256 Security
The Worms Crawl In
In November 1988, an electronic parasite (a “worm”) disabled thousands
of workstations and super-minicomputers across the United States. The
worm attacked through a wide-area computer network called the Internet.
News reports placed the blame for the so-called “Internet Worm” squarely
on the shoulders of a single Cornell University graduate student, Robert T.
Morris. Releasing the worm was something between a prank and a wide-
scale experiment. A jury found him guilty of writing a computer program
that would “attack” systems on the network and “steal” passwords.
But the real criminal of the “Internet Worm” episode wasn’t Robert Morris,
but years of neglect of computer security issues by authors and vendors of
the Unix operating system. Morris’s worm attacked not by cunning, stealth,
or sleuth, but by exploiting two well-known bugs in the Unix operating
system—bugs that inherently resulted from Unix’s very design. Morris’s
program wasn’t an “Internet Worm.” After all, it left alone all Internet
machines running VMS, ITS, Apollo/Domain, TOPS-20, or Genera. It was
a strictly and purely a Unix worm.
One of the network programs, sendmail, was distributed by Sun Microsys-
tems and Digital Equipment Corporation with a special command called
DEBUG. Any person connecting to a sendmail program over the network
and issuing a DEBUG command could convince the sendmail program to
spawn a subshell.
The Morris worm also exploited a bug in the finger program. By sending
bogus information to the finger server, fingerd, it forced the computer to
execute a series of commands that eventually created a subshell. If the fin-
ger server had been unable to spawn subshells, the Morris worm would
have crashed the Finger program, but it would not have created a security-
breaking subshell.
Date: Tue, 15 Nov 88 13:30 EST
From: Richard Mlynarik <[email protected]>
To: UNIX-HATERS
Subject: The Chernobyl of operating systems
[I bet more ‘valuable research time’ is being ‘lost’ by the randoms
flaming about the sendmail worm than was ‘lost’ due to worm-inva-
sion. All those computer science ‘researchers’ do in any case is write
increasingly sophisticated screen-savers or read netnews.]
Date: 11 Nov 88 15:27 GMT+0100