late Friday they had seen no evidence that their computers had been used to trigger the virus.

Spotted Earlier in System

Cornell officials also said they have evidence that the computer “virus” was spotted on their computer system more than two weeks ago and possibly was created there. They cited evidence that at least twice since Oct. 17 someone with access to Cornell computers used a virus very similar to the one reported in computers nationwide this week.

Meanwhile, computer scientists scrambling to clean up the damage left by the virus’s unprecedented rampage said the diabolical program was the most sophisticated they had seen. Some remained unsure that it was completely under control.

Pentagon officials, defense contractors, universities and others on the nationwide computer network penetrated by the virus hastened Friday to say that they had cleansed and secured their systems. They said no classified material and little data had been lost.

Yet investigators were stunned by the magnitude of the breach: The virus affected hundreds of institutions with as many as 70,000 work stations across the United States. It even infiltrated some 1,000 military computers which officials had believed were protected by a computer “vaccine.”

The virus infected computers at literally hundreds of institutions throughout the country. Among those affected: NASA Ames Research Center in Mountain View; Caltech; Stanford; Lawrence Berkeley Laboratory; UC Berkeley; UC San Diego; the Naval Ocean Systems Command in San Diego; Massachusetts Institute of Technology; Harvard, Princeton, Columbia and Rutgers universities; the Naval Research Laboratory in Maryland and the Army’s Ballistics Research Laboratory in Maryland.


Investigators also marveled at the saboteur’s ingenuity in designing a program some said had up to eight ways of spreading from computer to computer. They said the programmer seemed intimately familiar with the system, conversant in all its flaws.

Some said the incident raised grave questions about the security of the country’s computer networks, which traditionally depend on a kind of honor system. While institutions began developing new safeguards, experts cautioned that no system can ever be fail-safe.

‘Trust All Users Equally’

“These networks trust all users equally,” said Peter G. Neumann, a computer scientist at SRI International, a research and development firm in Menlo Park. “But not all users are equally trustworthy. Security is a holistic problem. One weak link and the whole system can fail.”

A computer virus is a short program, or set of instructions, that sneaks into a computer’s memory the way a biological virus invades a cell. The program then reproduces wildly and sends copies of itself to other computers, riding on messages or programs being exchanged.

A benign virus may simply flash a provocative message. A more malevolent one might order a computer to erase months or years of work. The virus that hit this week simply reproduced relentlessly, tying up so much energy that the infected computers could do no other work.

The networks penetrated consist of computers tied together by telephone lines. The systems are used for such things as exchanging messages, data and even surplus capacity. The virus attacked two linked networks operated by the Department of Defense.


One, the Advanced Research Projects Agency Network (ARPANET), ties together university researchers and industrial contractors exchanging nonclassified information. The second, MILNET, is for the exchange of nonclassified information among military locations.

The two are interconnected through Department of Defense computers.

The affected computers use the Unix operating system. Created at AT&T Bell Laboratories in the early 1970s, Unix is a collection of programs that allows a computer to run. It instructs the machine how to interpret keystrokes from the keyboard, display characters on the monitor, store and recover files from memory, and send data to a printer.

The New York Times, citing anonymous sources, reported today that the younger Morris flew to Washington Friday and is planning to hire a lawyer. The sources reportedly said Morris would also meet with the Defense Communications Agency, in charge of the ARPANET system.

The newspaper also quoted Morris’ father as saying in an interview that the virus episode might have a beneficial effect in raising public awareness of the computer network’s vulnerability and in making operators more careful.

Pentagon officials said Friday that the virus had been isolated and an antidote program against further damage had been written, freeing Defense Department computer experts and officials to ponder the addition of new security measures for the computer network.

But they insisted that the computer networks over which defense secrets and sensitive military communications travel were not affected and remain relatively immune to such attacks.


Classified information is contained on three special networks that are not linked to each other or to other systems. Information cannot be exchanged between the secure systems electronically or on disks or tapes. It must be entered manually through a keyboard.

“We believe we have sufficient safeguards in (protecting) classified systems,” said Dr. Raymond S. Colladay, director of the Defense Advanced Research Projects Agency. “We can implement those systems on (the unclassified network) but it’s a matter of cost.”

Colladay said that “the damage was in lost time. There was no damage or loss of files.”

Some 52,000 computers in the NASA research community alone had to be disconnected from the network in order to check for presence of the virus. A NASA spokesman estimated the time required to bring the computers back on line at 140 man-years.

Anti-Viral Software

However, NASA’s damage was minimized by new anti-viral software and computer cut-off procedures instituted over the summer after an incident in which an insidious delayed-reaction virus, or “Trojan Horse,” breached the Jet Propulsion Laboratory’s network.

Officials at the RAND Corp. in Santa Monica believe similar measures limited damage to their system. Those include a new central computer capable of screening out some viruses and shutting off their access, said RAND spokesman Jess Cook.

In interviews Friday, investigators pieced together this story:

The virus was noticed at about 9 p.m. Wednesday by Cliff Stoll, in charge of computers at Harvard University, and traced to messages that came out of RAND six hours earlier. Stoll believes the program contained a timer set to trigger a reaction 12 hours after each computer was infected.


Meanwhile, at the University of Pittsburgh the virus entered the system at 8:27 p.m., according to Robert Hoffman, manager of computer systems. By 8:56 p.m., when the university system was shut down, the virus was already heading to another computer.

At the Lawrence Berkeley National Laboratory in California at 9:16 p.m., computer scientist Craig Lares was working on a problem involving a massive telescope to be built in Hawaii. Suddenly, a message flashed: “Demon tried to log on. Permission denied.”

Demon Standard Term

Demon is a standard term on the network for a program that operates without the user requesting it. The message had come from another computer in the building. Twenty-nine minutes later, the same message reappeared. This time, it came from a computer within the lab.

Lares and other scientists said the program was trying to guess secret passwords that allow users to sign onto the computers. One possibility was the program then would send the passwords back to whoever originated the program.

“It was trying to guess passwords,” said David L. Wasley, manager of data communication and network services at UC Berkeley. “It was trying various simple words, just at random, without any apparent purpose other than to get them.”

Chuck Cole, deputy computer security manager at Lawrence Livermore National Laboratory, was at home in bed at 1:30 a.m. Thursday when his phone rang. It was one of his top computer scientists, Russell Brand, calling about the problem.


“Oh, my God, why me?” was Cole’s response.

“Very early . . . we realized it was going to be a national incident,” Cole said. “They could see it was going to attack the whole network. There were no bounds. It was spreading in a very exponential manner.”

But the programmer made one mistake, investigators say.

The programmer failed to enable the virus to determine whether a computer was already infected. Computers thus became infected 40 or 50 times within an hour. That overtaxed the system and slowed it down, leading to the virus’ detection.

In the end, because the virus resided only in the computer’s memory and never became a part of its software, scientists found that if they isolated their computers from the network and shut them down, the virus would be gone when they turned the computers on again.

On Friday, FBI officials said they had launched an inquiry into whether there were violations of federal laws such as the Computer Fraud and Abuse Act. That 1986 law forbids unauthorized access to government computers and to those of financial and other institutions.

Penalties for violations include fines of up to $250,000 and up to a year in prison.

Despite the breach, some officials doubt the need for additional security.

Charles R. Redmond, a NASA spokesman, said NASA does not favor putting further restrictions on access to the system. “We feel this is the strength of American science,” he said, referring to the system’s accessibility. “We do not want to change access to the system.”

But experts say further efforts will be necessary to combat a threat that is only just beginning to emerge from the arcana of computer journals.


“The situation is analogous to developing an efficient national highway system to link cities, towns and homes,” said NASA data systems manager Anthony Villasenor. “But people’s homes can be invaded if they leave their doors open.”

Efforts to prevent future viral attacks should focus less on wiping them out at the source than on inoculating potential victims, Villasenor added. Operators should also institute procedures for minimizing the potential damage should viruses spread, he said.

“It is the first of the really big scares,” said Chuck Cole of Lawrence Livermore National Laboratory. “It could have been a malicious virus and done some bad things like wipe out data files.”

Contributing to this story were Times staff writers Melissa Healy and Ronald J. Ostrow in Washington, Dan Morain in San Francisco, Linda Roach Monroe in San Diego and Lee Dye and Anne C. Roark in Los Angeles.
