The Internet Worm Incident Eugene H. Spafford Attack Format –Worm vs. Virus Attack Specifications –Worm operation –Infection and propagaion Topics for Discussion –Major Security Flaws that were exploited, etc. Brief Chronology of reaction
Attack Format Worm vs. Virus Worm: –A program that can run independently and can propagate a fully working version of itself to other machines Virus: –Code that injects itself into other programs. It cannot run independently –its “host” program must run to activate it
Worm Format Worm is named by its method of propagation Worms are not necessarily bad! It wriggles from machine to machine, but could do useful work –Clean up –Compare security experience across machines –Accumulate application data related to people on a 24 hour schedule
Attack Specifications Overview Infected the Internet on November 2 nd, 1988 Systems affected –Unix BSD (4 variants) Sun Microsystems Sun 3 DEC VAX Systems Note that one strength of the net (& computer systems in general) lies in heterogeneity
Attack Specifications Overview (Cont) Net community surprised at pervasiveness –UVa was affected Overall effect was heavily loaded machines -- they stopped doing productive work End Result –Less than 5% of the machines on an insecure network were affected for less than a few days –Slowed and occasionally crashed the infected machines
Generalized Worm Operation Two main parts: –Bootstrap or Vector Program Acts as a hook. It is injected first. It contacts the infected “server” and uploads the main program. It then complies and runs the main program –Main Program Collected data on other networked machines to which the current machine could connect The main program then used 3 main attacks to infect other systems with the bootstrap
Main Program Method of Attacks Fingerd and gets –Overran the finger command input buffer -- wrote stack –On Vax machines this resulted in a remote shell for the worm via the TCP connection by overwriting part of the stack. Sendmail –Issued a DEBUG option often left usable by administrators for testing the mail service. It gained access to the mail server and onto the system. Then continued with infection of system.
Main Program Method of Attacks cont… Passwords –Worm read through etc/hosts.equiv and /.rhosts to find names other machines –Also read /etc/passwd and.forward for account information –Then, attempted to crack passwords using several different methods
Passwords The worm first tried simple choices. For example: Account, User Name, Tnuocca (acct backwards), etc. including lowercase variations Next it tested the passwords against an internal dictionary of 432 words Finally, it tested the passwords against an online dictionary using upper and lower case variations
Timeline A long several of days Commenced 5pm, 2 November, 1988 Spread rapidly –8am (3 Nov) UVa CS machines fully loaded doing nothing Systems started disconnecting from net Afternoon (3 Nov) sys admins exchanging attack halt patches
Timeline (cont) 11:30 pm (3 Nov) DCA inhibits mailbridges between ArpaNet and MilNet Attack method getting to be understood Software patches posted via mailing lists Nov 4: Perpetrator identified, Robert Morris at Cornell By Nov 8 (one week later), most machines were re-connected to Net; traffic patterns were normal –3 weeks later some machines still not back
Hiding Worm checked for copies of self –attempted to connect to others via predetermined TCP socket –Told others to quit One in 7 worms never checked -- ah, immortality Worm forked and killed parent ==> one process ID did not appear to be the CPU time hog
Aftermath Damage was loss of (stolen) resources Motive was, I suppose, just to try it Cornell Provost labels actions unethical-- suspended for a year Debate at the time -- some considered hacking to be “ok” -- “its there!” Court case
Aftermath (cont) Worm halted because informal communication between sys admins and research community Evidenced clear need for community reaction capability Prompted DARPA to create CERT -- Computer Emergency Response Team (CMU)