Presentation is loading. Please wait.

Presentation is loading. Please wait.

Crisis and Aftermath Morris worm.

Published byAlison Anderson Modified over 5 years ago

Similar presentations

Presentation on theme: "Crisis and Aftermath Morris worm."— Presentation transcript:

1 Crisis and Aftermath Morris worm

2 Index What is Worm 4 Exploited flaws Component Algorithm Aftermath
Morris Worm 4 Exploited flaws finger sendmail remote shell password Component Algorithm Vector program Seeking another victim Cracking password Avoiding detection Mistakes Aftermath

3 What is worm? Self replicating, designed to spread through the network. Data modification System overload Steal information What is different from Virus and Trojan horse? Virus need executable file to infect and spread. Trojan horse opens a backdoor while pretending as useful program.

4 Morris worm First internet worm ever made at 1998.
Could only infect DEC VAX machines running 4BSD, and Sun-3 systems. Original purpose was to measure the size of internet. One mistake caused huge chaos all over the network. 6000 computers were infected. Which is about 10% of computers connected to network at that time. The U.S. Government Accountability Office put the cost of the damage at $100,000–10,000,000.

5 4 Exploited flaws - finger
Originally used to obtain information of other users. Use flaws of C library to overflow input buffer. ex: gets() Writes 536 bytes to override finger buffer’s 512 byte. 24 bytes end up overwriting return address. Resulting in invoking a remote shell and executing privileged commands. Since it was unable to determine victim’s OS. Sun crashed instead.

6 4 Exploited flaws - sendmail
Designed to send message between processes. Use DEBUG command to send a shell script and execute on the host. In normal mode it is not possible to do so. But debug option is left turned on for convenience. debug mode로 컴파일 하는 것?

7 4 Exploited flaws - remote shell
UNIX uses trusted login to avoid typing password again and again. Look for remoted machine login list and assume reciprocal trust to find appropriate target. If A trusts B, B trusts A.

8 4 Exploited flaws - Password
Accessing through figerd only allows you to run in daemon. Encrypted password file is readable but it’s not easy to decrypt. But, comparing the encrypted possible words with password file is possible. Dictionary attack to discover the password.

9 Component Vector program Main Program 99 lines in C code
Downloads main program Main Program Retrieve information Look for other machines to attack.

10 Vector program 1. Socket is established for the vector program.
2. Vector program gets installed and executed via TCP connection(infected via rsh or finger) or SMTP(infected via sendmail) connection. 3. Connect to server worm to download following three files Sun 3 binary version worm VAX version worm Vector program source code 4. Running vector become a shell and tries to compile each received files. 5. Server closes the connection if host is infected. 1번은 remote랑 finger만 해당 5번에서는 추가적으로 작업 더 함

11 Seeking another victim
6. Gather information about connection and creates list for connected local machines. 7. Randomize list and use telnet or rexec port to determine reachability. 8. Tries to infect target with one of three methods a. rsh b. finger c. sendmail 8. 하나라도 성공하면 그만둠. 여기서 리니어를 사용해서 뭔가 전문성이 떨어짐.

12 Cracking password 9. Tries to break password and goes back to step 7 if it fails. a. Find the names of equivalent host and add account & password file into internal data structure. b. Attempt to broke user password with some guess like no password or toying with account name. c. Try password with words in internal dictionary. d. Try UNIX online dictionary. 10. Attempt to break into remote machines where user had accounts. a. Use account name from 9.a and cracked password to create remote shell. b. Use local user name and password to try rsh command. five state 라고도 한다. d는 다른 것이 모두 다 실패해야만 시행.

13 Avoiding detection Server disconnects from vector program if it does not send same magic number as before. After attempt to compile main worm: Fail: Delete all object files. Success: Kills its parents, read all the worm binary files into memory, encrypt it and delete it. Sometimes it kills itself and kills its parent. 한 프로세스가 CPU 오래차지하는 것처럼 보이는 것을 피하고 priority 높이기 위함. 하지만 완벽하지 않음. 버클리에 의심을 두기 위함이라는 말도 있다.

14 Mistakes Worms meet in predetermined TCP socket and randomly set pleasequit variable to 1 to avoid multiple worms run on same machine. However, worm does not quit until step 9.c Some fails to connect due to heavily loaded machines. Critically one out of seven worm become immortal and does not look for other worms to avoid fake worm’s signal. So it overwhelmed victim’s computer with multiple worms. Causing serious problems. It was supposed to send packet to ernie.berkeley.edu but it failed due to wrong code. 버클리에 의심을 두기 위함이라는 말도 있다.

15 Aftermath It did not Delete system's files, modify existing files, install trojan horses, record or transmit decrypted passwords, capture superuser privileges, etc…. However huge overload due to multiple worm caused chaos. Robert T. Morris get caught and sentenced to three years probation, 400 hours of community service, and a fine of $10,050 plus the costs of his supervision.

Download ppt "Crisis and Aftermath Morris worm."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Computer Science CSC 405Dr. Peng Ning1 CSC 405 Introduction to Computer Security Topic 3. Program Security -- Part I.

Computer Science CSC 405Dr. Peng Ning1 CSC 405 Introduction to Computer Security Topic 3. Program Security -- Part I.
Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 URL: Security.

Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 URL: Security.
C risis And A ftermath Eugene H. Spafford 발표자 : 손유민.

C risis And A ftermath Eugene H. Spafford 발표자 : 손유민.
Communications of the ACM (CACM), Vol. 32, No. 6, June 1989

Communications of the ACM (CACM), Vol. 32, No. 6, June 1989
Week 6 - Friday.  What did we talk about last time?  Viruses and other malicious code.

Week 6 - Friday.  What did we talk about last time?  Viruses and other malicious code.
October 15, 2002Serguei A. Mokhov, 1 UNIX Security 2: A Quick Recap SOEN321 - Information Systems Security Revision 1.3 Date: September.

October 15, 2002Serguei A. Mokhov, 1 UNIX Security 2: A Quick Recap SOEN321 - Information Systems Security Revision 1.3 Date: September.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Hacker, Cracker?! Are they the same? No!!! Hacker programmers intensely interested in the arcane and recondite workings of any computer operating system.

Hacker, Cracker?! Are they the same? No!!! Hacker programmers intensely interested in the arcane and recondite workings of any computer operating system.
Exploits Dalia Solomon. Categories Trojan Horse Attacks Trojan Horse Attacks Smurf Attack Smurf Attack Port Scan Port Scan Buffer Overflow Buffer Overflow.

Exploits Dalia Solomon. Categories Trojan Horse Attacks Trojan Horse Attacks Smurf Attack Smurf Attack Port Scan Port Scan Buffer Overflow Buffer Overflow.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.

Silberschatz, Galvin and Gagne  Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.
1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.

1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.

Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.
Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.

Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.
The Internet Worm Crisis and Aftermath Miyu Nakagawa Cameron Smithers Ying Han.

The Internet Worm Crisis and Aftermath Miyu Nakagawa Cameron Smithers Ying Han.
Lecture 11, 20-755: The Internet, Summer 1999 1 20-755: The Internet Lecture 11: Secure services David O’Hallaron School of Computer Science and Department.

Lecture 11, : The Internet, Summer : The Internet Lecture 11: Secure services David O’Hallaron School of Computer Science and Department.
Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.

Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.
Information Networking Security and Assurance Lab National Chung Cheng University 2004/03/031 A Real World Attack: wu-ftp Cao er kai ( 曹爾凱 )

Information Networking Security and Assurance Lab National Chung Cheng University 2004/03/031 A Real World Attack: wu-ftp Cao er kai ( 曹爾凱 )

Similar presentations

Ads by Google