dillon@POSTGRES.BERKELEY.EDU (Matt Dillon) (11/06/88)
:First of all, the channel of infection is a gaping hole in sendmail that
:isn't typical of UNIX mail systems. I didn't know about it, but I'm not
:surprised. Many academic users leave daemons on their mailboxes that can
:be used the same way... and I'm sure will. If you care to secure your system
:this hole won't happen.
:
:Secondly, the channel that was used to transmit the worm was a deliberate
:reduction in UNIX security, that basically turned a network into a single
:machine as far as the worm was concerned. You pointed this out, and I
:acknowledged that it was a problem if you let people with non-trusted machines
:have shell access to yours. So don't do it.
:
:Finally, the worm was way more complex than any PC or Amiga worm needs to be.

The UNIX/SUN worm, as decompiled here at Berkeley, attempted to break into a
system as follows:

(1) Use Sendmail bug
(2) Attempt to guess passwords
(3) Use the .rhosts of all accessed accounts to propagate.

The Worm had a ~99 line bootstrap which was run on the remote machine, and
proceeded to re-connect to the already infected machine and download the
actual worm, which is about 3000 lines of C code, approx. 45K of object before
linking. The worm downloaded TWO object modules: (1) BSD 4.3 VAX object
module, and (2) SUN 4.3 compatible object module. It then proceeded to
determine the type of machine it was on, and use the system's own loader (ld)
to create an executable which could be run. The worm encrypted its data using
a simple cipher.

It is obvious that the designer spent a couple of weeks, maybe months, writing
and testing it before releasing it. Whether releasing it was on purpose or not
is not known. With almost cosmetic changes this worm could have been made
almost undetectable. Most people caught it because it had a tendency to run
the load on the machine up to 15+. In the same manner, if the worm had been
destructive it could easily have destroyed terabytes of information.

-Matt
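Step (3) above, and the earlier remark that .rhosts trust "turned a network into a single machine", can be made concrete by modelling the trust relationships as a graph and asking which hosts a process already running on one machine could reach with no password at all. The following is an added example, not code from the original post or from the decompiled worm; the hostnames, usernames and .rhosts contents are constructed for illustration, and the only format assumed is the standard .rhosts syntax (one `hostname [username]` entry per line, `+` as a wildcard, a leading `-` as a denial).

```python
"""
Audit .rhosts trust fan-out: if account u on host H lists host G in
~u/.rhosts, a process already running on G can rlogin/rsh into H as u
with no password. Added example, not code from the original post.
All hostnames and file contents below are constructed.
"""
from collections import deque

# Constructed sample: {target_host: {user: contents of ~user/.rhosts}}
SAMPLE_RHOSTS = {
    "alpha": {
        "alice": "beta alice\nbeta bob\n",
        "root": "",                        # root trusts nobody
    },
    "beta": {
        "alice": "gamma\n+\n",             # '+' wildcard: any host may log in as alice
    },
    "gamma": {
        "carol": "delta carol\n-epsilon\n# comment line\n",
    },
    "delta": {
        "dave": "alpha dave\n",
    },
    "vault": {
        "ops": "",                         # no trust entries at all
    },
}


def parse_rhosts(text):
    """Yield (host, user) grant entries from one .rhosts file.

    Format: 'hostname [username]' per line, '#' starts a comment, '+' is a
    wildcard, a leading '-' on either field is a denial. Denials never
    grant access, so they are skipped for the purpose of this audit.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None   # None: same username
        if host.startswith("-") or (user or "").startswith("-"):
            continue
        yield host, user


def build_trust_graph(rhosts_by_host):
    """Return (edges, wildcards).

    edges[target] is the set of source hosts from which some account on
    `target` can be entered without a password. A '+' wildcard makes every
    other known host a source and is also reported separately.
    """
    edges = {h: set() for h in rhosts_by_host}
    wildcards = set()
    for target, users in rhosts_by_host.items():
        for _user, text in users.items():
            for src, _u in parse_rhosts(text):
                if src == "+":
                    wildcards.add(target)
                    edges[target].update(h for h in rhosts_by_host if h != target)
                else:
                    edges[target].add(src)
    return edges, wildcards


def reachable_from(edges, start):
    """Hosts a worm already running on `start` can reach using .rhosts
    trust alone (no sendmail hole, no password guessing). BFS following
    edges in the direction of access: start -> every target trusting it."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for target, sources in edges.items():
            if cur in sources and target not in seen:
                seen.add(target)
                queue.append(target)
    return seen


if __name__ == "__main__":
    edges, wildcards = build_trust_graph(SAMPLE_RHOSTS)
    print("hosts with '+' wildcards:", sorted(wildcards))
    for start in sorted(SAMPLE_RHOSTS):
        print(f"from {start}: {sorted(reachable_from(edges, start))}")
```

In the constructed sample a single `+` entry on beta is enough to make beta reachable from every host, and from there the chain beta -> alpha -> delta -> gamma follows; vault, which appears in nobody's .rhosts, is only reachable through that wildcard. Run against real `~*/.rhosts` files the same graph shows exactly how large a "single machine" the network has become.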