views: 261 | answers: 2

Hi there,

yes, this is a homework-type question but could you please help me out?

In a very short presentation on the topic of Morris Internet Worm I am supposed to list the steps taken to stop the worm from spreading. My pp slides are now approaching the final state, but before I go and say that this or that is how they stopped the worm, I would like to check with you. I heard that the worm hit the news big time, and caused quite a lot of stir in the US at that time, so I was hoping to find a few people from the field of computing who could provide some info.

Basically, I keep finding in various reports and articles that the main weakness of the worm was the `pleasequit` variable, which was not initialised properly, and therefore it was sufficient to set this variable to -1 to stop the worm. Was this the final blow for the worm? Was this what effectively stopped it from spreading?

I found the following report, and others, that mention the `pleasequit` variable (taken from this website):

The worm uses a variable called 'pleasequit' but doesn't correctly initialize it, so some folks added a module called _worm.o to the C library, which is produced from:

int pleasequit = -1;

the fact that this value is set to -1 will cause it to exit after one iteration.

+5  A: 

It used a vulnerability in older versions of sendmail, finger, and rsh (primarily sendmail though, IIRC). The fix was as simple as going out and getting yourself the latest versions of those servers.

What would have stopped the initial spread is precisely what stops the spread of human viruses: Lack of new uninfected vulnerable hosts reachable from the infected ones. It could only infect old Sun3 systems or Vaxen with one of the right versions of Unix (many if not most Vaxes at the time ran VMS instead) and unpatched versions of finger or sendmail or rsh servers.

T.E.D.
Thanks for the post. In one of the reports I found that `By 5 a.m. Nov. 3, Berkeley had created a patch to stop it`. Does this mean they had patched these vulnerabilities in the three servers, or is this referring to something else? The `pleasequit` variable quick-fix hack?
Peter Perháč
You might wanna look at some of the resources linked at the bottom of the wiki page http://en.wikipedia.org/wiki/Morris_worm . If I had to guess, it would be that the patch recognized an attack and made itself unresponsive to the system on the other side in that case. One of those links might talk about it in detail though.
T.E.D.
I have been to each and every one of those and also others. And as I mentioned, I find this `pleasequit` variable mentioned in more than one place.
Peter Perháč
There was no single vulnerability. sendmail was the WIZ password. finger was a gets() instead of an fgets() (buffer overflow). There was no rsh vulnerability.
vy32
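The comment above describes the finger vulnerability as "a gets() instead of an fgets()". The following is an added example, not code from the original thread and not the historical fingerd source: it puts a gets()-style unbounded line reader beside an fgets()-style bounded one and runs both over a constructed over-long request so the difference in bytes written is measurable. The 512-byte buffer size, the 536-byte request length and the helper names (`unbounded_read_line`, `bounded_read_line`, `demo_unbounded`, `demo_bounded`) are assumptions for illustration; the input is plain 'A' characters, not the worm's payload. It uses POSIX `fmemopen` to feed the readers from memory.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Added example, not the thread's or fingerd's code. LINE_MAX_FINGERD
 * models a fixed-size line buffer; the request built below is constructed. */
#define LINE_MAX_FINGERD 512

/* gets()-style reader: copies up to newline/EOF with no bound at all.
 * The destination size is never consulted, which is the vulnerable pattern.
 * Returns the number of bytes stored, including the terminating NUL. */
size_t unbounded_read_line(FILE *in, char *buf)
{
    size_t n = 0;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        buf[n++] = (char)c;          /* no check against the destination size */
    buf[n++] = '\0';
    return n;
}

/* fgets()-style reader: stores at most size-1 characters plus NUL.
 * Returns bytes stored (including NUL); sets *truncated if the line did
 * not fit, in which case the remainder is still in the stream, not in memory
 * the caller does not own. */
size_t bounded_read_line(FILE *in, char *buf, size_t size, int *truncated)
{
    *truncated = 0;
    if (fgets(buf, (int)size, in) == NULL) {
        buf[0] = '\0';
        return 1;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n')
        buf[--len] = '\0';           /* strip the newline the line fit with */
    else if (len == size - 1)
        *truncated = 1;              /* filled the buffer without seeing '\n' */
    return len + 1;
}

/* Constructed request: total 'A' characters followed by a newline. */
static void make_request(char *out, size_t total)
{
    memset(out, 'A', total);
    out[total] = '\n';
    out[total + 1] = '\0';
}

/* Run the unbounded reader on a request of request_len bytes. The sink here
 * is deliberately larger than LINE_MAX_FINGERD so the demonstration itself
 * does not corrupt memory; the return value is what a gets() call would have
 * written into a 512-byte buffer. */
size_t demo_unbounded(size_t request_len)
{
    char request[2048];
    char sink[2048];
    make_request(request, request_len);
    FILE *in = fmemopen(request, strlen(request), "r");
    size_t written = unbounded_read_line(in, sink);
    fclose(in);
    return written;
}

/* Same request through the bounded reader into a real 512-byte buffer. */
size_t demo_bounded(size_t request_len, int *truncated)
{
    char request[2048];
    char line[LINE_MAX_FINGERD];
    make_request(request, request_len);
    FILE *in = fmemopen(request, strlen(request), "r");
    size_t written = bounded_read_line(in, line, sizeof line, truncated);
    fclose(in);
    return written;
}

int main(void)
{
    int trunc;
    size_t u = demo_unbounded(536);
    size_t b = demo_bounded(536, &trunc);
    printf("gets-style: %zu bytes for a %d-byte buffer (%zu past the end)\n",
           u, LINE_MAX_FINGERD, u - LINE_MAX_FINGERD);
    printf("fgets-style: %zu bytes, truncated=%d\n", b, trunc);
    return 0;
}
```

A 536-byte request makes the gets()-style reader store 537 bytes (536 characters plus the NUL), 25 past a 512-byte buffer; the fgets()-style reader stores exactly 512 and reports truncation, leaving the excess unread in the stream rather than written over whatever followed the buffer on the stack.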
+2  A: 

The worm had several approaches to infecting new systems, including the sendmail and finger vulnerabilities, but also password guessing. (The sendmail vulnerability was not a code vulnerability, but a backdoor that could be enabled in the sendmail.cf file.) The original goal appears to have been a low, stealthy attack which ended up with the program running on many different servers without the owners realizing what was happening. The coding error wasn't the pleasequit variable, but the fact that the worm re-infected even systems that appeared to be already infected. This caused infected machines to get multiple infections and then to crash.

Therefore, the answer that has been accepted as correct (by T.E.D.) is actually not correct, because the worm continued to infect systems that were uninfected.

What caused the infection to stop was that systems which were vulnerable were taken off the Internet. Unfortunately, many organizations at the time responded by cutting their Internet connections, which actually made it harder for them to find out what was going wrong and fix the situation.

It is also incorrect to say that the system could only infect "old Sun3 systems or Vaxen." At the time of the Worm it was infecting the state-of-the-art systems that were in use. The worm was particularly clever in that it carried machine-language exploits for two different architectures (Sun3 was 68K, Vax was its own architecture). The worm attacks the current versions of the operating systems---what we would call "0 Day" vulnerabilities today.

Morris had previously publicized one of the vulnerabilities that the worm exploited on a mailing list and people had pretty much ignored him, saying that the vulnerability was not significant. It appears that the worm was done as a publicity stunt to get people's attention on some important computer security problems. After the worm was released and got out of control it appears that he publicized information on how to stop it, but that information could not get out fast enough because the internet was clogged.

vy32