The Internet Worm Crisis and Aftermath

Miyu Nakagawa

Cameron Smithers

Ying Han

Introduction

On November 2, 1988, the Internet came under attack from within.

Sometime after 5 p.m., a worm program was executed on one or more hosts connected to the Internet.

This program collected host, network, and user information, then exploited bugs present in those systems' software to break in.

After breaking in, the program would replicate itself, and the replica would attempt to infect other systems in the same manner.

Introduction

On November 3, 1988, personnel at the University of California at Berkeley and the Massachusetts Institute of Technology (MIT) had "captured" copies of the program and begun to analyze it.

By 5 a.m., less than 12 hours after the program was first discovered on the network, the Computer Systems Research Group at Berkeley had developed a set of steps to temporarily halt its spread.

Introduction

The suggestions were published on mailing lists and on Usenet.

By about 9 p.m., another simple, effective method of stopping the invading program, without terminating system utilities, was discovered at Purdue and also widely published.

Software patches were posted by the Berkeley group at the same time to mend all the flaws that enabled the program to invade systems.

How the Worm Operated

The worm took advantage of:
• flaws in standard software installed on many UNIX systems.
• a mechanism used to simplify the sharing of resources in a LAN.

How the Worm Operated

The worm used three main attacks:
• Finger program
• Sendmail program
• Password mechanism

Finger Program

The finger program is a utility that allows a user to obtain information about other users.

Its server side, fingerd, is intended to run as a daemon or background process.

This daemon accepts connections from remote programs, reads a single line of input, and sends back output.

Finger Program

The worm broke the fingerd program by overrunning the buffer the daemon used for input.
• The standard C language I/O library has a few routines that read input without checking for bounds on the buffer involved, such as the gets() call.

The worm exploited this gets() call: the input overran the buffer allocated for it and rewrote the stack frame, which altered the behavior of the program.
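The pattern is easier to see in code. The block below is an added example in C, not code from the worm or from the 4.3BSD fingerd source: it contrasts the unbounded, gets()-style read that fingerd used with a bounded read that rejects over-long requests instead of letting them run into the stack frame. REQ_BUF, the function names and the constructed 536-byte request are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Size of the request buffer in this illustration (the real daemon also
 * used a fixed-size stack buffer). */
#define REQ_BUF 512

/* Vulnerable pattern, the semantics of gets(): copy the request line up
 * to the newline with no knowledge of how large dst is.  A request longer
 * than the buffer writes past its end into the saved stack frame, which is
 * what the worm exploited.  Kept only for contrast; nothing here calls it
 * with over-long input. */
static void read_request_unsafe(const char *src, char *dst)
{
    while (*src != '\0' && *src != '\n')
        *dst++ = *src++;
    *dst = '\0';
}

/* Hardened pattern: the caller passes the buffer size, the loop never
 * writes past cap-1, and a request that does not fit (or has no newline)
 * is rejected outright rather than silently truncated.  Returns the
 * request length, or -1 on rejection. */
int read_request_safe(const char *src, char *dst, size_t cap)
{
    size_t n = 0;

    if (cap == 0)
        return -1;
    while (src[n] != '\0' && src[n] != '\n') {
        if (n + 1 >= cap)            /* no room left for the terminating NUL */
            return -1;
        dst[n] = src[n];
        n++;
    }
    if (src[n] != '\n')              /* input ended before end of line */
        return -1;
    dst[n] = '\0';
    return (int)n;
}

/* Build a constructed request of `len` bytes of 'A' plus a newline (a
 * stand-in for what a client sends) and run it through the hardened
 * reader into a REQ_BUF-byte buffer.  Returns read_request_safe's result. */
int fingerd_demo(size_t len)
{
    static char request[2048];
    char buf[REQ_BUF];

    if (len > sizeof request - 2)
        return -1;
    memset(request, 'A', len);
    request[len] = '\n';
    request[len + 1] = '\0';
    return read_request_safe(request, buf, sizeof buf);
}

int main(void)
{
    char buf[REQ_BUF];

    read_request_unsafe("root\n", buf);     /* fine only because the input is short */
    printf("unsafe read of short request: '%s'\n", buf);
    printf("6-byte request   -> %d\n", fingerd_demo(6));    /* accepted */
    printf("511-byte request -> %d\n", fingerd_demo(511));  /* largest that fits */
    printf("536-byte request -> %d\n", fingerd_demo(536));  /* rejected, no overflow */
    return 0;
}
```

The design choice worth noting is the rejection rather than truncation: a finger request that does not fit in the buffer is malformed, and truncating it would silently turn an attack into a lookup for a garbage user name while hiding the event from the operator.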

Sendmail ProgramSendmail Program

The The sendmailsendmail program is a mailer program is a mailer designed to route mail in a heterogeneous designed to route mail in a heterogeneous network.network.

The sendmail daemon listens on a TCP The sendmail daemon listens on a TCP port, sending and receiving electronic mail port, sending and receiving electronic mail to and from other servers.to and from other servers.

When such an attempt occurs, the daemon When such an attempt occurs, the daemon enters into a dialog with the remote mailer enters into a dialog with the remote mailer to determine sender, receiver, delivery to determine sender, receiver, delivery instructions, and message contents.instructions, and message contents.

Sendmail Program

The worm broke the sendmail program by using the debugging option in the code.

First, it would issue the DEBUG command to sendmail and then specify a set of commands, instead of a user address, as the recipient.

This is only allowed when the debugging option is enabled. Using this option, testers can run programs to display the state of the mail system without sending mail or establishing a separate login connection.
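The following is an added C example, not sendmail code and not a transcript from the incident. It walks a constructed SMTP command sequence of the shape described above (DEBUG issued, then a program pipeline where a recipient mailbox belongs), classifies it the way a log-review or mail-gateway check would, and shows the reply a hardened server should give. The dialog lines, function names and choice of reply codes are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed SMTP client lines in the shape the text describes: DEBUG is
 * issued, then a command pipeline is supplied in place of a recipient.
 * Sample data for the check, not a capture from 1988. */
static const char *worm_shaped_dialog[] = {
    "HELO attacker.example",
    "DEBUG",
    "MAIL FROM:<nobody@attacker.example>",
    "RCPT TO:<\"|/bin/sh\">",
    "DATA",
};
static const char *ordinary_dialog[] = {
    "HELO mailer.example",
    "MAIL FROM:<alice@mailer.example>",
    "RCPT TO:<bob@victim.example>",
    "DATA",
};
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

/* Case-insensitive "does this line start with the given SMTP verb". */
static int has_verb(const char *line, const char *verb)
{
    size_t i;
    for (i = 0; verb[i] != '\0'; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)verb[i]))
            return 0;
    return line[i] == '\0' || line[i] == ' ' || line[i] == ':';
}

/* Nonzero if the recipient in an RCPT line is a program pipe rather than a
 * mailbox: after "TO:" and any spaces, '<' or '"', the address starts with '|'. */
int recipient_is_pipe(const char *line)
{
    const char *p = strchr(line, ':');
    if (p == NULL)
        return 0;
    for (p++; *p == ' ' || *p == '<' || *p == '"'; p++)
        ;
    return *p == '|';
}

/* Classify a client's command lines.  Bitmask: 1 = DEBUG issued,
 * 2 = pipe recipient supplied; 3 is the pattern the worm used. */
int classify_dialog(const char *const *lines, size_t n)
{
    int flags = 0;
    for (size_t i = 0; i < n; i++) {
        if (has_verb(lines[i], "DEBUG"))
            flags |= 1;
        if (has_verb(lines[i], "RCPT") && recipient_is_pipe(lines[i]))
            flags |= 2;
    }
    return flags;
}

/* What a hardened server should answer: refuse DEBUG unless the site has
 * deliberately enabled it, and refuse pipe recipients from the network
 * regardless of the debug setting.  Returns the SMTP reply code to send. */
int server_reply(const char *line, int debug_enabled)
{
    if (has_verb(line, "DEBUG"))
        return debug_enabled ? 250 : 500;   /* 500: command unrecognized */
    if (has_verb(line, "RCPT") && recipient_is_pipe(line))
        return 550;                          /* 550: recipient rejected */
    return 250;
}

int demo_worm_shaped(void) { return classify_dialog(worm_shaped_dialog, COUNT(worm_shaped_dialog)); }
int demo_ordinary(void)    { return classify_dialog(ordinary_dialog, COUNT(ordinary_dialog)); }

int main(void)
{
    printf("worm-shaped dialog flags=%d, ordinary dialog flags=%d\n",
           demo_worm_shaped(), demo_ordinary());
    printf("server reply to DEBUG with debugging off: %d\n", server_reply("DEBUG", 0));
    return 0;
}
```

The pipe check is deliberately independent of the DEBUG check: a recipient that starts with "|" is a request to run a program, and nothing arriving over the network should be allowed to name one, whether or not the debug option happens to be on.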

Passwords

The password mechanism was the key attack of the worm.

The worm was able to determine passwords because the encrypted password of each user was in a publicly readable file.

Passwords

Password mechanism in UNIX systems:
• The password typed by the user is run through the Data Encryption Standard algorithm.
• The encrypted result is compared with the previously encrypted password stored in the password file.
• When a match occurs, access is allowed.

Passwords

The worm took advantage of the accessibility of the password file and the fact that users tend to choose common words as their passwords.

The worm encrypted lists of common words, including the standard online dictionary, using a fast version of the password algorithm and then compared the results against the contents of the password file.

Some sites reported that over 50% of their passwords were quickly broken by this simple approach.

Passwords

Ways to reduce the risk of such attacks:
• Have a shadow password file: save the encrypted password in a shadow file that is readable only by the system administrator, and have a privileged call perform password encryptions and comparisons with an appropriate timed delay.
• Add a mechanism to check for repeated password attempts from the same process, resulting in some form of alarm being raised.

Passwords

• Change the utility that sets user passwords: the program could be strengthened so that it rejects any choice of a word currently in the online dictionary or based on the account name.
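Both sides of the password story, the dictionary attack described earlier and the strengthened password-setting check proposed here, fit in one added C example. It is not the worm's cracker and not any system's passwd utility. Because the DES-based crypt(3) cannot be reproduced in a few lines and linking it is platform-specific, a salted FNV-1a stand-in (toy_crypt) takes its place; it keeps only the salt-prefix convention that lets anyone with the file test guesses offline. The word list, the /etc/passwd-style entries and the function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <ctype.h>

#define HASH_LEN 18   /* 2-char salt + 16 hex digits in this stand-in */

/* Stand-in for the DES-based crypt(3): salted 64-bit FNV-1a, printed as the
 * salt followed by 16 hex digits.  It is NOT a password hash; it exists so
 * the example is self-contained and deterministic. */
static void toy_crypt(const char *pw, const char *salt, char out[HASH_LEN + 1])
{
    uint64_t h = 1469598103934665603ULL;
    int i;
    for (i = 0; i < 2 && salt[i] != '\0'; i++)
        h = (h ^ (unsigned char)salt[i]) * 1099511628211ULL;
    for (; *pw != '\0'; pw++)
        h = (h ^ (unsigned char)*pw) * 1099511628211ULL;
    snprintf(out, HASH_LEN + 1, "%.2s%016llx", salt, (unsigned long long)h);
}

/* Constructed word list standing in for the "standard online dictionary". */
static const char *dictionary[] = { "aardvark", "banana", "cornell", "password", "secret", "wizard" };
#define DICT_N (sizeof dictionary / sizeof dictionary[0])

static void reverse_into(const char *s, char *out, size_t cap)
{
    size_t n = strlen(s), i;
    if (n >= cap) n = cap - 1;
    for (i = 0; i < n; i++) out[i] = s[n - 1 - i];
    out[n] = '\0';
}

static int ci_equal(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Does the guess hash to the stored field?  The salt is the field's first
 * two characters, so nothing secret is needed to test guesses offline. */
static int matches(const char *guess, const char *stored)
{
    char h[HASH_LEN + 1];
    toy_crypt(guess, stored, h);
    return strcmp(h, stored) == 0;
}

/* The worm's approach against one line "user:hash:uid:gid:gecos:home:shell":
 * try the account name, the name reversed, then every dictionary word.
 * On success copies the recovered password into found and returns 1. */
int crack_entry(const char *line, char *found, size_t cap)
{
    char user[64], stored[HASH_LEN + 1], cand[64];
    const char *c1 = strchr(line, ':'), *c2;
    size_t i;

    if (c1 == NULL || (size_t)(c1 - line) >= sizeof user) return 0;
    memcpy(user, line, (size_t)(c1 - line));
    user[c1 - line] = '\0';
    c2 = strchr(c1 + 1, ':');
    if (c2 == NULL || (size_t)(c2 - c1 - 1) != HASH_LEN) return 0;
    memcpy(stored, c1 + 1, HASH_LEN);
    stored[HASH_LEN] = '\0';

    if (matches(user, stored)) { snprintf(found, cap, "%s", user); return 1; }
    reverse_into(user, cand, sizeof cand);
    if (matches(cand, stored)) { snprintf(found, cap, "%s", cand); return 1; }
    for (i = 0; i < DICT_N; i++)
        if (matches(dictionary[i], stored)) { snprintf(found, cap, "%s", dictionary[i]); return 1; }
    return 0;
}

/* The strengthened password-setting check proposed above: refuse any
 * dictionary word (ignoring case) and anything equal to the account name
 * or its reverse.  Returns 1 if the choice is acceptable. */
int acceptable_password(const char *user, const char *pw)
{
    char rev[64];
    size_t i;
    reverse_into(user, rev, sizeof rev);
    if (ci_equal(pw, user) || ci_equal(pw, rev)) return 0;
    for (i = 0; i < DICT_N; i++)
        if (ci_equal(pw, dictionary[i])) return 0;
    return 1;
}

/* Build a constructed passwd line for user/pw and report whether
 * crack_entry recovers exactly pw (1) or fails (0). */
int demo_cracks(const char *user, const char *pw)
{
    char salt[3] = { user[0], 'z', '\0' }, h[HASH_LEN + 1], line[256], found[64];
    toy_crypt(pw, salt, h);
    snprintf(line, sizeof line, "%s:%s:1001:100:%s:/home/%s:/bin/sh", user, h, user, user);
    return crack_entry(line, found, sizeof found) && strcmp(found, pw) == 0;
}

int main(void)
{
    printf("alice/password: %d  carol/lorac: %d  dave/Xq7!pL2@: %d\n",
           demo_cracks("alice", "password"), demo_cracks("carol", "lorac"), demo_cracks("dave", "Xq7!pL2@"));
    printf("passwd accepts 'Password' for eve: %d, 'Xq7!pL2@' for dave: %d\n",
           acceptable_password("eve", "Password"), acceptable_password("dave", "Xq7!pL2@"));
    return 0;
}
```

Note what the shadow-file defence changes and what it does not: moving the hash field out of the world-readable file denies the attacker the input to crack_entry, but the password-quality check in acceptable_password is still needed, because a user who can log in can read their own hash and a leaked shadow file falls to the same dictionary.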

Passwords

The worm also took advantage of the use of trusted logins.

In a UNIX system, it is possible for a user to specify a list of host/login name pairs that are assumed to be "trusted", in the sense that a remote access from that host/login pair is never asked for a password.

Passwords

The worm used this mechanism: once it found such likely candidates, it tried to instantiate itself on those machines by using the remote execution facility.
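As an added C example (not worm code), the block below parses a constructed .rhosts/hosts.equiv-style file into the host/login pairs described above, which is the information the worm harvested from the accounts it had cracked, and reduces it to the distinct hosts it would then have tried with rsh. The file contents and function names are assumptions; the handling of the "+" wildcard follows the standard meaning of that entry, which trusts every host and is the thing a defender auditing such files most wants to find.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

struct trust_pair {
    char host[64];
    char login[32];   /* empty = "same login name as the local account" */
};

/* Constructed contents of a .rhosts-style file (the same format as
 * /etc/hosts.equiv): "host [login]" per line, '#' comments, and the '+'
 * wildcard meaning "any host".  Not taken from a real system. */
static const char *sample_rhosts =
    "# hosts allowed in without a password\n"
    "gateway.cs.example\n"
    "vax1.cs.example alice\n"
    "   vax1.cs.example\n"
    "+ root\n"
    "sun3.cs.example   alice\n";

/* Copy the next whitespace-delimited token of s[i..len) into out; returns
 * the index just past it.  Over-long tokens are truncated, never overrun. */
static size_t take_token(const char *s, size_t len, size_t i, char *out, size_t cap)
{
    size_t j = 0;
    while (i < len && isspace((unsigned char)s[i]))
        i++;
    while (i < len && !isspace((unsigned char)s[i])) {
        if (j < cap - 1)
            out[j++] = s[i];
        i++;
    }
    out[j] = '\0';
    return i;
}

/* Parse "host [login]" lines, skipping blanks and '#' comments.
 * Returns the number of pairs stored. */
int parse_rhosts(const char *text, struct trust_pair *out, size_t cap)
{
    int n = 0;
    while (*text != '\0' && (size_t)n < cap) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        size_t i = take_token(text, len, 0, out[n].host, sizeof out[n].host);
        if (out[n].host[0] != '\0' && out[n].host[0] != '#') {
            take_token(text, len, i, out[n].login, sizeof out[n].login);
            n++;
        }
        if (nl == NULL)
            break;
        text = nl + 1;
    }
    return n;
}

/* What the worm wanted from such a file: the distinct hosts to try with
 * rsh.  The '+' wildcard names no host, so it is left out of the list and
 * reported separately: it means every host is trusted. */
int candidate_hosts(const struct trust_pair *pairs, int n,
                    char hosts[][64], size_t cap, int *wildcard)
{
    int m = 0, i, k;
    *wildcard = 0;
    for (i = 0; i < n; i++) {
        int dup = 0;
        if (strcmp(pairs[i].host, "+") == 0) { *wildcard = 1; continue; }
        for (k = 0; k < m; k++)
            if (strcmp(hosts[k], pairs[i].host) == 0) dup = 1;
        if (!dup && (size_t)m < cap)
            snprintf(hosts[m++], 64, "%s", pairs[i].host);
    }
    return m;
}

/* Run both steps over the constructed file.  what: 0 = number of distinct
 * candidate hosts, 1 = number of trust entries, 2 = wildcard seen (0/1). */
int demo_trust(int what)
{
    struct trust_pair pairs[32];
    char hosts[32][64];
    int wildcard, n = parse_rhosts(sample_rhosts, pairs, 32);
    int m = candidate_hosts(pairs, n, hosts, 32, &wildcard);
    return what == 0 ? m : what == 1 ? n : wildcard;
}

int main(void)
{
    printf("%d trust entries, %d distinct candidate hosts, wildcard=%d\n",
           demo_trust(1), demo_trust(0), demo_trust(2));
    return 0;
}
```

The same parser serves the defender: run over every user's .rhosts and the system hosts.equiv, it lists exactly the passwordless paths an attacker who owns one account on one host can walk, which is the map the worm was building.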

General Overview of Worm

Targeted Sun 3 systems and VAXes running 4 BSD.

The worm attacks a host until one of its three attacks succeeds.

A /bin/sh shell is obtained.
• It can parse instructions sent over the network.

The worm compiles and executes a 'bootstrap' program on the host.

General Overview of Worm

The bootstrap connects back to the worm and downloads the worm objects.

The worm connects to the host, links the worm objects together, and runs the worm.

The new worm searches for new hosts to infect, cracks passwords in /etc/passwd, and infects new hosts.

Finger Exploit

Attacked only VAX systems running the finger daemon (the injected code was VAX machine code; on Sun 3 hosts it merely crashed fingerd).

Buffer overflow through the gets() library call.
The stack was overwritten.
An exec() system call was executed, replacing the fingerd process with a /bin/sh shell.

Fingerd turned into a shell.

Sendmail Exploit

The DEBUG feature parses commands.
Relied on sites leaving the debug option enabled in their sendmail.
A command to execute a /bin/sh shell was fed to sendmail.
The sendmail daemon turned into a shell.

Password Exploit

/etc/passwd was world readable and contained pairs of username + password hash.
Dictionary passwords and permutations were fed into the hash function.
If any matched, the password was cracked.

Password Exploit

Obtain the privileges of a user by using his or her password.
Open certain files to discover new hosts.
Connect to those hosts using 'passwordless' rsh.
Relied on the principle that users have only one password, reused across hosts.
On success, a shell was obtained.

Bootstrap Stage

Once a shell was obtained, the finger, sendmail, and password cases are all the same.

The newly infected host compiles and executes the bootstrap program.

The bootstrap establishes a connection back to the worm and gets the object files for two architectures plus the source for the bootstrap program.

Bootstrap Stage

The bootstrap turns into a shell with exec().
The worm instructs it to link the correct object for the architecture.
The worm on the host computer is then executed.

Operation of Worm (initialize)

Hides its own execution to ensure survival:
• Deletes its arguments after copying them to another buffer, to prevent them being displayed.
• Changes its process name to 'sh'.
• Kills the parent process.
• Unlinks its program binary file.
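The defender's side of the tricks listed above, as an added example in C that is not worm code: on Linux, a process that renamed itself "sh" and unlinked its own binary is still visible through /proc, because /proc/<pid>/exe resolves to the original path with " (deleted)" appended, and the name in /proc/<pid>/comm can be compared with that path. The classifier takes those two strings and flags both signs; main walks a live /proc. The list of binaries a legitimate "sh" may resolve to is an assumption, and the check is Linux-specific (the 1988 targets were not Linux hosts).

```c
#include <stdio.h>
#include <string.h>
#include <dirent.h>
#include <unistd.h>
#include <ctype.h>

/* Binaries a process named "sh" may legitimately resolve to (assumed list:
 * on many Linux systems /bin/sh is a symlink, so the exe link resolves to
 * the real shell). */
static const char *known_shells[] = { "sh", "dash", "bash", "ash", "busybox" };

static const char *basename_of(const char *path, size_t len)
{
    const char *b = path;
    for (size_t i = 0; i < len; i++)
        if (path[i] == '/')
            b = path + i + 1;
    return b;
}

/* Classify one process from its name (comm) and the target of its
 * /proc/<pid>/exe link.  Linux appends " (deleted)" when the binary has
 * been unlinked, which is exactly what the worm did to itself.
 * Bitmask: 1 = executable unlinked, 2 = calls itself "sh" but does not
 * resolve to a shell.  3 is the combination the text describes. */
int classify_process(const char *comm, const char *exe_target)
{
    static const char del[] = " (deleted)";
    size_t tl = strlen(exe_target), dl = sizeof del - 1;
    int deleted = tl >= dl && strcmp(exe_target + tl - dl, del) == 0;
    size_t plen = deleted ? tl - dl : tl;
    int flags = deleted ? 1 : 0;

    if (strcmp(comm, "sh") == 0) {
        const char *base = basename_of(exe_target, plen);
        size_t blen = plen - (size_t)(base - exe_target);
        int is_shell = 0;
        for (size_t i = 0; i < sizeof known_shells / sizeof known_shells[0]; i++)
            if (strlen(known_shells[i]) == blen && strncmp(base, known_shells[i], blen) == 0)
                is_shell = 1;
        if (!is_shell)
            flags |= 2;
    }
    return flags;
}

/* Walk /proc and print every process the classifier flags.  Needs Linux
 * and permission to read each process's exe link; processes whose link
 * cannot be read (other users' processes) are skipped.  Returns the hit
 * count, or -1 if /proc is unavailable. */
static int scan_proc(void)
{
    DIR *d = opendir("/proc");
    struct dirent *e;
    int hits = 0;

    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL) {
        char path[64], comm[64], target[512];
        FILE *f;
        ssize_t n;
        int flags;

        if (!isdigit((unsigned char)e->d_name[0]))
            continue;
        snprintf(path, sizeof path, "/proc/%s/comm", e->d_name);
        if ((f = fopen(path, "r")) == NULL)
            continue;
        if (fgets(comm, sizeof comm, f) == NULL)
            comm[0] = '\0';
        fclose(f);
        comm[strcspn(comm, "\n")] = '\0';
        snprintf(path, sizeof path, "/proc/%s/exe", e->d_name);
        if ((n = readlink(path, target, sizeof target - 1)) < 0)
            continue;
        target[n] = '\0';
        flags = classify_process(comm, target);
        if (flags) {
            printf("pid %s comm=%s exe=%s flags=%d\n", e->d_name, comm, target, flags);
            hits++;
        }
    }
    closedir(d);
    return hits;
}

int main(void)
{
    printf("constructed case: flags=%d\n", classify_process("sh", "/tmp/x (deleted)"));
    printf("live scan: %d flagged process(es)\n", scan_proc());
    return 0;
}
```

Flag 1 on its own is common after package upgrades (a long-running daemon whose binary was replaced), so it is a prompt to look, not a verdict; flag 3, a deleted binary that also claims to be the shell, is the specific combination worth an immediate memory capture of the process before it exits.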

Operation of Worm (initialize)

Reads the worm objects and the bootstrap source file in from the stored arguments.
• Solves the problem of replicating itself.

Discovers currently connected hosts and sorts them by priority:
• 1) Gateways
• 2) Hosts on the local net
• 3) Hosts on other nets

Operation of Worm (initialize)

Tries to attack other hosts:
• Send shell instructions to the host; compile and execute the bootstrap.
• Listen on a socket for the host to connect back.
• Send the worm object files and bootstrap to the host.
• Send shell instructions to execute the worm.
• Mark the host as "infected"; otherwise, mark it "can't infect".

Operation of Worm (main loop)

• Read the /etc/passwd password file.
• When another copy of the worm is discovered, communicate with the other worm and randomly decide who will quit.
• Attack passwords with dictionary and random attacks using the hash function.
• Discover more hosts in files using the username/password information.
• Attack hosts as on the previous slide.
• Watch the time; clear the host flags "can't infect" and "infected" every 12 hours.
• Go to the beginning of the loop.

Operation of Worm

Time is divided between cracking passwords and attacking new hosts.
• Cracking passwords could take a very long time with complicated passwords, maybe forever.

Population control
• The distributed nature requires balance.

Attempts to prevent discovery of its execution and recovery of the worm code.

Aftermath

The Internet worm was huge at the time: the first of its kind.
Around 6000 major UNIX machines were infected (around 10% of the Internet).
The worm caused machines to operate at close to their capacity.
Important nation-wide gateways were shut down.

Who?

Identified as Robert T. Morris by the New York Times.
A 23-year-old doctoral student at Cornell University at the time.
His father was the National Computer Security Center's chief scientist (NSA).
Morris released the worm from MIT to conceal the fact that it came from Cornell.

Why?

There was much speculation at the time about his motive.
The worm contained no code to cause any damage to systems.
The worm had no code to stop its own spread.

True motive:
• to use it as a tool to gauge the size of the Internet.

Consequences

Some people think Morris should not have been punished:
• the system administrators or operators should have been punished instead.

Morris was the first person to be indicted under the Computer Fraud and Abuse Act of 1986.
• Sentenced to three years' probation, a fine of $10,050, and 400 hours of community service.

Consequences

Morris received his Ph.D. in computer science from Harvard University in 1999.
Morris is now a professor at MIT.

Effects

Establishment of the Computer Emergency Response Team (CERT) by the Defense Advanced Research Projects Agency (DARPA) at the Software Engineering Institute at Carnegie Mellon University.

The worm made people think more about ethics and laws concerning access to computers.

Questions?