Eugene H. Spafford, The Internet worm program: an analysis, Tech. Report CSD-TR823, Department of Computer Science, Purdue University, 1988.
....However, exploiting mobility raises new problems because executable code is inherently architecture and system dependent. Security Global applications rely on network communications thus, apart from being potential victims of computer viruses, can be tampered and eavesdropped in many ways [Che91, Spa89, VJ99], and for this reason they are basically vulnerable and insecure [Ord96] In general, mobile code and communications may need to cross administrative domains and firewalls, and untrusted sites as well. Techniques such as cryptography may solve some problems related to data communications, but, ....
Eugene H. Spafford. The Internet Worm Program: An Analysis. Computer Communication Review, 19(1):17--57, January 1989. Also Purdue Technical Report, Department of Computer Science, Purdue University, Number CSD-TR-823.
....created. Experts were typically employed to analyze suspicious programs by hand. Using their expertise, signatures were found that made a malicious executable example different from other malicious executables or benign programs. One example of this type of analysis was performed by Spafford [24] who analyzed the Internet Worm and provided detailed notes on its spread over the Internet, the unique signatures in the worm's code, the method of the worm's attack, and a comprehensive description of system failure points. Although accurate, this method of analysis is expensive, and slow. If ....
Eugene H. Spafford. The Internet worm program: an analysis. Tech. Report CSD--TR--823, 1988. Department of Computer Science, Purdue University.
....during the attack, if a copy of the worm program is already running on the remote host. This avoids the remote machine to pass through a duplicate replication loop. This property of remotely determining whether a copy of worm is running on the target host was observed in the Internet worm [Spafford 89] A worm characterized by a missing surveyor is prone to early detection due to anomalous side effects in the infected system. These anomalies can occur in the form of frequent crashing of the worm program or a large number of incomplete TCP sessions due to replication attempts to IP ....
....on a system. The intent of the concealment is to increase the complexity of analysis and thus increase the difficulty of detection of a virus attack. Concealment of virus structure involves camouflaging its code to prevent its detection or analysis. As seen in the case of the Internet Worm [Spafford 89] once the worm code was disassembled and analyzed and the software vulnerabilities (in fingerd and sendmail) used for its propagation were patched, the worm propagation halted. The analysis phase took considerable time. In contemporary worms, analysis time can be a deciding factor in ....
[Article contains additional citation context not shown here]
E. H. Spafford. The Internet Worm Program: An Analysis. ACM Computer 19(1). pages 17-57. 1989.
....However, exploiting mobility raises new problems: executable code is inherently architecture and system dependent. Security: global applications rely on network communications thus, apart from being potential victims of computer viruses, can be tampered with and eavesdropped in many ways [12, 13], and for this reason they are basically vulnerable and insecure [14] In general, mobile code and communications may need to cross administrative domains and firewalls, and untrusted sites as well. Techniques such as cryptography may solve some problems related to data communications, but, when ....
Eugene H. Spafford. The Internet Worm Program: An Analysis. Computer Communication Review, 19(1):17-57, January 1989. Also Purdue Technical Report, Department of Computer Science, Purdue University, Number CSD-TR-823.
....created. Experts were typically employed to analyze suspicious programs by hand. Using their expertise, signatures were found that made a malicious executable example different from other malicious executables or benign programs. One example of this type of analysis was performed by Spafford [24] who analyzed the Internet Worm and provided detailed notes on its spread over the Internet, the unique signatures in the worm's code, the method of the worm's attack, and a comprehensive description of system failure points. Although accurate, this method of analysis is expensive, and slow. If ....
Eugene H. Spafford. The Internet worm program: an analysis. Tech. Report CSD--TR--823, 1988. Department of Computer Science, Purdue University.
....Experts were typically employed to analyze suspicious programs by hand. Using their expert knowledge signatures were found that made a malicious executable example different from other malicious executables or benign programs. One example of this type of analysis was performed by Spafford in 1988 [22]. He used his expertise to analyze the Internet Worm and provided detailed notes on the spread of it over the Internet, the unique signatures in the worm's code, the method of the worm's attack, and a comprehensive description of system failure points. Although accurate, this method of analysis ....
Eugene H. Spafford. The Internet worm program: an analysis. Tech. Report CSD--TR--823, 1988. Department of Computer Science, Purdue University.
....of successful or unsuccessful intrusions in operational systems. Unfortunately, as far as we know, this kind of data is not available. Nevertheless, valuable information can be obtained from the analysis of some well known intrusions described for instance in [Reid 1986, Stanley 1986, Spafford 1988, Stoll 1988, Rochlis Eichin 1989, Seeley 1989, Cheswick 1991, Stanley 1991, Bellovin 1992] Unfortunately, these intrusions are rare and cannot be considered as a representative sample. These data can be complemented by additional information provided by security experts concerning the ....
....few attackers may have this information. For instance, some intrusions can be achieved by memory modifications; these intrusions are not well known since they are specific to the operating system of the target (this is also the case of intrusions via daemon fingerd in Unix systems described in [Spafford 1988]) Other attacks require the availability of complex, expensive hardware that only few attackers may possess; for example, some passwords may be caught by the analysis of electromagnetic radiation from screens or keyboards by a specific hardware. Moreover, the implementation of some attacks is ....
E. H. Spafford, The Internet Worm Program: An Analysis, Purdue University, Technical Report, NCSD-TR-823, November 1988.
.... 1 Introduction Object oriented communication has become popular in distributed systems [2, 22, 8] With objects or without them, distributed systems typically rely on networks with no low level support for security; the vulnerability of distributed systems is by now evident and worrisome [23, 4]. A need exists therefore for secure object-oriented communication. We describe the design and implementation of secure network objects. Secure network objects extend Modula 3 network objects [19, 2] with security guarantees. When a client invokes a method of a secure network object over the ....
Eugene H. Spafford. The Internet worm program: An analysis. Computer Communication Review, 19(1):17--57, January 1989.
....in proving cryptosystems secure may lead to wide applications and standardisation of primitives later proven insecure. Software security problems Early examples of attacking hosts connected to the Internet through software vulnerabilities include those exploited by the so called Internet Worm (Spafford 1989). Among guessing passwords and exploiting poor security administration, the Internet Worm exploited weaknesses in application design, causing buffer overflows in the program execution stack. Since the program execution stack is usually executable memory, the overflow can be engineered to cause ....
Spafford, E. H. (1989) The Internet Worm Program: An Analysis. Computer Communications Review 19(1):17-57.
....to retract all versions of a WEB browser because of a newly discovered security bug. 5. 1 Related Work Probably the two oldest and at the same time most famous large scale self-deploying services are the CHRISTMAS program propagated through e-mail in 1987 and Morris Internet worm in 1988 [10]. Active networks clearly use the same propagation principle but want to harness the power of network wide replication. A notable difference of our approach compared to other active network environments is that we deliberately have no per packet resource limitations. ANTS [11] for example, uses ....
E. Spafford. The Internet Worm Program: An Analysis. SIGCOMM, Jan 1989, pp. 17--59.
....of an array was a common coding error. Using dangerous input functions, such as the gets call, turned out to be the second most common cause of errors that crashed system utilities. Besides being a cause of reliability errors, the gets call gained notoriety during the Morris Internet Worm incident [14]. The reason this call and other related input functions are dangerous is that they do not limit or check the length of the input they read. In the case of the Internet worm, supplying the gets call with more than 512 bytes of data overruns the stack frame, thus enabling arbitrary input data to be ....
E.H. Spafford. The Internet worm program: An analysis. Computer Communications Review, 19(1):17--57, January 1989.
....intrusions into UNIX systems prompted another look at the security of the UNIX password algorithm. In certain cases, intruders are using password-guessing attacks much like those described by Morris and Thompson. One such attack was contained in the ARPA Internet Worm of November 1988 [12]. Experiments by the authors demonstrate that the rapid improvements in computer price performance ratios over the past decade call into question the adequacy of the present UNIX password algorithm. By careful optimization and the liberal use of space time tradeoffs, one of us (Feldmeier) has ....
Eugene H. Spafford. The internet worm program: An analysis. Computer Communication Review, 19(1):17--57, January 1989.
....inadvertently inserted into the BSD sendmail program, enabling users to obtain root privileges. As another example, the finger daemon program neglects to limit the size of an input string, enabling an attacker to overflow its buffer to obtain root access in the host providing the finger service. [7, 19]. Often, such errors are subtle, and the exploitation involves multiple processes interacting in unexpected ways. Therefore, these errors are often not detected during testing and not discovered until long after system releases. In this paper, we discuss a technique for detecting exploitations of ....
E. H. Spafford. The internet worm program: An analysis. ACM SIGCOM, January 1989.
....contracts F3060296 1 0331 and F30602 96 1 0302. y Ryerson Polytechnic University 1 Introduction This paper presents a systematic solution to the persistent problem of buffer overflow attacks. Buffer overflow attack gained notoriety in 1988 as part of the Morris Worm incident on the Internet [23]. Despite the fact that fixing individual buffer overflow vulnerabilities is fairly simple, buffer overflow attacks continue to this day, as reported in the SANS Network Security Digest: Buffer overflows appear to be the most common problems reported in May, with degradation of service problems a ....
E. Spafford. The Internet Worm Program: Analysis. Computer Communication Review, January 1989.
....the execution of all processes throughout the world. We must always be aware of the possibility of chain reactions of submitted messages. Computer worms and viruses are a good example for that. The analysis of the internet worm has demonstrated the difficulties of writing such programs correctly [29] and the deficiencies of existing software to be aware of such misuses. It is impossible to examine all effects of communication, including hardware failures and unexpected behaviors, without examining all processes on the global architecture. The programmer does not know the global architecture ....
Spafford, E. The internet worm program: An analysis. Computer Communication Review, ACM SIGCOM 19, 1 (January 1989).
....monitoring the login password pairs that are entered into the system. The Trojan may have to wait for the system to be rebooted to accomplish this. It may also need root permissions. We will assume that the requisite measures are taken, perhaps by exploiting a bug in the system, etc. see [ER88, Sp89] The following are the steps in the computation: • Once a login password pair is entered the cleartext of the pair is intercepted by the Trojan. The Trojan then encrypts the pair using ElGamal. • It then flips an N sided coin to get a value i. The Trojan will store the pair in the i th ....
E. H. Spafford. The Internet Worm Program: an analysis. Comp. Comm Review, 19(1), 1989, pp. 17-57.
.... Once weak password have been discovered, the attacker can use this knowledge to launch an attack on more secure systems on which users may have accounts [6] Using a dictionary password key search attack is one of the methods which the Internet Worm of 1988 used to gain access to other systems [10]. The standard Unix crypt function available in the Unix standard C library (lib c) on domestically distributed Unix systems. Source code for the Unix crypt function (in C language) can be found in the source distributions of Linux, FreeBSD and NetBSD. Also, an optimized version of Unix crypt ....
Eugene H. Spafford. The Internet Worm program: An analysis. Technical Report CSD-TR-823, Purdue University, November 1988.
....for the program, or it may point to data that is not a valid instruction opcode. This result points to potential vulnerabilities in the GNU utilities to buffer overrun attacks. Buffer overrun attacks are one of the most significant security related flaws that are most often exploited in practice [2, 6]. The Fuzz study also pointed out the relative vulnerability of programs to unconstrained input [5] However, the assertion that these programs are vulnerable to buffer overrun attacks has not been investigated in this study. The data collected from the tests run on the native Windows NT utilities ....
E.H. Spafford. The Internet worm program: An analysis. Computer Communications Review, 19(1):17--57, January 1989.
....in determining whether buffers are in fact vulnerable once identified. Other software engineering analysis techniques have been applied to the problems of computer security. Pioneering work in analyzing buffer overruns has been performed by researchers at the COAST Laboratory at Purdue University [13]. In addition, research out of the University of Wisconsin has analyzed Unix utilities for reliability and robustness, with corresponding implications on security [10, 11] A static software analysis technique employed by UC Davis researchers can analyze software for vulnerability to a class of ....
E.H. Spafford. The Internet worm program: An analysis. Computer Communications Review, 19(1):17--57, January 1989.
....the work of research groups from the University of Wisconsin and the University of California (Davis) in applying software analysis techniques for security assessment is summarized. Other pioneering work in this area was performed by researchers at the COAST Laboratory at Purdue University [12]. PREPRINT A University of Wisconsin group using a tool called Fuzz subjected Unix utilities with random streams of input data. Miller et al. found that . the failure rate of utilities on the commercial versions of UNIX . tested (from Sun, IBM, SGI, DEC, and NeXT) ranged from 15 43 [10, ....
....end of an array was a common coding error. Using dangerous input functions, such as the gets call, turned out to be the second most common cause of errors that crashed system utilities. Besides being a cause of reliability errors, the gets call is notorious from the Morris Internet Worm incident [12]. The reason this call and other related input functions are dangerous is that they do not limit or check the length of the input they read. In the case of the Internet worm, supplying the gets call with over 512 bytes of data overruns the stack frame, thus enabling arbitrary input data to be ....
E.H. Spafford. The Internet worm program: An analysis. Computer Communications Review, 19(1):17--57, January 1989.
....better, easier and more efficient distributed communications, but also because interfaces and protocols appropriate to a small cooperating closed environment were inappropriate to operation in an open distributed environment. Perhaps the most infamous security incidence was the Internet Worm 1 2 [Spafford(1991, 1988)] which was able to access a system by connecting to the TCP/IP port monitored by the fingerd daemon process and overrunning its input buffer in such a way to cause it to accept instructions from the remote system (on given machine architectures) More typical, perhaps, are security violations due ....
Eugene H. Spafford (1988), The Internet Worm Program: An Analysis, Purdue Technical Report CSD-TR-823, ftp: coast.purdue.edu 2
....This section contains a more detailed overview of how the Worm program functioned. The description in this section assumes that the reader is somewhat familiar with standard UNIX commands and with BSD UNIX network facilities. A more detailed analysis of operation and components can be found in [26], with additional details in [10] and [24] This description starts from the point at which a host is about to be infected. A Worm running on another machine has either succeeded in establishing a shell on the new host and has connected back to the infecting machine via a TCP connection, or it ....
....host as in steps 1 and 2a, above. On Suns, this simply resulted in a core dump since the code was not in place to corrupt a Sun version of fingerd in a similar fashion. Curiously, correct machine specific code to corrupt Suns could have been written in a matter of hours and included but was not. [26] 8c) The Worm then tried to infect the remote host by establishing a connection to the SMTP port and mailing an infection, as in step 2b, above. Not all the steps were attempted. As soon as one method succeeded, the host entry in the internal list was marked as infected and the other methods were ....
[Article contains additional citation context not shown here]
Spafford, Eugene H., "The Internet Worm Program: An Analysis," COMPUTER COMMUNICATION REVIEW, vol. 19, no. 1, ACM SIGCOM, January 1989. Also issued as Purdue CS technical report TR-CSD-823
....external intruder might break into a UNIX system. These include guessing poorly chosen passwords, potentially with dictionary attacks; taking advantage of bugs in privileged UNIX system software (an example is the Morris Worm of November 1988 that exploited a bug in the Internet finger server [1] . and taking advantage of system configuration errors or poorly chosen system defaults. Properly configured and administered systems are not generally vulnerable to these attacks. Other attacks take advantage of the information that crosses communications networks. One can obtain passwords for ....
Eugene H. Spafford, The Internet worm program: An analysis. Computer Communications Review 19(1):17-57, January 1989.
....spread to systems of varying architectures. On November 2, 1988, a program combining elements of a computer worm and a computer virus targeting Berkeley and Sun UNIX based computers entered the Internet; within hours, it had rendered several thousand computers unusable [46][47][109][117][118][122][123][125] Among other techniques, this program used a virus like attack to spread: it inserted some instructions into a running process on the target machine and arranged for those instructions to be executed. To recover, these machines had to be disconnected from the network, rebooted, and several ....
E. Spafford, "The Internet Worm Program: An Analysis," ACM Computer Communications Review 19(1) (Jan. 1989).
....no more dangerous than the data in a data base or the text file from a word processor. Imagine however, the problems that could arise if evolving digital organisms were to colonize the computers connected to the major networks. They could spread across the network like the infamous internet worm [2, 8, 83, 84]. When we attempted to stop them, they could evolve mechanisms to escape from our attacks. It might conceivably be very difficult to eliminate them. However, this scenario is highly unlikely, as it is probably not possible for digital organisms to evolve on normal computer systems. While the ....
Spafford, Eugene H. 1989. The internet worm program: an analysis. Computer Communication Review 19(1): 17--57. Also issued as Purdue CS technical report TR-CSD-823. Contact: spaf@purdue.edu
.... 1 Introduction Object oriented communication has become popular in distributed systems [2, 23, 19] With objects or without them, distributed systems typically rely on networks with no low level support for security; the vulnerability of distributed systems is by now evident and worrisome [24, 4]. Therefore, a need exists for secure object oriented communication. We describe the design and implementation of secure network objects. Secure network objects extend Modula 3 network objects [18, 2] with security guarantees. When a client invokes a method of a secure network object over the ....
E. H. Spafford. The Internet worm program: An analysis. Computer Communication Review, 19(1):17--57, Jan. 1989.
....the failure and they normally result in violation of [expected] policies. Detailed analysis of the factors that contribute to the existence of these vulnerabilities is mostly limited to cryptic articles posted to hacker newsgroups or web sites. There are a few notable exceptions [Lin75, Spa89a, Spa89b, Sto90, Kum95, DFW96, MF97, DW95] and this report attempts to add to these with a detailed analysis of five common computer vulnerabilities. The analysis of each vulnerability attempts to identify its characteristics, the [expected] policies violated by its exploitation, and contributes to the ....
Eugene H. Spafford. The Internet Worm Program: An Analysis. Computer Communication Review, 19(1), January 1989.
....the failure and they normally result in violation of [expected] policies. Detailed analysis of the factors that contribute to the existence of these vulnerabilities is mostly limited to cryptic articles posted to hacker newsgroups or web sites. There are a few notable exceptions [Lin75, Spa89a, Spa89b, Sto90, Kum95, DFW96, MF97, DW95] and this report attempts to add to these with a detailed analysis of four common computer vulnerabilities. The analysis of each vulnerability identifies its characteristics, the [expected] policies violated by its exploitation, and contributes to the ....
Eugene H. Spafford. The Internet Worm Program: An Analysis. Computer Communication Review, 19(1), January 1989.
No context found.
Eugene H. Spafford. The Internet Worm Program: An Analysis. Technical Report CSD-TR-823, Purdue University, West Lafayette, IN, 1988.
....misuse intrusion detection, refers to intrusions that follow well defined patterns of attack that exploit weaknesses in system and application software. Such patterns can be precisely written in advance. For example, exploitation of the fingerd and sendmail bugs used in the Internet Worm attack [Spa88] would come under this category. This technique represents knowledge about the bad or unacceptable behavior [Sma92] and seeks to detect it directly, as opposed to anomaly intrusion detection, which seeks to detect the complement of normal behavior. The above mentioned schemes of classifying ....
Eugene Spafford. The Internet Worm Program: An Analysis. Technical Report CSD-TR-823, Department of Computer Sciences, Purdue University, West Lafayette, IN, November 1988.
.... be feasible to analyze the remnants of software, typically the remains of a virus or Trojan horse, and identify its author [WS93] In actual practice, there are documented cases where people have used ad hoc techniques, based on programming style, to make conclusions about authorship of programs [Spa89, Spa88, LS93]. 2.2 Authorship Analysis in Literature Hundreds of books and essays have been written on this topic, some as early as 1837 [Dis37] Specially interesting is W. Elliott's attempt to resolve the authorship of Shakespeare's work with a computer by examining literary minutiae, from word frequency to ....
Eugene H. Spafford. The internet worm program: An analysis. Computer Communication Review, 19(1), January 1989.
.... be feasible to analyze the remnants of software, typically the remains of a virus or Trojan horse, and identify its author [WS93] In actual practice, there are documented cases where people have used ad hoc techniques, based on programming style, to make conclusions about authorship of programs [Spa89, Spa88, LS93]. 2.2 Authorship Analysis in Literature Hundreds of books and essays have been written on this topic, some as early as 1837 [Dis37] Specially interesting is W. Elliott's attempt to resolve the authorship of Shakespeare's work with a computer by examining literary minutiae, from word frequency to ....
Eugene H. Spafford. The internet worm program: An analysis. Technical Report CSD-TR-823, Department of Computer Science. Purdue University, 1988.
....The information is also provided to authorized personnel for security and system monitoring. An audit system should be constructed in such a way that if a system violation occurs, the events leading up to and including that violation are reconstructible ([51]). Shimomura and Spafford demonstrate ([46, 48]) how audit information may be used in the aftermath of a system violation for the recovery of its functionality and the investigation of what led to the violation. Furthermore, an audit system might allow for the monitoring of systems prior to a violation. Attempts to violate security may then be ....
E. H. Spafford. The Internet Worm Program: An Analysis. Technical Report CSD-TR-823, Department of Computer Sciences, Purdue University, West Lafayette, Indiana, 1988.
No context found.
Eugene H. Spafford, The Internet worm program: an analysis, Tech. Report CSD-TR823, Department of Computer Science, Purdue University, 1988.
No context found.
E. H. Spafford. The Internet Worm Program: An Analysis. Technical Report CSD-TR-823, Purdue University, 1988.
No context found.
E. H. Spafford. The Internet Worm Program: An Analysis. Technical Report CSD-TR-823, Purdue University, 1988.
No context found.
E. H. Spafford. The Internet Worm Program: An Analysis. Technical Report CSD-TR-823, Purdue University, 1988.
No context found.
Eugene H. Spafford, The Internet worm program: an analysis, Tech. Report CSD-TR823, Department of Computer Science, Purdue University, 1988.
No context found.
E. H. Spafford. The Internet Worm Program: An Analysis. Technical Report CSD-TR-823, Purdue University, 1988.
No context found.
E. H. Spafford. The Internet Worm Program: An Analysis. Technical Report CSD-TR-823, Purdue University, 1988.
No context found.
E. H. Spafford, "The Internet Worm Program: An Analysis", Purdue Technical Report, 1988.
No context found.
Eugene H. Spafford. The internet worm program: An analysis. Computer Communication Review, 19(1):17-57, January 1989.
No context found.
Eugene H. Spafford. The Internet Worm Program: An Analysis. Technical Report CSD-TR-823, Purdue University, West Lafayette, IN, 1988.
No context found.
E. Spafford, The Internet Worm Program: An Analysis, ACM Computer Comm. Review, 19(1), 1989.
No context found.
E. Spafford. The Internet Worm Program: Analysis. Computer Communication Review, 1989.
No context found.
E. Spafford. The Internet Worm Program: Analysis. Computer Communication Review, 1989.
No context found.
Spafford, Eugene H. The Internet Worm Program: An Analysis. Technical Report CSD-TR-823. Department of Computer Science, Purdue University.
No context found.
Eugene H. Spafford, "The Internet Worm Program: An Analysis," Purdue Technical Report CSD-TR-823, Purdue University, November 29, 1988.
No context found.
Spafford, E. H., "The Internet Worm Program: An Analysis," Purdue Technical Report, CSD-TR-823, November 28, 1988.
No context found.
E. H. Spafford. The internet worm program: An analysis. Technical Report CSD--TR--823, Purdue University, December 1988.