Internet Worm

Transcript of Internet Worm

  • 8/14/2019 Internet Worm

    Ian Sommerville 2004 Software Engineering Case Studies Slide 1

    The Internet Worm

    Compromising the availability and reliability of systems through security failure

    What happened

    • In November 1988, a program was deliberately released that spread itself throughout Digital VAX and Sun workstations across the Internet. It exploited security vulnerabilities in Unix systems.

    • In itself, the program did no damage but its replication and threat of damage caused extensive loss of system service and reduced system responsiveness in thousands of host computers.

    • This program has become known as the Internet Worm.

    • This was the first widely distributed Internet security threat.

    Terminology

    • A worm: This is a program that can autonomously spread itself across a network of computers.

    • A virus: This is a program that can spread itself across a network of computers by attaching itself to some other program or document.

    • A trapdoor: This is a vulnerability in a program that allows normal security controls to be bypassed.

    Consequences of the worm

    • Strange files appeared in systems that were infected.

    • Strange log messages appeared in certain programs.

    • Each infection caused a number of processes to be generated. As systems were constantly re-infected, the number of processes grew and systems became overloaded.

    • Some systems (1000s) were shut down because of the problems and because of the unknown threat of damage.

    Worm description

    • Program was made up of two parts

      - A main program that looked for other machines that might be infected and that tried to find ways of getting into these machines;

      - A vector program (99 lines of C) that was compiled and run on the infected machine and which then transferred the main program to continue the process of infection.

    • Security vulnerabilities

      - fingerd - an identity program in Unix that runs in the background;

      - sendmail - the principal mail distribution program;

      - Password cracking;

      - Trusted logins.

    fingerd

    • Written in C and runs continuously.

    • C does NOT have bounds checking on arrays. fingerd expects an input string but the writer of the worm noticed that if a longer string than was allowed for was presented, this overwrote part of memory.

    • By designing a string that included machine instructions and that overwrote a return address, the worm could invoke a remote shell (a Unix facility) that allowed privileged commands to be executed.
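
The missing bounds check described on this slide, as an added C example that is not from the original slides or from fingerd's source: an unchecked line copy next to a bounded one that rejects oversized requests. The function names and the 512-byte `REQ_MAX` are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

#define REQ_MAX 512   /* assumed request buffer size, for illustration */

/* Shape of the bug: copies up to the newline with no regard for the size
 * of dst. A longer request runs past the end of the array and, when dst is
 * a local variable, over the saved return address on the stack.
 * Shown for contrast only; nothing in this example calls it. */
void copy_line_unchecked(char *dst, const char *src)
{
    while (*src != '\0' && *src != '\n')
        *dst++ = *src++;
    *dst = '\0';
}

/* Hardened form: the caller states the capacity of dst, and an oversized
 * request is rejected rather than written out of bounds.
 * Returns the request length, or -1 if it does not fit. */
int copy_line_bounded(char *dst, size_t cap, const char *src, size_t src_len)
{
    const char *nl = memchr(src, '\n', src_len);
    size_t n = nl ? (size_t)(nl - src) : src_len;

    if (cap == 0 || n >= cap)
        return -1;               /* no room for the text plus terminator */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (int)n;
}

/* Hypothetical request handler with a fixed local buffer, as a daemon
 * reading one name per connection would have. */
int handle_request(const char *wire, size_t wire_len)
{
    char user[REQ_MAX];
    int n = copy_line_bounded(user, sizeof user, wire, wire_len);

    if (n < 0)
        return -1;               /* oversized request: drop it */
    return (int)strlen(user);    /* stand-in for the real lookup */
}
```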

    sendmail

    • sendmail routes mail and the worm took advantage of a debug facility that was often left on and which allowed a set of commands to be issued to the sendmail program.

    • This allowed the worm to specify that information should be transferred to new hosts through the mail system without having to process normal mail messages.

    Password cracking

    • Unix passwords are encrypted and, in the encrypted form, are publicly available in /etc/passwd.

    • The worm encrypted lists of possible passwords and compared them with the password file to discover user passwords.

    • It used a list of about 400 common words that were known to be used as passwords.

    • It exploited fast versions of the encryption algorithm that were not envisaged when the Unix scheme was devised.
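
A defender's check for the exposure this slide describes, as an added C example that is not from the original slides: it scans passwd-format lines and counts accounts whose password field holds hash material that any local user can read. The function names and sample lines are constructed; treating `x`, `*` and `!` as placeholders is an assumption that follows the shadow-password convention, which the slides do not cover.

```c
#include <stddef.h>
#include <string.h>

/* Returns 1 if the password field (second colon-separated field) of one
 * passwd-format line carries hash material, 0 if it is empty or a
 * placeholder, -1 if the line is malformed. */
int passwd_field_exposed(const char *line)
{
    const char *f1 = strchr(line, ':');
    if (!f1) return -1;
    const char *pw = f1 + 1;
    const char *f2 = strchr(pw, ':');
    if (!f2) return -1;
    size_t len = (size_t)(f2 - pw);

    if (len == 0) return 0;                   /* empty field: no hash here */
    if (len == 1 && *pw == 'x') return 0;     /* hash kept elsewhere (assumed) */
    if (*pw == '*' || *pw == '!') return 0;   /* locked or disabled account */
    return 1;
}

/* Walks a newline-separated buffer and counts exposed entries. Comment
 * lines, blank lines and lines of 256 bytes or more are skipped. */
int count_exposed(const char *text)
{
    int exposed = 0;
    while (*text) {
        const char *eol = strchr(text, '\n');
        size_t n = eol ? (size_t)(eol - text) : strlen(text);
        char line[256];
        if (n > 0 && n < sizeof line && text[0] != '#') {
            memcpy(line, text, n);
            line[n] = '\0';
            if (passwd_field_exposed(line) == 1)
                exposed++;
        }
        text += n + (eol ? 1 : 0);
    }
    return exposed;
}

/* Constructed sample; the two hash-like strings are made up. */
static const char SAMPLE_PASSWD[] =
    "root:ab01FAX.bQRSU:0:0:root:/:/bin/sh\n"
    "daemon:*:1:1:daemon:/:\n"
    "alice:x:100:100:Alice:/home/alice:/bin/sh\n"
    "bob:zzQ9hTr4mKp2E:101:100:Bob:/home/bob:/bin/csh\n";

int sample_exposed(void) { return count_exposed(SAMPLE_PASSWD); }
```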

    Trusted logins

    • On Unix, tasks can be executed on remote machines.

    • To support this, there is the notion of a trusted login so that if a login command is issued to machine Z from user Y in machine X then Z assumes that X has carried out the authentication and that Y is trusted; no password is required.

    • The worm exploited this by looking for machines that might be trusted. It did this by examining files that listed machines trusted by the current machine and then assumed reciprocal trust.
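
Why chained trust matters to a defender, as an added C example that is not from the original slides: given a table of which hosts accept password-free logins from which others, it computes how many hosts are exposed when a single host is compromised. The five-host table and the function name are constructed for illustration.

```c
#include <stddef.h>

#define NHOSTS 5

/* Constructed trust table: accepts[z][x] != 0 means host z accepts logins
 * from host x without a password (x is listed as trusted on z).
 * Hosts 0 and 1 trust each other, 2 trusts 1, 3 trusts 2, 4 trusts no one. */
static const int accepts[NHOSTS][NHOSTS] = {
    /* from:  0  1  2  3  4 */
    /* 0 */ { 0, 1, 0, 0, 0 },
    /* 1 */ { 1, 0, 0, 0, 0 },
    /* 2 */ { 0, 1, 0, 0, 0 },
    /* 3 */ { 0, 0, 1, 0, 0 },
    /* 4 */ { 0, 0, 0, 0, 0 },
};

/* Breadth-first walk over the trust relation. Sets out[h] to 1 for every
 * host reachable from `start` through a chain of password-free logins and
 * returns the number of exposed hosts, start included (0 if start is
 * out of range). */
int exposed_hosts(const int trust[NHOSTS][NHOSTS], int start, int out[NHOSTS])
{
    int queue[NHOSTS], head = 0, tail = 0, count = 0;

    for (int i = 0; i < NHOSTS; i++)
        out[i] = 0;
    if (start < 0 || start >= NHOSTS)
        return 0;

    out[start] = 1;
    queue[tail++] = start;
    while (head < tail) {
        int x = queue[head++];
        count++;
        for (int z = 0; z < NHOSTS; z++) {
            if (trust[z][x] && !out[z]) {   /* z trusts an exposed host */
                out[z] = 1;
                queue[tail++] = z;
            }
        }
    }
    return count;
}
```

With this table, a compromise of host 0 exposes four of the five hosts even though host 0 is directly trusted by only one of them.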

    Killing the worm

    • The main effects of the worm were in the US and system managers worked for several days to devise ways of stopping the worm.

    • These involved devising modifications to the programs affected so that the worm could not propagate itself, distributing these changes, installing them then rebooting infected machines to remove worm processes.

    • The process took several days before the net was cleared of infection.

    What we learned

    • Security vulnerabilities result from flaws and these will always be with us. Problems can be fixed but new problems can arise with new versions of software.

    • Diversity is good - we need a heterogeneous not a homogeneous network.

    • Isolationism is not the answer - those sites that disconnected from the network were amongst the last to resume service.

    The perpetrator

    • The perpetrator was a student at Cornell University.

    • He was discovered fairly quickly and charged.

    • His sentence was for a period of community service and a $10,000 fine

      - This was relatively light as the major thrust of his defence was that the program explicitly did not cause deliberate damage and, in fact, he had tried (but failed) to ensure that too many processes would not be generated on host machines.

    Warning

    • Students before and since this infection have been curious about security and have written experimental programs. Few of these students are wicked and many of them are very competent programmers.

    • However, the consequences of experiments that go wrong are now so great that network authorities do not distinguish between stupidity and malice. There are severe penalties for any experiments that compromise system security.

    Finding out more

    • Communications of the ACM, 32 (6), June 1989 has a number of articles on the Internet worm.

    • Computer-related Risks. P. G. Neumann, Addison Wesley 1995. A compendium of information about system failures that have compromised safety, security and reliability.

    • See Intranet web pages for links.