The Internet Worm Incident Author: Eugene Spafford Presenter: Jason Small
What / Where / When • Approximately 10% of the 60,000 computers connected to the Internet were shut down from November 2 to November 4, 1988 • Primarily Sun 3 and VAX machines running BSD Unix were hit. Other machines were "infected," but not put out of commission
Nomenclature • Virus ? • Worm ? • Who Cares?
How - Methods of Entry • fingerd (VAX) • sendmail • rexec, rsh
Methods of Entry - fingerd • After a connection is made to the finger daemon, the client sends the name of the user to look up • fingerd read this into a 512-byte stack buffer and did not expect anyone to have a name longer than that (a good guess, but never enforced) • The C library function gets() was used to read the name • gets() is passed a char* and copies characters from stdin until a newline or EOF is received, with no bound on how many it writes
fingerd – cont. • The worm sent a 536-byte request: a run of VAX nop instructions followed by a short piece of machine code that executed /bin/sh, laid out so that the overwritten return address landed in the nops • The shell inherited fingerd's stdin and stdout, which were the network connection, so the worm got an interactive shell on the remote machine with whatever privileges fingerd had (ideally an unprivileged user such as nobody) • The payload was VAX machine code, so this route only worked on VAXen
Methods of Entry - sendmail • Many installations ran sendmail with the DEBUG command enabled (compiled in for debugging and left on in production) • In debug mode a recipient address could name a program instead of a mailbox, so the destination address became the command to execute • The message body was fed to that program as its input • Worked on many different types of machines, since no machine code was needed
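The two things a defender could have looked for in the SMTP conversation are the DEBUG verb and a recipient that names a program. The following is an added example (not from the slides or from sendmail): a line classifier plus a small scanner that runs it over a constructed session in the shape published analyses describe for the worm's sendmail attack. The session text is constructed for this example, and the exact bytes sent in 1988 may differ.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum smtp_flag { SMTP_CLEAN = 0, SMTP_DEBUG_CMD = 1, SMTP_PIPE_RCPT = 2 };

/* True if `line` starts with SMTP verb `verb` (verbs are case-insensitive)
   followed by end of line, whitespace or ':'. */
static int has_verb(const char *line, const char *verb)
{
    size_t n = strlen(verb);
    for (size_t i = 0; i < n; i++)
        if (line[i] == '\0' ||
            tolower((unsigned char)line[i]) != tolower((unsigned char)verb[i]))
            return 0;
    return line[n] == '\0' || line[n] == ':' || isspace((unsigned char)line[n]);
}

/* Classify one client command line from an SMTP session. */
enum smtp_flag classify_smtp_line(const char *line)
{
    if (has_verb(line, "debug"))
        return SMTP_DEBUG_CMD;
    if (has_verb(line, "rcpt")) {
        /* the recipient follows "<"; skip spaces and an opening quote */
        const char *p = strchr(line, '<');
        p = p ? p + 1 : line + 4;
        while (*p == ' ' || *p == '"')
            p++;
        if (*p == '|')                      /* "|command" recipient = run a program */
            return SMTP_PIPE_RCPT;
    }
    return SMTP_CLEAN;
}

/* Scan a client-side session transcript. Lines between DATA and the lone "."
   are message body, not commands, and are skipped. Returns flagged line count. */
int count_suspicious_lines(const char *const *lines, size_t n)
{
    int flagged = 0, in_data = 0;
    for (size_t i = 0; i < n; i++) {
        if (in_data) {
            if (strcmp(lines[i], ".") == 0) in_data = 0;
            continue;
        }
        if (has_verb(lines[i], "data")) { in_data = 1; continue; }
        if (classify_smtp_line(lines[i]) != SMTP_CLEAN) flagged++;
    }
    return flagged;
}

/* Constructed sample session in the shape of the worm's sendmail attack:
   DEBUG, a pipe recipient whose sed strips the header before /bin/sh,
   and a body that is really a shell script. */
static const char *const sample_session[] = {
    "debug",
    "mail from: </dev/null>",
    "rcpt to: <\"|sed -e '1,/^$/'d | /bin/sh ; exit 0\">",
    "data",
    "",
    "cd /usr/tmp",
    "cat > vector.c << 'EOF'",
    "(vector program source would follow here)",
    "EOF",
    "cc -o vector vector.c && ./vector",
    ".",
    "quit",
};

/* Flagged lines in the sample: the DEBUG verb and the pipe recipient. */
int suspicious_lines_in_sample(void)
{
    return count_suspicious_lines(sample_session,
                                  sizeof sample_session / sizeof sample_session[0]);
}

int main(void)
{
    printf("%d suspicious command lines in sample session\n",
           suspicious_lines_in_sample());
    return 0;
}
```

Tracking the DATA state matters: the body of the message is arbitrary text (here a shell script), and a scanner that ignored that would both miss nothing and raise false alarms on ordinary mail that happens to contain the word "debug" on a line of its own.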
Methods of Entry - rsh • Using a trusted-host entry or a cracked account, rsh gives a shell on the remote machine, after which the worm proceeds as with finger
Vector Program • Over the shell obtained through finger or sendmail, a short "vector" (bootstrap) program was sent as C source, compiled, and run on the victim • The vector program connected back to the infecting machine and received a Sun 3 binary, a VAX binary and the source of the vector program itself
Execution • Through the shell, the infecting host tries to build and run each received binary • If every attempt fails, all associated files are deleted • The connection with the infecting host is then closed • The new worm obscures its argument vector (calling itself 'sh'), deletes its binary from disk and kills its parent
Execution • A list of candidate victim machines is compiled from /etc/hosts.equiv, /.rhosts, users' .forward files and the interfaces and routes reported by netstat • After an account is cracked, that user's .rhosts is read as well • Attempts were then made to reach these machines through finger and sendmail
"Cracksome" • Passwords were guessed for the accounts in /etc/passwd; the hashes were world-readable, so the guessing ran offline against the hash field • First, naive guesses such as (null), account, accountaccount, User, Name, user, name and tnoucca (the login name reversed) • Second, an internally stored list of 432 words • Third, every word in /usr/dict/words
Entry with user and password • Once a password is obtained, rexec and rsh are used to log in to the remote machines associated with that user • The worm then proceeds as with finger and sendmail • Oddly, telnet was only used to check whether a host was reachable
Pleasequit? • Throughout execution, the worm checked for another worm already running on the machine; if one was found, it set the pleasequit variable so that it would exit later on • One run in seven skipped this check and became "immortal"
Camouflage - External • The executable was named sh • Periodically, the worm would fork and the parent would exit, so no process lived long under one process id • The executable was deleted from disk after execution started • Core dump size was set to 0 • All associated files were deleted
Camouflage - Internal • Strings in the binaries were XORed with 0x81 • The internal password list had the high bit set on every byte (XOR with 0x80) • A magic number was exchanged with the vector program before the binaries were sent • "Random" file names
What Went Wrong – the Worm • Pleasequit didn't take effect immediately, leaving a large window during which the duplicate kept consuming resources • If several worms were on a machine, each check only ever detected one other, so the population never thinned out
What it didn't do • Root was usually not compromised • (Lesson) programs that need a privileged port should start as root, open the port, and immediately setuid to an unprivileged user such as "nobody" • The finger bug could have been exploited on Suns too; the worm only carried VAX code for it • It didn't spread to other networks • It didn't delete files or leave a time bomb
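The privilege-drop advice above is easy to get subtly wrong (groups left behind, a drop that is not permanent, the drop done after untrusted data is read). The following is an added example (not from the slides or from any BSD daemon) of the pattern on Linux: bind the port first, then drop supplementary groups, gid and uid in that order, then verify that root cannot be regained before any client data is read. The uid/gid 65534 for "nobody" in main() and the loopback-only bind are assumptions of this example.

```c
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/*
 * Permanently give up root: supplementary groups first, then gid, then uid
 * (after setuid() we could no longer change groups). Verify the drop by
 * trying to become root again; if that succeeds, we are still privileged.
 * Returns 0 on success, -1 (errno set) otherwise.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0) {       /* must fail once unprivileged */
        errno = EPERM;
        return -1;
    }
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/*
 * Bind and listen on `port` (a port below 1024 needs root), then drop to
 * uid/gid before any client data is read. Returns the listening fd or -1.
 * Port 0 asks the kernel for an ephemeral port, handy for unprivileged tests.
 */
int listen_then_drop(uint16_t port, uid_t uid, gid_t gid)
{
    struct sockaddr_in addr;
    int one = 1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0 ||
        listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    /* The only privileged step is done; everything after this runs as uid. */
    if (drop_privileges(uid, gid) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    uint16_t port = argc > 1 ? (uint16_t)atoi(argv[1]) : 79;   /* finger */
    /* 65534 is the conventional uid/gid of "nobody" on many systems (assumed
       here; a real daemon would look the name up with getpwnam()). */
    int fd = listen_then_drop(port, 65534, 65534);
    if (fd < 0) {
        perror("listen_then_drop");
        return 1;
    }
    printf("listening on port %u as uid %u\n", port, (unsigned)getuid());
    /* accept()/read loop would follow; requests are now parsed unprivileged */
    close(fd);
    return 0;
}
```

With this ordering a bug like the fingerd overflow still yields a shell, but one running as the unprivileged user, which is the bound on damage the slide is arguing for.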
Odd Things of Note • Messages to ernie.berkeley.edu • "From disassembling the code, it looks like the programmer is really anally retentive about checking return codes, and, in addition, prefers to use array indexing instead of pointers to walk through arrays." • The messages to ernie used TCP, not UDP; was the program finished?
What Went Wrong – the People • Easily guessed passwords • Bad administration (sendmail debug left on, permissive .rhosts) • Bad programming (finger) • Attempts at stopping it were slowed by the ultimate DoS attack: people disconnected. Email took hours to get through, even between machines that stayed connected
What Went Right – the People • People used the phone and stayed up all night • The temporary fix that worked best was mkdir /usr/tmp/sh, which kept the worm from creating its 'sh' executable • The real fix was to change user passwords and patch the holes
Outcome • Robert T. Morris was convicted of violating the Computer Fraud and Abuse Act (18 U.S.C. § 1030), and sentenced to three years of probation, 400 hours of community service, a fine of $10,050, and the costs of his supervision.
Outcome • At the time of this presentation he was an assistant professor at MIT, http://www.pdos.lcs.mit.edu/~rtm/ • Robert T. Morris is Robert T. Morris Jr., son of Robert Morris Sr., then chief scientist of the National Computer Security Center (NCSC), the part of the NSA responsible for computer security evaluation • The Computer Emergency Response Team (CERT) was formed in response to the incident
References • Eugene Spafford, "The Internet Worm Incident" • Mark Eichin and Jon Rochlis, "With Microscope and Tweezers" • RFC 1135, "The Helminthiasis of the Internet" • www.worm.net • Cliff Stoll, The Cuckoo's Egg • http://www.2600.com/phrack/p49-14.html