[TUHS] Happy birthday, Morris Worm!

Dave Horsfall dave at horsfall.org
Sat Nov 4 11:15:37 AEST 2017


Well, that sure stirred up a hornet's nest; then again, I've been a 
stirrer for most of my 65 years (just ask anyone who knows me, including 
WKT), so I guess I should've expected it...

There are far too many responses to deal with individually (it will only 
go exponential) so I'll make this my final post, and then it can continue 
off-list if people insist; if Warren has shut down the topic then I 
haven't noticed it yet, but at least I can see it's an active topic going 
by the "TUHS" tag (and thanks again Warren for reinstating that).

First, apologies I guess to anyone who was offended, but I've never balked 
at kicking the odd sacred cow now and then.

I would've dismissed RTM's effort as an "oopsie" that we all make from 
time to time, except for the following extract from the Morris Worm page:

https://en.wikipedia.org/wiki/Morris_worm

``The critical error that transformed the worm from a potentially harmless
   intellectual exercise into a virulent denial of service attack was in the
   spreading mechanism. The worm could have determined whether to invade a
   new computer by asking whether there was already a copy running. But just
   doing this would have made it trivially easy to stop, as administrators
   could just run a process that would answer "yes" when asked whether there
   was already a copy, and the worm would stay away. The defense against this
   was inspired by Michael Rabin's mantra "Randomization". To compensate for
   this possibility, Morris directed the worm to copy itself even if the
   response is "yes" 1 out of 7 times. This level of replication proved
   excessive, and the worm spread rapidly, infecting some computers multiple
   times. Rabin said that Morris "should have tried it on a simulator
   first".''

The (reconstructed) source code, easily found in a few seconds, shows just 
that i.e. it was *designed* to avoid any attempts to suppress it; a simple 
statistical analysis shows that it would become uncontrollable even within 
a small cluster (I can provide it upon request, in case anyone doubts my 
admittedly-rusty statistical skills).

The first thing any binary did was to unlink itself, thereby making 
detection difficult.

It forks a lot to change the process ID, thereby making it difficult to 
kill.

It encrypts all the strings (a simple XOR with 0x81), thereby disguising 
it.

In short, although I doubt whether there was malicious intent, if I were 
to write something to bring down the Internet then I would start along 
those lines.

No doubt his goal was laudable (estimating the number of hosts) but there 
are weirdos like me who prefer not to be "counted" (even my census returns 
are illegally anonymous, by not providing a real name, no birth date but 
age is OK, no street address but suburb is OK; I don't care who knows that 
I'm an atheist as until now we were lumped in as "other"); I regularly 
fend off such probing attempts in my firewall (ACK scans, FIN scans, etc).

So, was RTM an idiot or not?  You be the judge.

-- 
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."


More information about the TUHS mailing list