Bugtraq mailing list archives
Re: Internet Worm
From: crow!rik () uunet UU NET (Rik Farrow)
Date: Sat, 15 Oct 94 08:57:20 MST
For people interested in reading about the worm, here are a couple of references:

D. Seeley, "A Tour of the Worm", USENIX Association 1989 Winter Proceedings, pp 287-304, January 1989.

M. Eichin and J. Rochlis, "With Microscope and Tweezers", Massachusetts Institute of Technology (paper), February 9, 1989.

These may both be available online (usenix.org has a server with some papers online, but I don't have locations. Perhaps someone else knows.)

Here's a summary of what the worm did (based on notes I made for an article written in 1989):

Worm start-up
    changes its name to sh (initially named something like x9834753)
    initializes random number generator
    sets maximum core dump size to zero
    arranges to die if remote connections fail
    processes argument list
        if -p $$, kill parent process
    reads list of files
        dies if l1.c not in list of files
    removes files in list
    zeroes out argument list
    initializes worm's list of network interfaces
    calls main loop

Main loop (doit())
    seeds random number generator with the time
    attacks hosts: gateways, local nets, remote nets
    check_other()
    send_message()
    forever, do
        crack some passwords
        listen for 30 seconds
        crack more passwords
        change process id (fork)
        attack hosts: gateways, known hosts, remote and local nets
        listen 120 seconds
        reset hosts table if 12 hours have passed
        exit if pleasequit and cracking count > 10

send_message()
    attempts to send a 1-byte datagram to ernie, but sets up a TCP socket
    for a UDP packet (ernie.berkeley.edu, port 11357); seems to be a ruse

Cracking passwords
    reads /etc/hosts.equiv and /.rhosts for hosts to attack
    reads password file, saving account name, encrypted password,
        home directory, comment field
    tries fifty (50) passwords each time
    tries trivially broken passwords first:
        null password
        account name
        account name twice
        first name
        last name
        account name reversed
    after trivial phase, compares a list of favorite passwords against
        all encrypted passwords
        432 words, probably based on locally cracked passwords
        sets counter here for exit test
    four hours later (at least), starts using /usr/dict/words
        changes upper to lower case
        would take four weeks to complete (at least)
    uses special password cracking algorithm
        worm's crypt ran nine times faster than 8600 crypt
        uses 2 words instead of 56 bytes for bits
            allows use of bit-fields and shifting, which is faster
        other speedups include
            unrolling loops
            combining tables
            precomputing shifts and masks
            eliminating redundant initial and final permutations when
                performing the 25 applications of DES
        biggest improvement comes from combining permutations (using an
            indexed table to speed up the process)

sendmail
    if sendmail was built with DEBUG flag set,
        can request debug remotely by emulating SMTP
    gets shell
    sends shell script to run
        create l1.c bootstrap file
        compile and link l1.c
        execute l1.c

fingerd
    takes advantage of TCP finger service
    finger provides information about a user based on info from /etc/passwd
    fingerd uses gets(), which copies the request into a buffer that is
        a local variable (part of the stack)
    worm sends 536 bytes, overflowing 512 bytes allocated on stack
    overwrites return address on stack with address in buffer
    address contains code to exec a shell that gets l1.c

        pushl $68732f       store '/sh[NULL]' on stack
        pushl $6e69622f     store '/bin' on stack
        movl  sp,r10        save stack pointer in r10
        pushl $0            store 0 on stack (arg 3)
        pushl $0            store 0 again (arg 2)
        pushl r10           store string address (arg 1)
        pushl $3            store argument count

Password cracking was done to exploit rhosts. By cracking a password, the worm could assume the identity of another user, attempt to log in to another host where this user identity was trusted, then upload the shell script, which built l1.c, etc.

Some systems still have debug in sendmail, obviously many still use .rhosts, and perhaps some have not replaced fingerd with a version that replaced gets with fgets (which counts the characters it collects instead of looking for a NEWLINE or EOF).

Rik Farrow
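The "trivially broken passwords" list in the notes above is still a useful audit checklist: an account whose password is empty, its own name, its name doubled or reversed, or the first or last name from the GECOS comment field would have fallen to the worm's first fifty guesses. The following is an added example, not code from the post or from the worm, that turns that list into a defensive check a password-setting tool could call; the function names, the GECOS parsing convention (real name is the part before the first comma) and the sample accounts are my own assumptions and constructed data.

```c
/* Added example: flag a candidate password that matches one of the
 * trivial guesses the 1988 worm tried first. Not code from the post
 * or from the worm. Sample accounts below are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 64

/* Lower-case copy of src into dst (at most n-1 chars, NUL-terminated).
 * Comparisons are case-insensitive as a design choice: "Ann" is no
 * stronger than "ann" against a guesser that lower-cases words. */
static void lower_copy(char *dst, const char *src, size_t n)
{
    size_t i;
    for (i = 0; i + 1 < n && src[i] != '\0'; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

/* Reverse s in place. */
static void reverse(char *s)
{
    size_t len = strlen(s);
    for (size_t i = 0; i < len / 2; i++) {
        char t = s[i];
        s[i] = s[len - 1 - i];
        s[len - 1 - i] = t;
    }
}

/* Extract first and last words of the real-name part of a GECOS field
 * ("Ann Example,Room 101,555-0100" -> "ann", "example"), lower-cased.
 * Assumption: the real name is the part before the first comma.
 * Returns the number of words found. */
static int split_gecos(const char *gecos, char *first, char *last, size_t n)
{
    const char *end = strchr(gecos, ',');
    if (end == NULL)
        end = gecos + strlen(gecos);

    int count = 0;
    const char *p = gecos;
    while (p < end) {
        while (p < end && isspace((unsigned char)*p))
            p++;
        if (p >= end)
            break;
        const char *start = p;
        while (p < end && !isspace((unsigned char)*p))
            p++;
        size_t len = (size_t)(p - start);
        if (len >= n)
            len = n - 1;
        char word[MAX_NAME];
        memcpy(word, start, len);
        word[len] = '\0';
        if (count == 0)
            lower_copy(first, word, n);
        lower_copy(last, word, n);   /* last word seen wins */
        count++;
    }
    return count;
}

/* Returns 1 if password is one of the worm's trivial guesses for this
 * account (null, account name, account name twice, first name, last
 * name, account name reversed), else 0. */
int is_trivial_password(const char *account, const char *gecos, const char *password)
{
    char acct[MAX_NAME], pw[2 * MAX_NAME], buf[2 * MAX_NAME];
    char first[MAX_NAME] = "", last[MAX_NAME] = "";

    if (password == NULL || password[0] == '\0')
        return 1;                                   /* null password */
    if (strlen(account) >= MAX_NAME || strlen(password) >= sizeof pw)
        return 0;                                   /* too long to be one of these guesses */

    lower_copy(acct, account, sizeof acct);
    lower_copy(pw, password, sizeof pw);

    if (strcmp(pw, acct) == 0)
        return 1;                                   /* account name */

    snprintf(buf, sizeof buf, "%s%s", acct, acct);
    if (strcmp(pw, buf) == 0)
        return 1;                                   /* account name twice */

    split_gecos(gecos ? gecos : "", first, last, MAX_NAME);
    if (first[0] != '\0' && strcmp(pw, first) == 0)
        return 1;                                   /* first name */
    if (last[0] != '\0' && strcmp(pw, last) == 0)
        return 1;                                   /* last name */

    snprintf(buf, sizeof buf, "%s", acct);
    reverse(buf);
    if (strcmp(pw, buf) == 0)
        return 1;                                   /* account name reversed */

    return 0;
}

int main(void)
{
    /* Constructed sample accounts; none are real. */
    struct { const char *acct, *gecos, *pw; } samples[] = {
        { "aexample", "Ann Example,Room 101", "" },
        { "aexample", "Ann Example,Room 101", "aexample" },
        { "aexample", "Ann Example,Room 101", "Example" },
        { "aexample", "Ann Example,Room 101", "elpmaxea" },
        { "aexample", "Ann Example,Room 101", "Wr0ng-Tw33zers" },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s %-16s %s\n", samples[i].acct, samples[i].pw,
               is_trivial_password(samples[i].acct, samples[i].gecos, samples[i].pw)
                   ? "TRIVIAL" : "ok");
    return 0;
}
```

The check is deliberately narrow: it covers only the guesses the post enumerates, not the 432-word favourites list or /usr/dict/words, which a real policy check would add as a dictionary lookup.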
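The post's closing point is that the fingerd fix was to replace gets() with fgets(), which stops at the buffer size instead of at a newline or EOF. fgets() brings one edge case of its own that a replacement must handle: when a request line is longer than the buffer, the unread remainder stays in the stream and would be parsed as the next request unless it is drained. The following is an added example, not code from the post or from any fingerd, of a bounded request reader that handles that case; the function names are my own, the 512-byte buffer size is taken from the post, and the over-long test input is constructed.

```c
/* Added example: bounded request-line reader using fgets(), with the
 * over-long-line case handled. Not code from the post or from fingerd.
 * The 536-byte line in the self-check is constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REQ_BUF 512   /* same size as the stack buffer described in the post */

/* Read one request line from fp into buf (size n), stripping the
 * trailing newline. Returns 1 if a line was read, 0 on EOF with nothing
 * read. *truncated is set to 1 if the line did not fit in n-1 bytes; in
 * that case the excess is discarded up to the newline so the next call
 * starts on the next line rather than on leftover bytes. */
int read_request(FILE *fp, char *buf, size_t n, int *truncated)
{
    *truncated = 0;
    if (fgets(buf, (int)n, fp) == NULL) {
        buf[0] = '\0';
        return 0;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;                       /* whole line fit */
    }
    /* No newline: the buffer filled up, or the last line had no newline. */
    int c = fgetc(fp);
    if (c == EOF || c == '\n')
        return 1;                       /* line fit exactly, or ended at EOF */
    *truncated = 1;
    while ((c = fgetc(fp)) != EOF && c != '\n')
        ;                               /* drain the excess */
    return 1;
}

/* Build a seekable FILE* from an in-memory byte string (uses tmpfile()
 * rather than fmemopen() to stay within ISO C). */
static FILE *make_stream(const char *data, size_t len)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return NULL;
    fwrite(data, 1, len, fp);
    rewind(fp);
    return fp;
}

/* Self-check helper: feed a line of line_len 'A's followed by "second\n"
 * through read_request and report what came out. Returns the number of
 * lines read (expected: 2), or -1 on allocation failure. */
int demo_overlong(size_t line_len, size_t *first_len, int *first_truncated,
                  char *second, size_t second_n)
{
    char *data = malloc(line_len + 8);
    if (data == NULL)
        return -1;
    memset(data, 'A', line_len);
    memcpy(data + line_len, "\nsecond\n", 8);
    FILE *fp = make_stream(data, line_len + 8);
    free(data);
    if (fp == NULL)
        return -1;

    char buf[REQ_BUF];
    int lines = 0, tr;
    if (read_request(fp, buf, sizeof buf, &tr)) {
        lines++;
        *first_len = strlen(buf);
        *first_truncated = tr;
    }
    if (read_request(fp, second, second_n, &tr))
        lines++;
    fclose(fp);
    return lines;
}

int main(void)
{
    size_t got;
    int tr;
    char second[REQ_BUF];
    /* Constructed: the worm's 536-byte request against a 512-byte buffer. */
    int lines = demo_overlong(536, &got, &tr, second, sizeof second);
    printf("lines=%d first_len=%zu truncated=%d next=\"%s\"\n",
           lines, got, tr, second);
    return 0;
}
```

With gets() the 536 bytes would run past the 512-byte buffer; here the first call returns the 511 bytes that fit, reports truncation, and the second call still yields "second" because the excess was drained rather than left to be parsed as a request.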
Current thread:
- Re: Internet Worm George Hodson (Oct 14)
- Re: Internet Worm James Seng (Oct 15)
- <Possible follow-ups>
- Re: Internet Worm Rik Farrow (Oct 15)
- Re: Internet Worm Brett Lymn (Oct 16)
- Re: Internet Worm Steve Davis (Oct 17)
- Re: Internet Worm Jonathan M. Bresler (Oct 17)
- Re: Internet Worm Perry E. Metzger (Oct 17)
- Re: Internet Worm Jonathan M. Bresler (Oct 17)
- Re: Internet Worm Perry E. Metzger (Oct 17)
- Re: Internet Worm Bennett Todd (Oct 17)
- Re: Internet Worm Perry E. Metzger (Oct 18)
- Re: Internet Worm Scott Schwartz (Oct 18)
- Re: Internet Worm Perry E. Metzger (Oct 18)
- Re: Internet Worm Steve Davis (Oct 17)