by theamk
780 days ago
Good point actually, the article says "late 1990's"... but most things would still work back then. I believe ldd, strace, procfs all existed back then. Python would not, but one could dump the environment using perl or some unusual shell. Keeping dotfiles in version control was much more rare, so that detection method would not work back then. But the shell variety was much greater back then, so the worm could end up on a server with tcsh or ksh or rsh (the "restricted shell") which would render it inert. And there was a chance of ending up on a Solaris box which would just throw errors about wrong architecture and cause immediate discovery. Also, there were many more shared systems, so granting "sudo" access to everyone was much less frequent back then. And we could have friendly sysadmins examine someone's config files if they ask for help, which would lead to discovery as well.