Networking | Programming | Security | Linux | Computer Science | About

The Internet Worm

The most famous (or infamous) computer worm is certainly the Internet worm (also known as the Morris worm). It was released by Robert Morris in November 1988. The worm infected approximately 10% of all computers connected to the Internet and was able to spread on BSD-derived versions of the UNIX operating system. The Internet worm attack made a broad community aware of security problems, which finally led to the founding of the CERT® Coordination Center (CERT/CC2) a group of network security experts providing 24-hour technical assistance for response to computer security incidents. CERT/CC developed from a small computer emergency response team at Carnegie Mellon University. CERT/CC is a founding member of the Forum of Incident Response and Security Teams (FIRST3) which has nearly 70 members from different countries.

Buffer Bounds Checking

The internet worm was designed to exploit some fundamental vulnerabilities. One vulnerability was related to the family of the C programming language routines (e.g., gets) which read input without checking for buffer bounds. That made it possible to overflow the input buffer of the finger (a utility for obtaining information about users) server daemon and overwrite parts of its stack. A stack keeps track of which routine calls which other routine so that the execution can return to the appropriate program location (return address) when an invoked routine is finished. The overflow resulted in a changed return address for the main rou- tine so that it pointed to the buffer on the stack. The instructions at that stack location were written by the worm. The solution to the problem was to replace all calls to dangerous routines with calls that did buffer bounds checking.

Sendmail's Debug Option

Another vulnerability exploited by the Internet worm was the debug option of sendmail. Sendmail is a program for routing and delivering e-mail in the Internet. The debug option is normally used in testing to verify that an e-mail has arrived at a host. Instead of specifying a recipient address, it is possible to specify a set of commands to be executed at the recipient host.

Password File

One of the frequently exploited vulnerabilities on UNIX systems, also used by the Internet worm, is the password file. On older versions of UNIX, the file was readable to everybody and contained entries of the following format:

userID, salt, crypt(salt, password)

The password, up to 8 printable characters, is selected by the user. The password is ASCII-encoded to yield a key input for the encryption routine crypt(). Salt is a 12-bit number (e.g. the time of the password creation). If an attacker obtains the password file, he can try a dictionary attack to guess a password. He can simply compute crypt(salt, password_candidate) and compare it to the values stored in the password file. Unfortunately, surprisingly many people choose passwords that can easily be guessed.

Possibilities for Protection

There are three possibilities for protection against the Internet worm:

userID and Processes

Another well-known vulnerability, but not exploited by the Internet worm, is that many system programs and their configuration files are owned by a common userID. This makes it possible to abuse all services as soon as the corresponding privileges are gained. Today's practice in UNIX systems is to assign a different userID to different system processes.

Published on Sun 22 November 1998 by Dan Little in Security with tag(s): worm