Sunday, November 09, 2008

Morris Worm - two decades later - little has changed

It was November 1988 and I was an undergrad at Colorado State University when the Morris Worm started hitting computers on campus.  I remember the excitement in the Physics lounge as we started to discuss and reverse engineer the virus.

The worm infected BSD-based operating systems by exploiting buffer overruns through the gets function call in the utilities fingerd and sendmail. The worm collected host, network and user information and then, in turn, used this information to infect other servers over TCP or SMTP via the buffer overrun defects in sendmail and/or fingerd.

The detection of the virus started with strange files showing up in /usr/tmp directories and strange entries in /var/log/ files, but most notable was the vast number of processes running when one issued a top command.

Shortly after discovery, UC Berkeley had created a patch for sendmail and made suggestions to limit the spread of the Morris Worm. Oddly enough, the Morris Worm exploited a debug option (e.g. -d) in sendmail, used by many system admins (and users) to test mail configurations.

So here we are twenty years later and I am still disappointed to find my colleagues using unbounded string copy functions like gets, strcpy, strcat, etc. I recently worked with a networking group to close a security exploit in one of their communications libraries that, you guessed it, did a blind copy of a buffer passed in from the user (doh!) and caused the daemons using the library to crash and dump the stack.

Therefore I have written on the whiteboard by my desk:
Use of the function strcpy is a clear indication to anyone reading your code that you are willing to walk forever to find nothing (e.g. a NULL).
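
The bounded alternative to the blind copy described above, shown as an added example (not code from the original post or from the library it mentions). The function names, status codes and sample inputs are assumptions made for this illustration, and the caller is assumed to pass the number of bytes it actually received.

```c
#include <stdio.h>
#include <string.h>

/* Status names are hypothetical, chosen for this example. */
enum copy_status { COPY_OK = 0, COPY_TOO_LONG = -1, COPY_BAD_ARG = -2 };

/* The pattern the post warns about: strcpy keeps reading src until it meets
 * a NUL byte and writes every byte to dst, whatever size dst really is. */
void copy_field_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Bounded form: src is untrusted and src_len bytes long; it need not be
 * NUL-terminated. Over-long input is rejected, not silently truncated. */
enum copy_status copy_field(char *dst, size_t dst_cap,
                            const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL || dst_cap == 0)
        return COPY_BAD_ARG;

    /* Look for the terminator, reading at most src_len bytes. */
    const char *nul = memchr(src, '\0', src_len);
    size_t len = nul ? (size_t)(nul - src) : src_len;

    if (len >= dst_cap) {   /* no room for the data plus its NUL */
        dst[0] = '\0';      /* leave dst a valid empty string */
        return COPY_TOO_LONG;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return COPY_OK;
}

int main(void)
{
    char name[8];
    char raw[16];           /* constructed input: 16 bytes, no NUL anywhere */
    memset(raw, 'A', sizeof raw);

    printf("short field:   %d\n", copy_field(name, sizeof name, "root", 5));
    printf("16-byte field: %d\n", copy_field(name, sizeof name, raw, sizeof raw));
    return 0;
}
```

Rejecting the over-long field lets the daemon drop the request and log it, where a truncating copy would carry on with data the sender never intended.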

As a footnote: Whatever happened to that Morris guy who created the Morris Worm? Well, Robert T. Morris was represented by the law firm Bonnor and O'Connell, tried and convicted of violating the 1986 Computer Fraud and Abuse Act, and eventually sentenced to three years' probation and fined 10,000 USD. Shed no tears, R. T. Morris is an associate professor at MIT (the exact same university where he created the worm).
