
Protecting Against Worms

November 7, 2013

Posted by louloizides in Security.

The article “The internet worm program: an analysis” by Eugene H. Spafford analyzed the first worm, which was written by Robert Morris in 1988 [1][2]. Unlike a virus, Spafford states, a worm is a complete program that copies itself in its entirety instead of injecting itself into another executable.

Spafford also didn’t appear to be impressed by the worm. He thought the code wasn’t clever and appeared to be unfinished, and he had very harsh words for its quality. Furthermore, he praised colleagues who he believed were capable of writing better, possibly more malicious, code but did not because they were dedicated professionals.

Whether or not Spafford was correct in his assessment of Morris’s code, the worm did the computing community a real service by ending its complacency about the security of the Internet. The worm itself didn’t do anything malicious other than eat up computer resources, which might even have been a mistake, since the worm tended to replicate itself multiple times on the same machine [3].

The article offers two key insights into the operation and success of Morris’s worm that suggest how to stop worms:

  • The worm attempted to discover passwords by brute force. It contained a list of commonly used hashed passwords to check against the public password file.
  • Morris discovered and reported a bug in fingerd a year before the worm was released. His worm exploited this bug.

The first point is related to how easy it is to break obvious passwords. Passwords aren’t encrypted. They’re hashed. This is a significant difference. Most strong encryption algorithms will generate a different string every time text is encrypted. A decryption key (in some cases the same as the encryption key) is required to decrypt the text. While this is strong, it means that the operating system would need to store a decryption key. Once someone has access to that key, they automatically have a list of everyone’s passwords.

Hashing, however, is the process of converting a password to some other kind of text string that can’t be reverse engineered back into the password. The operating system can check for equivalent passwords, but an attacker can’t work backwards from the hash to find out what someone’s password is. The disadvantage, however, is that someone can easily hash a list of common passwords and then find out if anyone is using them. For example, there is a tool at [http://www.tobtu.com/lmntlm.php] that allows someone to hash any piece of text using the NTLM hash algorithm used to store Windows passwords. Hashing a common password such as the word “password” always produces the same string.
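The point about identical hashes, shown as an added example that is not part of the original post: an administrator's audit flags accounts whose unsalted hash matches a common password, and a per-account random salt with a slow key-derivation function removes that one-to-one match. SHA-256 stands in for the unsalted hash (NTLM's MD4 is often unavailable in Python builds); the function names, the password list, the account table and the iteration count are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed sample list; a real deny-list would be far larger.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]
PBKDF2_ITERATIONS = 100_000  # assumed example value, tune for your hardware


def unsalted_hash(password):
    """Fast unsalted hash: the same password always gives the same string."""
    return hashlib.sha256(password.encode()).hexdigest()


def audit_unsalted(table):
    """Return {user: password} for accounts whose hash matches a common one."""
    lookup = {unsalted_hash(p): p for p in COMMON_PASSWORDS}  # built once
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def salted_record(password):
    """Store (salt, derived key); a fresh random salt makes each record unique."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, key)


def is_common(password):
    """Check at password-change time so weak choices never get stored."""
    return password.lower() in COMMON_PASSWORDS


if __name__ == "__main__":
    # Constructed account table: alice and bob picked the same weak password.
    table = {u: unsalted_hash(p) for u, p in
             [("alice", "password"), ("bob", "password"), ("carol", "v7#Lantern-Oboe")]}
    print("flagged by audit:", audit_unsalted(table))
    a, b = salted_record("password"), salted_record("password")
    print("salted records equal?", a[1] == b[1])
    print("still verifies:", verify("password", a))
```

Salting stops one precomputed list from matching every account at once, but a common password can still be guessed account by account, which is why the `is_common` check at password-change time matters as well.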

The other point Spafford made was that a key bug exploited by Morris was reported a year earlier. The lesson here is simple – once bugs are found they need to be patched quickly before someone exploits them.

Most of the “viruses” I’ve personally seen on infected computers over the past decade or so have actually been worms. One common way worms tend to spread is by either replacing native components of an OS or adding new ones. Many of these worms exploited buffer overflows [4]. Newer versions of Windows, such as Windows Server 2003 and XP SP2+, however, were compiled with buffer overflow protections [5]. This helped to slow the spread of these worms as well as reduce any impact the worms might have on those systems.

So in summary, some good strategies for protection against worms are:

  • Use hard to guess passwords
  • Patch bugs as soon as they’re found
  • Incorporate buffer overflow protection into OS components

On a side note – there are some great stories involving this worm that are described in the first three references below. There’s enough behind these stories to form the basis of a pretty good movie (maybe for dorks like myself anyway). The Washington Post article chronicles the interaction between Morris and Spafford and points out that Morris was very successful later in life. Reference three has a really great news report from 1988 on the worm and reactions from students at MIT. It’s worth watching.

1. Spafford, Eugene, “The Internet Worm Program: An Analysis”, Purdue University, 1988

2. Lee, Timothy, “How a grad student trying to build the first botnet brought the Internet to its knees”, Washington Post, Nov 1st, 2013, http://www.washingtonpost.com/blogs/the-switch/wp/2013/11/01/how-a-grad-student-trying-to-build-the-first-botnet-brought-the-internet-to-its-knees/, Retrieved on Nov 7th, 2013

3. Malenkovich, Serge, “Morris Worm Turns 25”, Kaspersky Blog, Nov 4th 2013, http://blog.kaspersky.com/morris-worm-turns-25/, Retrieved on Nov 7th 2013

4. “Virus alert about the Blaster worm and its variants”, http://support.microsoft.com/kb/826955, Retrieved on Nov 7th 2013

5. Litchfield, David, “Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server”, September 8th 2003, http://www.blackhat.com/presentations/bh-asia-03/bh-asia-03-litchfield.pdf
