1 / 24

The Internet Worm Incident

The Internet Worm Incident. Author: Eugene Spafford Presenter: Jason Small. What / Where / When. Approximately 10% of the 60,000 computers connected to the Internet were shut down from November 2 to November 4, 1988

min
Download Presentation

The Internet Worm Incident

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Internet Worm Incident Author: Eugene Spafford Presenter: Jason Small

  2. What / Where / When • Approximately 10% of the 60,000 computers connected to the Internet were shut down from November 2 to November 4, 1988 • Primarily, Sun and VAX machines were hit. Other machines were “infected,” but not out of commission

  3. Nomenclature • Virus ? • Worm ? • Who Cares?

  4. How - Methods of Entry • fingerd (VAX) • sendmail • rexec, rsh

  5. Methods of Entry - fingerd • After a connection is made to a finger daemon, the name of a user is sent by the client • fingerd did not expect that anyone would have a name longer than 512 bytes (good guess) • The gets command was used to retrieve this information • gets is passed a char* and returns characters from stdin until a newline or EOF is received

  6. fingerd – cont. • The worm sent 512 noops and 14 bytes of data • The data contained machine code to execute /bin/sh • sh reads and writes using stdio, which has been redirected to the remote computer by fingerd, giving the worm a prompt as user nobody (hopefully) • Only worked on VAX

  7. Methods of Entry - sendmail • Debug option was left enabled in many installations • Destination address is command to execute • Message body is input to programs • Worked on many different types of machines

  8. Methods of Entry - rsh • Gets a shell and proceeds as with finger

  9. Vector Program • Using either finger or sendmail, a “vector” or bootstrap program was sent over, compiled, and run • The vector program contacted the server and received a Sun binary, VAX binary and the source for the vector program

  10. Execution • Through the shell, the server runs the binary • If this fails, all associated files are deleted • Connection with the server is then ended • The new worm obscures its argument vector (renaming it ‘sh’), deletes the binary and kills its parent

  11. Execution • A list of possible victim machines is compiled using /etc/hosts.equiv, /.rhosts, users’ .forward and netstat. • Looks in users’.rhosts after an account is cracked • Then, attempts were made to connect to these machines using finger and sendmail

  12. “Cracksome” • Various passwords were tried on account in the /etc/passwd file • First, Naïve passwords such as (null), account, accountaccount, User, Name, user, name, and tnoucca • Second, an internally stored list of 432 words was tried • Third, all words in /usr/dict/words was tried

  13. Entry with user and password • Once a password is obtained, rexec and rsh are used to establish a connection to a remote machine • The worm then proceeds as with finger and sendmail • Oddly, telnet was only used to determine reachability

  14. Pleasequit? • Throughout execution, the worm would check for other worms running on the machine and would set the pleasequit variable to quit later on • One out of seven execution would not check and become “immortal”

  15. Camouflage - External • The executable was named sh • Periodically, the worm would fork and kill the parent • The executable was deleted after execution started • Core dump size set to 0 • Deletion of all associated files

  16. Camouflage - Internal • Constants used in the files were XORed with 0x81 • The internal password list had the high bit set (XOR w / 0x80) • Magic number exchange for vector program • “Random” file names

  17. What Went Wrong – the Worm • Pleasequit didn’t take effect immediately and provides a large window during which resources are used • If multiple worms were on a machine they may only know about there being one other

  18. What it didn’t do • Root usually not compromised • Programs needing a privileged port should be suid root and immediately after opening a port should setuid to another user such as “nobody” • Finger bug could have been exploited on Sun also • Didn’t spread to other networks • Didn’t delete files or leave a timebomb

  19. Odd Things of Note • Messages to ernie.berkeley.edu • “From disassembling the code, it looks like the programmer is really anally retentive about checking return codes, and, in addition, prefers to use array indexing instead of pointers to walk through arrays.” • The messages to ernie used TCP, not UDP, was the program finished?

  20. What Went Wrong – the People • Easily guessed passwords • Bad administration (sendmail, .rhosts) • Bad programming (finger) • Attempts at stopping it were slowed by the ultimate DoS attack, people disconnected. Emails took hours to get through, even when machines were connected

  21. What Went Right – the People • People used the phone and stayed up all night • The temporary solution which worked best was to mkdir /tmp/sh • The best solution was to change user passwords and patch the holes

  22. Outcome • Robert T. Morris was convicted of violating the computer Fraud and Abuse Act (Title 18), and sentenced to three years of probation, 400 hours of community service, a fine of $10,050, and the costs of his supervision.

  23. Outcome • He is currently an assistant professor at MIT http://www.pdos.lcs.mit.edu/~rtm/ • Robert T. Morris happens to be Robert T. Morris Jr., son of the head of NCSA, the public sector arm of the NSA • Computer Emergency Response Team (CERT) formed

  24. References • “The Internet Worm Incident” (Spafford) • “With Microscope and Tweezers” • RFC 1135: The Helminthiasis of the Internet • WWW.WORM.NET • The Cuckoo’s Egg, Cliff Stoll • http://www.2600.com/phrack/p49-14.html

More Related