Memories of the Internet Worm - 25 years later

Filed Under: Featured, Malware

Today is the 25th birthday of the infamous Internet Worm.

From the name alone, you can tell how different the malware scene was back in 1988.

Back in that era, the Brain virus, which was from Pakistan, was unusual for having such a usefully descriptive name. (It changed the volume labels of infected diskettes to (C) BRAIN.)

Viruses often ended up with technically unhelpful names like Jerusalem, based on where they came from - and some people even called that one the Israeli virus, because malware was rare enough that even naming a virus after a whole country was unlikely to lead to ambiguity.

And so it was with the Internet Worm - the Internet Worm, if you don't mind, not merely an internet worm.

After all, there hadn't been an internet worm before; if ever there were another, well, the bridge of what to call it could be crossed at that time.

The Internet Worm is also known by another name of a sort you are unlikely to see today: you will see it referred to as the Morris Worm, after its author, Robert Tappan Morris.

→ Morris's late father, as it happens, also named Robert, worked for the NSA. A lot of this story sounds eerily familiar, even 25 years later.

Malware tends not to be named after its authors these days because their identities are rarely known - and they like to keep it that way.

Morris, however, could hardly deny being the author of the Internet Worm, because he received a criminal conviction for writing and releasing it - he was on probation for three years, did 400 hours of community service, and paid a fine of just over $10,000.

How it spread

The worm employed numerous techniques that are used to this day by cybercriminals, with three main tricks up its sleeve for spreading:

  1. It tried to exploit a stack overflow vulnerability in the system service fingerd.
  2. It tried to exploit a debug option commonly but wrongly enabled in the mail server sendmail.
  3. It tried to guess other users' passwords.

The password guessing started off with various permutations of the user's login name and real name, so that for a user called Paul Ducklin with a username of duck, the worm would try:

duck
duckduck
Paul
Ducklin
paul
ducklin
kcud

If none of those worked, it would use a short dictionary that it carried around with it:

char *wds[] = {
  "academia", "aerobics", "airplane", "albany",
  "albatross", "albert", "alex", "alexander",
  "algebra", "aliases", "alphabet", "amorphous",
  . . . .
  "outlaw", "oxford", "pacific", "painless",
  "pakistan", "papers", "password", "patricia",
  "penguin", "peoria", "percolate", "persimmon",
  . . . .
  "wizard", "wombat", "woodwind", "wormwood",
  "yacov", "yang", "yellowstone", "yosemite",
  "zimmerman",
  0
};

What have we learned?

It would be nice to be able to say that a password cracking list of the sort shown would be useless in 2013, but experience suggests that many people are still as careless as in 1988.

Last year, for example, when Dutch industrial group Philips suffered a database breach, we quickly recovered the following choices from the dumped password hashes:

1234
12345
123456
123457 -- nice try, but no cigar!
00000000
philips -- five appearances
ph1lips -- nice try, but no cigar!
password -- no list complete without it
qwerty -- ditto
seguro -- Spanish for "secure", it isn't

→ In a delightful historical loopback, the author of the original crypt program for Unix, which introduced the storage and validation of passwords as hashes rather than plaintext, was Robert Morris's father, Robert Morris.

Stack overflows, on the other hand, aren't quite the security disaster they used to be.

The stack is used to store arguments passed into, temporary variables used during, and the address to jump to when when returning from system functions.

Back in 1988, if you could reliably overflow one of those temporary variables on the stack, rewrite the return address, and add some malicious shellcode, you had a very good chance of RCE, or Remote Code Execution.

That's because you could put your shellcode right on the stack and run it.

There are occasional legitimate reasons for generating temporary stack code and jumping to it, and in 1988, most operating systems permitted it, in case you ever needed to do so.

These days, most operating systems mark the stack non-executable, to make it harder to run shellcode stored there; they also perform various regular runtime checks to look out for unauthorised tampering with stack values such as return addresses.

Could it happen again?

Received wisdom suggests that the Internet Worm infected about 10% of the 60,000 computers connected to the internet in 1988.

That sort of penetration was probably exceeded by various network worms of the early 2000s, such as CodeRed, Nimda and Slammer; in the last few years, however, viruses of that replicative power just haven't been seen.

One reason is the success and the ubiquity of the internet itself: malware writers just don't need to use network-spreading viruses (self-replicating malware) these days.

Instead of sending malware out into the world to find unprotected systems and break in from the outside, cybercrooks these days can simply place their malicious content on a website, and wait for the world to come to them.

That's simpler to do, and makes it easy to change the malware as often as you like - you can even serve up a completely different sample for each visitor.

It also bypasses many firewalls, because they're typically configured to allow connections from the inside to the web, even if they religiously block all inbound connections from the outside.

What can we learn?

Three straightforward things that you should have been doing in 1988 are still well worth doing today:

  • Pick decent passwords. Use a password manager if you have trouble remembering them all.
  • Patch regularly, so that already-known vulnerabilities simply aren't available to the crooks.
  • Review your system configuration, removing permissions and turning off options which are unsuitable for production use.

One last thing to remember.

The magic pixie dust that made UNIX immune to viruses and other malware...it escaped forever on 02 November 1988.

Image of earthworm courtesy of Shutterstock.

You might like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog