
The Internet Worm Incident, Eugene H. Spafford (presentation transcript)




1 The Internet Worm Incident
Eugene H. Spafford
 Attack Format
 – Worm vs. Virus
 Attack Specifications
 – Worm operation
 – Infection and propagation
 Topics for Discussion
 – Major security flaws that were exploited, etc.
 Brief Chronology of reaction

2 Attack Format: Worm vs. Virus
 Worm:
 – A program that can run independently and can propagate a fully working version of itself to other machines
 Virus:
 – Code that injects itself into other programs. It cannot run independently; its "host" program must run to activate it

3 Worm Format
 A worm is named for its method of propagation
 Worms are not necessarily bad!
 It wriggles from machine to machine, but could do useful work:
 – Clean up
 – Compare security experience across machines
 – Accumulate application data related to people on a 24-hour schedule

4 Attack Specifications: Overview
 Infected the Internet on November 2nd, 1988
 Systems affected:
 – Sun Microsystems Sun 3 and DEC VAX systems running variants of 4 BSD Unix (the worm carried binaries only for those two architectures)
 Note that one strength of the net (and of computer systems in general) lies in heterogeneity

5 Attack Specifications: Overview (cont.)
 Net community surprised at pervasiveness
 – UVa was affected
 Overall effect was heavily loaded machines; they stopped doing productive work
 End result:
 – Less than 5% of the machines on an insecure network were affected, for less than a few days
 – Slowed and occasionally crashed the infected machines

6 Generalized Worm Operation
 Two main parts:
 – Bootstrap or vector program: acts as a hook and is injected first. It connects back to the already infected "server" machine, fetches the main program, then compiles and runs it
 – Main program: collected data on other networked machines to which the current machine could connect, then used three main attacks to infect other systems with the bootstrap

7 Main Program: Methods of Attack
 fingerd and gets()
 – Overran the finger daemon's input buffer and wrote over the stack
 – On VAX machines, overwriting part of the stack gave the worm a remote shell over the TCP connection (on Suns the same overrun only crashed fingerd, since the injected code was VAX-specific)
 sendmail
 – Issued the DEBUG command, often left enabled by administrators for testing the mail service. This gave the worm access through the mail server and onto the system, where it continued the infection
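The fingerd overrun on this slide, as an added example that is not code from the slides or from the worm: the socket is replaced by an in-memory byte string (a constructed stand-in), the 1988 gets() pattern appears only as a comment, and the bounded reader is the kind of fix that was applied to fingerd. The 512-byte buffer and the 536-byte request length are from Spafford's analysis of the worm; the function names and the payload contents are assumptions.

```c
/* finger_request.c: the fingerd input-handling flaw and a bounded fix.
 * Added example, not code from the slides or the worm. The network socket
 * is replaced by an in-memory byte string (a constructed stand-in), so it
 * runs offline. Buffer size 512 and request length 536 are from Spafford's
 * analysis of the worm; all names and the payload contents are assumed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define FINGER_BUF 512     /* size of fingerd's request buffer */

typedef enum { REQ_OK = 0, REQ_TOO_LONG = 1, REQ_NO_NEWLINE = 2 } req_status;

/* The 1988 pattern, shown as a comment and never called:
 *     char line[FINGER_BUF];
 *     gets(line);          -- copies up to '\n' with no length check
 * A 536-byte request overran 'line', the saved frame and the return address
 * on the VAX stack, so the function "returned" into the attacker's data,
 * which executed a shell bound to the socket. */

/* Bounded replacement: copy at most cap-1 bytes of the request line into buf.
 * A line that does not end inside the buffer is rejected outright rather than
 * silently truncated, and nothing past buf[cap-1] is ever written. */
req_status read_request(const unsigned char *wire, size_t wire_len,
                        char *buf, size_t cap)
{
    size_t i;
    if (cap == 0) return REQ_TOO_LONG;
    for (i = 0; i < wire_len; i++) {
        if (wire[i] == '\n') { buf[i] = '\0'; return REQ_OK; }
        if (i + 1 >= cap) break;         /* no room for this byte plus NUL */
        buf[i] = (char)wire[i];
    }
    buf[0] = '\0';                       /* drop partial data on rejection */
    return (i < wire_len) ? REQ_TOO_LONG : REQ_NO_NEWLINE;
}

/* Would an n-byte request (plus '\n') overrun a FINGER_BUF-byte buffer under
 * the unbounded gets() read? gets() also writes the terminating NUL. */
int overflows_unbounded(size_t n) { return n + 1 > FINGER_BUF; }

/* Build an n-byte request of 'A's followed by '\n' (constructed stand-in for
 * the worm's payload) and feed it to the bounded reader. */
req_status simulate(size_t n)
{
    unsigned char wire[1024];
    char line[FINGER_BUF];
    if (n + 1 > sizeof wire) return REQ_TOO_LONG;
    memset(wire, 'A', n);
    wire[n] = '\n';
    return read_request(wire, n + 1, line, sizeof line);
}

int main(void)
{
    printf("5-byte request:   status %d, overflows gets()? %d\n",
           simulate(5), overflows_unbounded(5));
    printf("536-byte request: status %d, overflows gets()? %d\n",
           simulate(536), overflows_unbounded(536));
    return 0;
}
```

The design choice worth noting is rejecting rather than truncating: a truncated request would still be parsed as a username, which hides the fact that something sent an oversize line; rejecting it keeps the bound and leaves a signal worth logging.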

8 Main Program: Methods of Attack (cont.)
 Passwords
 – The worm read through /etc/hosts.equiv and /.rhosts to find the names of other machines
 – It also read /etc/passwd and users' .forward files for account information
 – It then attempted to crack passwords using several different methods

9 Passwords
 The worm first tried simple choices, for example the account name, the user's name, the account name reversed ("tnuocca" for "account"), etc., including lowercase variations
 Next it tested the accounts against an internal dictionary of 432 words
 Finally, it tested them against an online dictionary, using upper- and lowercase variations
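The three guessing phases on this slide, run over an /etc/passwd entry of the kind the previous slide says the worm read, as an added C example that is not worm code and not from the slides. The hash is a toy FNV-1a stand-in for crypt(3) (stored as a two-character salt plus 16 hex digits), the passwd line, account name, gecos layout and both word lists are constructed stand-ins, and the phase 1 candidate list follows Spafford's description of the worm (no password, account doubled, names from the gecos field), which goes a little beyond the examples on the slide.

```c
/* worm_guess.c: the worm's three password-guessing phases (slide 9) run over a
 * constructed /etc/passwd line (slide 8). Added example, not worm or slide code.
 * Assumed: a toy FNV-1a hash standing in for crypt(3), stored as a 2-char salt
 * plus 16 hex digits; the account, gecos layout and both word lists are made up. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <stdint.h>
#define MAXP 64
typedef struct { char account[MAXP], first[MAXP], last[MAXP], salt[3]; uint64_t hash; } entry;
char last_found[MAXP];                        /* the guess that matched, if any */

static uint64_t toy_crypt(const char *salt, const char *pw)   /* NOT crypt(3) */
{
    uint64_t h = 14695981039346656037ULL;
    for (const char *p = salt; *p; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    for (const char *p = pw;   *p; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    return h;
}
/* Copy the k-th ':'-separated field of line into dst (empty if missing). */
static void field(const char *line, int k, char *dst, size_t cap)
{
    while (k-- > 0) { line = strchr(line, ':'); if (!line) { dst[0] = '\0'; return; } line++; }
    const char *q = strchr(line, ':');
    size_t n = q ? (size_t)(q - line) : strlen(line);
    if (n >= cap) n = cap - 1;
    memcpy(dst, line, n); dst[n] = '\0';
}
/* Parse "account:hash:uid:gid:gecos:home:shell", gecos being "First Last,...". */
int parse_entry(const char *line, entry *e)
{
    char hashf[32], gecos[MAXP];
    field(line, 0, e->account, MAXP);
    field(line, 1, hashf, sizeof hashf);
    if (strlen(hashf) < 3) return 0;
    memcpy(e->salt, hashf, 2); e->salt[2] = '\0';
    e->hash = strtoull(hashf + 2, NULL, 16);
    field(line, 4, gecos, MAXP);
    char *comma = strchr(gecos, ','), *sp;
    if (comma) *comma = '\0';                 /* keep only "First Last" */
    sp = strchr(gecos, ' ');
    snprintf(e->last, MAXP, "%s", sp ? sp + 1 : "");
    if (sp) *sp = '\0';
    snprintf(e->first, MAXP, "%s", gecos);
    return 1;
}
/* Try g and its all-lowercase form; record whichever matches. */
static int try_guess(const entry *e, const char *g)
{
    char lo[MAXP]; snprintf(lo, MAXP, "%s", g);
    for (char *s = lo; *s; s++) *s = (char)tolower((unsigned char)*s);
    const char *hit = toy_crypt(e->salt, g) == e->hash ? g
                    : toy_crypt(e->salt, lo) == e->hash ? lo : NULL;
    if (hit) snprintf(last_found, MAXP, "%s", hit);
    return hit != NULL;
}
/* Phase 1: no password, account, account doubled, first/last name, account reversed. */
static int phase_simple(const entry *e)
{
    char dbl[2 * MAXP], rev[MAXP]; size_t n = strlen(e->account), i;
    snprintf(dbl, sizeof dbl, "%s%s", e->account, e->account);
    for (i = 0; i < n; i++) rev[i] = e->account[n - 1 - i];
    rev[n] = '\0';
    const char *cand[] = { "", e->account, dbl, e->first, e->last, rev };
    for (i = 0; i < 6; i++) if (try_guess(e, cand[i])) return 1;
    return 0;
}
/* Phase 2 list: constructed subset of the worm's 432 built-in words. */
static const char *internal_words[] = { "aaa", "academia", "aerobics", "airplane",
                                        "albany", "albatross", "albert", NULL };
static const char *online_words[] = { "Xerox", "yellow", "zebra", NULL };  /* phase 3 stand-in */
/* Walk a word list; with capitalise set, also try each word capitalised. */
static int phase_dict(const entry *e, const char **words, int capitalise)
{
    char cap[MAXP];
    for (int i = 0; words[i]; i++) {
        if (try_guess(e, words[i])) return 1;
        if (!capitalise) continue;
        snprintf(cap, MAXP, "%s", words[i]); cap[0] = (char)toupper((unsigned char)cap[0]);
        if (strcmp(cap, words[i]) != 0 && try_guess(e, cap)) return 1;
    }
    return 0;
}
int crack(const entry *e)           /* phase (1..3) that recovered the password, else 0 */
{
    last_found[0] = '\0';
    return phase_simple(e) ? 1 : phase_dict(e, internal_words, 0) ? 2
         : phase_dict(e, online_words, 1) ? 3 : 0;
}
/* Constructed passwd line for account "rtm" (gecos "Robert Morris") with the given password. */
int demo(const char *password)
{
    char line[256]; entry e;
    snprintf(line, sizeof line, "rtm:ab%016llx:100:10:Robert Morris,,,:/u/rtm:/bin/csh",
             (unsigned long long)toy_crypt("ab", password));
    return parse_entry(line, &e) ? crack(&e) : -1;
}
int main(void)
{
    const char *pw[] = { "mtr", "robert", "albatross", "Zebra", "correct horse" };
    for (int i = 0; i < 5; i++) printf("%-14s -> phase %d %s\n", pw[i], demo(pw[i]), last_found);
    return 0;
}
```

The point the phases make is about cost, not cleverness: phase 1 needs only the data in the passwd entry itself and catches the reversed account name and lowercase first name; the fixed 432-word list is cheap enough to run against every account; the online dictionary with case variants is the expensive last resort. Any modern check of the same kind should compare against a salted, slow hash and a far larger list, but the ordering is unchanged.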

10 Timeline
 Several long days
 Commenced 5 pm, 2 November 1988
 Spread rapidly
 – 8 am (3 Nov): UVa CS machines fully loaded, doing nothing useful
 Systems started disconnecting from the net
 Afternoon (3 Nov): sysadmins exchanging patches to halt the attack

11 Timeline (cont.)
 11:30 pm (3 Nov): DCA inhibits the mailbridges between ARPANET and MILNET
 Attack method getting to be understood
 Software patches posted via mailing lists
 Nov 4: Perpetrator identified, Robert Morris at Cornell
 By Nov 8 (about a week later), most machines were reconnected to the net and traffic patterns were normal
 – 3 weeks later some machines were still not back

12 Hiding
 The worm checked for copies of itself
 – It attempted to connect to other copies via a predetermined TCP socket
 – It told the others to quit
 One in 7 worms never checked: ah, immortality
 The worm forked and killed its parent, so no single process ID appeared to be the CPU-time hog

13 Aftermath
 Damage was loss of (stolen) resources
 Motive was, I suppose, just to try it
 The Cornell Provost labelled the actions unethical; Morris was suspended for a year
 Debate at the time: some considered hacking to be "ok" ("it's there!")
 Court case

14 Aftermath (cont.)
 The worm was halted because of informal communication between sysadmins and the research community
 This evidenced a clear need for a community reaction capability
 Prompted DARPA to create CERT, the Computer Emergency Response Team (at CMU)

