The Internet Worm: Crisis and Aftermath. Miyu Nakagawa, Cameron Smithers, Ying Han


Introduction
- On November 2, 1988, the Internet came under attack from within.
- Sometime after 5 p.m., a worm program was executed on one or more hosts connected to the Internet.
- This program collected host, network, and user information, then used bugs present in those systems' software to break in.
- After breaking in, the program would replicate itself, and the replica would attempt to infect other systems in the same manner.

Introduction
- On November 3, 1988, personnel at the University of California at Berkeley and the Massachusetts Institute of Technology (MIT) had "captured" copies of the program and begun to analyze it.
- By 5 a.m., less than 12 hours after the program was first discovered on the network, the Computer Systems Research Group at Berkeley had developed a set of steps to temporarily halt its spread.

Introduction
- The suggestions were published in mailing lists and on the Usenet.
- By about 9 p.m., another simple, effective method of stopping the invading program, without terminating system utilities, was discovered at Purdue and also widely published.
- Software patches were posted by the Berkeley group at the same time to mend all the flaws that enabled the program to invade systems.

How the Worm Operated
- The worm took advantage of:
  - flaws in standard software installed on many UNIX systems.
  - a mechanism used to simplify the sharing of resources in a LAN.

How the Worm Operated
- There were three main attacks of the worm:
  - Finger program
  - Sendmail program
  - Password mechanism

Finger Program
- The finger program is a utility that allows a user to obtain information about other users.
- The finger program is intended to run as a daemon, or background process.
- This daemon program accepts connections from remote programs, reads a single line of input, and sends back output.

Finger Program
- The worm broke the fingerd program by overrunning the buffer the daemon used for input.
- The standard C language I/O library has a few routines that read input without checking for bounds on the buffer involved, such as the gets() call.
- The worm exploited this gets() call.
- The input overran the buffer allocated for it and rewrote the stack frame, which altered the behavior of the program.

Sendmail Program
- The sendmail program is a mailer designed to route mail in a heterogeneous network.
- The sendmail daemon listens on a TCP port, sending and receiving electronic mail to and from other servers.
- When a remote mailer connects, the daemon enters into a dialog with it to determine sender, receiver, delivery instructions, and message contents.

Sendmail Program
- The worm broke the sendmail program by using the debugging option in the code.
- First, it would issue the DEBUG command to sendmail and then specify a set of commands instead of a user address.
- This is only allowed when the debugging option is enabled.
- Using this option, testers can run programs to display the state of the mail system without sending mail or establishing a separate login connection.

Passwords
- The password mechanism was the key attack of the worm.
- The worm was able to determine passwords because the encrypted password of each user was in a publicly readable file.

Passwords
- Password mechanism in UNIX systems (diagram): the password entered by the user is encrypted with the standard algorithm, and the result is compared with the previously encrypted password stored on file. When a match occurs, access is allowed.

Passwords
- The worm took advantage of the accessibility of the password file and the fact that users tend to choose common words as their passwords.
- The worm encrypted lists of common words, including the standard online dictionary, using a fast version of the password algorithm, and then compared the results against the contents of the password file.
- Some sites reported that over 50% of their passwords were quickly broken by this simple approach.

Passwords
- Ways to reduce the risk of such attacks:
  - Have a shadow password file: save the encrypted password in a shadow file that is readable only by the system administrators, and have a privileged call perform password encryptions and comparisons with an appropriate timed delay.
  - Add a mechanism to check for repeated password attempts from the same process, resulting in some form of alarm being raised.

Passwords
  - Change the utility that sets user passwords: the program could be strengthened so that it rejects any choice of a word currently in the online dictionary or based on the account name.
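The strengthened password-setting utility the slide proposes, as an added example that is not code from the slides or from any real passwd program: it refuses dictionary words (including the reversed and digit-suffixed variations a dictionary attack tries) and choices based on the account name. The embedded dictionary, the function names and the particular variations folded are assumptions.

```c
/* Added example, not the slides' or any real passwd utility's code: the check
 * the slides propose for the password-setting program, rejecting dictionary
 * words and choices derived from the account name. The embedded dictionary
 * and the set of variations folded are constructed assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_PW 64
enum { PW_OK = 0, PW_TOO_SHORT, PW_ALL_DIGITS, PW_DICTIONARY_WORD, PW_FROM_ACCOUNT };

/* Constructed stand-in for the "standard online dictionary". */
static const char *const DICTIONARY[] = {
    "password", "secret", "wizard", "computer", "cornell", "internet"
};
#define NDICT (sizeof DICTIONARY / sizeof DICTIONARY[0])

/* Lower-case copy with trailing digits removed: "Wizard99" -> "wizard".
 * This folds the cheap variations a dictionary attack tries anyway. */
static void canonical(const char *in, char *out, size_t outsz)
{
    size_t n = strlen(in);
    if (n >= outsz) n = outsz - 1;
    while (n > 0 && isdigit((unsigned char)in[n - 1])) n--;
    for (size_t i = 0; i < n; i++) out[i] = (char)tolower((unsigned char)in[i]);
    out[n] = '\0';
}

static void reverse_into(const char *in, char *out, size_t outsz)
{
    size_t n = strlen(in);
    if (n >= outsz) n = outsz - 1;
    for (size_t i = 0; i < n; i++) out[i] = in[n - 1 - i];
    out[n] = '\0';
}

/* Returns PW_OK or the reason the candidate is refused. */
int check_password(const char *account, const char *candidate)
{
    char canon[MAX_PW], rev[MAX_PW], acct[MAX_PW], acct_rev[MAX_PW], twice[2 * MAX_PW];

    if (strlen(candidate) < 6)
        return PW_TOO_SHORT;
    canonical(candidate, canon, sizeof canon);
    if (canon[0] == '\0')
        return PW_ALL_DIGITS;         /* nothing left once digits are stripped */
    reverse_into(canon, rev, sizeof rev);

    /* Derived from the account name: the name, reversed, or doubled. */
    canonical(account, acct, sizeof acct);
    reverse_into(acct, acct_rev, sizeof acct_rev);
    snprintf(twice, sizeof twice, "%s%s", acct, acct);
    if (strcmp(canon, acct) == 0 || strcmp(canon, acct_rev) == 0 || strcmp(canon, twice) == 0)
        return PW_FROM_ACCOUNT;

    /* A dictionary word, forwards or reversed. */
    for (size_t i = 0; i < NDICT; i++)
        if (strcmp(canon, DICTIONARY[i]) == 0 || strcmp(rev, DICTIONARY[i]) == 0)
            return PW_DICTIONARY_WORD;
    return PW_OK;
}

int main(void)
{
    static const char *const reason[] = { "ok", "too short", "all digits",
                                          "dictionary word", "based on account name" };
    const char *tries[] = { "Wizard99", "drazIW", "rtmrtm", "123456", "Tr0ub4dor&3" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("rtm / %-12s -> %s\n", tries[i], reason[check_password("rtm", tries[i])]);
    return 0;
}
```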

Passwords
- The worm also took advantage of the use of trusted logins.
- In a UNIX system, it is possible for a user to specify a list of host/login name pairs that are assumed to be 'trusted', in the sense that a remote access from that host/login pair is never asked for a password.

Passwords
- The worm used this mechanism.
- Once the worm found such likely candidates, it tried to instantiate itself on those machines by using the remote execution facility.

General Overview of Worm
- Targeted Sun 3 systems and VAX systems running 4 BSD.
- The worm targets a host until 1 of 3 attacks succeeds.
- A /bin/sh shell is obtained, which can parse instructions sent over the network.
- The worm compiles and executes a 'bootstrap' program on the host.

General Overview of Worm
- The bootstrap connects back to the worm and downloads the worm objects.
- The worm connects to the host, links the worm objects together, and runs the worm.
- The new worm searches for new hosts to infect, cracks passwords in /etc/passwd, and infects new hosts.

Finger Exploit
- Attacked only Sun 3 systems running the finger daemon.
- Buffer overflow in the gets() library call.
- The stack was overwritten.
- An exec() system call was executed, replacing the fingerd process with a /bin/sh shell.
- fingerd turned into a shell.
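The gets() overrun described on the Finger Program and Finger Exploit slides, as an added example that is not code from the slides or from fingerd: the unbounded line read the daemon performed, beside a bounded replacement that rejects an over-long request instead of letting it reach the stack frame. Function names are hypothetical, and the 512-byte buffer size is an assumption.

```c
/* Added example, not code from the slides or from the 1988 fingerd: the
 * unbounded read that gets() performed, beside a bounded replacement.
 * Function names are hypothetical; the 512-byte buffer is an assumption. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_BUF 512

/* VULNERABLE PATTERN: copies until newline with no bound on `buf`, which is
 * what gets() did inside fingerd. A request longer than the buffer spills
 * over the saved registers and return address of the stack frame. Kept only
 * as the "before" picture; nothing here calls it. */
char *unsafe_read_line(FILE *in, char *buf)
{
    int c;
    char *p = buf;
    while ((c = fgetc(in)) != EOF && c != '\n')
        *p++ = (char)c;               /* no check against the end of buf */
    *p = '\0';
    return buf;
}

/* HARDENED: fgets() writes at most bufsz bytes. A request that does not fit
 * (more than bufsz-2 characters before the newline) is rejected whole rather
 * than silently truncated, and its remainder is drained so the next read
 * starts on a line boundary. Returns 1 on success, 0 on EOF, -1 if over-long. */
static int safe_read_line(FILE *in, char *buf, size_t bufsz)
{
    if (fgets(buf, (int)bufsz, in) == NULL)
        return 0;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 1;
    }
    if (feof(in))
        return 1;                     /* final line without a newline */
    for (int c; (c = fgetc(in)) != EOF && c != '\n';)
        ;                             /* discard the oversized remainder */
    buf[0] = '\0';
    return -1;
}

/* Feed a constructed request string through the hardened reader. */
static int read_request(const char *request, char *buf, size_t bufsz)
{
    FILE *in = fmemopen((void *)request, strlen(request), "r");
    if (in == NULL) return -2;
    int rc = safe_read_line(in, buf, bufsz);
    fclose(in);
    return rc;
}

/* Constructed probe: a request of `len` 'A' bytes plus newline, read into a
 * 512-byte buffer. Returns the reader's verdict (1 accepted, -1 rejected). */
static int probe_request_len(size_t len)
{
    char buf[LINE_BUF], *req = malloc(len + 2);
    if (req == NULL) return -2;
    memset(req, 'A', len); req[len] = '\n'; req[len + 1] = '\0';
    int rc = read_request(req, buf, sizeof buf);
    free(req);
    return rc;
}

int main(void)
{
    char buf[LINE_BUF];
    printf("'root': rc=%d user=%s\n", read_request("root\n", buf, sizeof buf), buf);
    printf("100 bytes: rc=%d  600 bytes: rc=%d\n", probe_request_len(100), probe_request_len(600));
    return 0;
}
```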

Sendmail Exploit
- The debug feature parses commands.
- Relied on lazy sysadmins leaving the debug option enabled.
- A command to execute a /bin/sh shell was fed to sendmail.
- The sendmail daemon turned into a shell.

Password Exploit
- The /etc/passwd file was world readable.
- It contained pairs of username + password hash.
- Dictionary passwords and their permutations were fed into the hash function.
- If any matched, the password was cracked.

Password Exploit
- Obtain the privileges of a user by using his or her password.
- Open certain files to discover new hosts.
- Connect to hosts using 'passwordless' rsh.
- Relied on the principle of users having only one password.
- On success, a shell was obtained.

Bootstrap Stage
- Once the shell was obtained, the finger, sendmail, and password cases were all the same.
- The infecting computer compiles and executes the bootstrap program.
- The bootstrap establishes a connection back to the worm and gets the object files for two architectures and the source for the bootstrap program.

Bootstrap Stage
- Turns into a shell with exec().
- The worm instructs it to link the correct object to run on the architecture.
- The worm on the host computer is then executed.

Operation of Worm (initialize)
- Hides its own execution and ensures its survival:
  - Deletes its arguments after copying them to another buffer, to prevent them from being displayed.
  - Changes its process name to 'sh'.
  - Kills the parent process.
  - Unlinks the program binary file.

Operation of Worm (initialize)
- Reads the worm objects and the bootstrap source file in from the stored arguments.
  - Solves the problem of replicating itself.
- Discovers currently connected hosts and sorts them by priority:
  1) Gateways
  2) Hosts on the local net
  3) Hosts on other nets

Operation of Worm (initialize)
- Tries to attack other hosts:
  - Sends shell instructions to the host to compile and execute the bootstrap.
  - Listens on a socket for the host to connect back.
  - Sends the worm object files and bootstrap to the host.
  - Sends shell instructions to execute the worm.
  - Marks the host as "infected", otherwise as "can't infect".

Operation of Worm (Main loop)
- Read the /etc/passwd password file.
- When another copy of the worm is discovered:
  - Communicate with the other worm and randomly decide who will quit.
- Attack passwords with dictionary and random attacks using the hash function.
- Discover more hosts in files using the username / password information.
- Attack hosts as in the previous slide.
- Watch the time; clear the "can't infect" and "infected" host flags every 12 hours.
- Go to the beginning of the loop.

Operation of Worm
- Time is divided between cracking passwords and attacking new hosts.
  - Cracking hosts could take a really long time with complicated passwords, maybe forever.
- Population control:
  - The distributed nature requires balance.
- Attempts to prevent discovery of its execution and recovery of the worm code.

Aftermath
- The Internet worm was huge at the time.
- First of its kind.
- Around 6000 major UNIX machines were infected (around 10% of the Internet).
- The worm caused machines to operate at close to their capacity.
- Important nation-wide gateways were shut down.

Who?
- Identified as Robert T. Morris by the New York Times.
- A 23-year-old doctoral student at Cornell University at the time.
- His father was the National Computer Security Center's (NSA) chief scientist.
- Morris released the worm from MIT to conceal the fact that it was from Cornell.

Why?
- There was much speculation at the time on his motive.
- The worm contained no code to cause any damage to systems.
- The worm had no code to stop its own spread.
- True motive: to use it as a tool to gauge the size of the Internet.

Consequences
- Some people think Morris should not have been punished:
  - The system administrator or operator should be punished instead.
- Morris was the first person to be indicted under the Computer Fraud and Abuse Act of 1986.
  - Sentenced to three years' probation, a fine of $10,050, and 400 hours of community service.

Consequences
- Morris received his Ph.D. in computer science from Harvard University in 1999.
- Morris is now a professor at MIT.

Effects
- Establishment of the Computer Emergency Response Team (CERT) by the Defense Advanced Research Projects Agency (DARPA) at the Software Engineering Institute at Carnegie Mellon University.
- The worm made people think more about ethics and laws concerning access to computers.

Questions?