Picking apart the Morris Worm
By Jayakrishna Menon V

Page 1: Picking apart the Morris Worm (title slide)

Page 2: What is a worm?

➔ Different from a virus.
➔ Travels between systems on its own.
➔ Able to replicate itself.

Page 3: What's so special about this one?

➔ Showed only a fraction of its capabilities.
➔ Estimated cost around $100,000-10,000,000.
➔ Left around 6000 systems dead in the water.
➔ Its creator was the first person in the US convicted under the Computer Fraud and Abuse Act of 1986.
➔ Intended to measure the total number of users on the internet.

Page 4: The story

➔ 6 pm EST, 2 November 1988.
➔ Sun Microsystems Sun 3 systems and VAX computers running variants of 4 BSD UNIX.
➔ Systems became more and more loaded with running processes.
➔ Eventually some of these machines could not continue any processing.

Page 5: The story, continued

➔ The load average for a system is usually 1.
➔ A load average greater than 5 causes delays in processing.
➔ The load average reached 37 within two hours.

Page 6: What did it do?

➔ Transferred a copy of itself to other connected hosts.
➔ Already infected systems were infected again.
➔ The number of running instances of the program increased dramatically.
➔ Rendered systems unable to continue any processing.
➔ Similar effect to that of a fork bomb.

Page 7: Cracksome routine

➔ Four-step process that finds new hosts and brute-forces passwords.
➔ Reads through the /etc/hosts.equiv and .rhosts files to find new hosts.
➔ The names of these hosts are marked for later use.
➔ Uses the /etc/passwd file to find personal .forward files.
➔ Gets the locations of additional machines to attack.

Page 8: Brute forcing passwords

➔ Weak passwords tried first:
◆ No password.
◆ Username as password.
◆ Username appended to itself.
◆ Second value of the GECOS string in /etc/passwd.
◆ Last name of the user from the GECOS string.
◆ Last name reversed.
◆ Username reversed.
➔ If successful, it calls the attack_user routine.
➔ Else it proceeds to crack passwords using a dictionary attack.
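A password-policy check built from the weak-password list on this slide, as an added example (my own code, not the worm's): `is_weak_password()` rejects a proposed password that equals any of the derivations listed, which is the check a password-change tool should run before accepting a new password. I take "second value of the GECOS string" to mean the second space-separated word of the GECOS name field and "last name" to mean its last word; both readings are assumptions, and comparisons are case-sensitive.

```c
#include <stdio.h>
#include <string.h>

#define MAXF 128   /* assumed upper bound on user name and GECOS length */

/* Reverse s into out; out must hold strlen(s)+1 bytes. */
static void reverse(const char *s, char *out)
{
    size_t n = strlen(s);
    for (size_t i = 0; i < n; i++)
        out[i] = s[n - 1 - i];
    out[n] = '\0';
}

/* Copy the k-th whitespace-separated word (0-based) of the GECOS name,
 * i.e. the text before the first comma, into out; k == -1 selects the
 * last word. Returns 0 when there is no such word (assumed reading of
 * "second value" and "last name" on the slide). */
static int gecos_word(const char *gecos, int k, char *out, size_t outsz)
{
    char name[MAXF], *words[16];
    int n = 0;
    snprintf(name, sizeof name, "%s", gecos);
    char *comma = strchr(name, ',');
    if (comma) *comma = '\0';
    for (char *t = strtok(name, " \t"); t && n < 16; t = strtok(NULL, " \t"))
        words[n++] = t;
    if (n == 0) return 0;
    if (k == -1) k = n - 1;
    if (k >= n) return 0;
    snprintf(out, outsz, "%s", words[k]);
    return 1;
}

/* Returns 1 if pw is one of the trivial derivations the slide lists. */
int is_weak_password(const char *user, const char *gecos, const char *pw)
{
    char cand[2 * MAXF], tmp[MAXF];
    if (pw[0] == '\0') return 1;                       /* no password */
    if (strcmp(pw, user) == 0) return 1;               /* user name */
    snprintf(cand, sizeof cand, "%s%s", user, user);   /* user name appended to itself */
    if (strcmp(pw, cand) == 0) return 1;
    reverse(user, cand);                               /* user name reversed */
    if (strcmp(pw, cand) == 0) return 1;
    if (gecos_word(gecos, 1, tmp, sizeof tmp) && strcmp(pw, tmp) == 0)
        return 1;                                      /* second GECOS value */
    if (gecos_word(gecos, -1, tmp, sizeof tmp)) {      /* last name, plain and reversed */
        if (strcmp(pw, tmp) == 0) return 1;
        reverse(tmp, cand);
        if (strcmp(pw, cand) == 0) return 1;
    }
    return 0;
}
```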

Page 9: Dictionary attack

➔ Contained a built-in dictionary of words assumed to be likely passwords.
➔ Encrypted using the md5 algorithm and compared with the strings in the /etc/passwd file.
➔ If the resulting hashes were the same, the attack_user method was called.
➔ Else, it moved on to a more difficult password-cracking method.

Page 10: (slide without extractable text)

Page 11: The last resort

➔ Open the /usr/dict/words file.
➔ Contains many words used by the user.
➔ Check each of these words as a password.
➔ Never completed, due to the huge number of words in the dictionary.
➔ If successful, the attack_user routine was called.
➔ Else, the machine was marked as immune and the worm moved on to infecting the other newly found machines.

Page 12: How did it spread?

➔ The worm used a three-pronged attack to compromise systems and propagate.
◆ Spreading over rexec and rsh.
◆ Exploiting the vulnerability in the fingerd program.
◆ Exploiting the bug in the sendmail program.
➔ These bugs have been fixed and are not exploitable today.
➔ However, similar vulnerabilities still exist today.

Page 13: Infect routine

➔ Called after the cracksome routine returns a host.
➔ Check whether the host returned is the current host.
➔ Check whether the host returned is immune.
➔ Start with try_rsh.
➔ Move on to try_fingerd.
➔ Move on to try_sendmail.
➔ Mark the target as immune.

Page 14: rsh and rexec

➔ Services that allow other systems to execute commands remotely.
➔ Systems should be connected in a network.
➔ Systems have pre-established trust relationships with other systems.
➔ The worm exploits these trust relationships between systems.

Page 15: Finger daemon vulnerability

➔ The finger program allows one to determine the status of a given user on a system.
➔ Exploits a technical flaw in the finger daemon program which leads to RCE.
➔ The instance running on the server takes in a message from the client and stores it in a 512-byte buffer.
➔ The message is read into the buffer using the gets function.

Page 16: Sendmail program

➔ It listens for SMTP connections.
➔ Exploited a bug in a functionality provided by the sendmail program.
➔ The recipient was a set of commands instead of a user address.
➔ Thus messages could be sent to a process rather than a user.
➔ This vulnerability was used by the program's creators to test it but was never removed.

Page 17: try_rsh method

➔ The names of trusted hosts were saved in text files such as /etc/hosts.equiv and .rhosts.
➔ Creates a duplicate process which attempts to execute remotely on the target machine.
➔ If successful, a copy of the worm is sent to the new machine.
➔ Else it moves on to the try_fingerd method.

Page 18: try_fingerd method

➔ The gets function is used to read a message from the client and save it in a 512-byte buffer.
➔ Exploited using a buffer overflow attack.
➔ A message of length 536 was sent.
➔ The last 24 bytes overwrote the addresses on the stack frame and resulted in RCE.
➔ Transfers a copy of itself onto the new machine.
➔ If this failed, it moves on to the try_sendmail method.
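The bounded-read fix for the gets() flaw described on this slide and on slide 15, as an added example (my own code, not fingerd's or the worm's): the old daemon's unbounded `gets()` into a 512-byte buffer appears only as a comment, and `read_request()` is the hardened replacement, which refuses a request longer than the buffer instead of writing past it. `request_from_string()` is a constructed test helper standing in for the network socket.

```c
#include <stdio.h>
#include <string.h>

#define REQ_BUF 512   /* size of the request buffer in the old fingerd */

/* Vulnerable pattern from the slides: gets() does not know the buffer
 * size, so a 536-byte request writes 24 bytes past a 512-byte buffer.
 *     char line[REQ_BUF];
 *     gets(line);            -- never do this
 */

/* Hardened reader: reads at most bufsz-1 bytes and refuses an over-long
 * line instead of silently keeping a prefix of it.
 * Returns 0 on success, -1 on EOF, -2 if the line did not fit (the rest
 * of that line is drained and buf is left empty). */
int read_request(FILE *in, char *buf, size_t bufsz)
{
    if (fgets(buf, (int)bufsz, in) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';             /* strip the newline, as gets() did */
        return 0;
    }
    /* No newline in buf: peek at the next byte to tell "line exactly
     * filled the buffer" or "last line without newline" from overflow. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 0;
    while (c != '\n' && c != EOF)      /* drain the oversized request */
        c = fgetc(in);
    buf[0] = '\0';
    return -2;
}

/* Constructed test helper: wrap a string in a FILE* so the reader can be
 * exercised without a socket (ISO C tmpfile, no POSIX needed). */
FILE *request_from_string(const char *s)
{
    FILE *f = tmpfile();
    if (f == NULL) return NULL;
    fputs(s, f);
    rewind(f);
    return f;
}

int main(void)
{
    char big[REQ_BUF + 26], buf[REQ_BUF];
    memset(big, 'A', 536);             /* the 536-byte request from the slide */
    big[536] = '\n'; big[537] = '\0';
    FILE *f = request_from_string(big);
    printf("536-byte request -> %d\n", read_request(f, buf, sizeof buf)); /* prints -2 */
    fclose(f);
    return 0;
}
```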

Page 19: try_sendmail method

➔ Send a mail to the sendmail program of the target machine with an artificial recipient.
➔ This string passes the body of the mail to the command interpreter.
➔ The interpreter compiles and executes program code sent in the body of the message.
➔ Creates a reverse shell which connects back to the infected machine.
➔ Transfers a copy of itself onto the new machine.
➔ If this also failed, the host was marked as immune.

Page 20: Evasion

➔ The worm spawns itself as a child process.
➔ The child, which has a different process ID from the parent process, kills the parent.
➔ The maximum size of the core dump is set to zero.
➔ It changes its own name to 'sh' to avoid detection.

Page 21: Reasons for system crash

➔ Figuring out whether an instance was already running on a host.
➔ Asking the host for an answer makes it extremely easy to kill.
➔ Used the current time as a seed and generated a random number.
➔ The probability of infecting a particular host was 1/7.

Page 22: Review

1. Uses different methods to avoid detection.
2. Possible hosts are found using the first step of the cracksome routine.
3. Password brute forcing.
4. Uses randomization to determine whether or not to infect a host once the correct password was found.
5. If the result is a go-ahead, the worm starts the infect routine.
6. Else, it searches for other hosts.

Page 23: Summary

➔ Not intended to disable machines.
➔ Deployed with the purpose of finding out the total number of users on the internet.
➔ The worm never completed certain parts of its execution.
➔ It was intended to be difficult to track and kill.

Page 24: Conclusion

➔ Historical importance.
➔ Three attack vectors for infecting hosts.
➔ Recognition of cyber security as a formal discipline.
➔ Need for strong passwords.

Page 25: (slide without extractable text)