Chapter 21 ■ Malicious Code and Application Attacks
Finger Vulnerability
Finger, a popular internet utility, allowed users to determine who was logged on to a remote system. Then-current versions of the Finger daemon (fingerd) read the incoming request with the unbounded gets() call, a buffer-overflow vulnerability that let the worm run its own code on the target and spread (see “Buffer Overflows” later in this chapter). The Finger service has since been removed from or disabled on most internet-connected systems.
Trust Relationships
After the worm infected a system, it analyzed any existing trust relationships with other systems on the network (for example, hosts named in /etc/hosts.equiv and in users’ .rhosts files) and attempted to spread itself to those systems through the trusted path, which allowed it to log in remotely without supplying a password.
This multipronged approach made the internet worm extremely dangerous. Fortunately, the (then-small) computer security community quickly put together a crack team of investigators who disarmed the worm and patched the affected systems. Their efforts were helped by several inefficient routines in the worm’s code: a flawed check for existing infections let multiple copies run on the same host, which slowed the infected machines, made the infection obvious, and limited the rate of its spread.
Because of the lack of experience among law enforcement authorities and the court system in dealing with computer crimes, along with a lack of relevant laws, Morris received only a slap on the wrist for his transgression. He was sentenced to three years’ probation, 400 hours of community service, and a $10,000 fine under the Computer Fraud and Abuse Act of 1986.
Ironically, Morris’s father, Robert Morris, was serving as chief scientist of the National Security Agency’s National Computer Security Center (NCSC) at the time of the incident.
Stuxnet
In mid-2010, a worm named Stuxnet surfaced on the internet. This highly sophisticated worm used a variety of advanced techniques to spread, including several previously undocumented (zero-day) vulnerabilities. Stuxnet used the following propagation techniques:
■ Searching for unprotected administrative shares on systems on the local network and copying itself to them
■ Exploiting a previously patched remote code execution vulnerability in the Windows Server service (the same flaw used by the Conficker worm) and a zero-day vulnerability in the Windows Print Spooler service
■ Connecting to systems running the Siemens WinCC SCADA software by using the hardcoded default password of its SQL Server database
■ Spreading by the use of shared infected USB drives, exploiting a zero-day flaw in how Windows parsed shortcut (.LNK) files so that the worm ran as soon as the drive’s contents were displayed
While Stuxnet spread from system to system with impunity, it was actually searching for a very specific type of system: one running Siemens Step 7 engineering software and connected to a Siemens programmable logic controller (PLC) of the kind allegedly used in the production of material for nuclear weapons. When it found such a system, it injected code into the PLC designed to destroy the uranium-enrichment centrifuges attached to the controller by periodically altering their rotation speed, while hiding its modifications from the engineering software so that operators saw nothing amiss.
Stuxnet appeared to begin its spread in the Middle East, specifically on systems located in Iran. It is alleged to have been designed by Western nations with the intent of disrupting an Iranian nuclear weapons program. According to a story in the New York Times, a facility in Israel contained equipment used to test the worm. The story stated, “Israel has spun nuclear centrifuges nearly identical to Iran’s” and went on to say that “the operations there, as well as related efforts in the United States, are . . . clues that the virus was designed as an American-Israeli project to sabotage the Iranian program.”
If these allegations are true, Stuxnet marks two major evolutions in the world of malicious code: the use of a worm to cause major physical damage to a facility and the use of malicious code in warfare between nations.