The Story of the Morris Worm – First Malware hits the Internet

The Original Source Disk of the Morris Worm, @Go Card USA

The Original Source Disk of the Morris Worm, photo: Go Card USA, CC BY-SA 2.0, via Wikimedia Commons

On November 2, 1988, Cornell student Robert T. Morris launched the very first computer worm on the internet – and subsequently becoming the first person convicted under the Computer Fraud and Abuse Act. Today his programme is referred to as “Morris Worm” and he is a tenured professor in the department of Electrical Engineering and Computer Science at the Massachusetts Institute of Technology.

“There may be a virus loose on the internet.”
— Andy Sudduth of Harvard, 34 minutes after midnight, Nov. 3, 1988;

Only an Experimental Program

Morris created an experimental program — today known as a worm — that was able to self-replicate as well as also to self-propagate and injected it into the Internet. When a worm gains access to a computer  it launches a program which searches for other computers on the internet to infect them if possible. The worm acts all of its own. At no time does the worm need user assistance in order to operate its programming. Moreover, the worm spreads itself over the internet, so all machines attached to an infected machine are at risk of attack. Morris created the worm while he was a graduate student at Cornell University with the original intent — according to him — to gauge the size of the Internet. He released the worm from MIT to conceal the fact that it actually originated from Cornell.

But Faster than Anticipated…

The worm exploited several vulnerabilities to gain entry to targeted systems. Among them was a hole in the debug mode of the Unix sendmail program in combination with a buffer overrun hole in the fingerd network service as well as the transitive trust enabled by people setting up rexec/rsh network logins without password requirements. Morris soon discovered that the program was replicating and reinfecting machines at a much faster rate than he had anticipated. Although the worm was intended to be harmless, Morris made some mistakes, when writing it. The worm was programmed to check each computer it found to determine if the infection was already present. However, Morris believed that some administrators might try to defeat his worm by instructing the computer to report a false positive. To compensate for this possibility, Morris directed the worm to copy itself anyway, 14% of the time, no matter the response to the infection-status interrogation. This level of replication created system loads that not only brought it to the attention of system administrators, but also disrupted the target computers.

“VAX and Sun machines across the country were being overloaded by invisible tasks, preventing users from being able to use the machines effectively, if at all, and eventually forcing system administrators to cut off many of their machines from the internet entirely in an attempt to cut off the source of infection.” [1]

The Damage Caused by the Worm

In the End, many computers at locations around the United States either crashed or became unresponsive. When Morris realized what was happening, he contacted a friend at Harvard to discuss a solution. Eventually, they sent an anonymous message from Harvard over the network, instructing programmers how to kill the worm and prevent reinfection. However, because the network route was clogged, this message did not get through until it was too late. Computers were affected at many sites, including universities, military sites, and medical research facilities.

Clifford Stoll, who helped fight the worm, wrote in 1989, “I surveyed the network, and found that two thousand computers were infected within fifteen hours. These machines were dead in the water — useless until disinfected. And removing the virus often took two days.” Overall, about 6,000 computers were infected, which come to about 10% of the entire internet by that time. It was guessed by the time that the cost in “potential loss in productivity” caused by the worm and efforts to remove it ranged at each system from $200 to more than $53,000. According to estimates by the U.S. General Accounting Office, between $100,000 and $10 million was lost due to lack of access to the Internet. And the program responsible for all this was a small fragment of code, only containing 99 lines not including object files.

The Morris Worm and its Consequences

At the University of California at Berkeley and at MIT teams of programmers used copies of the program to actively disassembling it, i.e. returning the program back into its source form that is readable for humans, too — to try to figure out how it worked. They worked non-stop to come up with at least a temporary fix, to prevent the continued spread of the worm. After about twelve hours, the Berkeley team came up with steps that would help retard the spread of the virus. The information didn’t get out as quickly as it could have, however, since so many sites had completely disconnected themselves from the network. After a few days, things slowly began to return to normal and everyone wanted to know who was the behind the attack. Morris was later named in The New York Times as the author. Although this hadn’t yet been officially proven, there was a substantial body of evidence pointing to Morris. Thus, Morris only received a light sentence: a $10,050 fine, 400 hours of community service, and a three-year probation.

The First Internet Worm (Morris Worm) – Computerphile, [7]

References and Further Reading:


Leave a Reply

Your email address will not be published. Required fields are marked *

Relation Browser
0 Recommended Articles:
0 Recommended Articles: