1 / 26

C risis And A ftermath

C risis And A ftermath. Eugene H. Spafford 발표자 : 손유민. C ontents. Introduction How the worm operated Crisis and Aftermath. W hat is worm?. Worm - self-replicating computer program - propagate over the network - run without user intervention - cause serious harm to the network &

holleb
Download Presentation

C risis And A ftermath

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Crisis And Aftermath Eugene H. Spafford 발표자: 손유민

  2. Contents • Introduction • How the worm operated • Crisis and Aftermath

  3. What is worm? • Worm - self-replicating computer program - propagate over the network - run without user intervention - cause serious harm to the network & system resources

  4. Compare of Worm vs. Virus

  5. Morris Worm • When: November 2, 1988 • Where: MIT • What happened? - Infect Sun 3 systems and VAX computer running variants of 4 BSD UNIX ⇒ Systems became so loaded that they were unable to continue any processing!!!

  6. How the worm operated • Took advantage of ① the flaws in standard s/w installed on UNIX - fingered - sendmail - password mechanism ② a mechanism used to simplify the sharing of resources in local area networks - rsh, rexec

  7. Fingered • Finger - UNIX daemon which allows users to obtain information about other user over TCP/IP - The worm broke fingered program by “buffer overrun” - The worm exploited gets() call - Causes the program to return to worm program code → The worm can run alone!!

  8. Sendmail • Sendmail - mailer program to route mail in a heterogeneous network • By debug option, tester can run programs to display the state of the mail system without sending mail or establishing a separate login connection • Worm use debug option to invoke set of commands instead of user address

  9. Password Mechanism in UNIX • Password mechanism - When user log-on ① Insert password ② User-provided password is encrypted ③ Compare to previously encrypted password ④ If match, we get a accessibility

  10. Rsh & Rexec • rsh and rexec are remote command execution services ① rsh - client IP, user ID ② rexec - user ID, Password

  11. High-level Description • Main program - Collects information on other machines in the network - Reading public configuration files - Running system utility programs • Vector program - Program which install main program - Connects back to the infecting machine, transfers the main worm binary - Deleted automatically

  12. Step 1. • Socket for Vector program - A socket was established - Randomly generates - Challenge string - Magic number - Random file name

  13. Step 2. • Vector program

  14. Step 3. • File Transfer - Vector program connects to the server - Transfer 3 files - Worm: ① Binary for Sun 3 ② Binary VAX machine - Source code of vector program - The running vector program becomes a shell with its input, output connected to the server

  15. Step 4. • Infect Host - For each object files, the worm tires to build an executable object - If successively execute, the worm kills the command interpreter and shuts down the connect - Otherwise it clear away all evidence of the attempt at infection

  16. Step 5. • Hide Worm - New worm hides itself - Obscuring its argument vector - Unlinking the binary version of itself - Killing its parent - Read worm binary into memory and encrypt - And delete file from disk

  17. Step 6. • Gathering Information - The worm gathers information - Network interface - Hosts to which the local machines was connected - Using ioctl, netstat - It built lists of these in memory

  18. Step 7. • Reachability - Tries to infect some from the list - Check reachability using telnet,rexec

  19. Step 8. • Infection Attempts - Attack via rsh - /usr/bin/rsh, /bin/rsh (without password checking) - If success, go to Step 1 and Step 2.1

  20. Step 8. (Cont’d) • Infection Attempts - Finger - Connects to finger daemon - ① Passes specially constructed 536 bytes ② buffer overflow ③ stack overwritten ④return address changed - execve(“/bin/sh”, 0 , 0) - If success, go to Step 1 and Step 2.1

  21. Step 8. (Cont’d) • Infection Attempts - Connection to SMTP (sendmail) - Step 2.2

  22. Step 9. • Password Cracking - ① Collect information - /etc/hosts.equiv and /.rhosts - /etc/passwd - .forward - ② Cracking passwd using simple choices - ③ Cracking passwd with an internal dictionary of words - ④ Cracking passwd with /usr/dict/words

  23. Step 10. • When Password Broken - Brake into remote machines - Read .forward, .rhosts of user accounts - Create the remote shell - Attempts to create a remote shell using rexec service - rexec to current host then try rsh command to remote host

  24. Characteristics • Checks if other worms running - One of 7 worms become immortal • Fork itself and Kill parent - No excessive CPU time • Change pid, scheduling priority • Re-infect the same machine every 12 hours • There are no code to explicitly damage any system and no mechanism to stop

  25. Aftermath • Morris Worm is the first worm • Around 6000 major UNIX machines were infected ( 10% of the network at that time) • Important nation-wide gateways were shutdown • Topic debated - punishment

  26. Aftermath • Robert T. Morris arrested - Says he just wanted to make a tool to gauge the size of the internet - 3 years of probation, a fine($10,050), community service(400 hours) • CERT(Computer Emergency Response Team) was established

More Related