Source: http://www.columbia.edu/~cs1003/handouts/rfc1135
(WWW page collected from a computer science department, from a data set of such pages gathered at various universities)
RFC 1135           The Helminthiasis of the Internet       December 1989

         5)  security attitudes and knowledge,
         6)  technical sophistication,
         7)  Cornell's involvement,
         8)  ethical considerations,
         9)  community sentiment,
         10) and Cornell University's policies on computer abuse.

      The report concluded that the worm program's gathering of
      unauthorized passwords and the dissemination of the worm over a
      national network were wrong.  The Commission also stated that,
      contrary to media reports, Cornell University DID NOT condone the
      worm infection, nor herald the unleashing of the worm program as
      a heroic event.  The Commission did continue to encourage the free
      flow of scholarly research and reasonable trust within the
      University/Research communities.

      A background on the worm program, methods of investigation, an
      introduction to the evidence, an interpretation and findings,
      acknowledgements, and extensive appendices were also included
      in the Commission's report.

   7.2  "With Microscope and Tweezers: An Analysis of the Internet
        Virus of November 1988"

      Eichin and Rochlis' "With Microscope and Tweezers: An Analysis of
      the Internet Virus of November 1988" provides a detailed
      dissection of the worm program.  The paper discusses the major
      points of the worm program, then reviews strategies, chronology,
      lessons and open issues, and acknowledgements; also included are a
      detailed appendix on the worm program subroutine by subroutine, an
      appendix on the cast of characters, and a reference section.

      A discussion of the terms "worm" versus "virus" is presented.
      These authors concluded that it was a "virus" infection, not a
      worm infection.  Thus they use the term "virus" in their document.
      In Section 1, the goals and targets of the teams of computer
      scientists were defined.  There were three steps taken to find out
      the inner workings of the virus:

         - isolating a specimen of the virus in a form
           which could be analyzed.

         - "decompiling" the virus, into a form that could
           be shown to reduce to the executable of the real
           thing, so that the higher level version could be
           interpreted.

         - analyzing the strategies used by the virus, and
           the elements of its design, in order to find weaknesses
           and methods of defeating it.

      Major points were outlined of how the virus attacked and whom it
      attacked:

         How it entered.
         Who it attacked.
         What it attacked.
         What it did NOT do.

      In Section 2, the targets of the attacks by the virus were
      discussed.  These included the sendmail debug mode, the finger
      daemon bug, rexec and passwords, rsh, trusted host features, and
      information flow.  A description of the virus' self protection
      included how it covered its tracks, and what camouflage it used to
      go undetected by the machines and system administrators.  Flaws
      were analyzed in three subjects: reinfection prevention,
      heuristics, and vulnerabilities not used.

      Many defenses were launched to stop the virus.  Some were
      convenient or inconvenient for end users of the infected systems.
      Those mentioned in this document included:

         - full isolation from the network
         - turning off mail service
         - patching out the "debug" command in sendmail
         - shutting down the finger daemon
         - fixing the finger daemon
         - mkdir /usr/tmp/sh (a simple way to keep the virus
           from propagating)
         - defining pleasequit (did not stop the virus)
         - renaming the UNIX C compiler and linker
         - requiring new passwords for all users

      After the virus was diagnosed, a tool was created which duplicated
      the password attack (including the virus' internal dictionary) and
      was posted to the Internet.  System administrators were able to
      analyze the passwords in use on their systems.

      Section 3 chronicles the events that took place between Wednesday,
      2 November 1988 and Friday, 11 November 1988 (EST).  In
      Section 4, lessons and open issues are viewed and discussed:

         - Connectivity was important.
         - The "old boy network" worked.
         - Late night authentication is an interesting problem.
           (How did you know that it really is MIT on the
           phone??)
         - Whom do you call (if you need to talk to the manager of
           the Ohio State University network at 3 o'clock in the
           morning)?
         - Speaker phones and conference calling proved very useful.
         - The "teams" that were formed and how they reacted to
           the virus are a topic for future study.
         - Misinformation and illusions ran rampant.
         - Tools were not as important as one would have
           anticipated.
         - Source availability was important.
         - The academic sites performed the best, better than
           government and commercial sites.
         - Managing the press was critical.

      General points for the future:

         - "We have met the enemy and he is us."
           (Alleged author of the virus was an insider.)
         - Diversity is good.
         - "The cure shouldn't be worse than the disease."
           (It may be more expensive to prevent such attacks
           than it is to clean up after them.)
         - Defenses must be at the host level, not the network level.
           (The network performed its function perfectly and should
           not be faulted; the flaws were in several application
           programs.)
         - Logging information is important.
         - Denial of service attacks are easy.
         - A central security fix repository may be a good idea.
         - Knee-jerk reactions should be avoided.

      Appendix A describes the virus program subroutine by subroutine.
      A flow of information among the subroutines is pictured on page
      19.  Appendix B presents the 432 words built into the worm's
      dictionary.  Appendix C lists the "cast of characters" in
      defeating the virus.

   7.3  "A Tour of the Worm"

      In Donn Seeley's "A Tour of the Worm", specific details were
      presented as a "walk thru" of this particular worm program.  The
      paper opened with an abstract, introduction, detailed chronology
      of events upon the discovery of the worm, an overview, the
      internals of the worm, personal opinions, and conclusion.

      The chronology section presented a partial list representing the
      currently known dates and times (in PST).  In the descriptive
      overview, the worm is defined as a 99-line bootstrap program
      written in the C language, plus a large relocatable object file
      that was available in VAX and various Sun-3 versions.  Seeley
      classified activities of the worm into two categories, attack
      and defense.  Attack consisted of locating hosts (and accounts) to
      penetrate, then exploiting security holes on remote systems to
      pass across a copy of the worm and run it.  The defense tactics
      fell into three categories: preventing the detection of intrusion,
      inhibiting the analysis of the program, and authenticating other
      worms.  When analyzing this particular program, Seeley stated that
      it is just as important to establish what the program DOES NOT do
      as what it does do:

         This worm did not delete a system's files,
         This worm did not modify existing files,
         This worm did not install trojan horses,
         This worm did not record or transmit decrypted passwords,
         This worm did not try to capture superuser privileges,
         This worm did not propagate over UUCP, X.25, DECNET, or BITNET,
         This worm specifically draws upon TCP/IP,
         and
         This worm did not infect System V systems, unless they had been
         modified to use Berkeley network programs like sendmail,
         fingerd, and rexec.

      In section 4, the "internals" of the worm were examined and
      charted.  The main thread of control in the worm was analyzed,
      then an examination of the worm's data structures was presented.
      Population growth of the worm, security holes, the worm's use of
      rsh and rexec network services, the use of the TCP finger service
      to gain entry to a system, and the sendmail attack are discussed.
      Password cracking and faster password encryption algorithms are
      discussed.

      In the opinions section, certain questions that a "mythical
      ordinary system administrator" might ask were discussed:

         Did the worm cause damage?
         Was the worm malicious?
         Will publication of worm details further harm security?
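      The password attack that both reviews above return to (the tool
      posted after the Eichin and Rochlis analysis that "duplicated the
      password attack", and the password cracking Seeley discusses) is
      the kind of thing an administrator can replay against his own
      password file.  The program below is an added example written for
      this page; it is not code from RFC 1135, from the worm, or from
      any of the papers surveyed.  Its assumptions: the account-derived
      guesses (empty password, login name, login name doubled, first
      name and surname from the GECOS field, surname reversed) model the
      first guessing stage only loosely and are not the worm's exact
      list; builtin_words is a constructed handful standing in for the
      432-word dictionary; sample_sysdict stands in for /usr/dict/words;
      and toy_crypt() is a stand-in for crypt(3) so the file builds
      without libcrypt.  The audit logic is the same with the real call.

```c
/* Added example (not from RFC 1135 or the papers it surveys): audit which
 * accounts fall to account-derived guesses, a built-in word list, or a system
 * dictionary, in that order.  toy_crypt() is NOT a password hash; it only
 * replaces crypt(3) so that this builds without libcrypt (assumption). */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    char name[32];   /* login name */
    char gecos[64];  /* full-name field */
    char hash[32];   /* 2-char salt followed by the hash, crypt(3) layout */
} account;

enum stage { NO_MATCH = 0, STAGE_ACCOUNT = 1, STAGE_BUILTIN = 2, STAGE_SYSDICT = 3 };

/* Stand-in for crypt(3): salted FNV-1a printed as salt + 16 hex digits. */
static const char *toy_crypt(const char *pw, const char *salt, char out[32]) {
    uint64_t h = 1469598103934665603ULL;
    for (const char *p = salt; *p; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    for (const char *p = pw; *p; p++)   { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    snprintf(out, 32, "%.2s%016llx", salt, (unsigned long long)h);
    return out;
}

static int try_guess(const account *a, const char *guess) {
    char buf[32];
    char salt[3] = { a->hash[0], a->hash[1], '\0' };   /* salt travels with the hash */
    return strcmp(toy_crypt(guess, salt, buf), a->hash) == 0;
}

static void lowercase(char *s) { for (; *s; s++) *s = (char)tolower((unsigned char)*s); }

static void reverse(char *s) {
    size_t i = 0, j = strlen(s);
    while (j > 0 && i < --j) { char t = s[i]; s[i++] = s[j]; s[j] = t; }
}

/* Stage 1: guesses that need nothing but the password-file entry itself
 * (assumed model of the crack_0-style stage, not the worm's exact list). */
static int try_account_derived(const account *a) {
    char cand[6][64], gecos[64], *first, *last = NULL, *tok;
    int n = 0;
    snprintf(cand[n++], 64, "%s", "");                    /* empty password */
    snprintf(cand[n++], 64, "%s", a->name);               /* login name */
    snprintf(cand[n++], 64, "%s%s", a->name, a->name);    /* login name twice */
    snprintf(gecos, sizeof gecos, "%s", a->gecos);
    first = strtok(gecos, " ");
    for (tok = first; tok; tok = strtok(NULL, " ")) last = tok;
    if (first) { snprintf(cand[n], 64, "%s", first); lowercase(cand[n++]); }
    if (last && last != first) {
        snprintf(cand[n], 64, "%s", last); lowercase(cand[n++]);                  /* surname */
        snprintf(cand[n], 64, "%s", last); lowercase(cand[n]); reverse(cand[n++]); /* reversed */
    }
    for (int i = 0; i < n; i++) if (try_guess(a, cand[i])) return 1;
    return 0;
}

/* Stage 2: constructed stand-in for the worm's 432-word built-in list. */
static const char *builtin_words[] = { "aaa", "academia", "wombat", "beowulf", "guest", "cornell" };

/* Stage 3: constructed stand-in for /usr/dict/words. */
static const char *const sample_sysdict[] = { "apple", "zebra", "sunset", "piano" };
#define SAMPLE_SYSDICT_LEN (sizeof sample_sysdict / sizeof *sample_sysdict)

static enum stage audit_account(const account *a, const char *const *sysdict, size_t nsys) {
    if (try_account_derived(a)) return STAGE_ACCOUNT;
    for (size_t i = 0; i < sizeof builtin_words / sizeof *builtin_words; i++)
        if (try_guess(a, builtin_words[i])) return STAGE_BUILTIN;
    for (size_t i = 0; i < nsys; i++)
        if (try_guess(a, sysdict[i])) return STAGE_SYSDICT;
    return NO_MATCH;
}

/* Build an entry the way a fixture would; the audit never sees `password`. */
static account make_account(const char *name, const char *gecos, const char *password, const char *salt) {
    account a; char buf[32];
    snprintf(a.name, sizeof a.name, "%s", name);
    snprintf(a.gecos, sizeof a.gecos, "%s", gecos);
    snprintf(a.hash, sizeof a.hash, "%s", toy_crypt(password, salt, buf));
    return a;
}

static size_t count_weak(const account *accts, size_t n, const char *const *sysdict, size_t nsys) {
    size_t weak = 0;
    for (size_t i = 0; i < n; i++) if (audit_account(&accts[i], sysdict, nsys) != NO_MATCH) weak++;
    return weak;
}

int main(void) {
    static const char *label[] = { "ok", "account-derived", "built-in list", "system dictionary" };
    account users[] = {   /* constructed sample accounts */
        make_account("jdoe", "Jane Doe",  "eod",         "ab"),  /* surname reversed */
        make_account("bob",  "Bob Smith", "wombat",      "cd"),  /* in the built-in list */
        make_account("eve",  "Eve Adams", "zebra",       "ef"),  /* in the system dictionary */
        make_account("root", "Operator",  "Tr0ub4dor&3", "gh"),  /* survives all three stages */
    };
    for (size_t i = 0; i < 4; i++)
        printf("%-6s %s\n", users[i].name, label[audit_account(&users[i], sample_sysdict, SAMPLE_SYSDICT_LEN)]);
    printf("%zu of 4 accounts fall\n", count_weak(users, 4, sample_sysdict, SAMPLE_SYSDICT_LEN));
    return 0;
}
```

      With the real crypt(3) in place of toy_crypt(), the cost of such
      an audit is dominated by the hash, which is why the "faster
      password encryption algorithms" Seeley discusses matter as much
      to the administrator running the audit as they did to the worm.
      The stage at which an account falls is the useful output: the
      account-derived stage costs a handful of guesses per user, so
      every account it catches would have been taken almost for free.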
   7.4  "The Internet Worm Program: An Analysis"

      Gene Spafford's "The Internet Worm Program: An Analysis"
      described the infection of the Internet as a worm program that
      exploited flaws in utility programs in UNIX based systems.  His
      report gives a detailed description of the components of the worm
      program: data and functions.  He focuses his study on two
      completely independent reverse-compilations of the worm and a
      version disassembled to VAX assembly language.

      In Section 4, Spafford provided a high-level example of how the
      worm program functioned.  The worm consisted of two parts: a main
      program, and a bootstrap (or vector) program.  A description from
      the point of view of a host that was infected was presented.

      Section 5 describes the data structures and organization of the
      routines of the program:

         1)  The worm had few global data structures.

         2)  The worm constructed a linked list of host
             records.

         3)  The worm constructed a simple array of gateway
             IP addresses through the use of the system
             "netstat" command.

         4)  An array of records was filled in with information
             about each network interface active on the current host.

         5)  A linked list of records was built to hold user
             information.

         6)  The program maintained an array of "objects" that
             held the files that composed the worm.

         7)  A mini-dictionary of words was present in the worm
             to use in password guessing.

         8)  Every text string used by the program, except for
             the words in the mini-dictionary, was masked (XOR)
             with the bit pattern 0x81.

         9)  The worm used the following routines:

              setup and utility:
                      main, doit, crypt, h_addaddr,
                      h_addname, h_addr2host, h_clean,
                      h_name2host, if_init, loadobject,
                      makemagic, netmaskfor, permute,
                      rt_init, supports_rsh, and supports_telnet

              network and password attacks:
                      attack_network, attack_user, crack_0,
                      crack_1, crack_2, crack_3, cracksome,
                      ha, hg, hi, hl, hul, infect, scan_gateways,
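      Item 8 above is the one piece of "camouflage" that an analyst
      meets before anything else: with every string XOR-masked,
      strings(1) on the binary shows nothing useful.  The program below
      is an added example written for this page, not code from RFC 1135,
      from the worm, or from Spafford's analysis.  It shows the
      unmasking itself and a strings(1)-style scan under the key 0x81
      the reports give; it also goes one step beyond the page by
      recovering the key when it is not known, which works for any
      single-byte XOR mask, not only 0x81.  The byte image it scans is
      constructed here, and the strings in it are sample values chosen
      for this example, not the worm's actual strings or layout.

```c
/* Added example, not code from RFC 1135 or the worm: recover text strings
 * stored under a single-byte XOR mask.  The image scanned is constructed
 * below; its strings are sample values (assumption), not the worm's. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WORM_MASK 0x81   /* the mask value the page reports */

/* XOR every byte with key.  XOR is its own inverse, so the same call masks
 * and unmasks: that is all the protection a single-byte mask provides. */
static void xor_mask(uint8_t *buf, size_t len, uint8_t key) {
    for (size_t i = 0; i < len; i++) buf[i] ^= key;
}

/* strings(1) with a key: collect runs of >= minlen bytes that decode to
 * printable ASCII under key.  Returns the number of strings written to out. */
static size_t find_masked_strings(const uint8_t *img, size_t len, uint8_t key,
                                  size_t minlen, char out[][64], size_t max_out) {
    char cur[64];
    size_t run = 0, found = 0;
    for (size_t i = 0; i <= len; i++) {          /* i == len flushes the last run */
        int c = i < len ? (img[i] ^ key) : -1;
        int printable = c >= 0x20 && c <= 0x7e;
        if (!printable || run == sizeof cur - 1) {
            if (run >= minlen && found < max_out) {
                cur[run] = '\0';
                memcpy(out[found++], cur, run + 1);
            }
            run = 0;
        }
        if (printable) cur[run++] = (char)c;
    }
    return found;
}

/* Weight of a decoded byte for key guessing.  Space and common English
 * letters score highest, so a wrong key that merely keeps bytes printable
 * (e.g. one that only flips a low bit of every letter) still loses. */
static int char_weight(int c) {
    if (c == ' ') return 3;
    if (c >= 'a' && c <= 'z') return strchr("etaoinshr", c) ? 2 : 1;
    return 0;
}

/* Beyond the page: when the key is unknown, try all 256 single-byte keys
 * and keep the one whose output looks most like text. */
static uint8_t guess_xor_key(const uint8_t *img, size_t len) {
    uint8_t best = 0;
    long best_score = -1;
    for (int k = 0; k < 256; k++) {
        long score = 0;
        for (size_t i = 0; i < len; i++) score += char_weight(img[i] ^ k);
        if (score > best_score) { best_score = score; best = (uint8_t)k; }
    }
    return best;
}

/* Constructed sample image: a few "code" bytes, then a string (NUL
 * included) masked with WORM_MASK, repeated.  Not the worm's layout. */
static const char *sample_strings[] = {
    "/usr/tmp/sh", "/usr/ucb/rsh", "sendmail", "debug", "rcpt to: root"
};
#define N_SAMPLE (sizeof sample_strings / sizeof *sample_strings)

static size_t build_sample_image(uint8_t *img, size_t cap) {
    static const uint8_t filler[] = { 0x00, 0x00, 0xc0, 0x16, 0x10, 0x5e, 0x00 };
    size_t n = 0;
    for (size_t i = 0; i < N_SAMPLE; i++) {
        size_t slen = strlen(sample_strings[i]) + 1;     /* mask the NUL too */
        if (n + sizeof filler + slen > cap) break;
        memcpy(img + n, filler, sizeof filler);
        n += sizeof filler;
        memcpy(img + n, sample_strings[i], slen);
        xor_mask(img + n, slen, WORM_MASK);
        n += slen;
    }
    return n;
}

int main(void) {
    uint8_t img[256];
    char out[16][64];
    size_t n = build_sample_image(img, sizeof img);
    uint8_t key = guess_xor_key(img, n);
    size_t found = find_masked_strings(img, n, key, 4, out, 16);
    printf("guessed key 0x%02x, %zu strings recovered:\n", key, found);
    for (size_t i = 0; i < found; i++) printf("  %s\n", out[i]);
    return 0;
}
```

      Two things to take from this.  First, the masked NUL terminators
      (0x00 ^ 0x81 = 0x81) are what separate one recovered string from
      the next, so a scan that unmasks before testing for printability
      gets the string boundaries for free.  Second, the key recovery
      needs a scoring function that prefers likely text, not merely
      printable bytes: keys that differ from the real one only in a low
      bit keep most letters printable, and a printable-count heuristic
      would tie with them.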
