291 lines
16 KiB
Text
291 lines
16 KiB
Text
==Phrack Inc.==
|
|
|
|
Volume Two, Issue 22, File 8 of 12
|
|
|
|
"]}`"`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\
|
|
\`\`\ \`\`\
|
|
\`\ A Report On The InterNet Worm \`\
|
|
\`\ \`\
|
|
\`\ By Bob Page \`\
|
|
\`\ \`\
|
|
\`\ University of Lowell \`\
|
|
\`\ Computer Science Department \`\
|
|
\`\ \`\
|
|
\`\ November 7, 1988 \`\
|
|
\`\`\ \`\`\
|
|
\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\
|
|
|
|
|
|
Here's the truth about the "Internet Worm." Actually it's not a virus -
|
|
a virus is a piece of code that adds itself to other programs, including
|
|
operating systems. It cannot run independently, but rather requires that its
|
|
"host" program be run to activate it. As such, it has a clear analog to
|
|
biologic viruses -- those viruses are not considered live, but they invade host
|
|
cells and take them over, making them produce new viruses.
|
|
|
|
A worm is a program that can run by itself and can propagate a fully working
|
|
version of itself to other machines. As such, what was loosed on the Internet
|
|
was clearly a worm.
|
|
|
|
This data was collected through an emergency mailing list set up by Gene
|
|
Spafford at Purdue University, for administrators of major Internet sites -
|
|
some of the text is included verbatim from that list.
|
|
|
|
The basic object of the worm is to get a shell on another machine so it can
|
|
reproduce further. There are three ways it attacks: sendmail, fingerd, and
|
|
rsh/rexec.
|
|
|
|
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
|
|
|
The Sendmail Attack:
|
|
|
|
In the sendmail attack, the worm opens a TCP connection to another machine's
|
|
sendmail (the SMTP port), invokes debug mode, and sends a RCPT TO that requests
|
|
its data be piped through a shell. That data, a shell script (first-stage
|
|
bootstrap) creates a temporary second-stage bootstrap file called x$$,l1.c
|
|
(where '$$' is the current process ID). This is a small (40-line) C program.
|
|
|
|
The first-stage bootstrap compiles this program with the local cc and executes
|
|
it with arguments giving the Internet hostid/socket/password of where it just
|
|
came from. The second-stage bootstrap (the compiled C program) sucks over two
|
|
object files, x$$,vax.o and x$$,sun3.o from the attacking host. It has an
|
|
array for 20 file names (presumably for 20 different machines), but only two
|
|
(vax and sun) were compiled in to this code. It then figures out whether it's
|
|
running under BSD or SunOS and links the appropriate file against the C library
|
|
to produce an executable program called /usr/tmp/sh - so it looks like the
|
|
Bourne shell to anyone who looked there.
|
|
|
|
|
|
The Fingerd Attack:
|
|
|
|
In the fingerd attack, it tries to infiltrate systems via a bug in fingerd, the
|
|
finger daemon. Apparently this is where most of its success was (not in
|
|
sendmail, as was originally reported). When fingerd is connected to, it reads
|
|
its arguments from a pipe, but doesn't limit how much it reads. If it reads
|
|
more than the internal 512-byte buffer allowed, it writes past the end of its
|
|
stack. After the stack is a command to be executed ("/usr/ucb/finger") that
|
|
actually does the work. On a VAX, the worm knew how much further from the
|
|
stack it had to clobber to get to this command, which it replaced with the
|
|
command "/bin/sh" (the bourne shell). So instead of the finger command being
|
|
executed, a shell was started with no arguments. Since this is run in the
|
|
context of the finger daemon, stdin and stdout are connected to the network
|
|
socket, and all the files were sucked over just like the shell that sendmail
|
|
provided.
|
|
|
|
|
|
The Rsh/Rexec Attack:
|
|
|
|
The third way it tried to get into systems was via the .rhosts and
|
|
/etc/hosts.equiv files to determine 'trusted' hosts where it might be able to
|
|
migrate to. To use the .rhosts feature, it needed to actually get into
|
|
people's accounts - since the worm was not running as root (it was running as
|
|
daemon) it had to figure out people's passwords. To do this, it went through
|
|
the /etc/passwd file, trying to guess passwords. It tried combinations of: the
|
|
username, the last, first, last+first, nick names (from the GECOS field), and a
|
|
list of special "popular" passwords:
|
|
|
|
aaa cornelius guntis noxious simon
|
|
academia couscous hacker nutrition simple
|
|
aerobics creation hamlet nyquist singer
|
|
airplane creosote handily oceanography single
|
|
albany cretin happening ocelot smile
|
|
albatross daemon harmony olivetti smiles
|
|
albert dancer harold olivia smooch
|
|
alex daniel harvey oracle smother
|
|
alexander danny hebrides orca snatch
|
|
algebra dave heinlein orwell snoopy
|
|
aliases december hello osiris soap
|
|
alphabet defoe help outlaw socrates
|
|
ama deluge herbert oxford sossina
|
|
amorphous desperate hiawatha pacific sparrows
|
|
analog develop hibernia painless spit
|
|
anchor dieter honey pakistan spring
|
|
andromache digital horse pam springer
|
|
animals discovery horus papers squires
|
|
answer disney hutchins password strangle
|
|
anthropogenic dog imbroglio patricia stratford
|
|
anvils drought imperial penguin stuttgart
|
|
anything duncan include peoria subway
|
|
aria eager ingres percolate success
|
|
ariadne easier inna persimmon summer
|
|
arrow edges innocuous persona super
|
|
arthur edinburgh irishman pete superstage
|
|
athena edwin isis peter support
|
|
atmosphere edwina japan philip supported
|
|
aztecs egghead jessica phoenix surfer
|
|
azure eiderdown jester pierre suzanne
|
|
bacchus eileen jixian pizza swearer
|
|
bailey einstein johnny plover symmetry
|
|
banana elephant joseph plymouth tangerine
|
|
bananas elizabeth joshua polynomial tape
|
|
bandit ellen judith pondering target
|
|
banks emerald juggle pork tarragon
|
|
barber engine julia poster taylor
|
|
baritone engineer kathleen praise telephone
|
|
bass enterprise kermit precious temptation
|
|
bassoon enzyme kernel prelude thailand
|
|
batman ersatz kirkland prince tiger
|
|
beater establish knight princeton toggle
|
|
beauty estate ladle protect tomato
|
|
beethoven euclid lambda protozoa topography
|
|
beloved evelyn lamination pumpkin tortoise
|
|
benz extension larkin puneet toyota
|
|
beowulf fairway larry puppet trails
|
|
berkeley felicia lazarus rabbit trivial
|
|
berliner fender lebesgue rachmaninoff trombone
|
|
beryl fermat lee rainbow tubas
|
|
beverly fidelity leland raindrop tuttle
|
|
bicameral finite leroy raleigh umesh
|
|
bob fishers lewis random unhappy
|
|
brenda flakes light rascal unicorn
|
|
brian float lisa really unknown
|
|
bridget flower louis rebecca urchin
|
|
broadway flowers lynne remote utility
|
|
bumbling foolproof macintosh rick vasant
|
|
burgess football mack ripple vertigo
|
|
campanile foresight maggot robotics vicky
|
|
cantor format magic rochester village
|
|
cardinal forsythe malcolm rolex virginia
|
|
carmen fourier mark romano warren
|
|
carolina fred markus ronald water
|
|
caroline friend marty rosebud weenie
|
|
cascades frighten marvin rosemary whatnot
|
|
castle fun master roses whiting
|
|
cat fungible maurice ruben whitney
|
|
cayuga gabriel mellon rules will
|
|
celtics gardner merlin ruth william
|
|
cerulean garfield mets sal williamsburg
|
|
change gauss michael saxon willie
|
|
charles george michelle scamper winston
|
|
charming gertrude mike scheme wisconsin
|
|
charon ginger minimum scott wizard
|
|
chester glacier minsky scotty wombat
|
|
cigar gnu moguls secret woodwind
|
|
classic golfer moose sensor wormwood
|
|
clusters gorgeous morley serenity yaco
|
|
coffee gorges mozart sharks yang
|
|
coke gosling nancy sharon yellowstone
|
|
collins gouge napoleon sheffield yosemite
|
|
commrades graham nepenthe sheldon zap
|
|
computer gryphon ness shiva zimmerman
|
|
condo guest network shivers
|
|
cookie guitar newton shuttle
|
|
cooper gumption next signature
|
|
|
|
|
|
When everything else fails, it opens /usr/dict/words and tries every word in
|
|
the dictionary. It is pretty successful in finding passwords, as most people
|
|
don't choose them very well. Once it gets into someone's account, it looks for
|
|
a .rhosts file and does an 'rsh' and/or 'rexec' to another host, it sucks over
|
|
the necessary files into /usr/tmp and runs /usr/tmp/sh to start all over again.
|
|
|
|
Between these three methods of attack (sendmail, fingerd, .rhosts) it was able
|
|
to spread very quickly.
|
|
|
|
|
|
The Worm Itself:
|
|
|
|
The 'sh' program is the actual worm. When it starts up it clobbers its argv
|
|
array so a 'ps' will not show its name. It opens all its necessary files, then
|
|
unlinks (deletes) them so they can't be found (since it has them open, however,
|
|
it can still access the contents). It then tries to infect as many other hosts
|
|
as possible - when it sucessfully connects to one host, it forks a child to
|
|
continue the infection while the parent keeps on trying new hosts.
|
|
|
|
One of the things it does before it attacks a host is connect to the telnet
|
|
port and immediately close it. Thus, "telnetd: ttloop: peer died" in
|
|
/usr/adm/messages means the worm attempted an attack.
|
|
|
|
The worm's role in life is to reproduce - nothing more. To do that it needs to
|
|
find other hosts. It does a 'netstat -r -n' to find local routes to other
|
|
hosts & networks, looks in /etc/hosts, and uses the yellow pages distributed
|
|
hosts file if it's available. Any time it finds a host, it tries to infect it
|
|
through one of the three methods, see above. Once it finds a local network
|
|
(like 129.63.nn.nn for ulowell) it sequentially tries every address in that
|
|
range.
|
|
|
|
If the system crashes or is rebooted, most system boot procedures clear /tmp
|
|
and /usr/tmp as a matter of course, erasing any evidence. However, sendmail
|
|
log files show mail coming in from user /dev/null for user /bin/sed, which is a
|
|
tipoff that the worm entered.
|
|
|
|
Each time the worm is started, there is a 1/15 chance (it calls random()) that
|
|
it sends a single byte to ernie.berkeley.edu on some magic port, apparently to
|
|
act as some kind of monitoring mechanism.
|
|
|
|
|
|
The Crackdown:
|
|
|
|
Three main 'swat' teams from Berkeley, MIT and Purdue found copies of the VAX
|
|
code (the .o files had all the symbols intact with somewhat meaningful names)
|
|
and disassembled it into about 3000 lines of C. The BSD development team poked
|
|
fun at the code, even going so far to point out bugs in the code and supplying
|
|
source patches for it! They have not released the actual source code, however,
|
|
and refuse to do so. That could change - there are a number of people who want
|
|
to see the code.
|
|
|
|
Portions of the code appear incomplete, as if the program development was not
|
|
yet finished. For example, it knows the offset needed to break the BSD
|
|
fingerd, but doesn't know the correct offset for Sun's fingerd (which causes it
|
|
to dump core); it also doesn't erase its tracks as cleverly as it might; and so
|
|
on.
|
|
|
|
The worm uses a variable called 'pleasequit' but doesn't correctly initialize
|
|
it, so some folks added a module called _worm.o to the C library, which is
|
|
produced from: int pleasequit = -1; the fact that this value is set to -1 will
|
|
cause it to exit after one iteration.
|
|
|
|
The close scrutiny of the code also turned up comments on the programmer's
|
|
style. Verbatim from someone at MIT:
|
|
|
|
From disassembling the code, it looks like the programmer is really
|
|
anally retentive about checking return codes, and, in addition,
|
|
prefers to use array indexing instead of pointers to walk through
|
|
arrays.
|
|
|
|
Anyone who looks at the binary will not see any embedded strings - they are
|
|
XOR'ed with 81 (hex). That's how the shell commands are imbedded. The
|
|
"obvious" passwords are stored with their high bit set.
|
|
|
|
Although it spreads very fast, it is somewhat slowed down by the fact that it
|
|
drives the load average up on the machine - this is due to all the encryptions
|
|
going on, and the large number of incoming worms from other machines.
|
|
|
|
[Initially, the fastest defense against the worm is is to create a directory
|
|
called /usr/tmp/sh. The script that creates /usr/tmp/sh from one of the .o
|
|
files checks to see if /usr/tmp/sh exists, but not to see if it's a directory.
|
|
This fix is known as 'the condom'.]
|
|
|
|
|
|
Now What?
|
|
|
|
Most Internet systems running 4.3BSD or SunOS have installed the necessary
|
|
patches to close the holes and have rejoined the Internet. As you would
|
|
expect, there is a renewed interest in system/network security, finding and
|
|
plugging holes, and speculation over what will happen to the worm's creator.
|
|
|
|
If you haven't read or watched the news, various log files have named
|
|
the responsible person as Robert Morris Jr., a 23-year old doctoral student at
|
|
Cornell. His father is head of the National Computer Security Center, the
|
|
NSA's public effort in computer security, and has lectured widely on security
|
|
aspects of UNIX.
|
|
|
|
Associates of the student claim the worm was a 'mistake' - that he intended to
|
|
unleash it but it was not supposed to move so quickly or spread so much. His
|
|
goal was to have a program 'live' within the Internet. If the reports that he
|
|
intended it to spread slowly are true, then it's possible that the bytes sent
|
|
to ernie.berkeley.edu were intended to monitor the spread of the worm. Some
|
|
news reports mentioned that he panicked when, via some "monitoring mechanism"
|
|
he saw how fast it had propagated.
|
|
|
|
A source inside DEC reports that although the worm didn't make much progress
|
|
there, it was sighted on several machines that wouldn't be on its normal
|
|
propagation path, i.e. not gateways and not on the same subnet. These machines
|
|
are not reachable from the outside. Morris was a summer intern at DEC in '87.
|
|
He might have included names or addresses he remembered as targets for
|
|
infesting hidden internal networks. Most of the DEC machines in question
|
|
belong to the group he worked in.
|
|
|
|
The final word has not been written...
|
|
...it will be interesting to see what happens.
|
|
_______________________________________________________________________________
|