Anecdotal story about myself, worm writing and Emergent behavior in Worms

When I first started working with computers [I was about 13 & 1/2], I was really interested in figuring out how they ‘did what they did’. So much so that I was tinkering with assembler within 6 months of getting a computer, not that I accomplished much at that time. I didn’t have internet access, so my only ‘escape’ from the real world was delving deeper into the machine. I quickly developed programming skills and was becoming trapped by the limits imposed by QuickBasic (hey, we all learn somewhere :D ). I went back to looking at assembler since I knew I could encode byte code into the BASIC programs. After that I made some great mode 13 games and demos. Note: I tend to explain stories with stories! Please forgive the length of this.

A friend of mine, who was a year younger than me at the time, was talking about his new job. He was writing code for a local company. This is extremely odd, since I live in a town of about 2500 people. I took a disk of my programs and went there. He hired me on the spot, then introduced me to Pascal and loaned me a 200 MHz Pentium with 32 MB of RAM (a $4000 machine at that time; I think it also had 10 GB of SCSI disk space!).

Anyway, past the amazingly boring back story. After I had worked there off and on for about 4 years, I was starting to notice more and more security problems with the application. The application relied on code that was ported from DOS into Windows 95/98: the database access. He had written his own flat-file & index database scheme. This required that the user running the application ran it from a share over the network. Complicated file locking schemes allowed multiple users to access the data. Except for one holdover from the original DOS code: you had to share your entire drive. Yup, the whole thing, with full read/write access. The reason was convenience; there were several document folders and other things that the application accessed. Generally most people installed this program on their C drive, so 90% of the owners of this application were sharing their C drive out to people. Consider that although their market is small, they did have (and currently still do) more than 50% of it, at about 4500+ users.

When access to the internet became more pervasive and broadband was becoming affordable for companies, I realized we had a problem. And to illustrate this problem, I ‘exploited’ the security holes.
This was a simple worm, simple enough, I figured, to just show what issues we were facing and what we were forcing our customers to do. No one in the company ever listened to my suggestions of simple steps to mitigate the problem, such as making a couple of file shares: a read-only executable directory, a read/write data directory, and several other shares to allow access to the network documents and other things. To them this complicated things on the end user's side too much. Also, to do tech support, 90% of all the employees in the building shared their C drives and their program folders.
The worm used an old weakness in Win98 dealing with how explorer.exe was located via the path. When Windows started, it executed the shell as ‘explorer.exe’. And as you should know, to execute a program the OS searches the path. Explorer.exe was placed in the Windows folder. But it turns out that the computer had a default path of C:\;C:\WINDOWS; so C:\ was searched before C:\WINDOWS. If you were to place an explorer.exe into the C:\ folder... well, I’m sure you can see where this is going.

Once executed, my program would immediately execute the real explorer and then wait 2 minutes. After 2 minutes it would look for all computers on the network and find folders that matched the criteria of being a ‘root’ share (I believe I tested that a ‘Program Files’ directory and the WINDOWS\explorer.exe file were both present). Once a share was found, it attempted to copy itself to that share. After it had copied itself to ALL available shares, it would play a sound resource: the laugh of that Mutley dog character. It would wait one minute and laugh again, then 30 seconds, and laugh again.

Once I was done writing and testing the code, I unleashed it onto the local network. I left work that night not knowing how many computers I had infected in my first round.

When I came to work the next morning, all you could hear around the office was the sound of Mutley; you would hear that laugh at least 3 times once every half hour. There were about 50 computers in the office. The jig was up. The IT dept. had no clue what was going on, because Norton didn’t detect it. Honestly, they never had a clue.

After I figured my point was made, and nobody had figured out what was going on, I ran the program I wrote to ‘clean up’ the mess. It went around deleting explorer.exe files that matched the MD5 sum of the original release.
All is well, I thought. At least I thought it would be. Within about 3 hours, machines started laughing again. I ran my program and 20-ish infections were found; the first run had almost 100% saturation, as in, of all the machines I could see, most of them had the worm.
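The search-order trick described in the worm section above and the hash-matching cleanup described here, as an added example: this is not the post's worm or its cleanup program, and it is written as an audit-and-quarantine script, not a spreader. It assumes, which the post does not say, that each share is reachable as an ordinary directory path (a mapped drive or UNC path), that the operator supplies the hash of the planted file as an indicator, and it uses SHA-256 where the post's tool compared MD5 sums. The share trees it scans are constructed in a temporary directory so it runs offline. `audit_share` replays the C:\;C:\WINDOWS; lookup order inside a share, `is_root_share` applies the post's whole-drive test (a ‘Program Files’ directory plus WINDOWS\explorer.exe), and the `writable` flag records the read/write exposure the post argues should be split into a read-only executable share.

```python
# Added example (not the post's code): replay the Win98 shell's PATH lookup inside a
# share, flag a root-level explorer.exe that shadows WINDOWS\explorer.exe, and quarantine
# it by hash.  Sample share trees are constructed in a temp dir so this runs offline.
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

EXPLORER = "explorer.exe"
# Win98 default search order relative to the drive root: C:\ first, then C:\WINDOWS
DEFAULT_PATH_ORDER: Tuple[str, ...] = ("", "WINDOWS")
# Constructed stand-ins for file contents; neither is a real executable.
PLANTED_BYTES = b"MZ planted explorer stand-in (constructed)"
GENUINE_BYTES = b"MZ genuine explorer stand-in (constructed)"

def resolve_in_path(name: str, dirs: List[str],
                    exists: Callable[[str], bool] = os.path.isfile) -> Optional[str]:
    """First dirs[i]/name that exists, in PATH order, or None.  An earlier
    directory shadows a later one; that ordering is the whole trick."""
    for d in dirs:
        candidate = os.path.join(d, name)
        if exists(candidate):
            return candidate
    return None

def sha256_of(path: str) -> str:
    """SHA-256 of a file (assumption: used here in place of the post's MD5)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def is_root_share(share: str) -> bool:
    """The post's heuristic for a whole-drive share: a 'Program Files' directory
    and WINDOWS\\explorer.exe are both visible under the share root."""
    return (os.path.isdir(os.path.join(share, "Program Files"))
            and os.path.isfile(os.path.join(share, "WINDOWS", EXPLORER)))

@dataclass
class Finding:
    share: str
    root_share: bool            # whole-drive share per is_root_share
    writable: bool              # the exposure the post's split-share mitigation removes
    shadow_path: Optional[str]  # explorer.exe that beats WINDOWS\explorer.exe
    matches_known_bad: bool     # shadow file hash equals the operator's IOC

def audit_share(share: str, known_bad_sha256: str,
                path_order: Tuple[str, ...] = DEFAULT_PATH_ORDER) -> Finding:
    """Replay the shell's PATH lookup inside the share and flag a shadowing file."""
    dirs = [os.path.join(share, p) if p else share for p in path_order]
    winner = resolve_in_path(EXPLORER, dirs)
    genuine = os.path.join(share, "WINDOWS", EXPLORER)
    shadow, bad = None, False
    if winner is not None and os.path.normcase(winner) != os.path.normcase(genuine):
        shadow = winner
        bad = sha256_of(winner) == known_bad_sha256
    return Finding(share, is_root_share(share), os.access(share, os.W_OK), shadow, bad)

def clean_share(share: str, known_bad_sha256: str, quarantine_dir: str) -> Optional[str]:
    """Quarantine (rather than delete, as the post's tool did) a shadowing explorer.exe
    whose hash matches the IOC; WINDOWS\\explorer.exe is never touched."""
    f = audit_share(share, known_bad_sha256)
    if not f.matches_known_bad or f.shadow_path is None:
        return None
    os.makedirs(quarantine_dir, exist_ok=True)
    tag = hashlib.sha256(f.shadow_path.encode("utf-8")).hexdigest()[:12]
    dest = os.path.join(quarantine_dir, f"{tag}_{EXPLORER}.quarantined")
    shutil.move(f.shadow_path, dest)
    return dest

def build_sample_shares() -> Tuple[str, Dict[str, str], str]:
    """Constructed sample data: 'infected' is a root share with a planted explorer.exe
    at its root, 'clean' a root share without one, 'docs' an ordinary document share."""
    base = tempfile.mkdtemp(prefix="share-audit-")
    shares: Dict[str, str] = {}
    for name in ("infected", "clean"):
        s = os.path.join(base, name)
        os.makedirs(os.path.join(s, "Program Files"))
        os.makedirs(os.path.join(s, "WINDOWS"))
        with open(os.path.join(s, "WINDOWS", EXPLORER), "wb") as f:
            f.write(GENUINE_BYTES)
        shares[name] = s
    with open(os.path.join(shares["infected"], EXPLORER), "wb") as f:
        f.write(PLANTED_BYTES)
    shares["docs"] = os.path.join(base, "docs")
    os.makedirs(os.path.join(shares["docs"], "letters"))
    return base, shares, hashlib.sha256(PLANTED_BYTES).hexdigest()

if __name__ == "__main__":
    base, shares, ioc = build_sample_shares()
    for name, path in shares.items():
        print(name, audit_share(path, ioc))
    print("quarantined:", clean_share(shares["infected"], ioc, os.path.join(base, "quarantine")))
    shutil.rmtree(base)
```

Run as a script it prints one Finding per constructed share and then the quarantine path; against real mapped drives you would hand the mapped paths to `audit_share` and `clean_share` in place of `build_sample_shares`. A shadowing explorer.exe whose hash does not match the indicator is still reported as `shadow_path`, because a root-level shell binary is suspicious on its own. As the post goes on to show, one pass only covers the machines the scanning host can currently see, so the audit has to be repeated and compared over time rather than run once.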

After I ran it and deleted the files, I thought, phew, they're all gone. I ran it a second time just to make sure. Turns out, little did I know, that computers that are powered off tend not to communicate with the network.

When I arrived at work the next day, again computers were laughing, and I swear I was starting to go pale. I never expected this to be so amazingly pervasive. It seems logical that if you install it on all the computers that are visible on the network, and all of those machines install it on the computers visible to them, you’d just have to delete it from all the visible computers. Wrong! Well, sorta. It turns out that each computer that got the worm installed on it had a different notion of what constituted a visible computer. Also, a few people who ‘upped’ their security with passwords on their shares were actually harboring the worm from my cleanup program. The worm got installed on those computers through other people who had the passwords; somehow my worm would get access to those computers. My only conclusion at that point was that some people had mapped network drives to password-protected shares with saved passwords. This allowed the bug, because of Windows’ propensity to just do what is convenient, to install itself on those computers. I never verified this, so it could be wrong.

I realized what I had to do, and I talked to my manager. He laughed at me and said he thought it was annoying but mildly humorous. I told him I would stay after and go to each of the 50 computers in the office and delete it manually. He was really impressed by the emergent behavior of the worm, since he was actually working on some genetic algorithms in his free time.

I spent that evening cleaning up the worm. It took forever; I had to take the network switch offline, go to the few computers that were needed after hours and clean them first, then connect their cables back to the switch and get them up and running.

After I did that I figured now all would be good. Until the next Monday, that is. On Monday I got a report from the IT guys that one of the training laptops had been booted up and... was laughing. The trainers had been gone from mid-week over the weekend and had returned. They heard the laughing but didn’t know what it was nor how to fix it.

They didn’t even bother to call IT; they just ignored it whilst onsite. Not only that, they plugged the laptop into a customer's network.

I cleaned up the laptops, but they had already left their mark. Most of the computers on the network were reported infected by my tool, and by late afternoon it felt as if all of the machines were laughing at me.

I stayed yet again to fix all of the machines that were infected. This was starting to feel like a ritual. After this last time, it was over. The managers who knew about it hid that I had done it from those who would not be happy. Though most people knew I did it, the ‘man in charge’ did not, which was good, because I would probably have lost my job. So I never really got to prove my point; all I did was make a massive headache for myself. Not only did I not achieve my end goal; it seems that life always finds a way.

6 months after everything had died down and most had forgotten the whole ordeal, I was sitting at my computer desk, which had been moved across the prairie and right next to the IT room. From behind the doors, I heard a disturbing sound. A coworker who heard it at the same time looked straight at me, asked me if I had seen a ghost, and smiled. He knew why I was damn near pale white.

Turns out that while that whole mess was going on 6 months ago, one of our founder's children, who works as a missionary in Mexico, had taken a computer with him down to the missionary camp. Well, he came back. His computer was ‘messed up’ and they could not get it to boot. So they removed the hard drive, stuck it in another computer, and proceeded to boot it up. That action installed the worm all over again. Only this time we were up to 70+ computers, and it took me almost a week to fix it and remove the worm. After that it never came back.

Okay, this amazingly long-winded story has a few lessons learned. Number one: I don’t think anyone would write a virus/worm if they were the ones who would have to clean up after themselves. Second: I had never realized it, but emergent patterns start to form with the spread of this worm, or any worm; it almost seemed alive at times, and it was crazy to watch all of this unfold. Third: if you're going to write a worm, make sure it doesn’t advertise! Especially since any time I hear the Mutley laugh I cringe horribly. I was under the naive impression that the bug would never spread out of the local network. I couldn’t imagine how, since it infected the hard drive. I had never considered that we had laptops that went to customers' sites and then plugged into their networks. I don’t really know if the bug ever got out in the wild, but there were two incidents that could have made it possible. Though I’ve still never heard of w32.mutley ;)
Okay, for those of you who wish to scold me for creating devious programs, save your breath. I learned my lesson, in more ways than this, but we’ll just leave it at that.

Oh yeah, BTW, the whole point of the mess with the shares: well, they never changed a thing. In order to run that app you have to share your whole drive with read/write access. They do suggest using domains and passwords, but ANY user can change ANY file in the shared folder. So a worm that wants to spread could easily exploit a simple exe-swap trick to infect other computers on a network.

  • 10gigawatz

    10 GB of SCSI disk space is unlikely... at the time of the 200 MHz Pentium it might have been a few megabytes... like 100 MB…

  • foQ

    Man, that is funny. Metasploit to use this as a payload in the framework. It would be a great way to prove that you pwnd somebody’s computer!

  • http://networksecurity.typepad.com/ Juha-Matti

    Is it possible that the remarkably long Title field causes the bold tag to switch permanently on via the ‘Continue reading’ section (it uses bolded text automatically)? When reading blog entries separately there is no such effect.
    Prozacgod, can you try to shorten the title and then try to visit the address blogs.securiteam.com again?

  • http://prozacville.com Prozacgod

    10gigawatz – I might have been wrong about the size of the disks, but I do remember it was several gigs. And also I was talking to that same friend who introduced me to them. That computer wasn’t new; I think they were using PIIs at the time, so they might have put new hardware in it. Who knows, but yeah, you’re probably right.

    foQ – I always wondered why worm writers don’t employ more than the handful of attack vectors, and not the simple ones – look for open writable shares, swap yourself with an exe (requires no level of trust) – or an SMTP server to send your junk to. Hell, once you get the network browser code in there you can use the network to search for more emails.