Seely, Don, "A Tour of the Worm," Department of Computer Science, University of Utah, n.d.
....that had not been closed in the victim systems. The Morris Worm used four main methods for spreading: fingerd gets() buffer overflow: Only 4.3BSD VAX machines suffered from this attack [19]. SunOS did not suffer, causing a core dump, only because of different required offset on the stack [18, 21, 26]. Ultrix, for example, was not vulnerable [8]. Sendmail DEBUG option: Mostly Berkeley derived Unixes, but also other varieties of Unix [25, 26]. SunOS binary releases had this mode [8]. DEBUG was enabled as the default for 4.2BSD, 4.3BSD and derived SunOS, while the commercial release of Ultrix ....
....an additional 17 files [17] indicating additional targets may have been planned. It was estimated that approximately 75 percent of the computers then attached to the Internet used some version of Unix [27] but the worm only affected code that included 4.2 or 4.3 BSD derivatives like SunOS [21]. Furthermore, the worm only propagated over TCP/IP and not UUCP, X.25, DECNET, or BITNET [21]. The worm did not infect System V systems unless they had been modified to use Berkeley network programs like sendmail, fingerd and rexec [21]. In November 1988 it was estimated that there were ....
[Article contains additional citation context not shown here]
Seely, Don, "A Tour of the Worm," Department of Computer Science, University of Utah, n.d.
....traced back to the same person, or if features of the attacks are similar. To make this inference, a mechanism must exist to correlate sessions across several hosts. Seely defines a worm as a program that propagates itself across a network using resources on one machine to attack other machines [2]. The best known worm attack is the Morris worm of 1988 which infected thousands of hosts throughout the Internet, rendering them unusable. Worms are evidenced by a large amount of traffic forming a tree-like pattern and by similar activity occurring on hosts within this tree. Intrusion detection ....
D. Seely. A tour of the worm. IEEE Trans. on Soft. Eng., November 1991.
....traced back to the same person, or if features of the attacks are similar. To make this inference, a mechanism must exist to correlate sessions across several hosts. Seely defines a worm as a program that propagates itself across a network using resources on one machine to attack other machines [14]. The best known worm attack is the Morris worm of 1988 which infected thousands of hosts throughout the Internet, rendering them unusable. Worms are evidenced by a large amount of traffic forming a tree-like pattern and by similar activity occurring on hosts within this tree. Intrusion detection ....
D. Seely. A tour of the worm. IEEE Trans. on Soft. Eng., November 1991.
....combined nature of the distributed attack is only apparent if the attack is traced back to the same source, or if features of the attacks are similar. To detect such coordinated activity, an IDS must correlate sessions across several hosts and possibly across several distributed detectors. Seely [11] defines a worm as a program that propagates itself across a network using resources on one machine to attack other machines. The best known worm attack is the Internet worm of 1988 which infected thousands of hosts throughout the Internet, rendering many of them unusable. Worms are evidenced by ....
D. Seely. A tour of the worm. IEEE Trans. on Soft. Eng., November 1991.