Histoire passionnante sur le Washington Post que celle de Robert Morris, 23 ans, diplômé de Harvard et étudiant à Cornell, créateur du premier ver informatique à s’être réellement propagé sur Internet. On y revit heure par heure, jour par jour la génèse et la propagation rapide du ver au travers du réseau mondial à l’époque (en 1988) composé de moins de 100000 machines, essentiellement dans des universités.
A worm is a computer program that spreads from computer to computer by exploiting security vulnerabilities in target machines. Once released, it operates without human assistance or control, scanning the Internet for new hosts to infect, attacking them and then launching a new copy of the software on the new host. While experimental worms had been developed in the past, Morris’s worm spread much further and faster than any previous worm.
Amusant de découvrir les astuces utilisées par Morris pour attaquer les machines tout comme les erreurs qu’il a pu commettre.
Forensic evidence would reveal that Morris started using Cornell computers to develop the worm around Oct. 15, 1988. The worm used several attacks to spread from computer to computer. One attack exploited a common Internet service known as “finger,” which was installed on most Unix machines.
Another attack took advantage of the fact that many users chose easy-to-guess passwords, such as their username spelled backwards or a common term from the dictionary. The worm obtained a computer’s password file, which contained encrypted copies of every user’s password. It then systematically guessed passwords using a dictionary of common words. If it discovered a user’s password, it attempted to use that user’s credentials to access other servers where that same user had an account.
On Oct. 20, Morris made the 300-mile trek to visit friends at Harvard, staying for two days. Upon his return, Morris added code to exploit a third security vulnerability. The code targeted a flaw in “sendmail,” a ubiquitous utility that, as its name suggests, was used to send e-mail. It seems likely that Morris learned about this vulnerability during his Harvard trip. Graham, the Harvard friend Morris would call the night he released the worm, e-mailed Morris on Oct. 26 to ask, “any news on the brilliant project?”
Morris wanted to avoid infecting the same machine multiple times, which could slow infected machines down and draw unwanted attention. But the most obvious way to do that — have an infected machine publicly signal its infected status to other copies of the worm — could itself aid efforts to detect and eradicate the worm. To solve this dilemma, Morris thought he would need to build a “global database” of infected computers. However, he admitted, doing that could prove “really hard.”
By the time he released the worm two weeks later, he had only made small steps toward implementing these ideas. He never created a command-and-control system that would have allowed him to send instructions to infected machines. The worms did have code designed to send a homing beacon to a particular computer at Berkeley, which could have been part of a planned command-and-control system. But, thanks to a programming error, even that subroutine didn’t work.
Morris did implement a mechanism designed to prevent multiple copies of the worm from running on the same computer. If two worms found themselves on the same machine, they would flip a virtual coin, and then the losing copy of the worm would commit electronic seppuku.
But Morris modified this scheme in a way that made it ineffective. One time out of seven, selected at random, the losing worm would make itself immortal rather than committing suicide. “This was probably done to defeat any attempt to put a fake worm process on the TCP port to kill existing worms,” Spafford wrote in his worm postmortem. But the move also undermined the original purpose of the self-destruct scheme: preventing multiple worms from infecting the same computer. As a result, on the morning of Nov. 3 the population of worms grew exponentially until computers’ resources were exhausted from running so many copies.
Même s’il n’a pas été écrit pour créer des dommages mais uniquement pour se propager, ce ver a valu à Morris la toute première condamnation pour violation du Computer Fraud and Abuse Act de 1986. Un mal pour un bien, c’est aussi cet événement qui est à l’origine de la création du CERT.
À lire absolument en totalité sur le site du WP: “How a grad student trying to build the first botnet brought the Internet to its knees”.