Carpet (IT) to Concrete (OT) – The Evolution of Internet-Based Malware
November 2, 2018, marked the 30-year anniversary of the Morris Worm.
It seems the more things change, the more things stay the same. It’s a bit ironic that as more and more devices get connected to the Internet (~20 billion+ today versus ~60,000 in 1988), we are still susceptible to malware. What we probably didn’t quite understand or grasp back in 1988 is that, one day, we would need to worry about protecting Industrial Control Systems (ICS) from malware.
In 1988, Tripwire Founder Gene Kim was in high school working part-time at Sun Microsystems as a system administrator when the Morris Worm broke out on November 2. He witnessed first-hand the power of the Worm as part of the team that had to understand why their computing infrastructure was not operating as intended.
He had to determine what changed. The day before, everything was operating normally. Why were all of the computers becoming inoperable now? As you can imagine, trying to understand what happened and how to fix it became an intense passion for Gene. This passion led Gene to read Dr. Gene Spafford’s abstract on the Morris Worm, “The Internet Worm Program: An Analysis” (PDF).
This abstract inspired him to attend Purdue University. It was at Purdue that he eventually did an independent study project under the guidance of Dr. Spafford and fostered the seeds of what would one day become Tripwire, the company.
To help pay for school, Gene worked at the Purdue Computing Center as a system administrator. This is where he would work on his independent study project to prove that files could be compared by signatures: a hash is computed from each file’s contents, so files can be compared for changes without having to store a copy of the entire file.
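As an added illustration of the signature idea (example code, not Tripwire’s own), the block below hashes each file, keeps only the digests as a baseline, and rescans later to report what was added, removed or modified; the sample directory tree is constructed in a temporary folder.

```python
"""Baseline-and-compare file integrity check (added example, not Tripwire's code).

A file's signature is a hash of its contents, so the baseline holds only a
short fixed-size digest per path instead of a copy of each file."""
import hashlib
import tempfile
from pathlib import Path


def signature(data: bytes) -> str:
    """Return the hex SHA-256 digest used as the file's signature."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its signature."""
    return {
        p.relative_to(root).as_posix(): signature(p.read_bytes())
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report paths that were added, removed or modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in set(baseline) & set(current) if baseline[p] != current[p]
        ),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, change the tree, rescan and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"\x7fELF original binary\n")
        baseline = build_baseline(root)

        # Simulate the kinds of change an integrity monitor should notice.
        (root / "bin" / "login").write_bytes(b"\x7fELF replaced binary\n")  # modified
        (root / "etc" / "hosts").unlink()                                   # removed
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "job").write_bytes(b"@daily root /usr/bin/backup\n")  # added
        return compare(baseline, build_baseline(root))
```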
For months, Gene had been working on this project and used the computers in the computing center to help him catalog tons of files.
Unfortunately, the project took an unplanned turn after Gene made an undocumented, unauthorized change to a script he created for cataloging the files. It just so happened that his script caused the backup tape library at the computing center to completely run out of available backup tape. Gene’s small change to his script is what forced all of the files to be backed up to tape.
Needless to say, this was Gene’s last day of employment at the computing center.
However, over the next three semesters, he continued working on creating a solution that could help detect changes that could adversely affect systems, enabling administrators to quickly correct the changes to get the systems operational again.
On November 2, 1992, the fourth anniversary of the Morris Worm, Tripwire was released as an open-source intrusion detection tool for Unix, and in 1997 Gene founded Tripwire.
It’s been 30 years since the Morris Worm wreaked havoc on approximately 10 percent of the 60,000 servers then connected to the Internet. Given the malware’s central focus in Tripwire’s history, it’s worth taking a moment to look at the Worm, how it functioned, and how it has shaped the threat landscape today.
The Morris Worm – A Look Back
In November 1988, Robert Tappan Morris—then a graduate student at Cornell University—wanted to know how big the Internet was. Specifically, he wanted to know how many devices were connected to the web. He, therefore, decided to create a program to interact with each Internet-enabled computer and ask it to send a signal back.
Just like malware today, the Morris Worm took advantage of software vulnerabilities. In this case, it was vulnerabilities within BSD-derived versions of the Unix operating system. It was through these vulnerabilities that the malware was able to propagate itself without human intervention from system to system.
This is why it was labeled as a worm, even though many at the time called it a virus. To level set, a virus is a piece of code that needs another program to activate it, while a worm can run by itself and disseminate itself to other systems.
The Morris Worm worked so well that within 24 hours of its release, over 6,000 systems were impacted. The worm spread over the Internet and forced each system it infected to copy itself over and over again, thus consuming all available processing power, making the systems effectively useless.
After 72 hours, researchers at Purdue and Berkeley were able to halt the worm’s spread. While organizations worked to clean up their infected machines, federal prosecutors tried Morris under the new Computer Fraud and Abuse Act.
He ultimately received a sentence of three years’ probation and a fine of $10,000.
Fast-Forward 30 Years…
Today, the Morris worm continues to haunt the digital threat landscape not because of its own activity but because of what it inspired. On the one hand, malware has evolved into a more significant threat to match the Internet’s evolution.
Today, malware is growing more and more sophisticated, and critical infrastructure such as the electrical grid, water/wastewater plants, power generation facilities and transportation systems, to name a few, is increasingly at risk as more and more of its devices are connected to Ethernet-based networks.
We have seen malware such as WannaCry have a massive impact on discrete manufacturing plants, even though it never targeted them. We have also seen the next generation of malware target industrial control systems and speak industrial protocols (Industroyer/CrashOverride).
There is also malware that is now targeting safety instrumented systems (Triton). What’s next? Are we prepared?
We need solutions today in areas that we never thought would be connected to a network, to help us detect and correct cyber events that could negatively impact productivity, safety and quality.
The Tripwire team still exemplifies that same passion that Gene had back in the early 90s as we look to help provide visibility, protective controls and continuous monitoring solutions to industrial control environments.