<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta name="dc:creator" content="Jörn Nettingsmeier &lt;nettings@folkwang-hochschule.de&gt;"/>
<meta name="dc:publisher" content="University of Duisburg-Essen, Dept. of Computer Science"/>
<meta name="dc:subject" content="Introduction to Internet Worms"/>
<meta name="dc:description" content="Course presentation on computer worms, and their replication mechanisms"/>
<meta name="dc:date" content="2004-03-23"/>
<meta name="dc:type" content="Collection"/>
<meta name="dc:format" content="text/xml"/>
<meta name="dc:identifier" content="http://spunk.dnsalias.org/public_stuff/cs_papers/Worms/"/>
<meta name="dc:language" content="en"/>
<meta name="dc:relation" content="Collection"/>
<meta name="dc:rights" content="(c) 2004 Jörn Nettingsmeier - may be freely redistributed and modified. Credit is welcome :)"/>

<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />

<link rel="stylesheet" type="text/css" href="worms.css" />

<title>Introduction to Internet Worms</title>

</head>

<body>

<div class="nav">
<a href="worms-2.xml">Previous</a> |
<a href="worms.xml">Table of Contents</a> |
<a href="worms-4.xml">Next</a>
</div>

<h1>Case Studies</h1>
<div>
<p>
After some theoretical considerations, we will now take a look at some real-life 
worms, their design decisions, strengths and weaknesses, and their effect on the 
infected hosts and the network infrastructure.
</p>
</div>

<h2>The Morris Worm (1988)</h2>
<div>
<p>
The very first Internet-wide worm was the famous Morris worm of November 
1988 (named after its originator, Robert T. Morris, then a student of computer 
science at Cornell University). It used topology information to spread 
and exploited flaws in the finger and sendmail daemons and other well-known 
system weaknesses on Sun3s and VAXen running 4BSD UNIX. Those systems were the 
workhorses of the Internet at the time, and were as common as Intel machines 
running Windows 2000 and Linux today.<br />
It ended up infecting 10% of the 60,000 connected hosts within a few days, which 
was sufficient to make the Internet grind to a halt.
</p>
<p>
<span class="keyword">finger</span> is a service that provides information about UNIX users, 
such as their real name, their "plan" (a short text file describing what they are 
up to at the moment), and whether they have recently checked mail or logged in. 
It had a traditional buffer overflow weakness, which the attacker could use to 
gain root access.<br />
finger is still widely used on many UNIX servers, 
although it is now normally firewalled off and allows only internal queries.
</p>
<p>
<span class="keyword">sendmail</span> is a widely used mail transfer agent, both liked for its richness in 
features and loathed for its immense complexity. Its weakness lay in the fact 
that a certain debug feature was left turned on in most production installations, 
which allowed the execution of arbitrary shell commands.<br />
Sendmail's security track record has not been good, and it is gradually being 
replaced with simpler mail servers at many sites.
</p>
<p>
In addition to these exploits, the worm also attempted to <span class="keyword">guess 
user passwords</span> by comparing a list of encrypted dictionary words to the entries 
in the UNIX password file, which in those days was world-readable. Most UNIX systems 
have since introduced shadow passwords (only readable by the login program) to 
close this weakness.
</p>
<p>
To make matters worse, many UNIX sites allowed users to maintain trust 
relationships between hosts by keeping a <span class="keyword">.rhosts</span> file. rsh (= remote shell) 
logins of that user from a machine listed in the .rhosts file would be accepted 
without prompting for a password. The Morris Worm tried rsh connections to 
neighboring hosts to take advantage of this misfeature. [Spafford1988]
</p>
<p>
The Morris Worm led to the founding of <a href="http://www.cert.org">CERT</a>, the
Computer Emergency Response Team, which is the net's most important
repository of security alerts today.<br />
Robert T. Morris was convicted, fined 10,000 US$ and sentenced to 400 hours of 
community service in addition to a 3-year probation. Interestingly, he is now a staff 
member at MIT, where he originally released the worm.
</p>
</div>

<h2>Code Red I.1, I.2 and II (2001)</h2>

<div>
<p>
The Code Red family of worms exploited a flaw in the Microsoft Internet 
Information Server, a web server that was enabled by default at many sites 
without the owners realizing it, since it was part of the default install of 
Windows 2000.<br />
The flaw consisted of a buffer overflow vulnerability in an indexing component, 
which was trivial to exploit remotely via a specially crafted HTTP GET request:
</p>
<blockquote>
<code>
GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<br />
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<br />
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<br />
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%uc<br />
bd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%<br />
u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
</code>
</blockquote>
<p>
Note the padding X's to pre-fill the buffer and the exploit code in URL-encoded 
Unicode (the %uXXXX escapes). This exploit would give the worm local administrator privileges, effectively 
handing the machine over.
</p>
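<p>
A defender can hunt for this request shape in web server logs. The following Python snippet is an added example, not part of the original presentation and not IIS or Code Red code: it parses a few constructed common-log-format lines, matches the padded <span class="keyword">/default.ida</span> signature, and decodes the <code>%uXXXX</code> escapes into the bytes the server would have processed, so the 0x90 (x86 NOP) filler becomes visible to the analyst.
</p>

```python
import re
import struct

# Constructed Apache common-log-format lines (not taken from the page); the second
# one carries a Code Red-style request, the third is a harmless hit on the same path.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [19/Jul/2001:14:02:11 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.9 - - [19/Jul/2001:14:02:13 +0000] "GET /default.ida?' + "X" * 32
    + '%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00'
    + '%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 0',
    '10.0.0.7 - - [19/Jul/2001:14:02:20 +0000] "GET /default.ida HTTP/1.0" 200 512',
])

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')
# Signature: the .ida path, a run of at least 20 identical padding letters, then the rest.
IDA_RE = re.compile(r'^/default\.ida\?(?P<pad>(?P<c>[A-Za-z])(?P=c){19,})(?P<rest>.*)$')
# IIS's non-standard %uXXXX escape carries one 16-bit unit per escape.
UNI_RE = re.compile(r'%u([0-9a-fA-F]{4})')


def decode_u_escapes(s):
    """Turn %uXXXX escapes into the little-endian byte string the server decoded."""
    return b"".join(struct.pack("<H", int(h, 16)) for h in UNI_RE.findall(s))


def scan_log(text):
    """Return one finding per log line that matches the Code Red request shape."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a parsable access-log line
        ida = IDA_RE.match(m["url"])
        if not ida:
            continue                      # ordinary request, or .ida without padding
        payload = decode_u_escapes(ida["rest"])
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "status": m["status"],
            "pad_len": len(ida["pad"]),
            "units": len(UNI_RE.findall(ida["rest"])),
            "nop_bytes": payload.count(0x90),   # 0x90 is x86 NOP, used as filler
            "preview": payload[:8].hex(),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```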
<p>
Code Red I and II used different code bases and were probably written by 
different people.
</p>
<a href="./code-red-1-spread.png">
<img src="./code-red-1-spread.png" class="float-left-small" alt="The spreading of Code Red 1, taken from [Moore2001]" />
</a>
<p>
The initial version of Code Red I contained an interesting bug
in its random scanning algorithm: the randomizer was seeded with a constant value,
so that every worm instance scanned the same sequence of hosts. Therefore, this
version had only linear growth and was not very successful. This problem was fixed 
later, and Code Red I.2 showed the exponential growth curve typical for random 
scanning worms.<br />
Code Red I was (and is) only active from the first to the 19th day of the month 
and sleeps for the rest. It contained two payloads, one crude website defacement
stating "Hacked by Chinese" and a DDoS attack against www.whitehouse.gov.<br />
But since the attack was targeted at the IP address instead of the DNS name, 
it could be dodged easily by moving the website to another IP.<br />
Code Red I resides only in memory, and can be removed by rebooting the machine. Without a
patch, however, the machine is re-infected within hours.<br />
Code Red I infected more
than 350,000 machines in less than 14 hours, and remains active to this day.
</p>
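<p>
The effect of that seeding bug is easy to reproduce in a toy model. The following Python simulation is an added example, not code from the original presentation or from any worm: it runs the same discrete-time spread once with every instance seeding its generator from one constant (so all instances walk the same address sequence) and once with independent seeds, in a made-up address space of 16384 hosts with 500 vulnerable machines and 4 probes per instance per step. The first run can grow at most linearly; the second shows the familiar exponential take-off and saturation.
</p>

```python
import random

ADDR_SPACE = 1 << 14      # toy address space, 16384 addresses (not the real IPv4 space)
N_VULNERABLE = 500        # constructed vulnerable population
SCANS_PER_STEP = 4        # probes each worm instance sends per time step
STEPS = 300
CONSTANT_SEED = 12345     # stands in for the fixed seed of the first Code Red I build


def simulate(constant_seed, world_seed=1):
    """Discrete-time spread of a random-scanning worm; returns infected count per step.

    With constant_seed set, every new instance seeds its own generator with that
    value and therefore probes exactly the same address sequence as every other
    instance (the Code Red I bug).  With constant_seed=None each instance gets an
    independent seed, as in the corrected Code Red I.2.
    """
    world = random.Random(world_seed)                    # reproducible "universe"
    vulnerable = set(world.sample(range(ADDR_SPACE), N_VULNERABLE))
    infected = {min(vulnerable)}                         # patient zero
    def new_instance():
        seed = constant_seed if constant_seed is not None else world.getrandbits(64)
        return random.Random(seed)
    instances = [new_instance()]
    history = []
    for _ in range(STEPS):
        newly = set()
        for rng in instances:
            for _ in range(SCANS_PER_STEP):
                target = rng.randrange(ADDR_SPACE)
                if target in vulnerable and target not in infected:
                    newly.add(target)
        infected |= newly
        instances.extend(new_instance() for _ in newly)  # each victim starts scanning
        history.append(len(infected))
    return history


def first_step_reaching(history, count):
    """Index of the first step at which at least `count` hosts are infected, or None."""
    return next((t for t, n in enumerate(history) if n >= count), None)


if __name__ == "__main__":
    buggy = simulate(CONSTANT_SEED)
    fixed = simulate(None)
    half = N_VULNERABLE // 2
    print(f"constant seed : {buggy[-1]:4d} infected after {STEPS} steps, "
          f"half of the population reached at step {first_step_reaching(buggy, half)}")
    print(f"proper seeding: {fixed[-1]:4d} infected after {STEPS} steps, "
          f"half of the population reached at step {first_step_reaching(fixed, half)}")
```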
<p>
Code Red II employed weighted scanning and was much quicker to spread than its predecessor.
With a probability of 3/8, it would scan an address in the same Class B network, with probability 1/2 
it would stay in the same Class A network, and only with probability 1/8 would it choose a totally random
address.<br />
Its payload was a backdoor allowing full Administrator access.
Code Red II deactivated itself on October 1st, 2001 due to a built-in expiration date, but the
backdoors remained active. [eEye2001], [Moore2001]
</p>
</div>

<h2>Sapphire/Slammer (2003)</h2>
<div>

<a href="./sql-before-small.gif">
<img src="./sql-before-small.gif" class="float-left-small" alt="The outbreak of Sapphire (1), taken from [Moore2003]" />
</a>
<p>
The Sapphire (aka Slammer) worm took advantage of a hole in Microsoft's SQL Server that could be
exploited with a single 376 byte UDP packet. This fact accounted for its immense speed: it spread
almost 250 times as fast as Code Red I, with an initial doubling time of only 8.5 seconds.
After only 30 minutes it had reached saturation. As of this writing, Sapphire remains the fastest
worm observed in the wild.
</p>
<a href="./sql-after-small.gif">
<img src="./sql-after-small.gif" class="float-right-small" alt="The outbreak of Sapphire (2), taken from [Moore2003]" />
</a>
<p>
UDP is a stateless protocol, meaning a worm instance can send out infection attempts as fast as its resources
allow, without the need to keep track of connection state and handshakes. Sapphire used random 
scanning. It was the first worm to be bandwidth-bound, and resulted in massive business disruption, 
leading to cancelled flights and widespread crashes of ATMs. [Moore2003]
</p>

</div>






</body>

</html>

