INTERNET Worm (31-July-1993)

Entry...............: INTERNET Worm
Alias(es)...........: --- (Remark: wrongly named INTERNET Virus)
Worm Strain.........: ---
Worm detected when..: 2-November-1988
              where.: Cornell University and more than 2,000-6,000 BSD-UNIX
                      systems in USA (few outside) heavily affected
                      (temporarily taken from net)
Classification......: Worm distributed on UNIX systems (BSD versions on VAX,
                      SunOS) connected to INTERNET, attacking legal user
                      accounts
Length of Worm......: About 3200 lines of C-code

--------------------- Preconditions ------------------------------------
Operating System(s).: BSD-derived versions of UNIX (SunOS, Ultrix)
Version/Release.....: ---
Computer model(s)...: Sun systems, VAX systems

--------------------- Attributes ---------------------------------------
Easy Identification.: Unusual files in /usr/tmp directory, and unusual
                      messages appear in special log files such as those
                      of the SENDMAIL handling agent. Infected systems
                      become heavily loaded with running processes.
Type of infection...: After locating a host which can be infected, the
                      following steps are performed:
                      (1) Check that host is not the local host, that it
                          has not been marked as immune or infected, and
                          that its address can be located. If no address
                          is found, it is marked as immune in a list.
                      (2) Check for other worms, waiting one second.
                      (3) Try to infect host using "rsh". This attack will
                          succeed when the remote machine has a
                          "hosts.equiv" file or a user has a ".rhosts" file
                          that allows remote execution without password.
                          If successful, worm copies vector program to the
                          remote machine.
                      (4) If that fails, try using "sendmail". Worm uses
                          debug option of "sendmail", which enables
                          debugging mode during connection. In debugging
                          mode, it is possible to mail a message directly
                          to a process which then creates another process,
                          thereby inheriting fingerd privileges. Worm tries
                          to send vector program to the shell which runs
                          it.
                      (5) If that fails, try using "fingerd". Worm sends a
                          string of 536 bytes to finger daemon, causing
                          stack overwrite on VAX systems due to a bug. Worm
                          modifies return address, and upon return executes
                          the shell.
                      (6) Upon successful infection, the vector program is
                          installed on the remote machine and compiled
                          under the name "sh". If worm runs on a host, it
                          looks like the shell "sh" to those running "ps".
                      (7) Once connected to a host, worm attempts to break
                          user accounts from /etc/passwd file by guessing
                          obvious passwords, such as user name or none at
                          all, then by comparing the password against a
                          432 word dictionary and the dictionary in
                          /usr/dict/words.
Infection Trigger...: The local host is infected if worm connects from a
                      remote system (see: Type of Infection) and manages
                      to crack one user account on the local host or
                      exploits some security hole of the local host's
                      operating system.
Storage media affected: Filesystem directory: /usr/tmp
Interrupts hooked...: ---
Damage..............: Although the worm does not attempt to destroy any
                      data or to transmit any information from infected
                      systems to other sites, a cracked user account could
                      be called a damage as well. Transient damage: worm
                      activities add significant load (demand for storage
                      and CPU) to attacked system and network nodes.
Damage Trigger......: ---
Particularities.....: 1) Worm is created on one system by copying from
                         another system, making use of flaws in utility
                         programs (rexec/rsh, finger, sendmail).
                      2) Worm tries to hide itself by changing its command
                         line vectors, so that it looks like Bourne-Shell
                         "sh" when running "ps" command.
                      3) Each of the binary files is read into memory,
                         where it is encrypted (simply by XORing), and the
                         original files are deleted from filesystem.
                      4) Worm forks itself, splitting into a parent and a
                         child, nearly every three minutes. Then, parent
                         process is killed so that neither process can be
                         noticed as an excessive CPU user.
                      5) Worm checks for other worms, as a part of a
                         mechanism to prevent over-infection of a
                         particular host. This control facility fails, due
                         to a programming error. If worm runs for more
                         than 12 hours, it tries to reinfect hosts which
                         may have been cleaned of their infection.
                      6) Worm author was located at Cornell University. He
                         was subsequently suspended for some time from his
                         university, and a New York State Court convicted
                         him; punishment: a $10,000 fine and 400 hours of
                         community service.
Similarities........: ---

--------------------- Agents ------------------------------------------
Countermeasures.....: The bugs that the worm exploited have meanwhile
                      been fixed, so that the original worm may no longer
                      work. Generally, possible attempts to stop this worm
                      may be:
                      (1) Patching out debug command in sendmail (rather
                          than completely turning off mail service).
                      (2) Shutting down the finger daemon, or fixing the
                          finger daemon (required source code).
                      (3) Requesting new passwords for all users who had
                          passwords which worm could guess.
                      (4) Creating a directory /usr/tmp/sh: delete command
                          used by worm (rm -f) doesn't remove directories,
                          so that this delete and the creation of file
                          "sh" fail.
                      (5) Setting the global variable "pleasequit" which
                          worm checks.
                      (6) Drastic measure: renaming C compiler/linker.
                      (7) Very drastic measure: Isolating an infected host
                          from the network.
Countermeasures successful: After this worm's attack on several thousand
                      VAX or SUN systems, experts at several US centers
                      developed means to stop worm propagation and clean
                      infected systems.
Standard means......: ---

--------------------- Acknowledgement ---------------------------------
Location............: Virus Test Center, University of Hamburg, Germany
Classification by...: Stefan Kelm, Wolfram Schmidt
Documentation by....: Stefan Kelm, Wolfram Schmidt
Date................: 31-July-1993
Information Source..: (1) Eugene H. Spafford: "The Internet Worm Program:
                          An Analysis", Purdue Technical Report CSD-TR-823,
                          November 1988
                      (2) Mark W. Eichin, Jon A. Rochlis: "With Microscope
                          and Tweezers: An Analysis of the Internet Virus
                          of November 1988", Massachusetts Institute of
                          Technology, February 1989
                      (3) David Ferbrache, Gavin Shearer: "UNIX
                          installation security and integrity", Blackwell
                          Scientific Publications, 1992, pp 241-248
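As an added example (not part of the VTC entry nor of the cited analyses), the following Python audit covers two of the preconditions the entry lists: wildcard trust entries in hosts.equiv/.rhosts that let "rsh" run without a password (infection step 3), and accounts whose passwords fall to the worm's guessing order of no password, user name, then dictionary words (step 7), which are exactly the accounts countermeasure (3) says must receive new passwords. The hash format, the word list and the sample passwd/hosts.equiv lines are all constructed stand-ins; real BSD systems stored crypt(3) hashes in /etc/passwd, and the function names here are the author's own.

```python
"""Exposure audit for the account-level weaknesses the entry describes:
passwordless "rsh" trust (step 3) and guessable passwords (step 7).
Added example, not code from the VTC entry; the hash format and all
sample data below are constructed."""
import hashlib


def toy_hash(password: str, salt: str) -> str:
    """Constructed stand-in for crypt(3): 'salt$hex(sha256(salt + password))'.
    Real /etc/passwd entries used crypt(3); only the matching logic matters."""
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()


def hash_matches(stored: str, candidate: str) -> bool:
    """Re-hash the candidate with the stored salt and compare."""
    salt = stored.split("$", 1)[0]
    return toy_hash(candidate, salt) == stored


def worm_guess_order(user: str, dictionary):
    """Yield (reason, candidate) in the order the entry gives: obvious
    guesses (no password, user name) first, then dictionary words."""
    yield "no password", ""
    yield "user name", user
    for word in dictionary:
        yield "dictionary word", word


def audit_passwords(passwd_lines, dictionary):
    """Return {user: reason} for accounts in passwd_lines that the worm's
    strategy would have opened, i.e. the users countermeasure (3) says
    must be given new passwords."""
    weak = {}
    for line in passwd_lines:
        fields = line.strip().split(":")
        if len(fields) < 2 or not fields[0]:
            continue
        user, stored = fields[0], fields[1]
        if stored in ("*", "!", "x"):   # locked or shadowed: nothing to guess against
            continue
        for reason, candidate in worm_guess_order(user, dictionary):
            if hash_matches(stored, candidate):
                weak[user] = reason
                break
    return weak


def audit_trust_file(lines):
    """Return [(line_no, entry)] for hosts.equiv/.rhosts entries that use the
    '+' wildcard in the host or user field, i.e. grant passwordless remote
    execution to any host (or any user), which is what step 3 relies on."""
    findings = []
    for number, line in enumerate(lines, 1):
        entry = line.split("#", 1)[0].strip()   # constructed: '#' treated as comment
        if not entry:
            continue
        if "+" in entry.split():
            findings.append((number, entry))
    return findings


# --- Constructed sample data (stand-ins, not real system files) ---------------
WORM_DICTIONARY = ["wombat", "secret", "cornell", "unix"]   # stand-in for the 432-word list

SAMPLE_PASSWD = [
    "root:*:0:0:Charlie Root:/:/bin/sh",                                     # locked
    "alice:" + toy_hash("alice", "aa") + ":100:10:Alice:/u/alice:/bin/csh",  # user name as password
    "bob:" + toy_hash("", "bb") + ":101:10:Bob:/u/bob:/bin/sh",              # no password at all
    "carol:" + toy_hash("wombat", "cc") + ":102:10:Carol:/u/carol:/bin/sh",  # dictionary word
    "dave:" + toy_hash("m7#Qz!pL2v", "dd") + ":103:10:Dave:/u/dave:/bin/sh", # survives all guesses
]

SAMPLE_HOSTS_EQUIV = [
    "# trusted hosts",
    "vax1.example.edu",
    "+",                    # any host: passwordless rsh from anywhere
    "sun3.example.edu +",   # any user from sun3
]

if __name__ == "__main__":
    for user, reason in audit_passwords(SAMPLE_PASSWD, WORM_DICTIONARY).items():
        print(f"reset password for {user}: guessable ({reason})")
    for number, entry in audit_trust_file(SAMPLE_HOSTS_EQUIV):
        print(f"hosts.equiv line {number}: wildcard trust entry {entry!r}")
```

The guess order deliberately mirrors the entry, so the reported reason tells the administrator which stage of the worm's strategy would have opened the account; on a real system the sample lists would be replaced by the contents of /etc/passwd, /etc/hosts.equiv and each user's .rhosts, and the toy hash by the system's password hash routine.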