is a piece of code that adds itself to other programs, including operating systems. It cannot run independently, but rather requires that its "host" program be run to activate it. As such, it has a clear analog to biological viruses: those viruses are not considered alive, but they invade host cells and take them over, making them produce new viruses. A worm is a program that can run by itself and can propagate a full working version of itself to other machines. As such, what was loosed on the Internet was clearly a worm.

The basic object of the worm is to get a shell on another machine so it can reproduce further. There are three ways it attacks: sendmail, fingerd, and rsh/rexec. [A lengthy technical explanation follows here. It comes down to this: the worm tries to get a C source file it sends over compiled on the target by going through the sendmail program (sendmail), and to run a sh with root privileges through a bug in "fingerd". It also checked whether other hosts were connected to this machine and, if so, infected those as well. Hostnames were harvested from files in users' home directories, and a large number of obvious passwords were tried in order to reach those hosts (rsh/rexec).]

THE CRACKDOWN: Three main 'swat' teams, from Berkeley, MIT and Purdue, found copies of the VAX code (the .o files had all the symbols intact, with somewhat meaningful names) and disassembled it into about 3000 lines of C. The BSD development team poked fun at the code, even going so far as to point out bugs in it and supply source patches for them! They have not released the actual source code, however, and refuse to do so. That could change; there are a number of people who want to see the code.
Portions of the code appear incomplete, as if development of the program was not yet finished. For example, it knows the offset needed to break the BSD fingerd, but not the correct offset for Sun's fingerd (so the attempt only makes that fingerd dump core); it also does not erase its tracks as cleverly as it might, and so on. The close scrutiny of the code also turned up comments on the programmer's style. Verbatim from someone at MIT: "From disassembling the code, it looks like the programmer is really anally retentive about checking return codes, and, in addition, prefers to use array indexing instead of pointers to walk through arrays."

Anyone who looks at the binary will not see any embedded strings: they are stored XORed with 0x81. That is how the shell commands are embedded. The "obvious" passwords are stored with their high bit set. Although it spreads very fast, it is somewhat slowed down by the fact that it drives the load average up on the machine; this is due to all the encryption going on, and to the large number of incoming worms from other machines. [Initially, the fastest defense against the worm is to create a directory called /usr/tmp/sh. The script that creates /usr/tmp/sh from one of the .o files checks whether /usr/tmp/sh exists, but not whether it is a directory. This fix is known as 'the condom'.]

NOW WHAT? Most Internet systems running 4.3BSD or SunOS have installed the necessary patches to close the holes and have rejoined the Internet. As you would expect, there is renewed interest in system and network security, in finding and plugging holes, and speculation over what will happen to the worm's creator.
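The string hiding described above (shell commands XORed with 0x81, password-list entries stored with the high bit set) is trivial to undo once the key is known; the point of it was only to defeat a casual strings(1) pass over the binary. The following is an added example, not code from the worm or from any of the analysis teams. It builds a small constructed byte image containing one hidden command and one high-bit password entry (both constructed sample strings, not strings from the worm), then runs a strings(1)-style scan with a chosen XOR key: with key 0 (what plain strings(1) would show) nothing printable turns up, with 0x81 the command reads out, and with 0x80 (equivalent to clearing the high bit) the password entry reads out. The names scan_strings, build_sample and sample_hits are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define WORM_XOR_KEY 0x81      /* key reported for the worm's embedded shell commands */
#define HIT_LEN      64        /* max bytes kept per recovered string */
#define MAX_HITS     8

/* Constructed sample strings (not taken from the worm). */
#define SAMPLE_CMD "cd /usr/tmp; cc -o sh sh.c; ./sh"
#define SAMPLE_PW  "password"

/* XOR every byte with key, in place. Hiding and recovery are the same operation. */
static void xor_bytes(unsigned char *buf, size_t n, unsigned char key)
{
    for (size_t i = 0; i < n; i++)
        buf[i] ^= key;
}

/* strings(1)-style scan: after XORing each byte with key, collect runs of at
 * least minlen printable ASCII bytes into hits[] (up to maxhits entries,
 * each truncated to HIT_LEN-1 characters). key == 0 is what plain strings(1)
 * sees; key == 0x80 clears the high bit of bytes that have it set. */
static int scan_strings(const unsigned char *buf, size_t n, unsigned char key,
                        size_t minlen, char hits[][HIT_LEN], int maxhits)
{
    int found = 0;
    size_t run = 0;
    char cur[HIT_LEN];

    for (size_t i = 0; i <= n; i++) {
        unsigned char c = (i < n) ? (unsigned char)(buf[i] ^ key) : 0;
        if (i < n && c >= 0x20 && c < 0x7f) {      /* printable: extend the run */
            if (run < HIT_LEN - 1)
                cur[run] = (char)c;
            run++;
            continue;
        }
        /* non-printable byte or end of buffer: close the current run */
        if (run >= minlen && found < maxhits) {
            size_t len = run < HIT_LEN - 1 ? run : HIT_LEN - 1;
            memcpy(hits[found], cur, len);
            hits[found][len] = '\0';
            found++;
        }
        run = 0;
    }
    return found;
}

/* Build the constructed image: opaque filler, the command XORed with 0x81,
 * more filler, then the password entry with its high bit set. Returns length. */
static size_t build_sample(unsigned char *img, size_t imgsz)
{
    const char *cmd = SAMPLE_CMD, *pw = SAMPLE_PW;
    size_t n = 0, clen = strlen(cmd), plen = strlen(pw);

    if (imgsz < 8 + clen + plen)
        return 0;
    memset(img + n, 0x01, 4); n += 4;                /* filler: not printable */
    memcpy(img + n, cmd, clen);
    xor_bytes(img + n, clen, WORM_XOR_KEY);          /* hide the command */
    n += clen;
    memset(img + n, 0x02, 4); n += 4;                /* filler: not printable */
    for (size_t i = 0; i < plen; i++)
        img[n++] = (unsigned char)pw[i] | 0x80;      /* password, high bit set */
    return n;
}

/* Scan the constructed image with the given key; returns the number of runs
 * of 4+ printable characters found and fills hits[]. */
int sample_hits(unsigned char key, char hits[][HIT_LEN])
{
    unsigned char img[128];
    size_t n = build_sample(img, sizeof img);
    return scan_strings(img, n, key, 4, hits, MAX_HITS);
}

int main(void)
{
    char hits[MAX_HITS][HIT_LEN];
    unsigned char keys[] = { 0x00, 0x81, 0x80 };

    for (size_t k = 0; k < sizeof keys; k++) {
        int cnt = sample_hits(keys[k], hits);
        printf("key 0x%02x: %d run(s)\n", keys[k], cnt);
        for (int i = 0; i < cnt; i++)
            printf("  %s\n", hits[i]);
    }
    return 0;
}
```

Note that the wrong key still yields printable garbage (the command under 0x80, the password entry under 0x81), since 0x80 and 0x81 differ only in the low bit; when hunting for hidden strings in an unknown binary, a scan over all 256 single-byte keys, keeping whichever key produces the longest or most shell-like runs, is the usual next step.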