The Morris Worm: Internet malware turns 25

Summary: 25 years ago this Saturday, November 2, 1988, much of the Internet - still very small at the time - crashed. The cause was a selfish experiment, turned Frankenstein monster, instigated by a graduate student at Cornell named Robert Morris.

On Wednesday, November 2, 1988 the Internet was still young, small and dominated by academics and engineers. It was all very collegial, and there wasn't much in the way of security work, even if the topic existed in theory.

Robert Morris. Image shared by Trevor Blackwell.

Robert Tappan Morris, then a graduate student at Cornell, wasn't trying to "attack" other computers when he unleashed the first great incidence of malware, known thereafter as the Morris Worm, on the Internet. It changed everything.

The worm had no 'payload,' as we would say today. Its point was simply to propagate. A contemporaneously written technical description of the worm makes clear that Morris went to some trouble to get his program running on other people's systems, that it tried to do so with stealth, and that it used the then-novel technique of a stack buffer overflow to get itself running.
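The stack buffer overflow the article mentions, shown as an added illustration rather than code from the article or from the worm itself: the unbounded copy of a network line into a fixed-size stack buffer that the 1988 technique abused, beside the bounded replacement a daemon should use. The buffer size (LINE_MAX_LEN), the handler names and the inputs are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed for the example: a small fixed-size stack buffer. */
#define LINE_MAX_LEN 64

/* The 1988 pattern: a caller-supplied line lands in a fixed stack buffer with
 * no length check. Input longer than the buffer runs past the end of 'line'
 * and overwrites whatever sits above it on the stack, including the saved
 * return address; that is the defect the worm exploited. Kept here only to
 * show the shape of the bug; nothing below calls it with untrusted input. */
void handle_request_unsafe(const char *input)
{
    char line[LINE_MAX_LEN];
    strcpy(line, input);   /* unbounded copy: the overflow happens on this line */
    (void)line;            /* a real daemon would go on to parse 'line' */
}

/* Hardened form: copy at most dst_size-1 bytes, always NUL-terminate, and
 * report whether the whole input fit. */
bool copy_line_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len;

    if (dst == NULL || src == NULL || dst_size == 0)
        return false;
    len = strlen(src);
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);   /* keep a prefix (useful for logging) */
        dst[dst_size - 1] = '\0';
        return false;                     /* but report the truncation */
    }
    memcpy(dst, src, len + 1);            /* fits, terminator included */
    return true;
}

/* Handler built on the bounded copy. Returns 1 when the line was accepted and
 * 0 when it was refused as oversized: a too-long line is a protocol error to
 * reject, not something to process after silently truncating it. */
int handle_request_safe(const char *input)
{
    char line[LINE_MAX_LEN];

    if (!copy_line_bounded(line, sizeof line, input))
        return 0;
    /* a real service would parse and answer 'line' here */
    return 1;
}

/* Constructed test input: a line of n 'A's (n capped at the static buffer). */
const char *constructed_line(size_t n)
{
    static char buf[3 * LINE_MAX_LEN];

    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    printf("63-byte line accepted:  %d\n", handle_request_safe(constructed_line(LINE_MAX_LEN - 1)));
    printf("64-byte line accepted:  %d\n", handle_request_safe(constructed_line(LINE_MAX_LEN)));
    printf("191-byte line accepted: %d\n", handle_request_safe(constructed_line(3 * LINE_MAX_LEN)));
    return 0;
}
```

The boundary matters: a 63-byte line plus its terminator fills the 64-byte buffer exactly and is accepted, while a 64-byte line is refused rather than being copied one byte past the end, which is precisely where the unsafe version starts corrupting the stack.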

One method it used to attempt access was to log in using what we would now call a dictionary attack; that is, it had an embedded list of "popular" passwords. Morris was based at Cornell, but he started the worm going from a computer at MIT to attempt to hide its source. The code also attempts to thwart one possible mechanism of stopping it. All this demonstrates that even if there is no payload, Morris clearly knew he was breaking surreptitiously into other people's computers whether they liked it or not. There's no way Morris was young and inexperienced enough to misunderstand that what he was doing was wrong.

The source code also shows that Morris attempted to keep the spread of the worm under control, but he was more confident in his code than he should have been. Bugs in the code caused it to crash many systems, basically all SunOS systems, and to execute more than once on many other systems, devouring system resources.

Hacking skills were of high value as administrators attempted to recover from the Morris Worm attacks. To quote the technical description I linked to above:

Initially, the fastest defense against the worm is to create a directory called /usr/tmp/sh. The script that creates /usr/tmp/sh from one of the .o files checks to see if /usr/tmp/sh exists, but not to see if it's a directory. This fix is known as 'the condom'.
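What the 'condom' relied on, as an added example that is not code from the article or from the quoted write-up: the script asked only whether something existed at /usr/tmp/sh, so a directory at that path satisfied the check and stopped the script, even though a directory is not the file it meant to create. The functions below (existence_only_check_is_free, apply_condom, condom_in_place, demo_condom) are constructed for illustration, and the demonstration runs in a private temporary directory rather than in /usr/tmp.

```c
#define _XOPEN_SOURCE 700
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The check the quoted description attributes to the worm's script:
 * "does anything exist at this path?" Returns true when the path is free,
 * i.e. when the script would have gone ahead and created its file. A
 * directory, a plain file or anything else there all make it return false. */
bool existence_only_check_is_free(const char *path)
{
    return access(path, F_OK) != 0;
}

/* The defender's fix: put a directory where the script expects to create a
 * file. mkdir() refuses if anything already exists there, which is reported
 * so an operator notices a pre-existing file or directory instead of
 * assuming the fix is in place. Returns 0 on success, -1 on failure. */
int apply_condom(const char *path)
{
    if (mkdir(path, 0755) != 0) {
        perror("mkdir");
        return -1;
    }
    return 0;
}

/* The verification an operator wants after applying the fix: the write-up
 * calls for a directory specifically, so check the type, not just existence. */
bool condom_in_place(const char *path)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return false;
    return S_ISDIR(st.st_mode);
}

/* Self-contained demonstration in a fresh temp directory (constructed; the
 * real path on a 1988 system was /usr/tmp/sh). Returns true when the
 * directory both defeats the existence-only check and passes condom_in_place(). */
bool demo_condom(void)
{
    char root[] = "/tmp/condom-demo-XXXXXX";
    char path[256];
    bool blocked, verified;

    if (mkdtemp(root) == NULL)
        return false;
    snprintf(path, sizeof path, "%s/sh", root);

    if (!existence_only_check_is_free(path)) {   /* nothing there yet */
        rmdir(root);
        return false;
    }
    if (apply_condom(path) != 0) {
        rmdir(root);
        return false;
    }

    blocked = !existence_only_check_is_free(path);   /* the script's check now says "exists" */
    verified = condom_in_place(path);                /* and it really is a directory */

    rmdir(path);
    rmdir(root);
    return blocked && verified;
}

int main(void)
{
    printf("condom blocks the existence-only check and verifies as a directory: %s\n",
           demo_condom() ? "yes" : "no");
    return 0;
}
```

The caveat a practitioner should take from this is that the fix works only because the script's check was sloppy; it is a stopgap that buys time for patching the services the worm entered through, not a protection in its own right.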

Everyone realized at the time that computer security was no longer just theory, but something that needed to be taken seriously. That doesn't mean that people actually went to the trouble of taking it seriously, just that it couldn't be dismissed as science fiction anymore. DARPA created the CERT/CC (CERT Coordination Center) at Carnegie Mellon University to deal with such incidents in the future. They're still in business, as are CERTs all over the world. US-CERT calls itself the Computer Emergency Readiness Team now, which I guess is meant to sound more proactive. In 2003 the Department of Homeland Security created US-CERT, "...a coordination point for prevention, protection, and response to cyber attacks across the Internet."

A disk containing the complete source code to the Morris Worm. Image shared via Creative Commons by the Computer History Museum, Boston

How many systems were affected by the Morris Worm? There's a number that is still thrown about, that 6,000 of the 60,000 host systems on the Internet were affected. Morris's friend and colleague Paul Graham writes that the number was just someone's wild guess, and that he was there when it happened. The problem is that the solution to the worm was to reboot systems, and this deleted all traces of it. Nobody knew at the time how many hosts were on the Internet or how many were affected. Suffice it to say that it was big enough that everyone on the Internet knew about it, but then again the Internet was a small place at the time.

Morris, now a tenured Professor in the Parallel and Distributed Operating Systems (PDOS) Group of the Computer Science and Artificial Intelligence Laboratory (CSAIL) at MIT, was the first person convicted under the fairly new Computer Fraud and Abuse Act and sentenced to three years' probation and a fine. An appeals court confirmed that his lack of intent to cause harm was irrelevant, and that what mattered was his intent to access other computers without authorization.

If Morris hadn't launched his eponymous worm, someone else would have done something similar, perhaps with genuine malicious intent. Given that he was still basically a kid and didn't intend harm, his punishment was probably appropriate. It doesn't seem to have hurt his career.

  • I'm guessing...

    ...that Dr. Morris has spent at least some of the last 25 years thinking very hard about network security. I'm glad he was still able to have a career in computers despite the conviction.

    We all do dumb things when we're young (or even not so young). The key to growing up is learning from them.
    John L. Ries
    • totally

      I completely agree. It would be a stupid waste to hold him back because of it. I think the punishment in this case was spot-on. It caused damage so a fine seems appropriate, and probation is modestly humiliating and a constant reminder of his status. Something like this would probably be dealt with much more harshly now.
      I know somebody who, as a teenager, wargamed his way into and crashed a very large Defense Department ... let's call it a resource. The FBI eventually caught up to him and he went through pretty much what Morris went through. In fact, I believe he eventually got his record expunged.
  • Was the first worm based on TCP/IP...

    But there was an earlier one - that took down the entire DECNet - world wide. Twice.

    A NCP command file that was attempting to map their internal network - it would list each node known to the local node, then forward itself to each one.

    Unfortunately, the coder didn't realize it could not stop - it would also forward itself back to the source... and to every node the next node knew... thus multiplying and not able to be stopped. The only cure was to take the entire network down (thus stopping the propagation), then deleting the file from each node manually, and disabling the forwarding capability. That last step didn't happen until the second occurrence... Turned out the version of NCP running on RSTS-E systems wasn't compatible, but somebody recognized it - and tried it out. After the second occurrence, forwarding was disabled, AND every node (both VAX and not...) was purged.

    Took several months to clean up.
    • "on the Internet"

      I had heard of this, which is why I wrote "on the Internet." But you obviously know a lot more about it than I do. I read somewhere that Morris had done an internship at DEC, so perhaps he was inspired by this worm. Kind of makes it all the more irresponsible.
  • But could he hack the Gibson!

    See what I did there? I made the crappiest movie ever made, relevant in a conversation.
  • Let's not forget ...

    That the first computer worm was developed by Xerox not for malevolent purposes. They were running about 100 stations on a network and they developed it so that it would check if a computer was doing anything useful (i.e., if a user was running a program) and if not it would start a program. The idea was to make maximum use of available network resources. When a user wanted to use a machine that was running a worm program he would simply reboot.
    • I remember reading that paper

      They were inspired by the novel "Shockwave Rider" by John Brunner.
  • morris' objective

    if i remember rightly morris' objective was to 'count the computers on the internet'. to do it he sent out his worm wanting to get info back from every computer on the net...

    ...wanting to get info back from other computers remains a critical motive for hackers, and an arrogant one as well. which underscores the need to set your computer so that it does not accept un-authorized updates.

    if you've been reading up on the topic you know ssl, or x.509 is not good enough. you need to be involved: take control of what is allowed to update on your machine. if you do not do this you are toast.
    • I've heard that too

      The problem is that it doesn't do any counting, it just propagates.
    • re: Morris' objective

      The problem with that excuse is that if you're not looking to cause trouble, you don't look over your shoulder and go out of the way to hide what you're doing.

      I think the most important takeaway is what was mentioned in the article:

      Everyone realized at the time that computer security was no longer just theory, but something that needed to be taken seriously, but that doesn't mean that people actually went to the trouble of taking it seriously.

      And we haven't. Buffer overflows have propagated since then, causing billions of dollars in damages over the last couple decades. If people took computer security seriously, the C language would have been dead before 1983!

      As one of my coworkers likes to say, Dennis Ritchie's true legacy to the world is the buffer overflow. In any sane world, it would be considered an act of criminal negligence today to write any network-facing software or other software with security requirements--such as an OS or a web browser--in C or its descendants.
  • Mainframe "worm" created by accident in 1960's

    Back in the 1960's the teacher in a non-computer course wrote on the blackboard the source code in FORTRAN for a simple problem solution. He had run the program a year or so earlier, and it had a main program that called a subroutine named MAIN, which then called a few other subroutines. To give the students some familiarity with the processes for running their work, he asked the students to write it down verbatim and run it (by submitting punch cards) on the mainframe computer. Unknown to him, a new version of the FORTRAN compiler was in use, which actually NAMED the main program MAIN (the earlier one left the main program unnamed). The main program called itself recursively, using up some of the operating system's control block memory with each call, bringing down the entire operating system. When students failed to get a printout, they resubmitted their card decks several times ... EVERY student in his class!

    Nobody got in trouble since it was his and his students' honest mistakes, but soon IBM patched the operating system so that each job had a rationed share of control block space, and a job that exceeded its share was cancelled with an error message and a dump by the operating system (I believe it was either OS/360 MFT or OS/360 MVT at the time).

    This may have been the first "worm" propagated by chalk-blackboard-pen-notes-keypunch.