
Legends of virus construction: the Great Worm

Twenty-one years ago an event occurred that is forever imprinted in the history of the Internet.

On November 2, 1988, 99 lines of code threw the still young and inexperienced field of Internet security into a two-day state of shock.

About 6,000 VAX and Sun machines running BSD UNIX were hit by an unprecedented infection. Many administrators were forced to take their charges off the network simply to stop the overloading of the computers and the spread of the infection.

It was the Morris Worm, or, as it is commonly known, the Great Worm. The name refers to the devastating consequences it had for the Internet, both in terms of overall system downtime and in its psychological impact on the idea of safety and reliability on the network (the analogy is with Tolkien's Great Worms). The suddenness of the attack and some of the mechanisms built into the worm drove many administrators of the time to the edge of their nerves. Reactions ranged across the whole spectrum from "disable everything!" to the panicked "we are under attack!"

The creator and initiator of the worm, Robert Morris Jr., then a student at Cornell University (his father, Morris senior, was at the time doing the exact opposite job, serving as a scientific supervisor at the NCSC, the National Computer Security Center), launched his monster from an MIT computer (prep.ai.mit.edu, an open-access machine) so as not to draw attention to his own university. Why he did it will always remain a mystery. By his own account, it was just an experiment that got out of control. Strictly speaking, though, the Worm caused no direct damage.

A small list of attacked computers

MIT, the University of Minnesota, North Carolina, the University of Pittsburgh, RAND Corporation machines, Stanford, Berkeley, Carnegie Mellon University, the University of Maryland, the University of Pennsylvania, the Massachusetts Institute of Technology again, the University of Colorado and Purdue University machines, and many others.

Worm attack vectors

The worm used several different propagation paths, which boil down to exploiting vulnerabilities and the simplest kind of password guessing.

The worm consisted of two parts: the loader (99 lines of C) and the kernel, which consisted of two binary modules: the code compiled for BSD on the VAX and the same code compiled for the Sun architecture. All of the internal procedures had meaningful names (for example, doit or cracksome), which greatly eased the later disassembly of the binaries.

The worm injected a copy of itself onto remote computers and launched it there. Every infected computer in turn tried to infect all the other machines connected to it. The worm was tailored to BSD UNIX and the Sun-3. On finding such machines connected to the infected one, the worm copied itself to the remote computer, started there, tried to gain as much access as possible (using it only to continue the break-in), and went on to infect neighbouring machines. Spreading like an avalanche through an unprotected network, the worm multiplied its copies in full accordance with the theory of self-replicating mechanisms, whose foundations were laid by John von Neumann.

At first nobody understood anything, but after a few hours the most experienced administrators began to act as best they could. Some disconnected their machines from the network and tried to reboot them in the hope of clearing the overload (completely in vain: on restart the worm created several more copies of itself and the load only grew). Some rushed to send panicked messages to the mailing lists ("We are under attack!"), which was also in vain, since the lists were out of action for several hours because of the worm. And some went looking for the reasons behind the worm's instant spread.

At Berkeley, on the evening of the same day, they realised that the attack was coming through rsh and sendmail. As a precaution, network services began to be blocked.

Some time later, realising the scale of the problem, Morris told his friends about an experiment that had gone out of control. Shortly after, an anonymous posting appeared on the TCP-IP list briefly describing how to stop the Worm. Its author (Andy Sudduth) sent the message after a telephone conversation with Morris, but because of the overload of the networks and computers the message was not delivered for about a day.

Soon the worm's attack vectors began to be discovered independently by different people.

The first was the sendmail daemon. Keith Bostic sent a warning about the Worm and patches for sendmail to the TCP-IP mailing list, the 4bsd-ucb-fixes newsgroup and several system administrators.

The worm used the debug feature of the sendmail daemon, which switched the current communication session into debugging mode. An additional property of debugging mode was that a message could be addressed to a program as its recipient: the program was run on the remote machine and received the message as its input. This feature, not covered by the SMTP protocol, was used by the developers to debug the program and was left in the production version by mistake.

Through sendmail the worm infected two types of computer, VAX and Sun, so binary code for each architecture was sent; both were started, but only one could actually execute. On computers of other architectures the programs could not function, although they still consumed system resources during compilation.

A few hours later it turned out that the sendmail patches did not help: computers were being infected in some other way. Because of the worm's actions, MILNET and ARPANET were disconnected.

After a few more hours, different people in different laboratories independently discovered the vulnerability in the fingerd daemon and finished patches for it.

Fingerd code snippet (the request line was read into a fixed 512-byte stack buffer):

{
    char buf[512];
    ...
    gets(buf);   /* no length limit: input longer than 512 bytes overwrites the stack */
}


This is a classic buffer overflow (though apparently it was not yet a classic at the time). The worm sent a specially prepared string of 536 bytes which eventually resulted in a call to execve("/bin/sh", 0, 0). Only VAX machines running 4.3BSD were attacked this way; on Sun computers such attacks failed.
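The fix that the fingerd patches amounted to is a bounded read. The following is an added example (not the 4.3BSD fingerd source, and not the worm's code): a replacement for the gets(buf) call that keeps the same 512-byte buffer, refuses to store more than fits, drains the rest of an overlong line, and reports the truncation so the server can reject the request. The struct conn and the 536-byte request are constructed here to stand in for a socket; overlong_request_demo replays only the size relationship described above.

```c
#include <stdio.h>
#include <string.h>

#define REQ_BUFSZ 512   /* same size as the fingerd buffer in the snippet above */

/* Simulated client connection (constructed for this example): the bytes the
 * remote side sent, consumed one at a time as a socket read would deliver them. */
struct conn {
    const char *data;
    size_t len;
    size_t pos;
};

static int conn_getc(struct conn *c)
{
    return c->pos < c->len ? (unsigned char)c->data[c->pos++] : EOF;
}

/* Bounded replacement for gets(buf): copies at most bufsz-1 bytes of the
 * request line, always NUL-terminates, strips a trailing CR, and drains the
 * rest of an overlong line instead of writing it past the end of buf.
 * Returns 0 for a complete line, -1 for EOF with no data, and -2 if the line
 * was longer than the buffer (the caller should reject the request). */
int read_request_line(struct conn *c, char *buf, size_t bufsz)
{
    size_t n = 0;
    int ch, truncated = 0;

    if (bufsz == 0)
        return -2;
    while ((ch = conn_getc(c)) != EOF && ch != '\n') {
        if (n + 1 < bufsz)
            buf[n++] = (char)ch;
        else
            truncated = 1;          /* excess bytes are discarded, never stored */
    }
    if (n > 0 && buf[n - 1] == '\r')
        n--;                        /* finger requests end in CRLF */
    buf[n] = '\0';
    if (ch == EOF && n == 0 && !truncated)
        return -1;
    return truncated ? -2 : 0;
}

/* Convenience wrapper: read one request line out of a string. */
int read_line_from_string(const char *input, char *buf, size_t bufsz)
{
    struct conn c = { input, strlen(input), 0 };
    return read_request_line(&c, buf, bufsz);
}

/* Replays the shape of the 1988 request: 536 bytes against a 512-byte buffer.
 * Returns the reader's status (-2 expected) and reports through *stored how
 * many bytes actually landed in the buffer (511: room is left for the NUL). */
int overlong_request_demo(size_t *stored)
{
    char request[536 + 2];
    char buf[REQ_BUFSZ];
    int rc;

    memset(request, 'A', 536);      /* constructed payload: plain filler */
    request[536] = '\n';
    request[537] = '\0';
    rc = read_line_from_string(request, buf, sizeof buf);
    *stored = strlen(buf);
    return rc;
}

int main(void)
{
    char buf[REQ_BUFSZ];
    size_t stored;
    int rc = read_line_from_string("bob\r\n", buf, sizeof buf);
    printf("normal request: rc=%d user=\"%s\"\n", rc, buf);
    rc = overlong_request_demo(&stored);
    printf("536-byte request: rc=%d, bytes kept=%zu\n", rc, stored);
    return 0;
}
```

The important design choice is that an overlong line is both truncated and reported: silently truncating would let a client smuggle a different username than it appears to have sent, while reporting without draining would leave the excess bytes to be misread as the next request.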

But that's not all. In Unix, both then and now, there is a set of services for remote program execution: today ssh is used for this, and back then its place was taken by the so-called r-programs. Their weakest point was the idea of "trust": users of computers on the list of "trusted hosts" had the right to run their programs on the "trusting" machine without any additional verification, and the trust relationship was often mutual. The worm tried to use rsh, the remote shell program, to attack other machines with the name and password it had obtained for the current user, or with no authentication at all if the attacked machine "trusted" the infected one.

So the Worm reached the neighbours of an infected machine through the hole in sendmail, the hole in fingerd, or "trust" and rsh. Onto the attacked computer it dropped the loader source together with the commands to compile it, run it and erase all the temporary files. The loader then pulled in all three files and tried to start one body, then the other. If neither of the two bodies started, the loader simply erased both of them and itself and stopped.

Once launched, the Worm disguised itself in every way it could: it erased its executable file, kept both bodies encrypted, read them into memory and erased them from disk as well, and, as far as possible, altered the information about itself in the process table.

Then it collected information about the infected computer's network interfaces and about neighbouring computers, and subjected some of the neighbours to infection attempts. Those it managed to infect were marked as infected; those it failed to infect were marked as "immune". Experts tend to see a bug here, since the section of the worm's code responsible for preventing the re-infection of machines contained many errors.

This was key to the worm's resilience. Many machines were re-infected; the load on the systems and the network grew until it became very noticeable and often led to denial of service, so that the worm itself was detected and disarmed much faster than it would have been without the repeated infections. On the other hand, repeatedly infected machines spread the worm faster (probably in proportion to the number of copies running on the machine), which accounts for the lightning speed of the spread, and the denials of service caused panic and knocked out some key nodes, causing the network to fall apart into subnets for a while.

Passwords were guessed in a rather simple but effective way: four variations on the user's login name were tried, along with a list of roughly 200-400 words. According to some reports, on individual computers more than half of the passwords were recovered this way.
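The defensive counterpart of that guessing strategy is to refuse such passwords when they are set. Below is an added example (not from the article, the worm, or any BSD utility) of a password-acceptance check in C. The article only gives the count of login-derived variations, so the four tried here (the login itself, reversed, doubled, and with its first letter capitalised) are an assumption, and the short WORDLIST is a constructed stand-in for the 200-400 word list.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOGIN 128

/* Assumed login-derived variations (the article gives the count, four, but not
 * the list; these four are an educated guess, not the worm's table):
 * the login itself, reversed, doubled, and with the first letter upper-cased.
 * An empty password is rejected unconditionally. */
static void reverse_into(char *dst, const char *src)
{
    size_t n = strlen(src);
    for (size_t i = 0; i < n; i++)
        dst[i] = src[n - 1 - i];
    dst[n] = '\0';
}

int is_login_derived(const char *login, const char *password)
{
    char tmp[2 * MAX_LOGIN + 1];
    size_t n = strlen(login);

    if (n == 0 || n > MAX_LOGIN)
        return 0;                       /* nothing sensible to derive from */
    if (password[0] == '\0')
        return 1;
    if (strcmp(password, login) == 0)
        return 1;
    reverse_into(tmp, login);
    if (strcmp(password, tmp) == 0)
        return 1;
    snprintf(tmp, sizeof tmp, "%s%s", login, login);
    if (strcmp(password, tmp) == 0)
        return 1;
    strcpy(tmp, login);
    tmp[0] = (char)toupper((unsigned char)tmp[0]);
    return strcmp(password, tmp) == 0;
}

/* Constructed stand-in for the worm's word list; a real deployment would load
 * a full dictionary file. Matching is case-insensitive. */
static const char *const WORDLIST[] = {
    "password", "secret", "welcome", "computer", "unix", "berkeley", "wizard",
};

int in_wordlist(const char *password)
{
    size_t count = sizeof WORDLIST / sizeof WORDLIST[0];
    for (size_t i = 0; i < count; i++) {
        const char *w = WORDLIST[i], *p = password;
        while (*w && *p && tolower((unsigned char)*w) == tolower((unsigned char)*p)) {
            w++;
            p++;
        }
        if (*w == '\0' && *p == '\0')
            return 1;
    }
    return 0;
}

/* Policy verdict: 1 = acceptable, 0 = guessable by the worm's method. */
int password_acceptable(const char *login, const char *password)
{
    if (is_login_derived(login, password))
        return 0;
    if (in_wordlist(password))
        return 0;
    return 1;
}

int main(void)
{
    const char *login = "morris";   /* constructed sample account */
    const char *candidates[] = { "morris", "sirrom", "Morris", "Wizard", "Tq7!vx#Lm9" };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        printf("%-12s %s\n", candidates[i],
               password_acceptable(login, candidates[i]) ? "accepted" : "rejected");
    return 0;
}
```

Such a check belongs at password-change time, which is the only point where the plaintext is legitimately available; it is the same idea later built into tools like passwd front-ends that consult a dictionary before accepting a new password.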

By the evening of November 5 most of the infected nodes had been cured, patches had been applied, and the specialists at Berkeley had the worm's lifeless carcass ready for dissection.

By the time the FBI had worked out who was responsible for what had happened, Morris was already preparing to turn himself in.

Mark on history

For the computer community it was a shock. The fundamentals of computer security were revised. The damage caused by the Morris Worm was estimated at about $100 million (such estimates should be treated very, very carefully, since it is unknown what methods were used to arrive at them and which parameters were counted and which were not).

According to some accounts, the Worm is the only computer program in history to have pushed coverage of the US presidential election off the front pages. Many institutions and organisations disconnected from the Internet for several weeks or even months: administrators, with no idea of the real extent of the danger, decided to play it safe.

The most sensible counter-measure to the break-ins provoked by the Worm was the formation of CERT.

PS

Any software may contain errors that lead to various vulnerabilities. The Internet is gradually pulling us deeper and deeper in, creating a catastrophic dependence, while the average user's skill level is falling through the floor. The user does not want to know anything about the computer (and this, of course, is not so terrible; it is simply inevitable).

So the system administrator must be vigilant and must constantly watch over the safety of his charges. Alas, very often this is not the case, and "press-any-key" technicians sit in the system administrators' chairs.

A good administrator is always paranoid.

To this topic:

→ Source Code of the Morris Worm
→ English wiki article about Worm
→ Russian wiki article about the Worm
→ Detailed analysis of the Worm device

Source: https://habr.com/ru/post/74095/