Upload: claude-hardy, posted 17-Jan-2018

Page 1: The Internet Worm Incident, Eugene H. Spafford. Attack Format – Worm vs. Virus. Attack Specifications – Worm operation – Infection and propagation. Topics

The Internet Worm Incident
Eugene H. Spafford

Attack Format
– Worm vs. Virus

Attack Specifications
– Worm operation
– Infection and propagation

Topics for Discussion
– Major security flaws that were exploited, etc.

Brief chronology of reaction

Page 2:

Attack Format: Worm vs. Virus

Worm:
– A program that can run independently and can propagate a fully working version of itself to other machines

Virus:
– Code that injects itself into other programs. It cannot run independently; its “host” program must run to activate it.

Page 3:

Worm Format

A worm is named by its method of propagation.
Worms are not necessarily bad! A worm wriggles from machine to machine, but could do useful work:
– Clean up
– Compare security experience across machines
– Accumulate application data related to people on a 24 hour schedule

Page 4:

Attack Specifications: Overview

Infected the Internet on November 2nd, 1988
Systems affected
– Unix BSD (4 variants)
• Sun Microsystems Sun 3
• DEC VAX systems

Note that one strength of the net (& computer systems in general) lies in heterogeneity

Page 5:

Attack Specifications: Overview (cont.)

Net community surprised at pervasiveness
– UVa was affected

Overall effect was heavily loaded machines -- they stopped doing productive work

End result
– Less than 5% of the machines on an insecure network were affected for less than a few days
– Slowed and occasionally crashed the infected machines

Page 6:

Generalized Worm Operation

Two main parts:
– Bootstrap or vector program
• Acts as a hook. It is injected first. It contacts the infected “server” and uploads the main program.
• It then compiles and runs the main program
– Main program
• Collected data on other networked machines to which the current machine could connect
• The main program then used 3 main attacks to infect other systems with the bootstrap

Page 7:

Main Program: Method of Attacks

Fingerd and gets
– Overran the finger command input buffer -- wrote the stack
– On VAX machines this resulted in a remote shell for the worm via the TCP connection by overwriting part of the stack.

Sendmail
– Issued a DEBUG option often left usable by administrators for testing the mail service. It gained access to the mail server and onto the system, then continued with infection of the system.
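As an added example (not from the slides and not the original fingerd source), the unbounded read the slide describes next to a bounded replacement; the request bytes are constructed here and stand in for the TCP stream, and the 512-byte buffer size is the one the 1988 fingerd used.

```c
/* Added example, not from Spafford's slides: a bounded reader for a
 * fingerd-style request line, in place of the unbounded gets() the 1988
 * fingerd used to fill a fixed-size stack buffer. The request comes from a
 * constructed in-memory byte string standing in for the TCP stream. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define REQ_MAX 512  /* size of the 1988 fingerd's input buffer */
enum req_status { REQ_OK, REQ_TOO_LONG, REQ_BAD_CHAR, REQ_INCOMPLETE };

/* Unsafe pattern, kept for contrast and never called: like gets(), it copies
 * to the newline with no bound, so a request longer than REQ_MAX bytes
 * writes past out[] into whatever sits above it on the stack. */
static void read_request_unsafe(const char *in, char out[REQ_MAX]) {
    size_t i = 0;
    while (in[i] != '\n' && in[i] != '\0') { out[i] = in[i]; i++; }
    out[i] = '\0';
}

/* Hardened reader: consumes in[0..inlen) up to LF or CRLF (finger sends
 * CRLF), stores at most cap-1 bytes plus NUL, accepts only printable ASCII,
 * and rejects rather than truncates an overlong request, since a silently
 * truncated name could resolve to a different account. */
enum req_status read_request_bounded(const char *in, size_t inlen,
                                     char *out, size_t cap) {
    size_t n = 0;
    if (cap == 0) return REQ_TOO_LONG;
    out[0] = '\0';
    while (n < inlen && in[n] != '\n') {
        if (in[n] == '\r' && n + 1 < inlen && in[n + 1] == '\n') break;
        if (n + 1 >= cap) { out[0] = '\0'; return REQ_TOO_LONG; }
        if (!isprint((unsigned char)in[n])) { out[0] = '\0'; return REQ_BAD_CHAR; }
        out[n] = in[n]; n++;
    }
    if (n == inlen) { out[0] = '\0'; return REQ_INCOMPLETE; } /* no line end */
    out[n] = '\0';
    return REQ_OK;
}

enum req_status classify_request(const char *req, char *out, size_t cap) {
    return read_request_bounded(req, strlen(req), out, cap);  /* NUL-terminated sample */
}

int main(void) {
    char user[REQ_MAX];
    enum req_status st = classify_request("spaf\r\n", user, sizeof user);
    printf("status=%d user=\"%s\"\n", st, user);  /* prints status=0 user="spaf" */
    return 0;
}
```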

Page 8:

Main Program: Method of Attacks (cont.)

Passwords
– Worm read through /etc/hosts.equiv and /.rhosts to find names of other machines
– Also read /etc/passwd and .forward for account information
– Then attempted to crack passwords using several different methods

Page 9:

Passwords

The worm first tried simple choices. For example: account, user name, tnuocca (account backwards), etc., including lowercase variations
Next it tested the passwords against an internal dictionary of 432 words
Finally, it tested the passwords against an online dictionary using upper and lower case variations
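An added example, not from the slides: a password-setting check that rejects the same classes of guesses the worm's first two stages tried (account-derived strings, their reversals, case variations, a small internal word list). The login name, GECOS full name and word list are constructed stand-ins; a deployed check would also consult the system word list the third stage used.

```c
/* Added example, not from Spafford's slides: rejects, at password-set time,
 * the classes of guesses the slides attribute to the worm's first two
 * stages (account-derived choices, case variations, a small internal word
 * list). The account fields and the word list are constructed stand-ins. */
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

#define MAX_FIELD 64

/* Stand-in for the worm's 432-word internal dictionary (constructed). */
static const char *small_dict[] = { "password", "wizard", "cornell", "unix", "guest", NULL };

enum weak_reason { WEAK_NONE, WEAK_EMPTY, WEAK_LOGIN, WEAK_LOGIN_REVERSED,
                   WEAK_NAME_WORD, WEAK_DICTIONARY };

/* Case-insensitive equality, since the worm tried upper/lower variants. */
static bool eq_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == '\0' && *b == '\0';
}

/* Writes the reverse of s into out (the "tnuocca" check). */
static void reverse_into(const char *s, char *out, size_t cap) {
    size_t n = strlen(s);
    if (n >= cap) n = cap - 1;
    for (size_t i = 0; i < n; i++) out[i] = s[n - 1 - i];
    out[n] = '\0';
}

/* Returns WEAK_NONE if pw survives every check the worm's guesses covered.
 * gecos_name is the full-name field of the passwd entry. */
enum weak_reason check_password(const char *login, const char *gecos_name,
                                const char *pw) {
    char tmp[MAX_FIELD];
    if (pw[0] == '\0') return WEAK_EMPTY;
    if (eq_nocase(pw, login)) return WEAK_LOGIN;
    reverse_into(login, tmp, sizeof tmp);
    if (eq_nocase(pw, tmp)) return WEAK_LOGIN_REVERSED;
    strncpy(tmp, gecos_name, sizeof tmp - 1);   /* each word of the full name */
    tmp[sizeof tmp - 1] = '\0';
    for (char *w = strtok(tmp, " "); w; w = strtok(NULL, " "))
        if (eq_nocase(pw, w)) return WEAK_NAME_WORD;
    for (const char **d = small_dict; *d; d++)
        if (eq_nocase(pw, *d)) return WEAK_DICTIONARY;
    return WEAK_NONE;
}
```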

Page 10:

Timeline

A long several days
Commenced 5pm, 2 November, 1988
Spread rapidly
– 8am (3 Nov) UVa CS machines fully loaded doing nothing
Systems started disconnecting from the net
Afternoon (3 Nov) sys admins exchanging attack-halt patches

Page 11:

Timeline (cont.)

11:30 pm (3 Nov) DCA inhibits mailbridges between ArpaNet and MilNet
Attack method getting to be understood
Software patches posted via mailing lists
Nov 4: Perpetrator identified, Robert Morris at Cornell
By Nov 8 (one week later), most machines were re-connected to the Net; traffic patterns were normal
– 3 weeks later some machines still not back

Page 12:

Hiding

Worm checked for copies of self
– attempted to connect to others via a predetermined TCP socket
– Told others to quit
One in 7 worms never checked -- ah, immortality
Worm forked and killed parent ==> one process ID did not appear to be the CPU time hog

Page 13:

Aftermath

Damage was loss of (stolen) resources
Motive was, I suppose, just to try it
Cornell Provost labels actions unethical -- suspended for a year
Debate at the time -- some considered hacking to be “ok” -- “it's there!”
Court case

Page 14:

Aftermath (cont.)

Worm halted because of informal communication between sys admins and the research community
Evidenced clear need for a community reaction capability
Prompted DARPA to create CERT -- Computer Emergency Response Team (CMU)