slide1 n.
Skip this Video
Loading SlideShow in 5 Seconds..
The Internet Worm: Crisis and aftermath Presented by :Dheeraj Segapalli PowerPoint Presentation
Download Presentation
The Internet Worm: Crisis and aftermath Presented by :Dheeraj Segapalli

Loading in 2 Seconds...

play fullscreen
1 / 20

The Internet Worm: Crisis and aftermath Presented by :Dheeraj Segapalli - PowerPoint PPT Presentation

  • Uploaded on

The Internet Worm: Crisis and aftermath Presented by :Dheeraj Segapalli. References. E. Spafford, "The Internet Worm: Crisis and Aftermath," Communications of the ACM , vol. 32, no. 6, June 1989, pp. 678-682. Contents. Introduction to Morris Internet worm

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'The Internet Worm: Crisis and aftermath Presented by :Dheeraj Segapalli' - nerice

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
The Internet Worm:

Crisis and aftermath

Presented by :Dheeraj Segapalli


E. Spafford, "The Internet Worm: Crisis and Aftermath," Communications of the ACM, vol. 32, no. 6, June 1989, pp. 678-682.

  • Introduction to Morris Internet worm
  • Difference between worm and virus
  • Flaws
  • Function of the worm
  • Aftermath of the Morris worm
  • Conclusion
  • On the evening of 2 November 1988, someone infected the Internet with a wormprogram.
  • That program exploited flaws in utility programs in systems based on BSD-derived versions of UNIX
  • This program eventually spread to thousands of machines, and disrupted normal activities and Internet connectivity for many days
  • One of the most noticeable effect was that systems became more and more loaded with running processes as they became repeatedly infected.
virus vs worm
Virus Vs Worm
  • A virus is a piece of code that adds itself to other programs, including operating systems
  • Virus cannot run independently, host program is required to run it.
  • Alters system file or any other file that is to be used in future.
  • until the user (inadvertently) activates the virus or the altered file is called, the virus is unable to do any activity
  • It needs to be carried from one computer to another.
  • A wormis a program that can run by itself and can propagate a fully working version of itself to other machines.
  • When a worm gains access to a computer (usually by breaking into it over the internet) it launches a program which searches for other internet locations, infecting them if it can.
  • At no time does the worm need user assistance in order to operate its programming.
flaws and misfeatures
Flaws and Misfeatures

Fingered and gets

The finger program is a utility that is used to find the information of the other users

The bug exploited to break fingerd involved overrunning the buffer the daemon used for input.

  • The gets call takes input to a buffer without doing any bounds checking; this was the call exploited by the Worm.

Send Mail: The sendmail program is a mailer designed to route mail in a heterogeneous internet work.

  • The program operates in a number of modes, but the one of most interest is when it is operating as a daemon process. In this mode, the program is ‘‘listening’’ on a TCP port (#25) for attempts to deliver mail using standard Internet protocols, principally SMTP (Simple Mail Transfer Protocol).
  • When such a request is detected, the daemon enters into a dialog with the remote mailer to determine sender, recipient, delivery instructions, and message contents.
  • The bug exploited in sendmail had to do with functionality provided by a debugging option in the code.
  • First, it sets it's own the "zeroth" argument to sh. Which changes the process name of the running worm to sh.
  • This is the same process name as a Bourne Shell, which is a common process used by users to input data into their terminals
  • Worm does is set the maximum core dump size to zero bytes
  • The worm also reads the current time at this point and stores this for seeding the random number generator
  • It is believed that it might have been executed with the -p flag, followed by a decimal number
  • The worm uses the names of the object files that it needs in order to operate at full capacity in the rest of the command line arguments.
  • If it fails to load any one of these object files, the worm quits
initialization measures
Initialization Measures
  • The Worm then checks to see that it has successfully loaded the file l1.c.
  • This is the file that the Worm will use later to infect other systems

erases the text of the argument array to further hide any evidence of it's presence.Worm then scans the network interfaces of the machine it is on, getting the flags and addresses of each interface

  • The worm loads the network mask which allows the Worm to determine what internet address are used by the local network.
  • The Worm then kills the process given in the -p option changing the current process group to avoid killing itself
doit routine
DoIt routine
  • Once the Worm enters the doit routine, it runs a series of procedures designed to search for and connect to other hosts
  • Using a random number (seeded by the current time), the Worm then determines whether or not to check for itself. There is a one in seven chance that it will not.
  • If the Worm does not check for itself, it will go ahead and continue. This one in seven chance was originally added to make the Worm more difficult to kill
  • The first copy of the Worm on any one machine would check for itself; all subsequent copies skip the test entirely
  • Then the worm proceeds to PRIMARY LOOP of the program
the infect routine
The Infect Routine
  • This routine is used by the Worm to infect target machines with copies of itself. It runs 3 of the 4 attack routines
  • The tasks of this routine are:
  • Make sure that it hasn't just been asked to infect the machine that the Worm is currently running on
  • Make sure that the host it is asked to infect is not marked as immune from previous attempts
  • makes sure that the address it was given to infect actually exists
  • Finally, begins the assault .
  • First if calls other_sleep with an argument of 1, then it attempts its attack routines. In order of preference, the attacks are:Try_rsh :
  • Create duplicate process to remotely execute on the target machine.
  • If it succeeds then it returns file descriptors to main worm to receive new worm process.
  • This function has no protection against overwriting the buffer into which it reads the argument string.The Worm calls fingerd with a 536 character argument.
  • This overwrites the 512 character buffer of the fingerd function.
  • The additional 24 characters end up overwriting the system stack which controls next opening up command interpreter functions which the worm then uses to pull itself the target system.


  • If either of the first two techniques succeed, the routine sendWorm is called which sends a set of object files to the target machine, including the program l1.c, which then opens a connection to the original Worm, allowing the Worm to create a duplicate process in the new machine, which begins its life as before.
When the program was being designed, a DEBUG flag was included with it in order to facilitate testing of the program.
  • One of the capabilities of this flag was that it allowed someone to send mail to a process, rather than a user account. when the program was finished and compiled for distribution, this feature was never removed.The worm takes advantage of this flag with a carefully constructed recipient string
  • This string sets up a command that deletes the header of the message being sent, passes the body of the message to a command interpreter to subsequently compile a copy of code that opens a connection and pulls a copy of the Worm process onto the new computer
cracking passwords
Cracking Passwords
  • The routine cracksome was called to break into user accounts with inadequate passwords
  • It consists of four phases

Phase 0

  • The Worm read through the file /etc/hosts.equiv, if it was present
  • The Worm then read through the file /.rhosts searching for other machines to break into at a later time
  • The Worm then reads in the file /etc/passwd
  • The Worm will then use the the /etc/passwd file to find personal .forward files, used to forward mail to other machines
Phase 1
  • At this point, the Worm begins serious work on breaking into user accounts
  • In each case, the worm will choose a possible password, encrypt it using its own encryption algorithm, and then compare the result against the encrypted password found in the /etc/passwd file.
  • The different password attempts in phase 1 are:
  • Null password
  • User name
  • Last name
  • First name
  • Reverse of last ,first names
  • second value in the GECOS string found in /etc/passwd. This is often a nickname
  • For every 500 accounts the worm calls the other-sleep function.
  • If the Worm is able to crack a password, it calls the attack-user function
Phase 2
  • The worm contains of small dictionary of passwords.
  • The words of this dictionary were encrypted and exclusive or'ed with hexadecimal 80 (128) in order to confuse people trying to decompile the program.
  • After the entire Worm dictionary is checked, the Worm proceeds on to phase 3.
  • Phase 3
  • As a last resort, the Worm would open up the file /usr/dict/words, which is a huge file on most systems forming an on line dictionary .
  • After the entire dictionary had been tested, the flow of control would return to the main loop in the doit function
other sleep function
Other_sleep function
  • It was this function that was in charge of detecting other worms in the system and this was called with an integer as its argument
  • checks the global variable other_fd, if negative it waits until the time specified by the argument otherwise, listen for the presence of other worms.
  • The pleasequit variable was the indicator that the Worm was supposed to quit at the end of its next cycle of doit. However, this still means that the Worm must finish up everything that it was doing before it will even consider quitting.

Flaws in other_sleep

  • If several Worms infected a clean machine at once, all of them would attempt to look for listening worms .
  • If several Worms started at once in the presence of a running Worm, and the running Worm looses in the decision as to which process quits
  • If a machine is heavily loaded (which happened quite a bit under the influence of the Worm) it could cause too much lag time to occur between the exchange of "magic numbers" between two Worms
  • Morris chose to make pleasequit percentage of Worms 1 in 7 .
aftermath the morris worm
Aftermath the Morris worm
  • Following measures are necessary:
  • First, access to certain files should be only granted to those who need access
  • variety of different computers running on their network
  • sharing of research
  • Beware of reflex reactions to computer problems
  • It is clear from the code that the worm was deliberately

designed to do two things infect as many machines as possible,

and be difficult to track and stop.

  • The code was apparently unfinished
  • There were many bugs and mistakes in the code
  • It does contain clever exploitations of different

flaws in system utilities