The Morris Worm: Internet malware turns 25

25 years ago this Saturday, November 2, 1988, much of the Internet - still very small at the time - crashed. The cause was a selfish experiment, turned Frankenstein monster, instigated by a graduate student at Cornell named Robert Morris.

On Wednesday, November 2, 1988, the Internet was still young, small and dominated by academics and engineers. It was all very collegial, and there wasn't much in the way of security work, even if the topic existed in theory.

Robert Morris. Image shared by Trevor Blackwell.

Robert Tappan Morris, then a graduate student at Cornell, wasn't trying to "attack" other computers when he unleashed the first great incidence of malware, known thereafter as the Morris Worm, on the Internet. It changed everything.

The worm had no 'payload,' as we would say today. Its point was simply to propagate. A contemporaneously-written technical description of the worm makes clear that Morris went to some trouble to get his program running on other people's systems, that it tried to do so with stealth and that it used the then-novel technique of a stack buffer overflow to get itself running.

One method it used to attempt access was to log in using what we would now call a dictionary attack; that is, it had an embedded list of "popular" passwords. Morris was based at Cornell, but he started the worm going from a computer at MIT to attempt to hide its source. The code also attempts to thwart one possible mechanism of stopping it. All this demonstrates that even if there is no payload, clearly Morris knew he was breaking surreptitiously into other people's computers whether they liked it or not. There's no way Morris was young and inexperienced enough to mistake the fact that what he was doing was wrong.

The source code also shows that Morris attempted to keep the spread of the worm under control, but he was more confident in his code than he should have been. Bugs in the code caused it to crash many systems, basically all SunOS systems, and to execute more than once on many other systems, devouring system resources.

Hacking skills were of high value as administrators attempted to recover from the Morris Worm attacks. To quote the technical description I linked to above:

Initially, the fastest defense against the worm is to create a directory called /usr/tmp/sh. The script that creates /usr/tmp/sh from one of the .o files checks to see if /usr/tmp/sh exists, but not to see if it's a directory. This fix is known as 'the condom'.
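The quoted fix works for two reasons: the installer script treats "something exists at that path" as "my binary is already there", and even a script that skipped that test could not write a file over a directory, because opening a directory for writing fails. The following added example (not from the article, and not the worm's own script) models both points in a throwaway temporary directory rather than the real /usr/tmp. The shape of the installer's check, `[ -e path ]`, is an assumption; the page only describes its behaviour.

```shell
#!/bin/sh
# Added example: why pre-creating a directory at the expected drop path
# blocks a file-dropping installer. All paths live under a temp dir.

WORK=$(mktemp -d)
DROP="$WORK/sh"            # stands in for /usr/tmp/sh

# Model of the installer step described in the text: it skips its work when
# the path "exists" but never checks what kind of object is there.
# (Assumed shape of the check; the page quotes only the behaviour.)
installer_step() {
    if [ -e "$1" ]; then
        echo "skip: $1 already exists"
        return 1
    fi
    printf 'object code' > "$1"   # stand-in for building the binary from a .o
}

# A variant that performs no existence test at all and just writes.
forced_write() {
    printf 'object code' > "$1" 2>/dev/null
}

# The 'condom': occupy the drop path with a directory before the worm arrives.
apply_condom() {
    mkdir -p "$1"
}

# Returns 0 when no regular file ended up at the path (the drop was blocked).
was_blocked() {
    [ ! -f "$1" ]
}

# Demo run: protect the path, then let both installer variants try.
apply_condom "$DROP"
if installer_step "$DROP"; then
    echo "installer ran unprotected"
else
    echo "existence-checking installer blocked by directory at $DROP"
fi
if forced_write "$DROP"; then
    echo "unexpected: wrote over a directory"
else
    echo "unconditional writer also blocked: cannot open a directory for writing"
fi
rm -rf "$WORK"
```

The same idea, a benign placeholder that occupies a path malware expects to own, is a general hardening trick; the catch, as the quoted text implies, is that it only holds for code that does not remove or rename whatever it finds first.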

Everyone realized at the time that computer security was no longer just theory, but something that needed to be taken seriously. That doesn't mean that people actually went to the trouble of taking it seriously, just that it couldn't be dismissed as science fiction anymore. DARPA created the CERT/CC (CERT Coordination Center) at Carnegie Mellon University to deal with such incidents in the future. They're still in business, as are CERTs all over the world. US-CERT calls itself the Computer Emergency Readiness Team now, which I guess is meant to sound more proactive. In 2003 the Department of Homeland Security created US-CERT, "...a coordination point for prevention, protection, and response to cyber attacks across the Internet."

A disk containing the complete source code to the Morris Worm. Image shared via Creative Commons by the Computer History Museum, Boston

How many systems were affected by the Morris Worm? There's a number that is still thrown about, that 6,000 of the 60,000 host systems on the Internet were affected. Morris's friend and colleague Paul Graham writes that the number was just someone's wild guess, and that he was there when it happened. The problem is that the solution to the worm was to reboot systems, and this deleted all traces of it. Nobody knew at the time how many hosts were on the Internet or how many were affected. Suffice it to say that it was big enough that everyone on the Internet knew about it, but then again the Internet was a small place at the time.

Morris, now a tenured Professor in the Parallel and Distributed Operating Systems (PDOS) Group of the Computer Science and Artificial Intelligence Laboratory (CSAIL) at MIT, was the first person convicted under the fairly new Computer Fraud and Abuse Act and sentenced to three years' probation and a fine. An appeals court confirmed that his lack of intent to cause harm was irrelevant, and that what mattered was his intent to access other computers without authorization.

If Morris hadn't launched his eponymous worm, someone else would have done something similar, perhaps with genuine malicious intent. Given that he was still basically a kid and didn't intend harm, his punishment was probably appropriate. It doesn't seem to have hurt his career.