​The day computer security turned real: The Morris Worm turns 30

Three decades ago, the internet was hit by its first major security attack. The world has never been the same since.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

On Nov. 2, 1988, I was working at NASA's Goddard Space Flight Center in the data communications branch. Everything was fine. Then, our internet servers running SunOS and VAX/BSD Unix slowed to a stop. It was a bad day.

We didn't know it yet, but we were fighting the Morris Internet Worm. Before the patch was out, 24 hours later, 10 percent of the internet was down, and the rest of the network had slowed to a crawl. We were not only facing the first major worm attack, we were seeing the first distributed denial-of-service (DDoS) attack.

Also: Russian election hacking hits a bump, but it's still going on CNET

Unlike the hundreds of thousands of hackers that would follow, Robert Tappan Morris, then a graduate student at Cornell, wasn't trying to "attack" the internet's computers. He thought his little experiment would spread far more slowly and not cause any real problems. He was wrong.

Well, that's what he said afterward. I'm also not at all certain that that was the case.

Consider, the Morris worm had three attack vectors: sendmail, fingerd, and rsh/rexec. It also used one of the now-classic attack methods: Stack overflow in its attack.

It was also one of the first attack programs to use what we'd call a dictionary attack with its list of popular passwords. The passwords and other strings hid in the Worm's binary by XORing, a simple encryption method.

Morris also tried to hide his tracks. He started the worm from a MIT computer. It hid its files by unlinking them after trying to infect as many other servers as possible.

Even without a malicious payload, the Worm did serious damage. Infected systems quickly did nothing but trying to spread the worm, thus slowing them down to a crawl. Some, most of them running SunOS, a Unix variant and the ancestor of Solaris, crashed under the load.

Also: Why hiring more cybersecurity pros may not lead to better security TechRepublic

In the meantime, Morris, who included code to keep the worm from spreading too fast, had realized he was no longer in control. Morris called a friend -- who subsequently said Morris "seemed preoccupied and appeared to believe that he had made a 'colossal' mistake.'"

He had indeed. Thanks to efforts led by Eugene "Spaf" Spafford, then an assistant professor of computer science at Purdue University and current editor-in-chief of Computers and Security, the Worm was conquered.

Before the Worm was finished, it successfully attacked about 6,000 of the 1988 internet's 60,000 servers. In the aftermath, DARPA created the first CERT/CC (Computer Emergency Response Team/Coordination Center) at Carnegie Mellon University to deal with future security attacks.

But the Worm's biggest legacy to date was that it started a wave after wave of computer and internet attacks. If Robert Morris hadn't done it, someone else would have. But, regardless, today we live in a world where a day doesn't go by without a serious attack.

Also: Cyber security: Your boss doesn't care and that's not OK

Twitter personality SwiftOnSecurity recently asked: "When will computer security be fixed?" My answer is "never."

These are 2018's biggest hacks, leaks, and data breaches

Previous and related coverage:

What is malware? Everything you need to know

Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.

Security 101: Here's how to keep your data private, step by step

This simple advice will help to protect you against hackers and government surveillance.

VPN services 2018: The ultimate guide to protecting your data on the internet

Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.

Related stories:

Editorial standards