Recorded on May 7, 2019, 2019 at G-Unit Studios in Rhode Island!
- Register for our upcoming webcasts by going to securityweekly.com/webcasts . If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand. Also, you can now submit your suggestions for guests in our recently released guest suggestion form! Go to securityweekly.com/guests and enter your suggestions!
Topic: The Lair of the White Worm
- So, in 1988, Robert Morris wrote a kind of joke piece of software. This was pretty common at the time. Now, according to Morris, he never realized this would cause all this harm. Now, for some of you this is going to be a bit hard to conceive but in 1988, there were probably around 50000 or less computers attached to the interweb worldwide. In 1988, there no MMORPG games, there were no end users for the most part that were attached. It was just mainframes. Now, some of those provided end user access via companies, or even services like Compuserv or Sierra online but for the most part it was all sysop type people running them.
- The second thing that arises in 1988 is the idea of security. Now, forever, people had not really worried about security on their systems since A) no one could access them?; B) only weird nerds could access them?; and C) well, who really cares. Let the nerds deal with it. (Revenge of the Nerds came out in 1984). Now, I did a pen test in 1986 and just about got fired from my job for reporting on it. So, how did the Morris Worm work? It primarily used a command that was available on unix driven mainframes called rsh/rlogin/rexec and a basic brute force password cracker. This was called hacking at the time. Now the r suite was a way to connect to the mainframe using the interweb but, wait for it, it may not have required a password. rlogin was often used by engineers who didn't have time for passwords so they could get in to fix things when it was needed. Now, the equivalent of this is that you don't padlock the gate to the weapons locker because it might inconvenience an engineer who needs to go down and change the lightbulb. How very Heinlein.
- So, Morris wrote this worm in C and it basically took advantage of all sorts of things in Unix including cracking/guessing passwords.
- First the worm scanned the hosts file and the rhosts file (these are convenient lists of other computers we trust or know about) and then tries to guess passwords (if those convenient unprotected services are not open). Now, this thing was supposedly an academic exercise (I tried the serum on myself) and it even had a kill switch built into it that would reputedly stop it from spreading to more complex systems. Oops. Ultimately, it infected a LOT of machines on the fledgling interweb. Got Morris arrested under the CFA and he got 400 hours of community service and a 10000 fine. In theory anyway, the worm term came from Scatha in Tolkien. Makes sense given the unix, nerds, engineers, all that. Honestly, people wrote things like this before Morris, but they never had the ability to spread. Was it intentional, well, maybe, but it's also believable at the time that Morris really didn't fathom how many machines were connected.
- So, what is worm exactly? A Worm is a computer program that can spread automatically via some mechanism to other connected computers. It may be harmless or it may be used to infect (usually) the systems with some sort of malware. Worms in and of themselves only take up resources so they have to have a "payload" to do any real harm but just the spread of the worm may cause an effective denial of service attack (like Morris). It doesn't even have to compromise (viz. the Ping of Death) if it gets the job done, but most modern worms have a purpose.
- So, all it really takes is some way to talk to and implement code on a remote machine from the local machine. So, this gets into a bit of talk about network segmentation. In 1988, most networks were considered "flat" and that persisted until the early 2000s. A flat network was made up of hubs instead of switches and as such, every machine saw every packet. So, imagine you want to send traffic via 23/tcp (telnet) and send a syn packet. In an old flat network, every machine in the network would have seen that syn request. Because, that network basically allowed full on communications with every device, a worm would have a lot of opportunity. But, Morris actually used a smart technique. He didn't broadcast for victims (that would be easier today) he just looked them up in the system list of other machines. Ouch. Today, as most devices can communicate or announce themselves, it's pretty easy to learn about the network unless it is filtering that type of thing.
- For instance, Server Messaging Block (SMB) is a service that allows Microsoft machines to create file shares. If you share a folder out on your local network segment, SMB is the protocol that handles that communication and connection. So, if I can guess your login, I could push something onto your system (Morris worm style). With modern systems, it's a lot harder to actually cause that code to execute as well so I still may have to do some more fancy compromises to get the worm to spread.
- So, let's talk about Slammer. Slammer was a tiny (376 bytes) worm from 2003 that again caused denial of service. It's really fast and spreads easily. In 2003, there were a lot more connected machines on the interweb and suddenly, we have a worm that can spread around the world in minutes. This one used an exploit in MS SQL Server to create a buffer overflow. The exploit had been patched but people didn't apply the patches. Basically, once it finds the UDP port (1434) open on a random IP, it tries the exploit. If you weren't patched, you got infected and the worm started spreading again. It really didn't do anything besides slow down the interweb and the servers that were infected but the real problem started because of routers crashing and subsequent router updates from dynamic routing protocols that occured. So, think OSPF re computing all the routes a LOT and you get the idea.
- So, some other famous worms (note these are just ones I dealt with, not meant to be an exhaustive list):
- Code Red (2001), Code Red II, and Nimda -- all exploited Microsoft systems connected to the interweb
- Beast (2002) was a backdoor written in Delphi (Pascal)
- Slammer (2003)
- Stuxnet (2010) I didn't have this but was most interested in it
- Duqu (2011) ditto
And then everything changed...
2013...Cryptolocker. it gets real. Cryptolocker was the first worm I saw that did something really bad to end users. I could really argue that it's NOT a worm but then again, it kind of is. Cryptolocker generated infected emails with a zip file attachment. These ideas had been seen plenty (nakedwife, et.al) but this one was different. It infected the registry on windows machines (you clicked it remember), it then reached out over the network to a server and downloaded a 2048 bit RSA key and proceeded to encrypt all your files that have office and other extensions.Once encrypted, it asks for payment in some cryptocurrency if you want the keys. Nasty. It also was also then weaponized using a botnet and other worm approaches to get it to spread more readily.
This led to true worm based ransomware we see today like Wannacry(2017) (based on the Eternal Blue exploit from our buddies at the NSA who got hacked by ShadowBrokers and had all their cool tools stolen (or did they? you know Scully, maybe the NSA hacked themselves and released these tools which contain even more subtle malware that we can't detect. You know, single packet type stuff that takes over the implants in our brains, so who really got hacked Scully? Who?)), Petya, and others.
Today's networks are much more sophisticated than the interweb of 1988. But this same thing means that unlike 1988, today there may be 50 billion (a low estimate most like) attached. Drone swarm, connected. Cam, connected. Ring Doorbell, connected. Car, connected. But, at the same time, today we segment our networks, have security, run pen tests, check our logs, monitor our traffic, right?
One thing that really helps is the segmentation that exists in modern networks. The fact that we have routers, firewalls, and other devices breaking up our internal networks helps prevent infection. Likewise, we tend to have anti malware running on even local devices (you have that right?) and often our firewalling can have the capability to look for these behaviors. BUT: zero days continue to occur. We need to be ever diligent to prevent these things and ultimately, the best intentions are undone by simply hacking the humans. I mean, if I can get you to open an email sent to everyone on the planet, I don't need a worm, you're the worm.
So, what to do. Patch, Secure, Monitor, Review, and Practice. Until we do these things and do them well, we will continue to be vulnerable to worm type attacks. As the connectivity becomes more dense, the risk of these things may grow. Look at Snow Crash, A worm that spreads to your brain. Oops.
Seriously, consider reading Snow Crash (Stephenson) and READ the War of the Worlds by HG Wells.