Computer Worms: Past, Present, and Future Craig Fosnock CISSP, MCSE, CNE East Carolina University
Total Page:16
File Type:pdf, Size:1020Kb
Computer Worms: Past, Present, and Future Craig Fosnock CISSP, MCSE, CNE East Carolina University Abstract: Internet computer worms have gone Computer Program: from a hypothetical theorem to very real and Is an example of computer software that very dangerous threat to computer networks. prescribes the actions ("computations") that They are even capable of affecting the are to be carried out by a computer. Most biggest network of our time, the Internet. programs consist of a loadable set of Starting from humble and beneficial instructions which determines how the beginnings computer worms are now the computer will react to user input when that plague of the Internet and can cause billions program is running, i.e., when the of dollars worth of damages in just a few instructions are 'loaded'. The term program hours, if not minutes. In this paper I will or computer program is used discuss the history of computer worms, their interchangeably with software and software past, present, and their possible future, but application. ("Computer Program," 2005) before we start this discussion about computer worms lets first define some Computer Virus: computer terminology. It is important that Is a self-replicating program that spreads by we have these definitions up front not only inserting copies of itself into other because we will need them to help explain executable code or documents. A computer the rest of this paper, it is also important to virus behaves in a way similar to a discuss this now because the term computer biological virus, which spreads by inserting virus is often used interchangeably to refer itself into living cells. Extending the to computer worms. This may cause analogy, the insertion of the virus into a confusion with some readers as this paper is program is termed infection, and the focusing on computer worms, not computer infected file (or executable code that is not viruses. I have chosen not to address viruses part of a file) is called a host. ("Computer because, although viruses take advantage of Virus," 2005) network services such as the Internet to spread, viruses are currently somewhat less Computer Worm: common than worms, and viruses do not Is a self-replicating computer program, seem to have emulated the scale of similar to a computer virus but unlike a disruptive behavior, and monetary damage virus which attaches itself to, and becomes that current computer worms are capable of part of, another executable program, a worm inflecting on today’s computer networks. is self-contained and does not need to be part of another program to propagate itself. In other words a typical computer virus is similar to a parasite and it requires a host. In this case the host is another executable program. A worm does not need a host, it can spread on its own. ("Computer Worm," 2005) I. The Past and played on the Internet or on your local computer. The "organisms" now called A. Background “warriors”that are used in the Core Wars is considered the forebear of the modern The roots of the modern computer computer virus including computer worms. virus go back to John Von Neumann. Von Neumann’s name because of his publication B. The First worms of the concept, was given to the von Neumann architecture. This architecture is The first computer worm was used in most non-parallel-processing created at the legendary Xerox PARC ( Palo computers. Almost every commercially Alto Research Center). For those of you available home computer, microcomputer who do not know this research center not and supercomputer is a von Neumann only created the first computer worm it gave machine. In 1949 von Neumann created the us the first personal computer, the first field of cellular automata only using pencil graphical user interface and the first laser and graph paper, when he presented a paper printer. The worm was created by John on the "Theory and Organization of Shoch. Shoch was a PARC engineer Complicated Automata." In this paper he working on his Stanford doctorate when he postulated that a computer program could created the worm. The program took its reproduce. The paper included a model of name from the "tapeworm," a program that what is now known as a computer virus. appeared in a popular science-fiction novel of the time by John Brunner called "The In the 1950s Bell Labs employees Shockwave Rider." This science-fiction gave life to von Neumann's theory in a game novel ironically helped to promote the they called "Core Wars." This game was concept of a replicating program more than created by H. Douglas McIlroy, Victor other more serious writings on the subject. Vysottsky, and Robert Morris, Sr. The object of the game was to unleash software Unlike the worm in the book "organisms" they called "self-altering Shockwave Rider which was used to destroy automata" that attacked, erased, and tried to a sinister computer network, the PARC propagate in a computer generated world. worm's intended purpose was save Shoch Each organism was a small program hours of tedious work. Shoch's doctoral consisting of well-defined instructions with research was an analysis of the traffic each of the instructions occupying a single patterns of PARC's Ethernet (another PARC cell in a memory array. In modern times this first) that linked 200 of its "Altos," personal computer-generated world is actually a computers. His idea was to arrange for linear looping array of memory cells called about 100 of the machines to spew bits into the "Core,” but in the 50's the word core the Ethernet simultaneously, then measure referred to magnetic core memory. The the ensuing electronic gridlock. ("Benefits," game was started when two programs were n.d) Rather than loading the same program loaded into random positions in the core. individually into every machine, he devised After a certain number of cycles, if neither the worm to do the loading automatically by program has quit executing, a tie was seeking out idle Altos computers and declared. If one program terminated, the transmitting the test program by wire to other was declared the winner. The primary those that signaled they were available. The objective behind the game was to write an test proved successful and soon he turned organism that could terminate all the his thoughts from communicating directly opponent processes. Re-energized and with each machine to instructing them to popularized by A.K. Dewdney through his talk among themselves. Shoch eventually series of articles in Scientific American, was able to invest his worm with the ability Core Wars and its variants can still be found to seek out idle Altos, boot up a host machine through the network and replicate as we should all know by now that this ruse by sending copies of itself from machine to is still an effective means of computer worm machine, remaining in communication with distribution. When the user executing the its dispersed offspring. script it would cause a Christmas tree to appear on the terminal and then it mailed One night, however, something itself to everyone on the user's NAMES file unexpectedly went wrong. Shoch and two including any distribution lists. When it colleagues had set a small worm loose in the finished sending itself to all addressees, it PARC Ethernet to test a control function, erased itself from the original victim's and went home. At some point the program computer. When new recipients received became corrupted so badly it crashed its and activated their copies of Christma Exec, host computer. Sensing it had lost a the scenario would repeat, flooding the segment, the control worm sent out a tendril network with Christma Exec messages. The to another idle Alto. That host crashed, and flood of traffic created left parts of the IBM the next, and the next. For hours, the worm network unusable on December 10 and 11 spread through the building until scores of until it was finally brought under control. machines were disabled. The next day the (Henry, 2003) down machines did not cause any alarm as Altos frequently crashed for no reason. Even with the introduction of two Soon, however, it became obvious that this fully functional worms, most people still was no random occurrence. Summoned to treated computer worms as an obscure the lab Shoch and his colleagues could not theoretical problem. That perception of stop the worm and eventually they had no worms took a dramatic turn in late-1988, choice but to eradicate the worm with a when a college student, and son of the failsafe software mechanism that Shoch had above mentioned and co-creator of the pre loaded as insurance against some “Core Wars” Robert Morris, Sr. unleashed unpredictable disaster. ("Benefits," n.d) the infamous "Internet Worm," otherwise known as the Morris worm or the “Great The next worm started out as a joke worm,” on the new and unsuspecting or innocent prank, but is among the first and Internet. most notable worms to qualify as a network exploit. The worm was launched from The Morris worm was a “Multi Germany on December 9, 1987. This date is Mode” worm that attacked DEC VAX well before the Internet was officially born. servers running Sun and BSD operating The worm originated on the German EARN systems. It exploited weak passwords along network, propagated through connected with known vulnerabilities in the send mail Bitnet sites and eventually worked its way application and Unix utilities fingerd and through Bitnet connections to wreak havoc rsh/rexec. Although not, written to cause on the IBM Internal File Transfer Network damage a bug in Robert’s software allowed (otherwise known as VNET) in the United the worm to reinfect individual servers States.