Morris Internet Worm - does anyone know how they stopped it?
Yes, this is a homework-type question, but could you please help me out?

In a very short presentation on the topic of the Morris Internet Worm I am supposed to list the steps taken to stop the worm from spreading. My pp slides are now approaching their final state, but before I go and say that this or that is how they stopped the worm, I would like to check with you. I heard that the worm hit the news big time and caused quite a stir in the US at the time, so I was hoping to find a few people from the field of computing who could provide some info.

Basically, I keep finding in various reports and articles that the main weakness of the worm was the pleasequit variable, which was not initialised properly, and therefore it was sufficient to set this variable to -1 to stop the worm. Was this the final blow for the worm? Was this what effectively stopped it from spreading?

I found the following report, and others, mentioning the pleasequit var (taken from this website):

    The worm uses a variable called 'pleasequit' but doesn't correctly initialize it, so some folks added a module called _worm.o to the C library, which is produced from:

        int pleasequit = -1;

    The fact that this value is set to -1 will cause it to exit after one iteration.
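To make the quoted defence concrete, here is an added example that is not code from the question, from the report it quotes, or from the worm itself. It models the mechanism the report describes: the worm declared pleasequit without an initializer, so an initialized definition of the same name supplied from outside the worm (the reported _worm.o module in the C library) became the value the worm's loop saw. The loop body, the function names and the round limit are assumptions made for illustration; the real worm's loop structure is not on this page.

```c
#include <stdio.h>

/* Added example, not the worm's source.  Function names, the loop body and
 * the round limit are illustrative assumptions. */

/* "Worm" side: an uninitialized (tentative) definition, which is what the
 * report means by "doesn't correctly initialize it".  Compiled into its own
 * object file this is a common symbol, and the linker merges it with any
 * initialized definition of the same name it finds in another object or in
 * a library it links against. */
int pleasequit;

/* Simulated main loop.  Returns how many infection rounds actually ran
 * before the worm honoured pleasequit. */
int worm_main_loop(int max_rounds)
{
    int rounds = 0;

    while (rounds < max_rounds) {
        /* ... gather host names and try to infect them ... */
        rounds++;

        /* The flag is only consulted after a full round, so even a value
         * set before the loop starts still lets exactly one round run,
         * matching the report's "exit after one iteration". */
        if (pleasequit != 0)
            break;
    }
    return rounds;
}

/* Runs the loop as if pleasequit had been left at a given value, then
 * restores it, so the unpatched and patched cases can be compared. */
int rounds_with_flag(int flag_value, int max_rounds)
{
    int saved = pleasequit;
    int rounds;

    pleasequit = flag_value;
    rounds = worm_main_loop(max_rounds);
    pleasequit = saved;
    return rounds;
}

/* "Defence" side: the one-line definition the report says _worm.o was
 * built from.  Within a single file, C treats the earlier `int pleasequit;`
 * as a plain declaration once this definition appears.  Across object
 * files the same binding happens at link time, which is what dropping the
 * module into the C library relied on: the worm's own code is untouched,
 * but whenever it is linked against that library its uninitialized symbol
 * resolves to this -1 instead of the default zero. */
int pleasequit = -1;

int main(void)
{
    /* A tentative definition with no other definition is zero-initialized,
     * which is the value the unpatched worm ran with. */
    printf("unpatched (flag 0):           %d rounds\n", rounds_with_flag(0, 10));
    printf("with _worm.o definition (-1): %d rounds\n", worm_main_loop(10));
    return 0;
}
```

The point the example makes is that the fix worked by symbol resolution rather than by modifying the worm: any nonzero value would have stopped the loop, and -1 was simply the value chosen in the reported module.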
Comments (2)
The worm had several approaches to infecting new systems, including the sendmail and finger vulnerabilities, but also password guessing. (The sendmail vulnerability was not a code vulnerability, but a backdoor that could be enabled in the sendmail.cf file.) The original goal appears to have been a low, stealthy attack which ended up with the program running on many different servers without the owners realizing what was happening. The coding error wasn't the pleasequit variable, but the fact that the worm re-infected systems that even appeared to be already infected. This caused infected machines to get multiple infections and then to crash. Therefore, the answer that has been accepted as correct (by T.E.D.) is actually not correct, because the worm continued to infect systems that were uninfected.
What caused the infection to stop was that systems which were vulnerable were taken off the Internet. Unfortunately, many organizations at the time responded by cutting their Internet connections, which actually made it harder for them to find out what was going wrong and fix the situation.
It is also incorrect to say that the system could only infect "old Sun3 systems or Vaxen." At the time of the Worm it was infecting the state-of-the-art systems that were in use. The worm was particularly clever in that it carried machine-language exploits for two different architectures (Sun3 was 68K, Vax was its own architecture). The worm attacks the current versions of the operating systems---what we would call "0 Day" vulnerabilities today.
Morris had previously publicized one of the vulnerabilities that the worm exploited on a mailing list and people had pretty much ignored him, saying that the vulnerability was not significant. It appears that the worm was done as a publicity stunt to get people's attention on some important computer security problems. After the worm was released and got out of control it appears that he publicized information on how to stop it, but that information could not get out fast enough because the internet was clogged.
It used a vulnerability in older versions of sendmail, finger, and rsh (primarily sendmail though, IIRC). The fix was as simple as going out and getting yourself the latest versions of those servers.
What would have stopped the initial spread is precisely what stops the spread of human viruses: Lack of new uninfected vulnerable hosts reachable from the infected ones. It could only infect old Sun3 systems or Vaxen with one of the right versions of Unix (many if not most Vaxes at the time ran VMS instead) and unpatched versions of finger or sendmail or rsh servers.