Term Paper on Morris Worm

Akshay Jajoo CS 52600 - Information Security by Eugene H. Spafford

December 2017

A permanent copy of this A permanent copy of this document has been moved to the document has been moved to the following link. Please use that following link: Please use that for citations: https: for citations. https: //github.com/ajajoo/ //github.com/ajajoo/ morris-worm_term-paper/ morris-worm_term-paper/ blob/master/morris-worm_ blob/master/morris-worm_ term-paper.pdf term-paper.pdf

A permanent copy of this A permanent copy of this document has been moved to the document has been moved to the following link: Please use that following link: Please use that for citations. https: for citations. https: //github.com/ajajoo/ //github.com/ajajoo/ morris-worm_term-paper/ morris-worm_term-paper/ blob/master/morris-worm_ blob/master/morris-worm_ term-paper.pdf term-paper.pdf

1 AkshayJajoo/PurdueUniversity CS526/InfoSec/TermPaper-MorrisWorm/2

Abstract Purdue studied the worm and uncovered how it works and released some fixes and patches The Morris worm [10, 35] was one of the first within a day. Technical details of the patches worms spread via the . It was spread are discussed in §3. The worm also impacted on November 2, 1988, and changed how com- the way was perceived, puter security was viewed by computer pro- right from the formation of CERT to people fessionals as well as general public [3]. Since being more cautious and thoughtful about se- its inception the Morris worm has been stud- curity. Some people even term the episode as ied extensively from the security point of view the big bang of cybersecurity [23]. §4 and §5 [35, 26, 32, 10] and is still a point of interest talk more about learning and changes which [20, 24]. followed the event. At that time there were This term paper summarizes the effects, im- roughly 60,000 machines on the Internet, and pacts, and lessons learned from the episode. it is estimated that the episode resulted in a loss of $98 million. Another estimate says that by the time incident was isolated around 1 Overview 5-10 % machines on the Internet were victim- ized [3]. How drastic could such an incident On November 2, 1988 at around 6 PM a be with many companies and much of our day grad-student, Robert Mor- to day life activities solely relying on comput- ris [28, 29], launched a (see ers? §6 discusses this in detail. §7 is summary §8 for explanation of worm) with the in- and §8 talks about some other but related in- tention(he claims) of mapping the Inter- teresting facts and terminologies. net. The worm was self-replicating and self- propagating and took advantage of exploits in the services, described in detail in §2.1. Though Robert claims that the worm 2 Loopholes and Misfea- was only intended for educational purposes, tures the worm disrupted the whole Internet [20] ( more in §2.2). Being first of its kind, the inci- As soon as the worm was noticed individ- dent was very interesting for computer scien- ual researchers, University committees, and tist. Many researchers at Berkely, MIT and government agencies all started analyzing the

Page 2 of 18 AkshayJajoo/PurdueUniversity CS526/InfoSec/TermPaper-MorrisWorm/3 vulnerabilities exploited by the worm. [12, fixing some other security bugs in the 35, 6, 32]. This section discusses what went [32] accidentally a new mis- wrong and what were the loopholes? Which feature was introduced in it. The new exploits of BSD UNIX the worm took advan- bug was that if the sendmail is com- tage of to reach its target? Did Morris made piled with DEBUG flag on and if the some innocent mistakes in writing the repli- sender of a mail asks the daemon to go cating routine? Or was the worm intention- in debug mode by sending a debug com- ally designed to spread like forest fire? mand, then the sendmail allowed the sender to send a sequence of commands 2.1 Vulnerabilities Exploited instead of a recipients address. A com- bination of these two features was ex- Along with many other flaws, the episode ex- ploited in the worm. posed a few specific loopholes in services pro- vided by BSD-derived versions of UNIX. Re- 2. fingerd – The fingerd the utility was searchers, engineers and system administra- used to obtain general user informa- tors identified and reported [35, 32, 30] these tion like name, username and current bugs within 2 days of the outbreak. The fol- login status of other users on the sys- lowing vulnerabilities were exploited. tem. Like sendmail, fingerd also ran 1. Sendmail – Sendmail is a mailer pro- as a background daemon. The worm gram used to route emails on the Inter- exploited fingerd by overrunning the net. The program was capable of run- buffer the process used as its input. ning in various modes, one of them was The source of the bug was the gets rou- being a background daemon. In this tine in the standard C library. A call mode the program used to listen on a to gets writes input to a buffer and the TCP connection for an incoming mail. flaw was that the function implement- Sendmail allowed mail to be delivered ing gets assumed that the buffer passed to a process (the background daemon) to it is large enough for the input to be instead of the mailbox files, which was written. This fault was not only in gets, used for purpose like setting up auto- but also, exists in other input-output matic vacation responses. Also, while routines like scanf and fscanf.

Page 3 of 18 AkshayJajoo/PurdueUniversity CS526/InfoSec/TermPaper-MorrisWorm/4

3. rsh and rexec – rsh and rexec are ser- exploiting the fact that encrypted user vices which offer remote command in- were stored in a publically terpreters over a network. For au- readable file. However, in his technical thentication purposes Rsh used permis- report [35] Spafford says that the pass- sion files and a privileged source port words were not (he means in effect) en- whereas Rexec used passwords. The crypted as a block of zero bits were re- worm exploited the fact that there is peatedly encrypted using the user pass- a high possibility that a for a word and the result thus obtained was local user for an account on a remote stored in the publically readable file. machine will be same as its local pass- Interestingly Morris had done a case word. Another likelihood was that a study [25] on this before the attack. So, remote account for a user will have rsh breaking passwords was easy by guess- permission files for the local account of ing a list of passwords, then encrypting the user. The worm exploited above them and comparing the output with two ideas to penetrate into remote ma- the stored value. chines. Use of rsh was very simple – just look for an account on a remote 2.2 Innocence or not? machine for a user who is running the This subsection talks about the aspect that worm locally. Use of rexec was not that whether the intent was malicious or not. simpler. To use rexec for penetrating the worm used the local password to do Though the Cornell Commission [12] states a remote login. So for doing this the that the worm did not harm any user data worm had to crack local password first. or system files, it did make infected systems Following subsection discusses the pass- slow. However, the commission also does not word cracking. fail to mention that ”given Morris’s evident knowledge of systems and networks, he knew 4. Passwords – One of the key require- or clearly should have known that such a con- ments for the worm to be able to spread sequence was certain, given the design of the was to be able to break the password worm”. of its current host. This was done by The commission report also states that Mor-

Page 4 of 18 AkshayJajoo/PurdueUniversity CS526/InfoSec/TermPaper-MorrisWorm/5 ris made only minimal efforts to halt the Another interesting fact is that Eric All- worm once it started spreading and also ac- man, developer of the sendmail and deliver- cuses him of not informing any responsible mail, in a personal communication to Donn authority about it. However, according to Seeley said, ”The trap door resulted from two these press articles, Morris did try to talk to a distinct ’features’ that, although innocent by friend, Graham, and Harvard University who themselves, were deadly when combined(kind informed Andy Sudduth [20, 17]. Morris did of like binary nerve gas)” [32]. Exploit of suggest Sudduth some steps to protect Har- sendmail is another example of how innocent vard computers from the worm. Sudduth also mistakes can be harmful. says that after some time Morris again called him realizing that he had made a ’colossal’ mistake, asking him to publicly publish an 3 Overview of the Worm anonymous apology with instructions on how to fix things. However, Sudduth was also the and early actions first witness for the defense in the law-suit This section provides high-level overview of against the worm and, in response to a ques- working of the worm i.e. answers the follow- tion by prosecutor Mark D. Rasch, he said ing question, ”What exactly did the worm do [17] that ”He (Morris) wanted that I should that led it to cause an epidemic?”. This sec- keep it quiet(a major security bug in a file tion will also briefly discuss some of the early transfer program in the BSD UNIX), yes”. patches released to target this problem. This fact gives a reason to doubt that Morris might have had notorious intents. With above contrasting information, it is not The worm can be considered as divided clear whether Morris was only performing an into two major parts a bootstrap(vector) pro- innocent educational experiment with no ma- gram and a main program. The vector pro- licious intent. However, one thing is clear gram is a 99-line C program and the main even if it was an innocent act the Internet program is a large relocatable object file that had grown to such an extent that even inno- is compatible with VAX and Sun-3 systems cence can cause great damage. [32]. The bootstrap program is included in the appendix in [35].

Page 5 of 18 AkshayJajoo/PurdueUniversity CS526/InfoSec/TermPaper-MorrisWorm/6

3.1 Working of the worm 3.1.2 Why was performance of the in- fected machines degraded? 3.1.1 How does the worm spread? Infected machines slowed down because of Once the worm is established on a machine uncontrollable replication of the worm be- it then tries to locate a host and, most im- cause the worm was only using the main portantly, target accounts on the host to in- memory (see §3.1.3) for its entire processing, fect new machines which it then exploits via this lead to memory clogging [12] and resulted one of the loop holes discussed in §2 to pass in the machines slowing down. a copy of the worm to the remote machine. The worm tries to obtain the address of po- 3.1.3 How does it try to hide itself? tential target hosts by reading various system Following steps summarize some of the mas- tables like /etc/hosts.equiv and /.rhosts and querading steps taken by the worm described user files like .forward and .rhosts, ordered in [32] in such a way such that it reads files having the name of local machines first. It might be • On startup, the worm used to delete its doing this as local machines are more likely argument list and set the very first ar- to give access without authentication. For a gument as sh in an attempt to pretend fixed address the worm can try to penetrate to be a shell command interpreter. in one of the following ways: • Used to fork itself so that it doesn’t have to stay with the same process i.d. • Exploiting the bug in the finger server for very long. which lets the worm download its code • It read all the files which are part of the instead of a finger request and then worm program into memory and deletes tricking the server to execute it. them so that no evidence is left

• Using the bug in the debugging code of • Turns off core-dump generation, so that the sendmail SMTP mail service. if the worm program crashes no dump files, leaving evidences behind are gen- • Guessing passwords and then using rsh erated. This also helps in preventing and rexec analysis of the worm.

Page 6 of 18 AkshayJajoo/PurdueUniversity CS526/InfoSec/TermPaper-MorrisWorm/7

• While loading the worm file most of the on Nov. 2, 1988, via the mailing list “tcp- non-essential symbol table entries were [email protected]” [30]. Reports gave a detailed deleted to ensure that even if the worm timeline of the major events and actions from file is caught before deleting, it will be the assumed ”beginning” of the worm un- harder to guess what the routines are til its full decompiled code was installed at doing. Berkeley [32, 30].

3.1.4 What does it not do? On Thursday, Nov. 3 morning at 5:58 am several patches to fix the worm were released The program was a worm, and not a virus by Keith Bostic of UC Berkeley [19], one of (see §8.1 and §8.2 for difference in a worm and the key people in the history of BSD UNIX, a virus). It did not attempt to modify any via the tcp-ip mailing list which was also for- other program or files on the system. It also, warded by several others[32, 30]. E.H. Spaf- didn’t delete any system files [32, 12], and ford [13] from Purdue University analyzed in-fact did not attempt to incapacitate the the worm and released some patches in his system by deleting any of the already exist- detailed technical report on the worm[35]. ing files, it only deleted files created by itself. Patches for fingerd and sendmail are dis- It, also neither installed Trojan Horses nor cussed in detail in this section. transmitted decrypted passwords anywhere. It didn’t try to get superuser privileges. Nov. 8, 1988, on the Tuesday follow- ing the event, the National Computer Secu- 3.2 Early Actions and Patches rity Center(NCSC) called a meeting of scien- Scientist and engineers at major institutions tists, officers, faculty members from institu- like MIT, NASA, Purdue University, UC tions including the National Institute of Sci- Berkeley, and many others started realizing ence and Technology, the Defence Communi- that something was wrong late night on Nov. cation Agency, the DARPA, the Department 2, 1988, or early morning Nov. 3, 1988, and of Energy, the Ballistics Research Labora- started taking immediate action. The first tory, the Lawrence Livermore National Lab- formal public posting about the virus was oratory, the CIA, the UC Berkeley, the MIT, sent by Peter Yee of NASA Ames at 2:28 am, SRI International, the FBI, and various other

Page 7 of 18 AkshayJajoo/PurdueUniversity CS526/InfoSec/TermPaper-MorrisWorm/8 stake holders. The three fourth of the day also asked to look for string “debug” was spent in analyzing the event from the in the sendmail binary using the UNIX perspective of all the participants and the re- strings command and mentioned that maining time was used to discuss learnings if there is no presence of the string then from the event and what actions to be taken the version is definitely safe. [30]. Some of the actions taken by NCSC are discussed in section §5.2. The patch for sendmail can be found in the 3.2.1 Patches for sendmail appendix of this [35] report.

On the Thursday following the attack, Keith Bostic sent following two fixes or suggestions for sendmail: 3.2.2 Patches for fingerd 1. At 5:58 a.m. on the list tcp-ip@sri- nic.arpa which provided the compile On the Thursday night following the attack without the debug command fix to send- at 10:18 p.m., Bostic sent out a fix for fin- mail [30]. This posting also suggested gerd. Overall, this was the third fix posted to rename the UNIX C compiler(cc) by him. This fix had new source code for and loader(ld), this worked as the worm fingerd which used fgets instead of gets and needed the path to them to compile it- instead of return used exit. This bug-fix post self and helped in protecting against the also had another version of sendmail which non-sendmail attack. totally removed the debug command. See

2. At 11:12 a.m. on the list §8.4 to know more about why gets cannot be comp.4bsd.ucb-fixes. This fix suggested fixed. A patch for fingerd can be found in to use 0xff instead of 0x00 in the bi- the appendix of this [35] report. nary patch to the sendmail. This was needed to support the previous patch. On Friday, following the attack at 5:05 The previous patch was effective how- p.m., Bostic released his fourth bug-fix. This ever would have fallen to debug mode if fix was different than the previous ones, It an empty command line was sent. He was a fix to the worm [30].

Page 8 of 18 AkshayJajoo/PurdueUniversity CS526/InfoSec/TermPaper-MorrisWorm/9

4 Lessons Learnt stakeholders analyze the incident carefully and think about computer and network se- curity from all perspectives, and figure out Use of worm-like capability was not new in learnings from the episode for future safety this case researchers have tried it to enable [27], [30] etc. Some of the views put forward automated patches across by different people were contrasting. How- multiple networks[23]. This incident showed ever, based on my readings I found that there that, with technology advancement, unin- was more or less a general consensus among tended or undesirable consequences can fol- all the stakeholders regarding the following low. Being the first of its kind this event points. gave many lessons to scientists, engineers, Diversifying the options - If we make an technical agencies as well as general public. analogy with biological fact, biological ge- If we look at the broader timescale around netic diversity makes species more robust. this event, this was the time when the use of Having diversity in computer programs will the Internet was growing rapidly outside of make the network more robust as an attack research. Press reporting of the event (like exploiting flaws of any particular software this [17] and many others) made the gen- will have its effect limited only to machines eral public (non-research community) aware running or using that software, and will pre- of computer networking and, most impor- vent it from bringing the whole network tantly, it made many people aware of the down. fact that malicious computer programs can Least Privilege - The basic security prin- be written [21] and also made the commu- ciple of least privilege says that any entity nity aware of computer and network secu- should only be given just enough privilege rity issues and a widespread concern grew to carry out the work they are supposed to. out among people that whether the network There was a consensus among people that no which many essential things like trans- the principle of least privilege should not be portation, commerce, and high-risk services ignored for computer security. Ignoring this like national defense and space missions rely might lead to disasters. upon is secure. The shocking slowdown of the Defense Mechanism - Defense mechanisms system and the awareness created made gov- should be installed at end-hosts, in this par- ernment agencies, universities, and all other

Page 9 of 18 AkshayJajoo/PurdueUniversity CS526/InfoSec/TermPaper-MorrisWorm/10

ticular event the network performed well and spiked. Now, 29 years later, we are in a world faults were in the application programs. where are mostly known as someone Need of a Response and coordinating who does money related fraud or steals digital team - Just like for any other critical situa- information and uses it for some unintended tion there should be an emergency response purpose. The Morris worm has become a his- team for responding to computer security tory lesson, a forerunner that put everyone on threats guard from a demon (However, if executed No limited connectivity - Researchers out- even now the worm will still need daemons right denied suggestions of limiting the con- for carrying out its task! Pun intended). nectivity and agreed to the argument that As discussed earlier in this section, the ”the cure shouldn’t be worse than the dis- event gave many immediate lessons but have ease” [30]. Limiting connectivity will nega- we been able to keep up with learnings the tively impact the progress of the research. forerunner gave us. Have we learned a hid- den lesson, that if things can then they will go wrong? Have we been able to scale up 4.1 Have we really learned? – the learnings and concern for computer and network security with growing use of digital Status after 29 years devices and computer networks? In my opin- In that period, 1988 - 1990, for spreading ion, the answer is yes and no. To me, it seems the worm which slowed down some machines that in many cases we are on the ”best ef- Morris was sentenced to 3 years of Proba- fort” mode for computer and network secu- tion and $3276 to cover the cost of the pro- rity. Many core-technical companies do un- bation, a fine of $10,500 and 400 hours of derstand the importance of security and are community service. There was a sense of working towards making systems and designs urgency among people – many technologies more secure. They have dedicated teams and security-related(including non-computer working towards product security [7]. System security) agencies met within days of the designers are taking care of security issues in event[27]. Teams like CERT were created advance while designing new systems or ar- and many other actions described in §5 were chitecture. Security considerations in the de- taken, public awareness on network security sign of ICN and NDN [37, 5] are great ex-

Page 10 of 18 AkshayJajoo/PurdueUniversity CS526/InfoSec/TermPaper-MorrisWorm/11 amples. Anti-virus and anti- have a able to correctly sense and measure the risk big market, and many products with varying involved with the digital world as it is still prices, features and options available. They very new. People do not use security fea- are also being widely used by people. tures as one of the selection criteria for digi- tal products. Or maybe agencies still believe However, there are still many attacks hap- and agree with the statement that ”It may be pening and the number is increasing day by more expensive to prevent such attacks than day. If we take a look at some of the top data it is to clean up after them” [30]. When the breach attacks of 21st century [36] more than worm incident happened most of the people 70% of the victim companies are not core using computers and networks were profes- technical companies and are just using tech- sionals and had significant knowledge of de- nology as a tool for their business. Attacks sign and working of the system. However, to- like Wanna Cry ransomeware [38], which are day this not at all the case computers are just of much greater impact and severity as com- like any other equipment and many people pared to the Morris Worm, are occurring. In with little, if any, knowledge about how sys- many cases, we are not even able to track tem works are using it. There has been no sig- the attacker, a conviction is out of the ques- nificant step taken yet to educate such people. tion. Very few digital products(excluding Schools and other public and private institu- those which are specifically designed for secu- tions do arrange time-to-time fire drills, and rity) highlight security features in the prod- drills to handle other disaster events. How- uct description. The following could be the ever, I am not aware of or have heard of potential reasons behind the above problems computer security drills. Even many Com- that either leadership of the non-core tech puter Science departments do not have a sin- companies and other regulatory authorities gle mandatory course on computer security are not aware of or are not able to judge or [1]. However there are a large number of va- willfully ignore to acknowledge the severity of cancies for cybersecurity experts, as per [18] risks involved in the computer security. Le- every year in the United States., 40,000 jobs gal policies are not strong enough or detailed for information security analysts go unfilled, and precise enough to capture the computer and institutions are struggling to fill 200,000 security requirements [16, 11]. Another po- other cyber-security related positions. I am tential reason could be that people are not

Page 11 of 18 AkshayJajoo/PurdueUniversity CS526/InfoSec/TermPaper-MorrisWorm/12 not sure about lack of awareness but there will equally impede the free flow of informa- definitely is lack of attention to computer se- tion.” The statement clearly shows the dis- curity. Computer security is not getting the appointment of the community on observing importance it should. the breach of trust. This incident made a lot of people outside the academic commu- 5 What changed? nity aware of the fact that malicious software could be written. From being a closed and Before the incident the Internet was a closed trusted community of researchers the Inter- community, and ethical and responsible be- net started becoming a large community, and havior and good intent were assumed. The it had to accept uncontrollable sociopaths as worm episode changed people’s behavior and it members. Computer science departments attitude towards computer security. Various all across the world started defining the ap- actions were taken by different organizations propriate and inappropriate usage of the In- [10, 6], government agencies, and universities, ternet resources. and of course, an event with such huge impact will definitely bring some changes in practice 5.2 Changes in system and perspective of people. This section dis- This subsection discusses more concrete and cusses these changes following the event. administrative changes and other objective changes made in response to the episode. 5.1 Changes in perspective There were many administrative actions sug- Post worm people had this sense that the gested and taken [10, 6, 27]. Like the for- Internet is no longer a closed community. mation of Computer Emergency Response As published in an interview by Intel news Team(CERT) at Carnegie Mellon University room [21] – The day after the worm an awful with funding support from DARPA. CERT lot of people were shocked that such abuse was formed by organizing computer scientists could happen. This is evident from the fol- with aim of isolating such problems and pre- lowing statement in [12] ”A community of venting them from happening in the future. scholars should not have to build walls as Though the firewall technology already ex- high as the sky to protect reasonable expecta- isted before the event, it saw a surge after the tion of privacy, particularly when such walls disturbing event [26]. Some people at DEC

Page 12 of 18 AkshayJajoo/PurdueUniversity CS526/InfoSec/TermPaper-MorrisWorm/13 started putting an effort into corporate net- 6 Cost Analysis: then work protection. and now In a report to the Chairman of Subcom- mittee on Telecommunications and Finance, This section subjectively discusses the direct Committee on Energy and Commerce, House or indirect costs incurred due to the worm of Representatives US General Accounting and what it would cost for such an event in Office recommended formation of an intera- today’s scenario. With approximately only gency group including agencies funding re- 6000 (10% of total machines) [12] machines search networks on the Internet, under the being affected and the size of the network be- coordination of President’s Science Advisor, ing only 60,000 machines, use of computers with following goals (extracted from the re- was esoteric and primarily for research, with port [6]). high chances of the attacker not having crim- inal intent the losses were in millions of dol- lars. Experts estimated that the per machine 1. provide Internet-wide security policy, loss could be up to $53,000 [9] and another direction and coordination. estimate in [12] said around 6000 machines were infected, so the total loss could be as high as $318 million. 2. support ongoing efforts to enhance In- In contrast today there are 1) billions of dig- ternet security. ital devices in use and most of them are con- nected to the Internet, 2) more than 51% of total world population 3) Computers are be- 3. obtain the involvement of Internet ing used widely ranging trivial day to day users, software vendors, technical ad- work like managing traffic, listening to music, visory groups, and federal agencies re- and education to high-risk tasks like medical garding security issues. treatment, national and internal security. A large number of businesses entirely depend on 4. become an integral part of the structure computers and network 4) cyber-attacks be- that emerges to manage the National ing made with criminal intent [38, 36]. It is Research Network. hard to imagine what will be the impact of

Page 13 of 18 AkshayJajoo/PurdueUniversity CS526/InfoSec/TermPaper-MorrisWorm/14 an attack involving 10% of total machines on worm showed. An attack like this was in- the Internet. It could simply break traffic in evitable, had Morris not done it someone else an entire city, state or maybe of whole na- would have. New upcoming systems are now tion. It could bring down several businesses more cautious about security, ICN is an ex- or can even lead to large number of deaths if ample. However, that is not enough as dis- medical systems or security systems get into cussed in §4.1 we are not yet fully ready to ef- ambit of the attack. ficiently tackle cyber attacks like [38]. Other According to cyber risk modeling from than specialized training, there is pressing Cyence [2], economic losses from a recent need to make general masses and policy mak- cyber attack, WannaCry ransomeware, [38], ers realize the importance of computer and could reach $4 billion. The attack began on Internet security. 12th May 2017 and impacted just 300,000 de- vices(less than 0.01% of total digital devices) and 200,000 people (less than .003%) of world 8 Appendix population [38]. Even if extrapolate linearly the losses due to an attack involving 10% of 8.1 What is a computer worm? total devices on the network could be as high as $4 trillion. The concept of self-propagating worm pro- gram was first described by John Brunner in 7 Summary his fictional novel The Shockwave Rider [4]. Worm in the novel was used as a tool for tak- This study compels me to agree to the state- ing revenge! [8]. A computer worm is a com- ment (or its variations) by Prof. Spafford plete piece of program that replicates itself that “The only truly secure system is one in order to spread to other machines. Cer- that is powered off, cast in a block of concrete tainly, other than the very weak claim made and sealed in a lead-lined room with armed in [34] that warm might have been written guards and even then I have my doubts” [21]. to take subconscious revenge on his father. I Any new system starting with a closed group didn’t find any source claiming that Morris will have to deal with security issues as it wrote the worm to take revenge. More about expands. This is precisely what the Morris worms here [39].

Page 14 of 18 AkshayJajoo/PurdueUniversity CS526/InfoSec/TermPaper-MorrisWorm/15

8.2 What is a computer virus? linux man page of gets [14].

A computer virus is a malicious software. On Never use gets(). Because it is execution, it replicates itself by ”infecting” impossible to tell without know- other programs i.e. by inserting its own code ing the data in advance how many into other computer programs. These in- characters gets() will read, and fected programs can include data files or sys- because gets() will continue to tem programs or even boot sector of the hard store characters past the end of drive. the buffer, it is extremely dan- gerous to use. It has been used 8.3 Robert Morris’s father was to break computer security. Use chief for computer security! fgets() instead. Robert Tapan Morris’s father, Robert Mor- ris, was a computer scientist at Bell labs and helped in designing Multics and Unix References and later he became chief scientist at Na- [1] Bachelor of Science Degree Require- tional Computer Security Center, a division ments. https : / / www . cs . purdue . of the NSA. Some people claim [3] that Ju- edu / undergraduate / curriculum / nior Robert was trying to get away from his bachelor.html. father’s image and have one of his own. [2] Jonathan Berr. ”WannaCry” ran- 8.4 gets cannot be fixed. somware attack losses could reach dol- lar 4 billion. https://www.cbsnews. We can say that functions implementing APIs com / news / wannacry - ransomware - like gets will be insecure-by-design. Since attacks - wannacry - virus - losses/. these function will only get a pointer to a May 2017. buffer( char* ) and not the size of the buffer and since there is no implicit size bound to a [3] Larry Boettger. The Morris Worm: buffer in C, it will be impossible for the func- How it Affected Computer Security and tion to bound the size of data being read. Lessons Learned by it. https://www. This point is very clearly explained in the giac.org/paper/gsec/405/morris-

Page 15 of 18 AkshayJajoo/PurdueUniversity CS526/InfoSec/TermPaper-MorrisWorm/16

worm-affected-computer-security- [10] Peter J. Denning. The Internet Worm. lessons-learned/100954. 2000. Tech. rep. Research Institute for Ad-

[4] John Brunner. The Shockwave Rider. vanced Computer Science, NASA Ames 1975. Research Center, 1989.

[5] Jeff Burke et al. “Securing instru- [11] Myriam Dunn Cavelty. “From Cyber- mented environments over content- Bombs to Political Fallout: Threat Rep- centric networking: the case of light- resentations with an Impact in the ing control and NDN”. In: Computer Cyber-Security Discourse”. In: Inter- Communications Workshops (INFO- national Studies Review 15.1 (2013), COM WKSHPS), 2013 IEEE Confer- pp. 105–122. doi: 10 . 1111 / misr . ence on. IEEE. 2013, pp. 394–398. 12023. eprint: /oup / backfile / content _ public / journal / isr / 15 / [6] Ralph V. Carlone. Computer Secu- 1 / 10 . 1111 / misr . 12023 / 2 / 15 - 1 - rity: Virus highlights Need for Im- 105.pdf. url: +%20http://dx.doi. proves Internet Management. Tech. org/10.1111/misr.12023. rep. United States General Accounting Office, Washington, D.C. 20548, 1989. [12] T. Eisenberg et al. “The Cornell Com- mission: On Morris and the Worm”. [7] Google Cloud. Google’s Security Cul- In: Commun. ACM 32.6 (June 1989), ture. https://gsuite.google.com/ pp. 706–709. issn: 0001-0782. doi: 10. learn - more / security / security - 1145/63526.63530. url: http://doi. whitepaper/page-2.html. acm.org/10.1145/63526.63530. [8] Computer Worm History. https : / / [13] Eugene Howard Spafford Wikipedia en.wikipedia.org/wiki/Computer_ page. https : / / en . wikipedia . org / worm\#History. wiki/Gene_Spafford. [9] Computing’s 11 Smartest Super- Viruses-And The Damage They [14] gets(3) - Linux man page. https : / / . Wrought. https://www.fastcompany. linux.die.net/man/3/gets com / 3015224 / computings - 11 - [15] Global Internet Usage. https : / / smartest-super-viruses-and-the- en . wikipedia . org / wiki / Global _ damage-they-wrought. Feb. 2013. Internet_usage.

Page 16 of 18 AkshayJajoo/PurdueUniversity CS526/InfoSec/TermPaper-MorrisWorm/17

[16] Lene Hansen and Helen Nissenbaum. com / editorials / lessons - from - “Digital disaster, cyber security, and the - first - computer - virus - the - the Copenhagen School”. In: Interna- morris-worm/. 2013.

tional studies quarterly 53.4 (2009), [22] Morris worm. https : / / en . pp. 1155–1175. wikipedia.org/wiki/Morris_worm.

[17] Herald-Journal. http : / / media . [23] Morris Worm Turned on Cyber Secu- syracuse.com/vintage/other/2016/ rity 25 years Ago. http://www.njvc. 01 / 20 / Testifies \ %20merged . pdf. com / blogs / morris - worm - turned - 1990. cyber - security - 25 - years - ago.

[18] Jeff Kauflin. The Fast-Growing Job 2013. With A Huge Skills Gap: Cyber Secu- [24] Morris Worm Turns 25. https://www. rity. https : / / www . forbes . com / kaspersky.com/blog/morris-worm- sites / jeffkauflin / 2017 / 03 / 16 / turns-25/3065/. 2003.

the - fast - growing - job - with - a - [25] Robert Morris and Ken Thompson. huge- skills- gap- cyber- security. “Password Security: A Case History”. Mar. 2017. In: Commun. ACM 22.11 (Nov. 1979), [19] Keith Bostic Wikipedia page. https : pp. 594–597. issn: 0001-0782. doi: 10. //en.wikipedia.org/wiki/Keith_ 1145/359168.359172. url: http:// Bostic. doi . acm . org / 10 . 1145 / 359168 . 359172. [20] Timothy B. Lee. How a grad student trying to build the first botnet brought [26] Hilarie Orman. “The Morris worm: A the internet to its knee. https : / / fifteen-year perspective”. In: IEEE Se- www.washingtonpost.com/news/the- curity & Privacy 99.5 (2003), pp. 35– switch / wp / 2013 / 11 / 01 / how - a - 43. grad - student - trying - to - build - [27] Proceedings of the virus post-mortem the - first - botnet - brought - the - meeting. Ft. George Meade, MD, Nov. internet-to-its-knees/. 2000. 1988.

[21] Lessons from the 1st major computer [28] Robert Morris Homepage. https : / / virus. https : / / newsroom . intel . pdos.csail.mit.edu/archive/rtm/.

Page 17 of 18 AkshayJajoo/PurdueUniversity CS526/InfoSec/TermPaper-MorrisWorm/18

[29] Robert Morris Wikipedia page. https: [35] Eugene H. Spafford. The Internet //en.wikipedia.org/wiki/Robert_ Worm Program: An analysis. Tech. rep. Tappan_Morris. Purdue University, West Lafayette, IN,

[30] Jon A. Rochlis and Mark W. Eichin. USA, 1988. “With Microscope and Tweezers: The [36] The 16 biggest data breaches of the 21st Worm from MIT’s Perspective”. In: century. https : / / www . csoonline . Commun. ACM 32.6 (June 1989), com/article/2130877/data-breach/ pp. 689–698. issn: 0001-0782. doi: 10. the - 16 - biggest - data - breaches - 1145/63526.63528. url: http://doi. of-the-21st-century.html. 2017. acm.org/10.1145/63526.63528. [37] Reza Tourani et al. “Security, pri- [31] Donn Seeley. A tour of the worm. http: vacy, and access control in information- / / www . cs . unc . edu / ~jeffay / centric networking: A survey”. In: courses / nidsS05 / attacks / seely - IEEE Communications Surveys & Tu- RTMworm-89.html. torials (2017). [32] Donn Seeley. A tour of the worm. Tech. rep. 1989. [38] Wanna Cry ransomeware attack. https://en.wikipedia.org/wiki/ [33] E. H. Spafford. “Crisis and Aftermath”. WannaCry_ransomware_attack. In: Commun. ACM 32.6 (June 1989),

pp. 678–687. issn: 0001-0782. doi: 10. [39] Nicholas Weaver et al. “A Taxonomy 1145/63526.63527. url: http://doi. of Computer Worms”. In: Proceedings acm.org/10.1145/63526.63527. of the 2003 ACM Workshop on Rapid [34] Eugene H Spafford. “A Failure to Malcode. WORM ’03. Washington, DC, Learn from the Past”. In: Computer Se- USA: ACM, 2003, pp. 11–18. isbn: 1- curity Applications Conference, 2003. 58113-785-0. doi: 10 . 1145 / 948187 . Proceedings. 19th Annual. IEEE. 2003, 948190. url: http://doi.acm.org/ pp. 217–231. 10.1145/948187.948190.

Page 18 of 18