3. What’ssospecialaboutthisone?
➔Showed a fraction of its capabilities.
➔Estimated cost around $100,000-10,000,000.
➔Left around 6000 systems dead in the water.
➔Creator being the first in US to be convicted under
Computer Fraud and Abuse Act of 1986.
➔Intended to measure total users on the internet.
4. Thestory
➔6 pm EST,2 November 1988.
➔Sun Microsystems Sun 3 systems and VAX computers running
variants of 4 BSD1 UNIX.
➔Systems became more and more loaded with running
processes.
➔Eventually some of these machines could not continue any
processing.
5. Thestorycontd
➔The load average for a system is usually 1.
➔Load average greater than 5 causes delay in processing.
➔Load average reached 37 within two hours
6. whatdiditdo?
➔Transferred a copy of itself to other connected hosts.
➔Already infected systems were infected again.
➔The number of running instances of the program increased
dramatically.
➔Rendered systems unable to continue any processing.
➔Similar effect as that of a fork bomb.
7. cracksomeroutine
➔Four step process that finds new hosts and brute-forced
passwords.
➔Reads through the /etc/hosts.equiv and .rhosts files to
find new hosts.
➔Names of these hosts are marked for later use.
➔Uses the /etc/passwd file to find personal .forward
files.
➔Gets the locations of additional machines to attack.
8. Bruteforcingpasswords
➔Weak passwords
◆ No password.
◆ Username as password.
◆ Username appended to itself.
◆ Second value of GECOS string in /etc/passwd.
◆ Last name of user from GECOS string.
◆ Last name reversed.
◆ User name reversed.
9. dictionaryattack
➔Contained a built in dictionary of words which were
assumed to be possible passwords.
➔Encrypted using md5 algorithm and were compared with the
strings in /etc/passwd file.
➔If the resulting hashes were same, the attack_user method
was called.
➔Else, it would move on to a more difficult password
cracking method.
10.
11. Thelastresort
➔Open the /usr/dict/words file.
➔Contains many words used by the user.
➔Check each of these words as password.
➔Never got completed due to huge number of words in the
dictionary.
➔If successful, the attack_user routine was called.
➔Else, the machine was marked as immune and moved on to
infecting the other new found machines.
12. Howdiditspread?
➔The worm used a three pronged attack to compromise
systems and to propagate.
◆ Spreading over rexec and rsh.
◆ Exploiting the vulnerability in the fingerd program.
◆ Exploiting the bug in sendmail program.
➔These bugs have been fixed and are not exploitable today.
➔However, similar vulnerabilities still exist today.
13. Infectroutine
➔Called after the cracksome routine returns a host.
➔Check whether host returned is current host.
➔Check whether host returned is immune.
➔Start with try_rsh.
➔Move on to try_fingerd.
➔Move on to try_sendmail.
➔Mark target as immune.
14. rshandrexec
➔Services that allow other systems to execute commands
remotely.
➔Systems should be connected in a network.
➔Systems having pre-established trust relationships with
other systems.
➔Exploiting trust relationships between systems.
15. Fingerdaemonvulnerability
➔Program allows one to determine status of a given user on
a system.
➔Exploits technical flaw in the finger daemon program
which leads to RCE.
➔The instance running on the server takes in a message
from the client and stores it in a 512 byte buffer.
➔The message is read into the buffer using a gets
function.
16. Sendmailprogram
➔It listens for SMTP connections.
➔Exploited a bug in a functionality provided by the
sendmail program.
➔The recipient was a set of commands instead of a user
address.
➔Thus messages can be sent to a process rather than a
user.
➔This vulnerability was used by the program’s creators to
test it but was never removed.
17. try_rshmethod
➔The name of trusted hosts was saved in text files such as
/etc/hosts.equiv and .rhosts files.
➔Creates duplicate process which attempts to remotely
execute on target machine.
➔If successful, a copy of the worm is sent to the new
machine.
➔Else it moves on to the try_fingerd method
18. Try_fingerdmethod
➔The gets function is used to read a message from client
and to save it in a 512 byte buffer.
➔Exploited using buffer overflow attack.
➔A message of length 536 was sent.
➔The last 24 bytes overwrote the addresses on stack frame
and resulted in RCE.
➔Transferres a copy of itself onto the new machine.
➔If this failed, it moves on to the try_sendmail method.
19. Try_sendmailmethod
➔Send a mail to the sendmail program of the target machine
with an artificial recipient.
➔This string passes the body of mail to command
interpreter.
➔Interpreter compiles and executes a program code sent in
the body of the message.
➔Creates a reverse shell which connected back to the
infected machine.
➔Transferres a copy of itself onto the new machine .
20. Evasion
➔The worm spawns itself as a child process.
➔The child, which has a different process ID as compared
to the parent process, kills it.
➔The maximum size of core dump is set to zero.
➔It changes its own name to ‘sh’ to avoid detection.
21. Reasonsforsystemcrash
➔Figuring out whether an instance was already running on a
host.
➔Asking the host for an answer makes it extremely easy to
kill.
➔Used the current time as seed and generated a random
number.
➔Probability of infecting a particular host was 1/7.
22. review
1.Uses different methods to avoid detection.
2.Possible hosts found using the first step of cracksome
routine.
3.Password brute forcing.
4.Uses randomization to determine whether or not to infect
host, once correct password was found.
5.If the result is a go-ahead, the worm starts the infect
routine.
6.Else, it searches for other hosts.
23. Summary
➔Not intended at disabling machines.
➔Deployed with a purpose of finding out the total number
of users on the internet.
➔Worm never completed certain parts of its execution.
➔It was intended to be difficult to track and kill.
