The Morris Worm Turns 25

morrisworm177709182In November 1988, the first large-scale malware called the Morris Worm was unleashed on an Internet still mostly populated by academics and technology hobbyists.

This wasn’t the first worm to reach the fledging Internet, but it was the first to get the attention of the mainstream media, due mainly to its wide effect on users across the globe.

Harvard grad Robert Morris developed the worm in 1988 at Cornell University, where he was attending graduate school.

Today malware is as common as the sun coming up. But 25 years ago, the Morris Worm infected 6,000 UNIX-based machines and caused major damage estimated into the millions. Ironically, Morris’s father, also named Robert, helped design UNIX at Bell Labs before becoming chief scientist at the National Computer Security Center, a division of the National Security Agency.

The Morris Worm exploited three key Internet weaknesses to gain entry to UNIX machines and targeted networks:

  • rexec/rsh network logins set up without passwords
  • A vulnerability in the debug mode of UNIX’s sendmail program
  • A buffer overrun hole in the finger daemon protocol

Morris’s intent was not to bring the information superhighway to its knees. Instead, he simply wanted to measure the size of the Internet. That seems like an innocent enough of a cause.

But, his creation spread to computers multiple times, slowing computers considerably with additional infection until they stopped working completely. It was the worm’s spreading mechanism that enabled it to change from an academic endeavor into a viral denial of service attack like the Internet had not yet seen.

If the Morris Worm had simply looked to see if a version was already running on a computer, it would have been easy to end. But Morris allowed for the worm to randomly infect again, sometimes even if a version was already running. It was enough to infect thousands of machines and accompanying networks.

Because of its vast destructive path, the Morris Worm has also been called the “Great Worm,” a reference to the great dragon Glaurung from J.R.R. Tolkien’s “Lord of the Rings” books. The name fits, since at the time, the Internet had never experienced this level of devastation in infected equipment and downtime, not to mention the impact psychologically now that the Internet was not as secure and reliable as once thought.

The extent of the damage caused by the Morris Worm lead directly to the creation of an incident response team known as the CERT Coordination Center (CERT/CC) at Carnegie Mellon University. Funded by the US Department of Defense’s Defense Advanced Research Projects Agency (DARPA), the security experts at CERT/CC address risks at the software and system level, focusing on identifying and addressing potential threats and alerting vendors and other incident response teams around the world about them.

So, what happened to the creator of the Morris Worm? Well, he holds the unique distinction of being the first person tried and convicted of violating the 1986 Computer Fraud and Abuse Act. In 1991, Morris was sentenced to three years probation as well as 400 hours of community service, and he was fined $10,000.

Since completing his sentence, Morris has co-founded two companies, one he sold to Yahoo. Today, he is a tenured professor at the Massachusetts Institute of Technology where he continues to pursue research on computer network architectures.

In this article

Join the Conversation