Opening a can of worms

Long before virus outbreaks like NakedWife, Kournikova, Melissa and ILOVEYOU, there was the infamous Morris Worm. Read this 6-page feature on one of the most dangerous worms ever to invade the Internet.

A rogue program called Morris infected 10 percent of the Internet in 1988. Could such an outbreak happen again?


Within this story, you'll find these pages:
  1. The history of the Morris worm
  2. How the worm was designed
  3. Damage the worm caused
  4. How the worm spread
  5. Could it happen again?
  6. So what happened to Morris?

It's one of the biggest Internet disasters of all time, yet many of today's technology consultants don't remember the online carnage.

Flashback to Nov. 2, 1988. The Los Angeles Dodgers had just won the World Series, Ronald Reagan was about to exit the White House, and a shy programmer named Robert T. Morris was set to unleash a digital plague that infected 10 percent of the Net.

Those closest to the case say Morris' story should be required reading for aspiring security consultants, e-business partners and systems integrators alike. The Morris case involved a 99-line program written to infiltrate Digital VAX and Sun 3 systems. The so-called worm didn't contain any malicious code. Instead, Morris simply wanted to prove that he could use programs like sendmail to propagate a worm across the Internet.

Bad Code
But when Morris released the program on the Internet, a design flaw caused the worm to reproduce faster than a jackrabbit. It quickly penetrated 10 percent of the Internet and bogged down thousands of systems. Dozens of major colleges, government facilities and research centers fell victim to Morris' rogue code. The casualties included Lawrence Livermore Labs, UC Berkeley, UC San Diego, Stanford University and dozens of other sites.

"Back then, there was no Web, and the Internet was largely academically driven," says Keith Bostic, who fought the worm at UC Berkeley. "The universities ran the big sites, and those were the sites that the worm hit hardest."

Adds Peter Yee, another UC Berkeley veteran: "I was at school that night, and we noticed the computers were all getting slower and slower. The worm crawled into a machine and then tried to get into other machines. It kept on re-infecting machines that were already infected."

In the days before Internet commerce and global e-mail, the Morris Worm cleanup effort cost anywhere between $200 and $53,000 per site, according to court documents. In today's world of interconnected sites, the clean-up costs for a similar outbreak could be astronomical.

Repeat offender
Could a plague like the Morris Worm infect 10 percent—or more—of today's Internet? It depends upon whom you ask. Some security experts say today's Internet is too heterogeneous for a single worm to infiltrate so many different platforms. But Global Integrity cyber law expert Mark Rasch—the attorney who prosecuted the Morris case—says the Net is just as vulnerable today as it was in 1988.

Morris, now working at MIT's Lab for Computer Sciences, declined comment for this article. But interviews with programmers who fought the worm, as well as court documents and Internet archives, paint a vivid picture of the disaster and the man behind it all.

Good Kid, Bad Move
Morris didn't set out to become a cyberpunk. And it's certainly unfair to lump Morris in with former dark-side hackers like Justin Tanner Petersen or media hounds like Kim Schmitz.

Morris' defenders say the worm incident was merely a complicated software experiment gone bad. "Rob was a curious guy who accidentally opened a Pandora's box," says a friend of Morris, who requested anonymity.

At the time of the worm incident, Morris was a first-year graduate student in Cornell University's computer science Ph.D. program. Morris wrote the worm in October 1988 and released it onto the Internet on Nov. 2 of that year. The worm infiltrated systems through holes in sendmail and the finger daemon, among other things. Its first target was a VAX server at MIT's Artificial Intelligence Lab. Morris selected MIT's systems to disguise the fact that the worm came from Cornell, according to court documents.

Morris designed the worm to ask Sun-3 and VAX systems whether they already had a local copy of the worm. The worm would skip systems that replied "yes." In theory, this would prevent the worm from copying itself endlessly and bogging down the Internet.

However, Morris was concerned that systems administrators would block the worm by programming their computers to falsely respond "yes." To beat that potential defensive measure, Morris programmed the worm to duplicate itself every seventh time it received a "yes" response, according to court documents.

Big mistake
Morris' seven-to-one ratio turned out to be a fatal design flaw. The ratio wasn't high enough to slow the program's reproduction. The worm quickly spread from systems on the East Coast to the West Coast, and the Internet's first disaster was under way.
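To see why the one-in-seven override defeats the duplicate check, here is a small simulation (an added example, not code from the article or from the worm itself) of the rule the court documents describe: each copy probes one random host per round, infects it if it is clean, and on every seventh "yes" answer installs a duplicate anyway. The host count, round count and the random-target model are constructed assumptions; the point is that honouring "yes" caps the copies at one per host, while the override makes the copy count, and so the CPU load, grow without bound.

```python
"""Toy model of the Morris worm's re-infection rule (constructed example)."""
import random
from typing import Optional


def simulate(num_hosts: int, rounds: int, reinfect_every: Optional[int] = 7,
             seed: int = 1) -> list:
    """Return the total number of running worm copies after each round.

    reinfect_every=7 models the rule in the article: a copy told "yes, already
    infected" installs a duplicate anyway on every 7th such answer.
    reinfect_every=None models a worm that always honours the "yes" answer.
    """
    rng = random.Random(seed)        # fixed seed so runs are reproducible
    infected = {0}                   # host ids carrying at least one copy
    copies = [[0, 0]]                # [host_id, yes_answers_seen] per copy
    history = []
    for _ in range(rounds):
        spawned = []
        for copy in copies:
            target = rng.randrange(num_hosts)   # assumption: uniform target choice
            if target not in infected:          # clean host: always infect it
                infected.add(target)
                spawned.append([target, 0])
            else:                               # host answers "yes": count it
                copy[1] += 1
                if reinfect_every and copy[1] % reinfect_every == 0:
                    spawned.append([target, 0])  # the duplicate that beats the check
        copies.extend(spawned)
        history.append(len(copies))
    return history


def copies_per_host(num_hosts: int, rounds: int,
                    reinfect_every: Optional[int] = 7, seed: int = 1) -> float:
    """Average worm copies per host at the end of the run (a proxy for load)."""
    return simulate(num_hosts, rounds, reinfect_every, seed)[-1] / num_hosts


if __name__ == "__main__":
    for rule in (None, 7):
        label = "honour 'yes'" if rule is None else f"duplicate every {rule}th 'yes'"
        print(f"{label:>28}: {copies_per_host(100, 40, rule):.1f} copies per host")
```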

When Morris realized the worm was reproducing faster than he had expected, he contacted a friend at Harvard, Andy Sudduth. The two allegedly discussed fixes for the worm, according to court documents. Sudduth quickly posted an anonymous message on the Internet, warning users about a rapidly reproducing worm and instructing readers how to defeat it.

But Sudduth's message got blocked by a downed Internet gateway. In a cruel ironic twist, an administrator had shut down the gateway in an attempt to limit the worm's progress.

Sudduth's warning message didn't get through the gateway for about two days, but dozens of administrators around the world began to notice problems within hours of the worm's release.

Yee, a UC Berkeley student and a contract worker for NASA at the time, was among the first people to spot the problem. "I was up all night working through the Morris worm," says Yee, who now works for Spyrus, a security vendor in San Jose, Calif. "I don't think I got home until 7 a.m. the next day."

Yee posted a message about the problems to a TCP-IP mailing list within hours of the worm's release. With Sudduth's message still blocked, Yee's electronic dispatch was one of the first known communications about the worm. The message suggested turning off several services that the worm apparently used, including telnet, ftp, finger, rsh and SMTP.

"Turning off those services was the short-term fix," says Yee. "We left those services off while the research group worked to decompile it." Decompiling the worm was a critical step. This procedure unlocked the worm's source code, allowing researchers to identify security holes that Morris' program was exploiting. "Once you figure out how the program works, you can figure out which [security] holes to patch," says Yee.

Systems administrators at UC Berkeley, MIT and other schools worked around the clock for nearly two days to analyze the worm. By noon on Nov. 4, MIT and Berkeley had completely disassembled the worm. Most of the infected systems were back online within days of the incident.

Hit and run
Researchers say the worm had an "attack and defense" design. First, the worm would locate Internet hosts and user accounts to penetrate, then it would exploit security holes on remote systems to pass across a copy of the worm. The worm also used three defense tactics: It changed its name to minimize intrusion detection; it moved into memory and deleted its own file-system data to cover its tracks; and it used a short burst of random numbers to test a connection before moving onto a system.

Fortunately, the worm had no malicious code. Unlike some recent viruses, the Morris worm didn't erase or corrupt any of the host's data, and it didn't attempt to steal any information.

"The [Morris] worm took systems down from load," says Eugene Spafford, a professor of computer sciences at Purdue University and a widely regarded security expert. "It didn't really damage systems."

"The Morris worm could have been a lot worse," adds Bostic, who now works for Sleepycat Software. "It just tied up the CPU. Imagine if the worm had been written to delete all of the host's data instead? Fortunately, most worm authors don't have malicious intent. It's mostly kids having fun and showing off. But every once in a while you get an _ _ _hole in the mix."

Such was the case last week, when NakedWife became the latest virus to spread across the Internet via Microsoft's Outlook program.

While the Morris worm moved from system to system without any user interaction, a virus like NakedWife (a.k.a. JibJab) needs unsuspecting users to propagate itself. NakedWife arrives as an e-mail attachment. When users activate the attachment, the virus wipes out vital Windows files and uses Outlook to e-mail itself to more unsuspecting users.

As we went to press, NakedWife had infected nearly 70 organizations. Virtually every major media outlet covered the story, yet NakedWife was a relatively minor disaster compared with the Morris Worm, which infected 10 percent of the Internet during its brief outbreak.

Famous last words
E-commerce proponents downplay the risk of another Morris-type outbreak. They point out that today's Net is built on a long list of heterogeneous operating systems - including Unix, Linux, Windows NT, Windows 2000, MacOS and so on.

In theory, the odds are relatively low that a single silver bullet could kill such a diverse system.

Yet those who fought the Morris worm believe history could repeat itself. "Something like that could certainly happen again," says Bostic. "As more and more Windows machines get connected to the Net, it could create a more homogenous system with lots and lots of vulnerabilities."

That was the case with most recent Internet-related viruses, which used Outlook - Microsoft's nearly ubiquitous e-mail client - to propagate.

Experts say even the 13-year-old Morris Worm could take down some of today's Internet sites. Explains Purdue's Spafford: "The old worm would need to be updated to use current library calls appropriately, but the basic technology would still allow it to propagate a little - many sites still haven't fixed the remote login problem. If the Worm were updated to probe for buffer overflows in other programs than the finger daemon, then that would work, too. We still have companies releasing software with that form of bug in place."

So, does anyone actually still have the worm? Reveals Spafford: "I deleted that information years ago, although I may have it on tape somewhere."

Maybe there's a sequel in the making. Just don't offer the lead role to Robert T. Morris. He's not much for the limelight.

Outliving the Worm
Unlike many people convicted of computer crimes, Robert T. Morris shies away from the spotlight and has moved on to become a leading researcher at MIT's Lab for Computer Sciences.

The soft-spoken Morris has been around computers his entire life. His father was the chief scientist at the National Computer Security Center. As a teenager, Morris had an account on Bell Labs' computer network. He went on to study at Cornell University and Harvard University, before moving on to his current position at MIT.

Sources at MIT call Morris a "brilliant" computer scientist. In recent years, he has written research papers on TCP congestion control, ATM switching and wireless networks, among other deeply technical subjects.

"I think he works so hard now because he doesn't want to be remembered for a mistake he made in his youth," says a source at MIT, who requested anonymity.

To be sure, writing and releasing the worm was an epic mistake. Several Web sites have chronicled how the worm spread like wildfire across the Net.

Morris received three years of probation, 400 hours of community service and a $10,000 fine for the 1988 worm incident.

Morris politely declined comment for this article.