Paxton Sollars and Adam Schwartz
Professor Mathew Heath Van Horn
CI311
April 21, 2023

SEED Labs: Morris Worm Attack

The Morris worm is one of the internet's oldest worms, and it was the first to gain mainstream media attention. At first, it was only designed to be an exercise in penetration testing, but a flaw in the code turned the worm into a Denial-of-Service attack, exploiting vulnerabilities in the UNIX email service. In this lab, we were tasked with emulating a miniature internet, editing the worm to attack this internet, and releasing the worm onto the emulated internet.

The first step of this lab was to use Docker to create containers for hosts, servers, and routers on the emulated internet. The lab files included all the necessary files to create these containers, but we installed the Python package seedemu to get a visual version of the emulated internet. These files can be found at https://github.com/seed-labs/seed-emulator. After cloning this GitHub repository in Ubuntu, we ran the Python files nano-internet.py and mini-internet.py to create output files for the containers, allowing us to emulate each of these internets. The nano-internet is much smaller than the mini-internet, containing about 25 hosts, compared to around 200 hosts in the mini-internet. The nano-internet was used to test and edit the worm before releasing it onto the mini-internet. To get the map emulator, we composed the containers for the nano-internet, then composed the map, allowing us to access the map at https://localhost:8080/map.html.

Once the map was successfully emulated, we were able to move on to the next step of the lab, editing the worm file. The worm file, which is coded in Python, outputs a file called badfile, which is shellcode used to spread the worm to other hosts. Our job was to choose a host to attack, then edit the code to attack random IP addresses and release it onto the emulated internet.

To do this, we had to turn off address space layout randomization, using the command sudo /sbin/sysctl -w kernel.randomize_va_space=0. Afterwards, we chose an IP on the emulator and attacked it with the worm. After successfully attacking a single host with the worm, we edited the code to self-duplicate and attack random IP addresses within the parameters of the emulated internet, then re-released the worm onto the emulated internet. After success on the nano-internet, we released the finished version onto the mini-internet, attacking a larger network. Watching the emulated map, we could see which hosts had been attacked because each infected host would ping 1.2.3.4 every two seconds, which we saw with the filter icmp and dst 1.2.3.4.

Throughout this lab, we observed that virtual machine self-infliction was something to be wary of. Without protection against self-infliction, the worm would eventually crash the VM, because the containers would use up all our computer's resources as more hosts got infected. Secondly, while this worm is mostly outdated, some of its ideas have been used, such as in the WannaCry ransomware attack in 2017. The tie-ins to the class include the worm using a Denial-of-Service attack, which is an active attack. The second tie-in was how the worm used the kill chain, including reconnaissance, exploitation, and persistence of its attacks.

In summary, the SEED Labs Morris Worm Attack Lab is a valuable tool for gaining hands-on experience with computer security concepts and learning about the Morris worm attack. The lab provides a realistic simulation of the attack and helps students understand the vulnerabilities that were exploited. Overall, this lab is an effective way to improve cybersecurity education and increase awareness of the importance of strong security practices.
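
The infection indicator described above (an ICMP ping to 1.2.3.4 every two seconds) can also be checked offline from a capture instead of by watching the map. The following is an added example, not part of the lab files or our submitted code: it assumes `tcpdump -tt -n` style text lines, and the sample capture, host addresses, tolerance, and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

BEACON_DST = "1.2.3.4"  # marker address pinged by infected hosts (from the report)
PERIOD = 2.0            # seconds between pings (from the report)
TOLERANCE = 0.5         # assumed jitter allowance around PERIOD
MIN_PINGS = 3           # assumed minimum ping count before a host is flagged
MIN_RATIO = 0.8         # assumed share of gaps that must match PERIOD

# Matches: "<epoch> IP <src> > <dst>: ICMP echo request, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+(?:\.\d+){3}) > "
    r"(?P<dst>\d+(?:\.\d+){3}): ICMP echo request"
)

def find_infected(lines):
    """Return {src_ip: first_seen_ts} for hosts pinging BEACON_DST periodically."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group("dst") == BEACON_DST:
            seen[m.group("src")].append(float(m.group("ts")))
    infected = {}
    for src, stamps in seen.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        periodic = [g for g in gaps if abs(g - PERIOD) <= TOLERANCE]
        # Require enough pings and mostly regular spacing, so a single
        # stray ping to the marker address is not counted as an infection.
        if len(stamps) >= MIN_PINGS and len(periodic) >= MIN_RATIO * len(gaps):
            infected[src] = stamps[0]
    return infected

# Constructed sample capture (not taken from the lab run).
SAMPLE = """\
1682090000.100000 IP 10.151.0.71 > 1.2.3.4: ICMP echo request, id 7, seq 1, length 64
1682090001.000000 IP 10.152.0.72 > 10.151.0.71: ICMP echo request, id 9, seq 1, length 64
1682090002.110000 IP 10.151.0.71 > 1.2.3.4: ICMP echo request, id 7, seq 2, length 64
1682090003.500000 IP 10.153.0.73 > 1.2.3.4: ICMP echo request, id 3, seq 1, length 64
1682090004.090000 IP 10.151.0.71 > 1.2.3.4: ICMP echo request, id 7, seq 3, length 64
1682090005.490000 IP 10.153.0.73 > 1.2.3.4: ICMP echo request, id 3, seq 2, length 64
1682090007.510000 IP 10.153.0.73 > 1.2.3.4: ICMP echo request, id 3, seq 3, length 64
1682090009.000000 IP 10.154.0.74 > 1.2.3.4: ICMP echo request, id 5, seq 1, length 64
""".splitlines()

if __name__ == "__main__":
    hits = find_infected(SAMPLE)
    for host, first in sorted(hits.items(), key=lambda kv: kv[1]):
        print(f"{host} first beacon at {first:.2f}")
```

Sorting the result by first-seen time gives the order in which hosts were infected, which is useful for reconstructing how the worm spread across the emulated networks.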