Arpanet as a Backbone

[Diagram: Arpanet and Milnet as the backbone; a Berkeley Unix computer on a local area network (usually Ethernet) linking Sun workstations and a VAX computer running Unix]

What holes did the Virus exploit?
- Sendmail: utility to copy network packets into mail files. Sometimes used to move packets into processes (news feeds)
- Finger Daemon: utility to find out where someone is
The virus was specifically designed for Unix 4.3BSD. It could not spread to non-Unix computers like a VMS system or an IBM PC. Sun workstations, VAX-11s and VAX 8800s were hit.

[Slide scanned upside down; only fragments are legible: "ways virus hides the code ... machine code ... original code ... add segments ... insert code ... many modules ... monitor all its ... transfer ... attack mechanisms"]

SENDMAIL BUG
- Sendmail moves network packets into mail files (transfers network traffic into mail files)
- Can move traffic into certain processes for netnews feeds
- When compiled with DEBUG set, lets you send traffic into any process through a Unix pipe without checking. The received mail body is the data sent to the process
- Sun and Berkeley Unix distributed it with this enabled. This bug was in 20,000 computers

PASSWORD GUESSING
- The virus attempts to guess passwords by reading the list of users' names and trying permutations of their names
14

Quick Reaction Across the Nation
- UC Berkeley - Experimental Computing Center for Disease Control
- Stanford, Ballistics Research Lab
- MIT, Lawrence Berkeley Labs, Lawrence Livermore Labs, Univ. Rochester, Harvard-Smithsonian Center for Astrophysics

Stamping it Out
- Initial cures: disconnect from networks, reboot standalone, erase the files, disable sendmail, reboot nearby computers. Very frustrating, especially since the virus used other holes (fingerd, password cracking)
- Hard to communicate with other sites: many disconnected from the network, all the virus packets saturated some nets, nobody was coordinating
- Hard to understand: tough to disassemble
15
- Problem: virus reinfected from nearby computers (rhosts)

Exploiting a hole in Sendmail

[Diagram: data packets from another computer arrive over the Arpanet at a Unix computer; the sendmail program normally passes them into the electronic mail file, with a separate pipe carrying commands to special programs]

Normally data goes through the mailer into mail files. Data can be sent as commands to special programs. When Debug is enabled, data can be sent as commands to any program.
17

HOW MANY COMPUTERS? (These are guesses; I know of no census)
- How many computers are on the net? About 100 Class A nodes. Class A nodes are explicitly targeted
- How many nodes on a Class A net? About a hundred per Class A
- What percentage were hit? 10% to 50%. At [...] about 80%: none of our diskless nodes, but then they were useless when the fileserver was dead. At Lawrence Berkeley Labs about 50% were infected
- So about 1,000 to 10,000 computers were hit

Virus or Worm?
Virus: self-replicating program that infects other programs
Worm: program that snakes through computers, copying itself from one system to another
Purists would call this a worm, not a virus. Makes no difference to me.
19

Previous Viruses & Hacks
- '84-'88: On personal computers, replication by infecting programs. Medium of transport: floppy discs & phone lines to bulletin boards
- '86-'87: Intruders manually break into computers to embarrass companies, wreck programs, or steal information. Medium of transport: dial-up phone lines, networks
- '87: IBM Christmas tree virus. Replication by distributing a command file to many people; each person executes the file, and it mails itself to many others. Medium of transport: SNA networks, Bitnet
- '88: Arpanet virus. Self-replicates by entering Unix systems, breaking security to obtain a root shell. Medium of transport: networks (Arpanet, Milnet, local area networks)
This is the first virus to spread automatically across the networks, and the first virus to exploit multiple security holes.

REAL EFFECTS
- How much damage was done? 10,000 people lost 2 days of [...] at $2,000,000
- Indirect costs: operations disrupted, schedules delayed
- Consciousness raising about computer security. Did this guy do us a favor by showing our [...]? Was it a month ago? The cover of Time magazine was about [...]
22

What to learn
- Networking makes the problem much worse. Our society depends heavily on interlinked computers; military, university and commercial systems are intertwined
- There's no central coordinating center or clearing house for emergencies. Nobody's in charge of our networks
- Security holes are subtle, introduced from strange sources, and exploited by competent, aware people

This document is from the holdings of The National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street NW, Washington, D.C. 20037. Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu
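The "Exploiting a hole in Sendmail" slides describe the dividing line that the DEBUG build erased: network data may land in a mail file, or in one of the special programs the administrator configured for news feeds, but never in an arbitrary program. The following toy mail receiver is an added illustration written for this page, not code from the archived slides or from sendmail itself. It shows the hardened shape of that dispatch: a fixed command table in which an unrecognised verb such as DEBUG gets a 500 reply, and recipient resolution in which only the local alias table (here a constructed sample; the program path under `newsfeed` is assumed) can name a program, so a network-supplied address can never route the body anywhere except a listed mailbox or listed program. Delivery is only recorded, not performed.

```python
"""Toy SMTP-style receiver with a strict command table and admin-only program routing.

Added example for the archived slides; not sendmail's code.  Sample alias table,
user list and paths are constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Target = Tuple[str, str]  # ("mailbox", path) or ("program", path)

# Only the local administrator edits this table, so only it can route mail
# into a program, and only into the programs listed here (assumed paths).
ALIASES = {
    "postmaster": ("mailbox", "/var/spool/mail/root"),
    "newsfeed": ("program", "/usr/lib/news/recnews"),
}
LOCAL_USERS = {"alice", "bob"}  # constructed sample


@dataclass
class Session:
    sender: Optional[str] = None
    recipients: List[Target] = field(default_factory=list)
    in_data: bool = False
    body: List[str] = field(default_factory=list)
    delivered: List[Tuple[str, str, str]] = field(default_factory=list)


def resolve_recipient(addr: str) -> Optional[Target]:
    """Map a network-supplied address onto a listed mailbox or listed program, else None."""
    name = addr.strip().strip("<>").lower()
    if name in ALIASES:
        return ALIASES[name]
    if name in LOCAL_USERS:
        return ("mailbox", "/var/spool/mail/" + name)
    return None  # never accept an address that is not in the local tables


def deliver(target: Target, body: List[str]) -> Tuple[str, str, str]:
    """Record where the body would go; a real MTA would append to the file or pipe to the program."""
    return (target[0], target[1], "\n".join(body))


def handle_line(session: Session, line: str) -> Optional[str]:
    """Process one line from the peer; return the reply, or None while collecting body lines."""
    if session.in_data:
        if line == ".":  # end of message: the body is stored as data, never interpreted
            session.in_data = False
            for target in session.recipients:
                session.delivered.append(deliver(target, session.body))
            session.recipients, session.body = [], []
            return "250 ok, queued"
        session.body.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
        return None

    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb == "HELO":
        return "250 hello"
    if verb == "MAIL":  # "MAIL FROM:<addr>"
        session.sender = arg.partition(":")[2].strip("<>")
        return "250 sender ok"
    if verb == "RCPT":  # "RCPT TO:<addr>"
        target = resolve_recipient(arg.partition(":")[2])
        if target is None:
            return "550 unknown recipient"
        session.recipients.append(target)
        return "250 recipient ok"
    if verb == "DATA":
        if not session.recipients:
            return "503 need RCPT first"
        session.in_data = True
        return "354 send body, end with ."
    if verb == "QUIT":
        return "221 bye"
    return "500 command not recognized"  # DEBUG, or anything else off the table, ends here


def run_session(lines: List[str]) -> Tuple[Session, List[str]]:
    """Feed a whole constructed dialogue through one session and collect the replies."""
    session, replies = Session(), []
    for line in lines:
        reply = handle_line(session, line)
        if reply is not None:
            replies.append(reply)
    return session, replies


# constructed dialogue: one refused command, one unknown recipient, one alias to a listed program
SAMPLE_DIALOGUE = ["HELO test", "DEBUG", "MAIL FROM:<someone@example.org>", "RCPT TO:<alice>",
                   "RCPT TO:<nobody>", "RCPT TO:<newsfeed>", "DATA", "hello", "..leading dot", ".", "QUIT"]

if __name__ == "__main__":
    s, r = run_session(SAMPLE_DIALOGUE)
    print("\n".join(r))
    print(s.delivered)
```

The point of `resolve_recipient` is that the decision "mailbox or program" is made from local tables only; the peer's address is a lookup key, never a path. That is the check the DEBUG build skipped.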
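The PASSWORD GUESSING slide says the virus read the list of user names and tried permutations of each name. The defender's counterpart is a check, run when a password is set, that refuses anything derivable from the account's names. The script below is an added example for this page, not code from the slides or from any Unix passwd program; the set of "permutations" it generates (reversed, doubled, case changes, a few appended digits, and the personal-name words from the account record) is my assumption of what such a guesser covers, not the virus's actual list, and all accounts and passwords are constructed.

```python
"""Reject passwords derived from the account's own names.

Added example for the archived slides.  The variant set is an assumption about
what a name-permutation guesser tries; accounts and passwords are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass
class Account:
    login: str
    full_name: str = ""  # GECOS-style personal name field, constructed sample


def name_derived_candidates(account: Account) -> Set[str]:
    """Build the guesses a name-permutation attack would try for this account (assumed set)."""
    words = {account.login}
    words.update(w for w in account.full_name.split() if w)
    candidates = {""}  # the empty password is always the first guess
    for word in words:
        base = word.lower()
        variants = {word, base, base[::-1], base * 2, base.capitalize(), base.upper()}
        for variant in variants:
            for suffix in ("", "1", "12", "123", "88"):
                candidates.add(variant + suffix)
    return candidates


def is_name_derived(password: str, account: Account) -> bool:
    """True if the proposed password is one of the name-derived guesses."""
    return password in name_derived_candidates(account)


def check_new_password(password: str, account: Account) -> str:
    """Policy decision at password-change time: 'rejected: ...' or 'ok'."""
    if is_name_derived(password, account):
        return "rejected: password is derived from the account name"
    return "ok"


def audit(accounts: Iterable[Account], passwords: Dict[str, str]) -> List[str]:
    """Return logins whose current password (plaintext here only for the demo) would fail the check."""
    return sorted(a.login for a in accounts if is_name_derived(passwords[a.login], a))


# constructed sample accounts and passwords; no real data
SAMPLE_ACCOUNTS = [
    Account("jdoe", "Jane Doe"),
    Account("alice", "Alice Liddell"),
    Account("bob", "Robert Smith"),
]
SAMPLE_PASSWORDS = {"jdoe": "eodj", "alice": "Liddell1", "bob": "Tr0ub4dor&3"}

if __name__ == "__main__":
    for login in audit(SAMPLE_ACCOUNTS, SAMPLE_PASSWORDS):
        print(login, "has a name-derived password")
```

In practice the check belongs in the password-setting path rather than in an audit over stored plaintext, which a Unix system would not have; `audit` is only there to exercise the rule over several constructed accounts at once.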