The Internet Worm Crisis and Aftermath Miyu Nakagawa Cameron Smithers Ying Han
Introduction • On November 2, 1988, the Internet came under attack from within. • Sometime after 5 p.m., a worm program was executed on one or more hosts connected to the Internet. • This program collected host, network, and user information, then exploited bugs present in those systems’ software. • After breaking in, the program would replicate itself, and the replica would attempt to infect other systems in the same manner.
Introduction • On November 3, 1988, personnel at the University of California at Berkeley and the Massachusetts Institute of Technology (MIT) had “captured” copies of the program and begun to analyze it. • By 5 a.m., less than 12 hours after the program was first discovered on the network, the Computer Systems Research Group at Berkeley had developed a set of steps to temporarily halt its spread.
Introduction • The suggestions were published on mailing lists and on Usenet. • By about 9 p.m., another simple, effective method of stopping the invading program, without terminating system utilities, was discovered at Purdue and also widely published. • Software patches were posted by the Berkeley group at the same time to mend all the flaws that enabled the program to invade systems.
How the Worm Operated • The worm took advantage of: • flaws in standard software installed on many UNIX systems. • a mechanism used to simplify the sharing of resources in a LAN.
How the Worm Operated • There are three main attacks of the worm: • Finger program • Sendmail program • Password mechanism
Finger Program • The finger program is a utility that allows a user to obtain information about other users. • The finger program is intended to run as a daemon, or background process. • This daemon program accepts connections from remote programs, reads a single line of input, and sends back output.
Finger Program • The worm broke the fingerd program by overrunning the buffer the daemon used for input. • The standard C language I/O library has a few routines that read input without checking for bounds on the buffer involved, such as the gets() call. • The worm exploited this gets() call. • The input overran the buffer allocated for it and rewrote the stack frame, which altered the behavior of the program.
Sendmail Program • The sendmail program is a mailer designed to route mail in a heterogeneous network. • The sendmail daemon listens on a TCP port, sending and receiving electronic mail to and from other servers. • When a remote mailer connects, the daemon enters into a dialog with it to determine sender, receiver, delivery instructions, and message contents.
Sendmail Program • The worm broke the sendmail program by using the debugging option in the code. • First, it would issue the DEBUG command to sendmail and then specify a set of commands instead of a user address. • This is only allowed when the debugging option is enabled. • Using this option, testers can run programs to display the state of the mail system without sending mail or establishing a separate login connection.
Passwords • The password mechanism was the key attack of the worm. • The worm was able to determine passwords because the encrypted password of each user was in a publicly readable file.
Passwords • Password mechanism in UNIX systems (diagram): the password entered is encrypted with the standard algorithm, and the encrypted result is compared with the previously encrypted password stored for that user. • When a match occurs, access is allowed.
Passwords • The worm took advantage of the accessibility of the password file and the fact that users tend to choose common words as their password. • The worm encrypted lists of common words, including the standard online dictionary, using a fast version of the password algorithm and then compared the result against the contents of the password file. • Some sites reported that over 50% of their passwords were quickly broken by this simple approach.
Passwords • Ways to reduce the risk of such attacks: • to have a shadow password file. • save the encrypted password in a shadow file that is readable only by the system administrators, and have a privileged call perform password encryptions and comparisons with an appropriate timed delay. • to add a mechanism to check for repeated password attempts from the same process, resulting in some form of alarm being raised.
Passwords • to change the utility that sets user passwords. • The program could be strengthened in such a way that it would reject any choice of a word currently in the online dictionary or based on the account name.
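The two mitigation slides above describe two checks that a site could implement: detecting accounts whose encrypted password still sits in the world-readable password file instead of a shadow file, and a password-setting utility that rejects dictionary words and choices based on the account name. The C below is an added example written for this page, not code from the slides or from any UNIX vendor. The five-word dictionary, the passwd-style sample lines, the 13-character hash-looking string and the function names are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed mini dictionary standing in for the online word list the slides mention. */
static const char *DICTIONARY[] = { "password", "secret", "computer", "welcome", "dragon", NULL };

typedef enum { PW_OK, PW_DICTIONARY, PW_ACCOUNT_NAME, PW_TOO_SHORT } pw_verdict;

/* Lowercase copy of in into out (cap includes the NUL). */
static void to_lower_copy(const char *in, char *out, size_t cap)
{
    size_t i = 0;
    for (; in[i] != '\0' && i + 1 < cap; i++)
        out[i] = (char)tolower((unsigned char)in[i]);
    out[i] = '\0';
}

static void reverse_inplace(char *s)
{
    size_t n = strlen(s);
    for (size_t i = 0; i < n / 2; i++) {
        char t = s[i]; s[i] = s[n - 1 - i]; s[n - 1 - i] = t;
    }
}

/* Hypothetical check for a password-setting utility: refuse dictionary words,
 * anything containing the account name (forwards or reversed), and short choices. */
pw_verdict check_password(const char *account, const char *candidate)
{
    char lc[128], acct[64], racct[64];
    to_lower_copy(candidate, lc, sizeof lc);
    to_lower_copy(account, acct, sizeof acct);

    for (const char **w = DICTIONARY; *w != NULL; w++)
        if (strcmp(lc, *w) == 0)
            return PW_DICTIONARY;

    if (acct[0] != '\0') {                     /* guard: strstr(x, "") always matches */
        strcpy(racct, acct);
        reverse_inplace(racct);
        if (strstr(lc, acct) != NULL || strstr(lc, racct) != NULL)
            return PW_ACCOUNT_NAME;
    }

    if (strlen(lc) < 8)
        return PW_TOO_SHORT;
    return PW_OK;
}

typedef enum { PWF_SHADOWED, PWF_LOCKED, PWF_EMPTY, PWF_EXPOSED, PWF_MALFORMED } passwd_field_state;

/* Classify the second field of a passwd(5)-style line: an 'x' means the hash lives
 * in the shadow file; '*' or '!' means the account is locked; an empty field means
 * no password at all; anything else is an encrypted password readable by everyone. */
passwd_field_state passwd_line_state(const char *line)
{
    const char *f1 = strchr(line, ':');
    if (f1 == NULL)
        return PWF_MALFORMED;
    const char *start = f1 + 1;
    const char *f2 = strchr(start, ':');
    size_t len = f2 != NULL ? (size_t)(f2 - start) : strlen(start);

    if (len == 0)
        return PWF_EMPTY;
    if (len == 1 && start[0] == 'x')
        return PWF_SHADOWED;
    if (len == 1 && (start[0] == '*' || start[0] == '!'))
        return PWF_LOCKED;
    return PWF_EXPOSED;
}

/* Constructed sample lines (not a real password file; the hash string is made up). */
static const char *SAMPLE_PASSWD[] = {
    "root:x:0:0:root:/root:/bin/sh",
    "alice:Nl9cm2xBsyK1o:1001:1001:Alice:/home/alice:/bin/sh",
    "guest::1002:1002:Guest:/home/guest:/bin/sh",
    "backup:*:1003:1003:Backup:/var/backup:/bin/sh",
    NULL
};

int main(void)
{
    for (const char **l = SAMPLE_PASSWD; *l != NULL; l++)
        printf("%-8.8s exposed=%d\n", *l, passwd_line_state(*l) == PWF_EXPOSED);
    printf("secret -> %d, Tr0ub4dor&3x -> %d\n",
           check_password("alice", "secret"), check_password("alice", "Tr0ub4dor&3x"));
    return 0;
}
```

The dictionary test here is an exact match; the “Password Exploit” slide notes that the worm also tried permutations of dictionary words, so a production checker would apply the same transformations before comparing.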
Passwords • The worm also took advantage of the use of trusted logins. • In a UNIX system, it is possible for a user to specify a list of host/login name pairs that are assumed to be ‘trusted’, in the sense that a remote access from that host/login pair is never asked for a password.
Passwords • The worm used this mechanism. • Once the worm found such likely candidates, it tried to instantiate itself in those machines by using the remote execution facility.
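The trusted-login mechanism described in the two slides above is configured through host/login pair lists (the .rhosts and hosts.equiv files). The C below is an added example for this page, not code from the slides: an audit routine that parses such a list and counts the entries that grant passwordless access most broadly, which is what an administrator would want to review after reading these slides. The file contents are constructed; the report structure and function name are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Summary of one host/login pair list (hypothetical structure for this example). */
typedef struct {
    int entries;    /* non-comment, non-blank lines seen */
    int wildcards;  /* entries using '+' for the host or the login (trust anyone) */
    int host_only;  /* entries naming a host with no login field */
} rhosts_report;

/* Scan .rhosts / hosts.equiv style text: each line is "host [login]",
 * '#' starts a comment, and '+' is the wildcard that matches any host or user. */
rhosts_report audit_rhosts(const char *text)
{
    rhosts_report r = { 0, 0, 0 };
    char line[256];
    const char *p = text;

    while (*p != '\0') {
        size_t n = strcspn(p, "\n");
        size_t copy = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, p, copy);
        line[copy] = '\0';
        p += n;
        if (*p == '\n')
            p++;

        char host[128], user[128];
        int fields = sscanf(line, "%127s %127s", host, user);
        if (fields < 1 || host[0] == '#')
            continue;                       /* blank or comment line */

        r.entries++;
        if (strcmp(host, "+") == 0 || (fields == 2 && strcmp(user, "+") == 0))
            r.wildcards++;
        else if (fields == 1)
            r.host_only++;
    }
    return r;
}

/* Constructed sample list, not a real file. */
static const char *SAMPLE_RHOSTS =
    "# constructed sample\n"
    "gateway.example.edu alice\n"
    "+ alice\n"
    "\n"
    "lab2.example.edu\n";

int main(void)
{
    rhosts_report r = audit_rhosts(SAMPLE_RHOSTS);
    printf("entries=%d wildcards=%d host_only=%d\n", r.entries, r.wildcards, r.host_only);
    return 0;
}
```

Any non-zero wildcard count is the finding to act on: a '+' entry extends the passwordless trust the slides describe to every host or every user, so one compromised account anywhere becomes a login everywhere that list applies.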
General Overview of Worm • Targeted Sun 3 systems and VAX systems running 4 BSD • Worm targets a host until 1 of 3 attacks succeeds. • /bin/sh shell is obtained • Can parse instructions over the network • Worm compiles & executes ‘bootstrap’ program on host
General Overview of Worm • Bootstrap connects back to worm, downloads worm objects • Worm connects to host, links worm objects together, runs worm • Searches for new hosts to infect, cracks passwords in /etc/passwd, infects new hosts
Finger Exploit • Attacked only Sun 3 systems running the finger daemon • Buffer overflow through the gets() library call • Stack was overwritten • Exec() system call was executed, replacing the fingerd process with a /bin/sh shell • Fingerd turned into a shell
Sendmail Exploit • Debug feature parses commands • Relied on lazy sysadmins • Command to execute /bin/sh shell was fed to sendmail • Sendmail daemon turned into a shell
Password Exploit • /etc/passwd file was world readable • Contained pairs of username + password hashes • Dictionary passwords and permutations were fed into a hash function • If any matched, the password was cracked
Password Exploit • Obtain privileges of a user using his or her password • Open certain files to discover new hosts • Connect to hosts using ‘passwordless’ rsh • Relied on the principle of users having only one password • On success, a shell was obtained
Bootstrap Stage • Once the shell was obtained, finger, sendmail, and password cases are all the same • Infecting computer compiles and executes bootstrap program • Establishes connection back to worm, gets object files for two architectures, source for bootstrap program
Bootstrap Stage • Turn into a shell with exec() • Worm instructs to link correct object to run on architecture • The worm on the host computer is then executed
Operation of Worm (initialize) • Hides its own execution to ensure survival • Delete arguments after copying them to another buffer to prevent displaying • Change process name to 'sh' • Kill the parent process • Unlink program binary file
Operation of Worm (initialize) • Read worm objects and bootstrap source file in from stored arguments • Solves problem of replicating itself • Discover currently connected hosts, sort for priority • 1) Gateways • 2) Hosts on local net • 3) Hosts on other nets
Operation of Worm (initialize) • Tries to attack other hosts • Send shell instructions to host, compile and execute bootstrap • Listen on socket for host to connect back • Send worm object files and bootstrap to host • Send shell instructions to execute worm • Mark host as “infected”, otherwise “can’t infect”
Operation of Worm (Main loop) • Read /etc/passwd password file • When another copy of the worm is discovered • Communicate with other worm, randomly decide who will quit • Attack passwords with dictionary and random attacks using hash function • Discover more hosts in files using username / password information • Attack hosts as on the previous slide • Watch time, clear host flags of “can’t infect” and “infected” every 12 hours • Go to beginning of loop
Operation of Worm • Time divided between cracking passwords and attacking new hosts • Cracking passwords could take a very long time with complicated passwords, maybe forever • Population control • Distributed nature requires balance • Attempts to prevent discovery of its execution and of the worm code
Aftermath • The Internet worm was huge at the time • First of its kind • Around 6000 major UNIX machines were infected (around 10% of the Internet) • The worm caused machines to operate at close to their capacity • Important nation-wide gateways were shut down
Who? • Identified as Robert T. Morris by the New York Times • 23-year-old doctoral student at Cornell University at the time • His father was the National Computer Security Center’s chief scientist (NSA) • Morris released the worm from MIT to conceal the fact that it was from Cornell
Why? • Much speculation at the time on his motive • Worm contained no code to cause any damage to systems • Worm had no code to stop its own spread • True motive: • to use it as a tool to gauge the size of the Internet
Consequences • Some people think Morris should not have been punished • the system administrators or operators should have been punished instead • Morris was the first person to be indicted under the Computer Fraud and Abuse Act of 1986 • Sentenced to three years’ probation, a fine of $10,050, and 400 hours of community service
Consequences • Morris received his Ph.D. in computer science from Harvard University in 1999 • Morris is now a professor at MIT
Effects • Establishment of Computer Emergency Response Team (CERT) by Defense Advanced Research Projects Agency (DARPA) at the Software Engineering Institute at Carnegie Mellon University • Worm made people think more about ethics and laws concerning access to computers