rfc1135.txt

来自「RFC 的详细文档！」· 文本 代码 · 共 1,540 行 · 第 1/5 页

Network Working Group                                        J. Reynolds
Request for Comments: 1135                                           ISI
                                                           December 1989


                   The Helminthiasis of the Internet

Status of this Memo

   This memo takes a look back at the helminthiasis (infestation with,
   or disease caused by parasitic worms) of the Internet that was
   unleashed the evening of 2 November 1988.  This RFC provides
   information about an event that occurred in the life of the Internet.
   This memo does not specify any standard.  Distribution of this memo
   is unlimited.

Introduction

         ----- "The obscure we see eventually, the completely
         apparent takes longer." ----- Edward R. Murrow

   The helminthiasis of the Internet was a self-replicating program that
   infected VAX computers and SUN-3 workstations running the 4.2 and 4.3
   Berkeley UNIX code.  It disrupted the operations of computers by
   accessing known security loopholes in applications closely associated
   with the operating system.  Despite system administrators efforts to
   eliminate the program, the infection continued to attack and spread
   to other sites across the United States.

   This RFC provides a glimpse at the infection, its festering, and
   cure.  The impact of the worm on the Internet community, ethics
   statements, the role of the news media, crime in the computer world,
   and future prevention will be discussed.  A documentation review
   presents four publications that describe in detail this particular
   parasitic computer program.  Reference and bibliography sections are
   also included in this memo.

1.  The Infection

         ----- "Sandworms, ya hate 'em, right??" ----- Michael
         Keaton, Beetlejuice

   Defining "worm" versus "virus"

      A "worm" is a program that can run independently, will consume the
      resources of its host from within in order to maintain itself, and
      can propagate a complete working version of itself on to other
      machines.



Reynolds                                                        [Page 1]

RFC 1135           The Helminthiasis of the Internet       December 1989


      A "virus" is a piece of code that inserts itself into a host,
      including operating systems, to propagate.  It cannot run
      independently.  It requires that its host program be run to
      activate it.

      In the early stages of the helminthiasis, the news media popularly
      cited the Internet worm to be a "virus", which was attributed to
      an early conclusion of some in the computer community before a
      specimen of the worm could be extracted and dissected.  There are
      some computer scientists that still argue over what to call the
      affliction.  In this RFC, we use the term, "worm".

   1.1  Infection - The Worm Attacks

      The worm specifically and only made successful attacks on SUN
      workstations and VAXes running Berkeley UNIX code.

      The Internet worm relied on the several known access loopholes in
      order to propagate over networks.  It relied on implementation
      errors in two network programs: sendmail and fingerd.

      Sendmail is a program that implements the Internet's electronic
      mail services (routing and delivery) interacting with remote sites
      [1, 2].  The feature in sendmail that was violated was a non-
      standard "debug" command.  The worm propagated itself via the
      debug command into remote hosts.  As the worm installed itself in
      a new host the new instance began self-replicating.

      Fingerd is a utility program that is intended to help remote
      Internet users by supplying public information about other
      Internet users.  This can be in the form of identification of the
      full name of, or login name of any local user, whether or not they
      are logged in at the time (see the Finger Protocol [3]).

      Using fingerd, the worm initiated a memory overflow situation by
      sending too many characters for fingerd to accommodate (in the
      gets library routine).  Upon overflowing the storage space, the
      worm was able to execute a small arbitrary program.  Only 4.3BSD
      VAX machines suffered from this attack.

      Another of the worm's methods was to exploit the "trusted host
      features" often used in local networks to propagate (using rexec
      and rsh).

      It also infected machines in /etc/hosts.equiv, machines in
      /.rhosts, machines in cracked accounts' .forward files, machines
      cracked accounts' .rhosts files, machines listed as network
      gateways in routing tables, machines at the far end of point-to-



Reynolds                                                        [Page 2]

RFC 1135           The Helminthiasis of the Internet       December 1989


      point interfaces, and other machines at randomly guessed addresses
      on networks of first hop gateways.

      The Internet worm was also able to infect systems using guessed
      passwords, typically spreading itself within local networks by
      this method.  It tried to guess passwords, and upon gaining
      access, the worm was able to pose as a legitimate user.

   1.2  Festering - Password Cracking

      The worm festered by going into a password cracking phase,
      attempting to access accounts with obvious passwords (using clues
      readily available in the /etc/passwd file), such as: none at all,
      the user name, the user name appended to itself, the "nickname",
      the last name, the last name spelled backwards.  It also tried
      breaking into into accounts with passwords from a personalized 432
      word dictionary, and accounts with passwords in /usr/dict/words.

      Most users encountered a slowing of their programs, as the systems
      became overloaded trying to run many copies of the worm program,
      or a lack of file space if many copies of the worm's temporary
      files existed concurrently.  Actually, the worm was very careful
      to hide itself and leave little evidence of its passage through a
      system.  The users at the infected sites may have seen strange
      files that showed up in the /usr/tmp directories of some machines
      and obscure messages appeared in the log files of sendmail.

   1.3  The Cure

      Teams of computer science students and staff worked feverishly to
      understand the worm.  The key was seen to get a source (C
      language) version of the program.  Since the only isolated
      instances of the the worm were binary code, a major effort was
      made to translate back to source, that is decompile the code, and
      to study just what damage the worm was capable of.  Two specific
      teams emerged in the battle against the Internet worm: the
      Berkeley Team and the MIT team.  They communicated and exchanged
      code extensively.  Both teams were able to scrutinize it and take
      immediate action on a cure and prevent reinfection.  Just like
      regular medical Doctors, the teams searched, found and isolated a
      worm specimen which they could study.  Upon analyzing the specimen
      and the elements of its design, they set about to develop methods
      to treat and defeat it.  Through the use of the "old boy network"
      of UNIX system wizards (to find out something, one asks an
      associate or friend if they know the answer or who else they could
      refer to to find out the answer), email and phone calls were
      extensively used to alert the computer world of the program
      patches that could be used at sites to close the sendmail hole and



Reynolds                                                        [Page 3]

RFC 1135           The Helminthiasis of the Internet       December 1989


      fingerd holes.  Once the information was disseminated to the sites
      and these holes were patched, the Internet worm was stopped.  It
      could not reinfect the same computers again, unless the worm was
      still sitting in an infected trusted host computer.

      The Internet worm was eliminated from most computers within 48-72
      hours after it had appeared, specifically through the efforts of
      computer science staffs at the University research centers.
      Government and Commercial agencies apparently were slow in coming
      around to recognizing the helminthiasis and eradicating it.

2.  Impact

         ----- "Off with his head!!!" ----- The Red Queen,
         Alice in Wonderland

   Two lines have been drawn in the computer community in the aftermath
   of the Internet worm of November 1988.  One group contends that the
   release of the worm program was a naive accident, and that the worm
   "escaped" during testing.  Yet, when the worm program was unleashed,
   it was obvious it was spreading unchecked.  Another group argues that
   the worm was deliberately released to blatantly point out security
   defects to a community that was aware of the problems, but were
   complacent about fixing them.  Yet, one does not necessarily need to
   deliberately disrupt the entire world in order to report a problem.

   Both groups agree that the community cannot condone worm infestation
   whether "experimental" or "deliberate" as a means to heighten public
   awareness, as the consequences of such irresponsible acts can be
   devastating.  Meanwhile, several in the news media stated that the
   author of the worm did the computer community a favor by exposing the
   security flaws, and that bugs and security flaws will not get fixed
   without such drastic measures as the Internet worm program.

   In the short term, the worm program did heighten the computer
   community's awareness of security flaws.  Also, the "old boy network"
   proved it was still alive and well!  While networking and computers
   as a whole have grown by leaps and bounds in the last twenty years,
   the Internet community still has the "old boys" who trust and
   communicate well with each other in the face of adversity.

   In the long term, all results of the helminthiasis are not complete.
   Many sites have either placed restrictions on access to their
   machines, and a few have chosen to remove themselves from the
   Internet entirely.  The legal consequences of the Internet worm
   program as a computer crime are still pending, and may stay in that
   condition into the next decade.




Reynolds                                                        [Page 4]

RFC 1135           The Helminthiasis of the Internet       December 1989


   Yet, the problem of computer crime is, on a layman's level, a social
   one.  Legal statutes, which notoriously are legislated after the
   fact, are only one element of the solution.  Development of
   enforceable ethical standards that are universally agreed on in the
   computer community, coupled with enforceable laws should help
   eradicate computer crime.

3.  Ethics and the Internet

         ----- "If you're going to play the game properly,
         you'd better know every rule." ----- Barbara Jordan

   Ethical behavior is that of conforming to accepted professional
   standards of conduct; dealing with what is good or bad within a set
   of moral principles or values.  Up until recently, most computer
   professionals and groups have not been overly concerned with
   questions of ethics.

   Organizations and computer professional groups have recently, in the
   aftermath of the Internet worm, issued their own "Statement of
   Ethics".  Ethics statements published by the Internet Activities
   Board (IAB), the National Science Foundation (NSF), the Massachusetts
   Institute of Technology (MIT), and the Computer Professionals for
   Social Responsibility (CPSR) are discussed below.

   3.1  The IAB

      The IAB issued a statement of policy concerning the proper use of
      the resources of the Internet in January, 1989 [4] (and reprinted
      in the Communications of the ACM, June 1989).  An excerpt:

      The Internet is a national facility whose utility is largely a
      consequence of its wide availability and accessibility.
      Irresponsible use of this critical resource poses an enormous
      threat to its continued availability to the technical community.

      The U.S. Government sponsors of this system have a fiduciary
      responsibility to the public to allocate government resources
      wisely and effectively.  Justification for the support of this
      system suffers when highly disruptive abuses occur.  Access to and
      use of the Internet is a privilege and should be treated as such
      by all users of this system.

      The IAB strongly endorses the view of the Division Advisory Panel
      of the National Science Foundation Division of Network,
      Communications Research and Infrastructure which, in paraphrase,
      characterized as unethical and unacceptable any activity which
      purposely:



Reynolds                                                        [Page 5]

RFC 1135           The Helminthiasis of the Internet       December 1989


         (a) seeks to gain unauthorized access to the resources of the
             Internet,

         (b) disrupts the intended use of the Internet,

         (c) wastes resources (people, capacity, computer) through such
             actions,

         (d) destroys the integrity of computer-based information, and/or

         (e) compromises the privacy of users.

      The Internet exists in the general research milieu.  Portions of
      it continue to be used to support research and experimentation on
      networking.  Because experimentation on the Internet has the
      potential to affect all of its components and users, researchers
      have the responsibility to exercise great caution in the conduct
      of their work.  Negligence in the conduct of Internet-wide
      experiments is both irresponsible and unacceptable.

      The IAB plans to take whatever actions it can, in concert with
      Federal agencies and other interested parties, to identify and to