
Cracking Passwords


The routine cracksome was called to break into user accounts that had weak or guessable passwords. Cracksome was Morris's actual name for the routine. The fact that the routine had such a self-descriptive name is one piece of evidence in the argument that the Worm "escaped" before it had been completely finished. The cracksome routine is divided into four subsections, each of which is called in sequence.

Phase 0

This phase was really just the initialization portion of the code, and its loop ran only once. It had several tasks to perform, generally centered around finding other machines to attack.

1. The Worm read through the file /etc/hosts.equiv, if it was present. This was done on the assumption that, if an account could be broken into on this machine, it could probably be broken into on the machines listed in this file as well, since hosts.equiv names the hosts that this machine trusts. Machines found this way got a special tag in the structure the Worm used to hold such data.
2. The Worm then read through the file /.rhosts, searching for other machines to break into at a later time.
3. The Worm then read in the file /etc/passwd. This file was usually world-readable and contained a list of all the users authorized to use the machine, along with their encrypted passwords. Having the password hashes readable by anyone on the system was one of the major security holes that the Worm took advantage of.
4. The Worm then used the /etc/passwd file to locate personal .forward files (used to forward mail to other machines) in order to get the names of additional machines to attack.

Once these tasks have been completed, the Worm passes on to Phase 1.
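The three exposures Phase 0 relied on (password hashes in a world-readable /etc/passwd, permissive trust entries in hosts.equiv or .rhosts, and remote hosts named in .forward files) are all things an administrator can check for. The following Python audit helper is an added example written for this page; it is not code from the page or from the Worm, and every sample file shown is constructed (no real hosts, accounts or hashes). It parses the classic colon-separated passwd format and the whitespace-separated trust-file format, and treats "+" in a trust file as a wildcard grant.

```python
"""Audit helper for the 1988-era exposures Phase 0 of cracksome depended on.

Added example for this page; not the Worm's code. All sample contents are
constructed for the example and name no real hosts, users or hashes.
"""
import re
from typing import Dict, List

# --- constructed sample files --------------------------------------------
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
alice:ab3FGh1jKlmNo:1001:100:Alice:/home/alice:/bin/sh
bob:*:1002:100:Bob:/home/bob:/bin/sh
guest::1003:100:Guest:/home/guest:/bin/sh
broken:line
"""

SAMPLE_HOSTS_EQUIV = """# constructed hosts.equiv
hostA.example.test
+
hostB.example.test +
-hostC.example.test
"""

SAMPLE_FORWARD = """\\alice, alice@mailhost.example.test
"""


def audit_passwd(text: str) -> Dict[str, List[str]]:
    """Classify each passwd entry by what its password field exposes.

    hash_exposed: a real hash sits in the world-readable file (the hole
                  Phase 0 used; on a modern system it belongs in /etc/shadow)
    no_password:  empty field, the account logs in without a password
    shadowed:     'x' placeholder, the hash is stored elsewhere
    locked:       '*' or '!' prefix, no password login is possible
    """
    result: Dict[str, List[str]] = {
        "hash_exposed": [], "no_password": [], "shadowed": [], "locked": []}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; a real audit would report it
        user, pw = fields[0], fields[1]
        if pw == "":
            result["no_password"].append(user)
        elif pw == "x":
            result["shadowed"].append(user)
        elif pw.startswith(("*", "!")):
            result["locked"].append(user)
        else:
            result["hash_exposed"].append(user)
    return result


def audit_trust_file(text: str) -> List[Dict[str, object]]:
    """List the trust grants in a hosts.equiv or .rhosts file.

    Each positive line names a host (and optionally a user) allowed in
    without a password. A '+' in either position is a wildcard; lines
    starting with '-' are explicit denials and grant nothing.
    """
    grants = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line or line.startswith("-"):
            continue
        parts = line.split()
        host = parts[0]
        user = parts[1] if len(parts) > 1 else None
        grants.append({"host": host, "user": user,
                       "wildcard": host == "+" or user == "+"})
    return grants


def remote_forward_hosts(text: str) -> List[str]:
    """Return remote hosts named by user@host entries in a .forward file."""
    hosts = []
    for raw in text.splitlines():
        for addr in re.split(r"[,\s]+", raw.strip()):
            m = re.fullmatch(r'[^@\s\\|"]+@([\w.-]+)', addr)
            if m:
                hosts.append(m.group(1))
    return hosts


if __name__ == "__main__":
    print("passwd:", audit_passwd(SAMPLE_PASSWD))
    for g in audit_trust_file(SAMPLE_HOSTS_EQUIV):
        flag = "WILDCARD " if g["wildcard"] else ""
        print(f"hosts.equiv: {flag}host={g['host']} user={g['user']}")
    print(".forward remote hosts:", remote_forward_hosts(SAMPLE_FORWARD))
```

On the sample data the audit reports one account with its hash exposed in passwd and one with no password at all, two wildcard trust grants (the bare "+" line and the "host +" line), and one remote mail host learned from the .forward file. Run against real files, the same three checks show exactly what Phase 0 would have been able to harvest from the machine.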

