LinuxSA Mailing list archives
From: Mark Newton <newton@atdot.dotat.org>
To: Alan Kennington <akenning@dog.topology.org>
Date: Tue, 30 Mar 1999 15:00:07 +0930 (CST)
Re: Viruses
Alan Kennington wrote:
> There was a theory at the time of the internet worm
> that the creators were planning to wipe out everyone's disks.
That's a new one. The Internet worm is probably one of the most analysed
attacks in history, different from most in that its creator is well-known.
I don't think you'll find that there was ever much suspicion of that.
The worm was written by Robert Tappan Morris Jr (Robert Tappan Morris Sr
was deputy director of the CIA or something stupid like that at the
time). He was a child prodigy, had a PhD before age 18, and took an
interest in security.
The worm was written as a combination of a practical joke and a
demonstration of what would happen if sysadmins ignored security
advisories. It exploited a couple of holes which had been known for
ages to spread itself, notably a stack overflow bug in fingerd and
the "WIZ" debugging command in sendmail. Once it entered a system,
it looked in /etc/hosts and /etc/hosts.equiv to find hostnames for
neighbouring systems and infected them too.
RTM intended to limit it to one invocation per infected system, but
during testing the worm "escaped" from the computer science terminal
lab where he'd been writing it; the code needed to limit it had not
been written.
It was limited to Suns and Vaxes because the bootstrap code used to
"infect" a new system was written in assembly language (and he'd used
an artifact of the VAX assembly language environment to combine both
architectures into a single program).
According to RTM, there was never any intention to do anything harmful
with the worm other than have it lie dormant until a pre-arranged
signal, at which point it'd pop up console messages to tell sysadmins
that they'd been infected.
See The Cuckoo's Egg by Clifford Stoll for more info; there are loads
of web sites about it too, including one that's bookmarked back at my
old Camtech account (sadly inaccessible) which provides a line-by-line
commented disassembly of the worm's code.
> This could very likely have resulted in wiping all machines
> in the world of the two vulnerable OS types.
Hardly.
> Now the next time someone finds a "way in" over the net,
> the same thing could happen all over again, but this time
> they might not release it until it's fully developed and tested.
Good luck to them. The differences between what we have now and what
they had then are:
1. Far more scrutiny given to security;
2. People actually care about security these days;
3. Far more OSs and architectures to infect.
I think it's unlikely that we'll ever see anything like the worm again
(touch wood).
- mark
--------------------------------------------------------------------
I tried an internal modem, newton@atdot.dotat.org
but it hurt when I walked. Mark Newton
----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-83034403 -----
--
Check out the LinuxSA web pages at http://www.linuxsa.org.au/
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject