Internet Worm

Alias:---
Strain:---
detected when:2-November-1988
where:Cornell University, USA
Classification:The Worm consists of two parts: two binary modules (one VAX
Length:about 3200 lines of C-code

Preconditions

Operating System(s):4BSD-derived versions of UNIX (SunOS, Ultrix)
Version/Release:---
Computer model(s):Sun 3 systems, VAX systems
Caroname:Internet_Worm

Attributes

Easy identification:unusual files in /usr/tmp directory, unusual messages appear in special log files such as the SENDMAIL handling agent, infected systems become heavily loaded with running processes

Type of Infection:

After locating a host which can be infected, the following steps are performed: (1) Check that the host is not the local host, has not been marked as immune or infected, and that its address can be located. If no address is found, it is marked as immune in a list. (2) Check for other worms, waiting one second. (3) Try to infect using "rsh". This attack will succeed when the remote machine has a "hosts.equiv" file or the user has a ".rhosts" file that allows remote execution without a password. If successful, the worm copies the vector program to the remote machine. (4) If that fails, try using "sendmail". The worm uses the debug option of "sendmail", which enables debugging mode during the connection. In debugging mode it is possible to mail a message directly to a process instead of a user. The worm tries to send the vector program to the shell, which runs it. (5) If that fails, try using "fingerd". The worm sends a string of 536 bytes to the finger daemon, causing the stack to be overwritten on VAX systems due to a bug. The worm modifies the return address, and when the function returns it executes the shell. On successful infection, the vector program is installed on the remote machine and compiled under the name "sh", so a worm running on a host looks like the shell "sh" to anyone running "ps".
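The "unusual messages" in the sendmail log mentioned under Easy identification are the trace of step (4) above: a session that issues the debug command and then addresses mail to a program instead of a user. The following checker is an added example, not part of the original catalogue entry; the log line format it parses is assumed (a pid per session and a "<--" prefix for commands received from the client), and the sample log is constructed.

```python
import re
from collections import defaultdict

# Constructed sample sendmail log (not from the original report). Session 1219
# issues the DEBUG command and then addresses mail to a program instead of a user.
SENDMAIL_LOG = """\
Nov  2 23:08:11 host sendmail[1201]: <-- HELO relay.example
Nov  2 23:08:11 host sendmail[1201]: <-- MAIL FROM:<alice@relay.example>
Nov  2 23:08:12 host sendmail[1201]: <-- RCPT TO:<bob>
Nov  2 23:08:12 host sendmail[1201]: <-- DATA
Nov  2 23:14:03 host sendmail[1219]: <-- debug
Nov  2 23:14:03 host sendmail[1219]: <-- mail from:</dev/null>
Nov  2 23:14:04 host sendmail[1219]: <-- rcpt to:<"|/bin/sh">
Nov  2 23:14:04 host sendmail[1219]: <-- data
"""

# One logged client command: the sendmail pid (assumed to identify the session),
# the SMTP verb, and whatever argument followed it.
LINE_RE = re.compile(r"sendmail\[(?P<pid>\d+)\]: <-- (?P<verb>\S+)\s*(?P<arg>.*)$")


def parse_sessions(log_text):
    """Group logged client commands by sendmail process id (one id per session)."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            sessions[int(m.group("pid"))].append((m.group("verb").upper(), m.group("arg")))
    return sessions


def suspicious_sessions(log_text):
    """Return {pid: [reasons]} for sessions showing the worm's sendmail pattern:
    the DEBUG command, or a recipient that is a program ("|...") rather than a user."""
    findings = {}
    for pid, cmds in parse_sessions(log_text).items():
        reasons = []
        if any(verb == "DEBUG" for verb, _ in cmds):
            reasons.append("DEBUG command issued")
        for verb, arg in cmds:
            if verb == "RCPT" and re.search(r'<\s*"?\|', arg):
                reasons.append("recipient is a program, not a user")
                break
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in suspicious_sessions(SENDMAIL_LOG).items():
        print(f"sendmail[{pid}]: {'; '.join(reasons)}")
```

Either indicator on its own is worth an alert; on a host where the debug command has been patched out of sendmail, the DEBUG line should never appear at all.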

Infection Technique:The worm spreads over the network, targeting Sun Microsystems Sun 3 systems (running SunOS) and VAX systems (running Ultrix).
Infection Trigger:The local host is infected if the worm connects from a remote system (see: Type of Infection) and manages to crack one user account on the local host.
Storage Media affected:Filesystem directory: /usr/tmp
Interrupts hooked:The worm was created on one system by copying from another system, making use of flaws in utility programs (rexec/rsh, finger, sendmail). (1) Attacking Authenticity: Attacking passwords: Once connected to a host, the worm attempts to break user accounts from the /etc/passwd file by guessing obvious passwords, such as the user name or none at all, then by comparing the password against a 432-word dictionary and the dictionary in /usr/dict/words; finally, it tries to attack accounts which trust other machines via the ".rhosts" mechanism.
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:The worm checks for other worms, as a part of a mechanism to prevent over-infection of a particular host. This control facility fails. If the worm has run for more than 12 hours it tries to reinfect hosts which may have been cleared of their infection.
Damage:Although the worm does not attempt to destroy any data or to transmit any information from infected systems to other sites, a cracked user account could be considered damage as well.
Damage Trigger:---
Particularities:---
Similarities:---

Agents

Countermeasures:Although the bugs that the worm used are now (1993) fixed, possible attempts to stop the worm could be:
* patching out the debug command in sendmail (rather than completely turning off the mail service)
* shutting down the finger daemon, or fixing the finger daemon (which requires its source code)
* requiring new passwords for all users whose passwords the worm could guess
* creating a directory /usr/tmp/sh, since the delete command that the worm used (rm -f) does not remove directories, so the delete fails
* setting the global variable "pleasequit" which the worm checks
(* renaming the C compiler and linker, which is drastic)
(* isolating the host from the network, which is even more drastic)
Standard means:

Acknowledgements

Location:Virus Test Center, University of Hamburg, Germany
Classification by:Stefan Kelm, Wolfram Schmidt
Documentation by:Stefan Kelm, Wolfram Schmidt
Date:08-March-1994
Information Source:(1) Eugene H. Spafford: "The Internet Worm Program: An Analy

(c) 1996 Virus-Test-Center, University of Hamburg