Crisis and Aftermath: Morris worm
Index
What is a worm?
Morris worm
4 exploited flaws: finger, sendmail, remote shell, password
Component
Algorithm: vector program, seeking another victim, cracking password, avoiding detection
Mistakes
Aftermath
What is a worm?
A self-replicating program designed to spread through the network.
Effects: data modification, system overload, stealing information.
What is different from a virus and a Trojan horse?
A virus needs an executable file to infect and spread.
A Trojan horse opens a backdoor while pretending to be a useful program.
Morris worm
The first internet worm ever, made in 1998.
Could only infect DEC VAX machines running 4BSD and Sun-3 systems.
Its original purpose was to measure the size of the internet.
One mistake caused huge chaos all over the network: 6000 computers were infected, about 10% of the computers connected to the network at that time.
The U.S. Government Accountability Office put the cost of the damage at $100,000–10,000,000.
4 exploited flaws - finger
Originally used to obtain information about other users.
Uses a flaw in the C library to overflow the input buffer, e.g. gets().
Writes 536 bytes to overrun fingerd's 512-byte buffer; the last 24 bytes end up overwriting the return address.
Result: a remote shell is invoked and privileged commands are executed.
Since it was unable to determine the victim's OS, Sun machines crashed instead.
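The bounded-read fix for the gets() overflow described above, as an added example written for this page (it is not code from the worm, from fingerd or from the slides); the 512-byte buffer and the 536-byte request are the slide's numbers, the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define FINGER_BUF 512   /* the 512-byte fingerd input buffer named on the slide */

/* Vulnerable pattern described on the slide (shown only as a comment, not compiled):
 *   char line[FINGER_BUF];
 *   gets(line);   // unbounded: a 536-byte request spills 24 bytes past the buffer
 */

/* Hardened reader: copies one request line from src into buf, never more than
 * buflen-1 bytes plus the terminator. Returns the number of bytes stored, or -1
 * if the line does not fit, so an oversized request is dropped rather than
 * written over the saved return address. The same bound is what
 * fgets(buf, buflen, stream) gives when reading straight from the socket. */
int read_request_line(const char *src, char *buf, size_t buflen)
{
    size_t i = 0;
    if (buflen == 0) return -1;
    while (src[i] != '\0' && src[i] != '\n') {
        if (i + 1 >= buflen) {      /* next byte would overrun buf: refuse */
            buf[0] = '\0';
            return -1;
        }
        buf[i] = src[i];
        i++;
    }
    buf[i] = '\0';
    return (int)i;
}

/* Replays the slide's numbers: a request of `len` bytes against a 512-byte buffer.
 * Returns 1 if the request was stored, 0 if it was rejected. */
int request_fits(size_t len)
{
    char request[1024];
    char buf[FINGER_BUF];
    if (len >= sizeof request - 1) return 0;
    memset(request, 'A', len);      /* constructed input: len bytes of filler */
    request[len] = '\n';
    request[len + 1] = '\0';
    return read_request_line(request, buf, sizeof buf) != -1;
}

int main(void)
{
    char buf[FINGER_BUF];
    printf("normal request stored %d bytes\n", read_request_line("alice\n", buf, sizeof buf));
    printf("536-byte request accepted: %d\n", request_fits(536));   /* 0 */
    return 0;
}
```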
4 exploited flaws - sendmail
Designed to send messages between processes.
Uses the DEBUG command to send a shell script and execute it on the host.
In normal mode this is not possible, but the debug option was left turned on for convenience.
Is this a matter of compiling in debug mode?
4 exploited flaws - remote shell
UNIX uses trusted login to avoid typing the password again and again.
Look at the remote machine's login list and assume reciprocal trust to find an appropriate target: if A trusts B, B trusts A.
4 exploited flaws - password
Access through fingerd only lets you run as the daemon.
The encrypted password file is readable, but it is not easy to decrypt.
However, comparing encrypted candidate words against the password file is possible: a dictionary attack to discover the password.
Component
Vector program: 99 lines of C code; downloads the main program.
Main program: retrieves information and looks for other machines to attack.
Vector program
1. A socket is established for the vector program.
2. The vector program gets installed and executed via a TCP connection (infected via rsh or finger) or an SMTP connection (infected via sendmail).
3. Connects to the server worm to download the following three files: the Sun-3 binary version of the worm, the VAX version of the worm, and the vector program source code.
4. The running vector becomes a shell and tries to compile each received file.
5. The server closes the connection if the host is infected.
Step 1 applies only to rsh and finger. In step 5 additional work is done.
Seeking another victim
6. Gathers information about connections and creates a list of connected local machines.
7. Randomizes the list and uses the telnet or rexec port to determine reachability.
8. Tries to infect the target with one of three methods: a. rsh, b. finger, c. sendmail. Stops as soon as any one succeeds.
Using a linear order here makes it seem somewhat less sophisticated.
Cracking password
9. Tries to break passwords and goes back to step 7 if it fails.
a. Find the names of equivalent hosts and add the account and password file into an internal data structure.
b. Attempt to break user passwords with simple guesses such as no password or variations on the account name.
c. Try passwords from the words in the internal dictionary.
d. Try the UNIX online dictionary.
10. Attempt to break into remote machines where the user had accounts.
a. Use the account name from 9.a and the cracked password to create a remote shell.
b. Use the local user name and password to try the rsh command.
Also called the "five states". d is only tried after everything else has failed.
Avoiding detection
The server disconnects from the vector program if it does not send the same magic number as before.
After the attempt to compile the main worm:
Fail: delete all object files.
Success: kill its parent, read all the worm binary files into memory, encrypt them and delete them.
Sometimes it kills itself and its parent.
This is to avoid looking like one process is holding the CPU for a long time and to raise its priority, but it is not perfect. Some also say it was meant to cast suspicion on Berkeley.
Mistakes
Worms meet on a predetermined TCP socket and randomly set the pleasequit variable to 1 to avoid multiple worms running on the same machine. However, the worm does not quit until step 9.c.
Some fail to connect because of heavily loaded machines.
Critically, one out of seven worms becomes immortal and does not look for other worms, so as not to be fooled by a fake worm's signal. So it overwhelmed victims' computers with multiple worms, causing serious problems.
It was supposed to send a packet to ernie.berkeley.edu, but it failed due to wrong code. Some also say this was meant to cast suspicion on Berkeley.
Aftermath
It did not delete system files, modify existing files, install Trojan horses, record or transmit decrypted passwords, capture superuser privileges, etc.
However, the huge overload caused by multiple worms caused chaos.
Robert T. Morris was caught and sentenced to three years of probation, 400 hours of community service, and a fine of $10,050 plus the costs of his supervision.