Hackers Underworld 2: Forbidden Knowledge.iso / VIRUS / INTERNET.WRM
Text File | 1989-10-21 | 15KB | 351 lines
A REPORT ON THE INTERNET WORM
Bob Page
University of Lowell
Computer Science Department
November 7, 1988
[Because of the many misquotes the media have been
giving, this report is Copyright (c) Bob Page, all
rights reserved. Permission is granted to republish
this ONLY if you republish it in its entirety.]
Here's the scoop on the "Internet Worm". Actually it's
not a virus - a virus is a piece of code that adds
itself to other programs, including operating systems.
It cannot run independently, but rather requires that
its "host" program be run to activate it. As such, it
has a clear analog to biological viruses -- those viruses
are not considered live, but they invade host cells and
take them over, making them produce new viruses.
A worm is a program that can run by itself and can
propagate a fully working version of itself to other
machines. As such, what was loosed on the Internet was
clearly a worm.
This data was collected through an emergency mailing
list set up by Gene Spafford at Purdue University, for
administrators of major Internet sites - some of the
text is included verbatim from that list. Mail was
heavy since the formation of the list; it continues to
be on Monday afternoon - I get at least 2-3 messages
every hour. It's possible that some of this information
is incomplete, but I thought you'd like to know what I
know so far.
The basic object of the worm is to get a shell on
another machine so it can reproduce further. There are
three ways it attacks: sendmail, fingerd, and
rsh/rexec.
THE SENDMAIL ATTACK:
In the sendmail attack, the worm opens a TCP connection
to another machine's sendmail (the SMTP port), invokes
debug mode, and sends an RCPT TO that requests its data
be piped through a shell. That data, a shell script
(the first-stage bootstrap), creates a temporary
second-stage bootstrap file called x$$,l1.c (where '$$'
is the current process ID). This is a small (40-line) C
program.
The first-stage bootstrap compiles this program with
the local cc and executes it with arguments giving the
Internet hostid/socket/password of where it just came
from. The second-stage bootstrap (the compiled C
program) sucks over two object files, x$$,vax.o and
x$$,sun3.o, from the attacking host. It has an array for
20 file names (presumably for 20 different machines),
but only two (vax and sun) were compiled into this
code. It then figures out whether it's running under
BSD or SunOS and links the appropriate file against the
C library to produce an executable program called
/usr/tmp/sh - so it looks like the Bourne shell to
anyone who looks there.
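The sendmail path described above turns on two things a mail administrator can screen for in an SMTP command stream: the "debug" command, and an RCPT TO whose recipient is a pipe rather than a mailbox. The program below is an added example, not the worm's code and not any part of sendmail; the function names, the flag values and the sample session are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical SMTP-session screen (an added example, not the worm's
 * code and not sendmail's): one command line in, a flag out.  It looks
 * for the two things the report says the worm relied on: the "debug"
 * command, and an RCPT TO whose recipient is a pipe ("|...") rather
 * than a mailbox.  The flag names are our own convention. */
enum smtp_flag { SMTP_OK = 0, SMTP_DEBUG = 1, SMTP_PIPE_RCPT = 2 };

/* Case-insensitive prefix test; SMTP verbs are case-insensitive. */
static int has_prefix_ci(const char *line, const char *prefix)
{
    for (; *prefix != '\0'; line++, prefix++) {
        if (tolower((unsigned char)*line) != tolower((unsigned char)*prefix))
            return 0;
    }
    return 1;
}

enum smtp_flag screen_smtp_line(const char *line)
{
    const char *p;

    while (*line == ' ' || *line == '\t')   /* leading whitespace */
        line++;

    /* A bare "debug" verb (a longer word such as DEBUGGING is not it). */
    if (has_prefix_ci(line, "debug")) {
        p = line + 5;
        if (*p == '\0' || *p == ' ' || *p == '\r' || *p == '\n')
            return SMTP_DEBUG;
    }

    /* RCPT TO:<path> -- inspect the first significant character of the path. */
    if (has_prefix_ci(line, "rcpt to:")) {
        p = line + 8;
        while (*p == ' ' || *p == '\t')
            p++;
        if (*p == '<')
            p++;
        while (*p == ' ')
            p++;
        if (*p == '|')
            return SMTP_PIPE_RCPT;
    }
    return SMTP_OK;
}

/* Number of flagged lines in a session given as an array of lines. */
int count_flagged(const char *const *lines, int n)
{
    int flagged = 0;
    for (int i = 0; i < n; i++)
        if (screen_smtp_line(lines[i]) != SMTP_OK)
            flagged++;
    return flagged;
}

int main(void)
{
    /* Constructed sample session, not a capture of the worm's traffic. */
    static const char *const session[] = {
        "HELO host.example",
        "debug",
        "MAIL FROM:<nobody@host.example>",
        "RCPT TO:<|/bin/sh>",
        "RCPT TO:<user@host.example>",
        "DATA",
    };
    int n = (int)(sizeof session / sizeof session[0]);

    for (int i = 0; i < n; i++)
        printf("%-40s -> %d\n", session[i], (int)screen_smtp_line(session[i]));
    printf("%d of %d lines flagged\n", count_flagged(session, n), n);
    return 0;
}
```

Either flag on a production mail server is worth an alert on its own: a normal client never issues "debug", and a recipient beginning with "|" is a request to run a command, not to deliver mail. The check deliberately matches only the bare verb so that an unrelated word starting with "debug" does not trip it.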
THE FINGERD ATTACK:
In the fingerd attack, it tries to infiltrate systems
via a bug in fingerd, the finger daemon. Apparently
this is where most of its success was (not in sendmail,
as was originally reported). When fingerd is connected
to, it reads its arguments from a pipe, but doesn't
limit how much it reads. If it reads more than the
internal 512-byte buffer allowed, it writes past the
end of its stack. After the stack is a command to be
executed ("/usr/ucb/finger") that actually does the
work. On a VAX, the worm knew how much further from the
stack it had to clobber to get to this command, which
it replaced with the command "/bin/sh" (the Bourne
shell). So instead of the finger command being
executed, a shell was started with no arguments. Since
this is run in the context of the finger daemon, stdin
and stdout are connected to the network socket, and all
the files were sucked over just like the shell that
sendmail provided.
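The fingerd defect described above is a read into a fixed 512-byte buffer with no bound on how much is read. The following C code is an added example, not the original fingerd source: it shows the unbounded copying pattern beside a bounded replacement that refuses an over-long request instead of writing past the buffer. The buffer size matches the report; the function names and the probe helper are ours.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the 4.3BSD fingerd source: the 512-byte request
 * buffer the report mentions, read once without a bound (the defect)
 * and once with one (the fix).  Function names are ours. */
#define REQ_BUF 512

/* Unbounded pattern: copies the request up to the newline without
 * checking buf's size, so a request longer than the buffer writes
 * past it into whatever the compiler placed next on the stack.
 * Shown for contrast only; nothing below calls it. */
void read_request_unbounded(const char *src, char *buf)
{
    while (*src != '\0' && *src != '\n')
        *buf++ = *src++;
    *buf = '\0';
}

/* Bounded version: stores at most buflen-1 bytes plus the terminator.
 * Returns the number of bytes stored, or -1 if the request does not
 * fit.  Rejecting (rather than silently truncating) means an
 * over-long request is dropped and can be logged instead of being
 * passed on to the finger command in a mangled form. */
int read_request_bounded(const char *src, char *buf, size_t buflen)
{
    size_t n = 0;

    if (buflen == 0)
        return -1;
    while (src[n] != '\0' && src[n] != '\n') {
        if (n + 1 >= buflen)        /* no room for this byte and the NUL */
            return -1;
        buf[n] = src[n];
        n++;
    }
    buf[n] = '\0';
    return (int)n;
}

/* Build a request of 'len' filler bytes (constructed input) and run
 * it through the bounded reader; returns what the reader returns. */
int probe_request(size_t len)
{
    char req[4096];
    char buf[REQ_BUF];

    if (len + 2 > sizeof req)
        return -2;                   /* probe limit, not a reader result */
    memset(req, 'A', len);
    req[len] = '\n';
    req[len + 1] = '\0';
    return read_request_bounded(req, buf, sizeof buf);
}

int main(void)
{
    printf("10-byte request:   %d\n", probe_request(10));
    printf("511-byte request:  %d\n", probe_request(511));
    printf("512-byte request:  %d\n", probe_request(512));
    printf("2000-byte request: %d\n", probe_request(2000));
    return 0;
}
```

The boundary is the point to check: 511 bytes is the longest request that fits with its terminator, and 512 is the first that does not. The historical fix for fingerd was of exactly this shape, replacing the unbounded library read with a length-limited one such as fgets with the buffer size as its limit.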
THE RSH/REXEC ATTACK:
The third way it tried to get into systems was via the
.rhosts and /etc/hosts.equiv files, which it read to
find 'trusted' hosts to which it might be able to
migrate. To use the .rhosts feature, it needed to
actually get into people's accounts - since the worm
was not running as root (it was running as daemon) it
had to figure out people's passwords. To do this, it
went through the /etc/passwd file, trying to guess
passwords. It tried combinations of: the username, the
last name, the first name, last+first, nicknames (from
the GECOS field), and a list of special "popular"
passwords:
aaa academia aerobics airplane albany albatross albert alex
alexander algebra aliases alphabet ama amorphous analog anchor
andromache animals answer anthropogenic anvils anything aria ariadne
arrow arthur athena atmosphere aztecs azure bacchus bailey
banana bananas bandit banks barber baritone bass bassoon
batman beater beauty beethoven beloved benz beowulf berkeley
berliner beryl beverly bicameral bob brenda brian bridget
broadway bumbling burgess campanile cantor cardinal carmen carolina
caroline cascades castle cat cayuga celtics cerulean change
charles charming charon chester cigar classic clusters coffee
coke collins commrades computer condo cookie cooper cornelius
couscous creation creosote cretin daemon dancer daniel danny
dave december defoe deluge desperate develop dieter digital
discovery disney dog drought duncan eager easier edges
edinburgh edwin edwina egghead eiderdown eileen einstein elephant
elizabeth ellen emerald engine engineer enterprise enzyme ersatz
establish estate euclid evelyn extension fairway felicia fender
fermat fidelity finite fishers flakes float flower flowers
foolproof football foresight format forsythe fourier fred friend
frighten fun fungible gabriel gardner garfield gauss george
gertrude ginger glacier gnu golfer gorgeous gorges gosling
gouge graham gryphon guest guitar gumption guntis hacker
hamlet handily happening harmony harold harvey hebrides heinlein
hello help herbert hiawatha hibernia honey horse horus
hutchins imbroglio imperial include ingres inna innocuous irishman
isis japan jessica jester jixian johnny joseph joshua
judith juggle julia kathleen kermit kernel kirkland knight
ladle lambda lamination larkin larry lazarus lebesgue lee
leland leroy lewis light lisa louis lynne macintosh
mack maggot magic malcolm mark markus marty marvin
master maurice mellon merlin mets michael michelle mike
minimum minsky moguls moose morley mozart nancy napoleon
nepenthe ness network newton next noxious nutrition nyquist
oceanography ocelot olivetti olivia oracle orca orwell osiris
outlaw oxford pacific painless pakistan pam papers password
patricia penguin peoria percolate persimmon persona pete peter
philip phoenix pierre pizza plover plymouth polynomial pondering
pork poster praise precious prelude prince princeton protect
protozoa pumpkin puneet puppet rabbit rachmaninoff rainbow raindrop
raleigh random rascal really rebecca remote rick ripple
robotics rochester rolex romano ronald rosebud rosemary roses
ruben rules ruth sal saxon scamper scheme scott
scotty secret sensor serenity sharks sharon sheffield sheldon
shiva shivers shuttle signature simon simple singer single
smile smiles smooch smother snatch snoopy soap socrates
sossina sparrows spit spring springer squires strangle stratford
stuttgart subway success summer super superstage support supported
surfer suzanne swearer symmetry tangerine tape target tarragon
taylor telephone temptation thailand tiger toggle tomato topography
tortoise toyota trails trivial trombone tubas tuttle umesh
unhappy unicorn unknown urchin utility vasant vertigo vicky
village virginia warren water weenie whatnot whiting whitney
will william williamsburg willie winston wisconsin wizard wombat
woodwind wormwood yaco yang yellowstone yosemite zap zimmerman
[I wouldn't have picked some of these as "popular"
passwords, but then again, I'm not a worm writer. What
do I know?]
When everything else fails, it opens /usr/dict/words
and tries every word in the dictionary. It is pretty
successful in finding passwords, as most people don't
choose them very well. Once it gets into someone's
account, it looks for a .rhosts file and does an 'rsh'
and/or 'rexec' to another host; it sucks over the
necessary files into /usr/tmp and runs /usr
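The password guesses the report describes (username, first and last name, last+first, nicknames from the GECOS field, then a word list) are exactly the set an administrator can refuse at the moment a password is chosen. The C code below is an added example, not the worm's code and not any real password tool; it goes slightly beyond the text by trying every ordered pair of GECOS words rather than only last+first. The reason codes, the limits, the tiny dictionary and the sample account are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the worm's code and not a real password tool: a
 * password-acceptance check that rejects the guesses the report
 * describes (the username; the first and last names and any nickname
 * from the GECOS field, alone and concatenated; and a word list).
 * Names, limits and the tiny dictionary are ours. */

#define MAXLEN   128
#define MAXWORDS 8

/* Why a password was rejected; our own convention. */
enum pw_reason { PW_OK = 0, PW_USERNAME, PW_GECOS, PW_DICTIONARY };

/* Constructed stand-in for /usr/dict/words plus the "popular" list. */
static const char *const dictionary[] = {
    "password", "secret", "wizard", "banana", "computer", "guest", "hello"
};

/* Lower-case copy of src into dst (n = size of dst). */
static void lower_copy(char *dst, const char *src, size_t n)
{
    size_t i;
    for (i = 0; i + 1 < n && src[i] != '\0'; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

/* Split the name part of a GECOS field ("Jane Q. Doe,,,") into
 * lower-case words; returns the count.  Each word is a candidate the
 * worm would have tried on its own or glued to another. */
static int gecos_words(const char *gecos, char words[][MAXLEN], int max)
{
    char buf[MAXLEN];
    char *tok;
    int n = 0;

    lower_copy(buf, gecos, sizeof buf);
    buf[strcspn(buf, ",")] = '\0';   /* the name is the first comma-separated field */
    for (tok = strtok(buf, " \t."); tok != NULL && n < max; tok = strtok(NULL, " \t.")) {
        strncpy(words[n], tok, MAXLEN - 1);
        words[n][MAXLEN - 1] = '\0';
        n++;
    }
    return n;
}

enum pw_reason check_password(const char *user, const char *gecos, const char *password)
{
    char pw[MAXLEN], u[MAXLEN], combo[2 * MAXLEN];
    char words[MAXWORDS][MAXLEN];
    int n, i, j;

    lower_copy(pw, password, sizeof pw);
    lower_copy(u, user, sizeof u);
    if (strcmp(pw, u) == 0)
        return PW_USERNAME;

    n = gecos_words(gecos, words, MAXWORDS);
    for (i = 0; i < n; i++) {
        if (strcmp(pw, words[i]) == 0)
            return PW_GECOS;
        /* Every ordered pair: covers last+first, first+last, nickname+name. */
        for (j = 0; j < n; j++) {
            if (i == j)
                continue;
            snprintf(combo, sizeof combo, "%s%s", words[i], words[j]);
            if (strcmp(pw, combo) == 0)
                return PW_GECOS;
        }
    }

    for (i = 0; i < (int)(sizeof dictionary / sizeof dictionary[0]); i++)
        if (strcmp(pw, dictionary[i]) == 0)
            return PW_DICTIONARY;
    return PW_OK;
}

int main(void)
{
    /* Constructed account, not a real user. */
    const char *user = "jdoe", *gecos = "Jane Q. Doe,,,";
    const char *tries[] = { "jdoe", "Doe", "doejane", "wizard", "correct-horse-staple-7" };

    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-24s -> reason %d\n", tries[i], (int)check_password(user, gecos, tries[i]));
    return 0;
}
```

Comparison is done on a lower-cased copy so that capitalising a name does not get it past the check. In a real deployment the dictionary array would be replaced by a lookup in the system word list, and the check would run wherever passwords are set rather than against stored hashes, which is the worm's direction, not the defender's.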