Morris Worm: How a Simple Experiment Led to the First Computer Worm
Not so long ago, in 1988 to be exact, computer worms weren’t even a thought in a programmer’s mind. The internet, a veritable network of 100,000 linked computers, was then in its infancy and only a tiny fraction of what we see today. Yet Robert Tappan Morris, a 23-year-old Harvard graduate saw its possibilities. Morris was an aspiring innovator in the field and attending graduate school at Cornell. In the fall of 1988, he was hard at work on an experiment to determine if he could create a program that would spread from one computer to another on its own.
By the next morning after releasing the program, the effects of Morris’s project were felt by internet users across the country, spreading far faster than even he had anticipated. It took months to clean up the damage and before it was all over, Morris was standing in front of a federal jury. But his experiment led to the beginnings of security regulations and laws that permeate the internet today.
Fraud and abuse act
When Morris launched his worm, hacking wasn’t yet on the radar for most people, but the U.S. legal system was ready to tackle it. In 1984, provisions were added to the Comprehensive Crime Control Act that covered protections for computers and computer networks. However, as the internet began to evolve, it became necessary to take that a step further. In 1986, Congress passed the Computer Fraud and Abuse Act, which extended the law to also cover hacking.
Despite his efforts to disguise the release of the worm, it was eventually traced back to servers at Cornell and Morris. Although Cornell suspended him in 1989, it took eight months for a federal jury to indict him under the Computer Fraud and Abuse Act. He wasn’t put behind bars, though. His sentence included a $10,050 fine, 400 hours of community service, and probation for three years. He has gone on to an impressive career as an entrepreneur, computer scientist, investor, and MIT professor.
About the worm
Although Morris insisted his intentions weren’t malicious, the Morris Worm, as it would later become known, caused plenty of damage during its brief time in cyberspace. The worm was different from a virus in that it was a standalone program that could self-replicate and propagate through networks. A virus requires an active host program or a compromised operating system to run. It’s important to note that the worm didn’t cause mass destruction. Its effect was merely to slow computers down. However, the “damage” came in the form of lost time for the many systems administrators who had to work for hours to clean up the mess.
The Morris Worm specifically targeted Unix operating systems, but it had multiple vectors that allowed it to spread beyond that initial limitation. While the worm didn’t wipe out information or destroy operating systems, it did slow things down so severely that emails were delayed for days and revenue as a consequence.
Morris designed the worm to use several modes of attacks to spread from computer to computer. One attack exploited a common Internet service known as the “name/finger protocol,” which was installed on most Unix machines and used for supplying information about other users of the network.
Another targeted easy-to-guess passwords. Once the worm obtained a computer’s password file it could then access the encrypted copies of every user’s password. Next it systematically guessed the passwords by comparing encrypted versions and mapping them to a dictionary of common words. If it was successful at hacking in, it continued to use the user’s password and ID to access other servers where that same user had an account.
A third exploit targeted a security vulnerability in “sendmail,” a common utility that was used to send email.
Morris had programmed the worm to duplicate itself at every seventh instance of a “yes” response to get around computers that said they already had the worm installed. However the seven-to-one ratio wasn’t high enough to slow the program’s reproduction. This self-duplication led the worm to spread much faster than Morris could have ever envisioned, infecting thousands of computers at universities, research centers, and military installations. The U.S. General Accounting Office estimated that between $100,000 and $10 million was lost due to the internet inaccessibility that resulted from the attack.
The lasting repercussions
So why wasn’t Morris more heavily punished? After all, today hackers can face serious jail time under the same law. Even those within the technology industry were divided over whether Morris deserved the five years behind bars that was being predicted at the time. Morris’s argument that he was conducting an experiment, not intending harm, seemed to go a long way with his defenders.
There’s also the fact that as soon as he saw how quickly his worm was replicating, Morris made efforts to mitigate damage. Working with a friend from Harvard, he sent out a message with instructions on how to dismantle the worm. The network was too congested, though, which prevented the message from getting through.
The unwitting result of Morris’s experiment was it served as a wake-up call for the internet community. One expert compared the internet at the time to a small, friendly clubhouse where everyone trusted each other. The Morris Worm made it clear that individuals with criminal intent could have access to that clubhouse, so it was time to install some locks.
Foreshadowing a near future
The Washington Post article reported that an early version of the worm recovered from an automatic backup of Morris’s Cornell files included extensive comments describing Morris’s vision for the project. It is believed those comments may suggest that Morris had ambitious goals beyond what he achieved.
His vision was not the worm that ensued, a program that silently and efficiently replicated itself across the Internet. It was more along the lines of what we now know as a botnet: a massive network of hundreds of thousands of computers and devices communicating with one another and controlled by bot herders to take down sites or launch other denial of service attacks.
Morris was unable to create a command-and-control center which would have let him coordinate the infected machines. According to The Washington Post:
“Morris did implement a mechanism designed to prevent multiple copies of the worm from running on the same computer. If two worms found themselves on the same machine, they would flip a virtual coin, and then the losing copy of the worm would commit electronic seppuku.
“But Morris modified this scheme in a way that made it ineffective. One time out of seven, selected at random, the losing worm would make itself immortal rather than committing suicide.”
The programming error which led to a failure of the worms to self-destruct resulted in the worms growing exponentially and exhausting the computer’s resources.
Morris’s legacy serves as an example of how far the internet has come since its earliest days. Today, experts like Morris are invited to experiment on various systems in white hat hacking, underscoring the need to test the resilience of systems and uncover unknown and potential threats.
Exabeam News Wrap-up – Week of September 12, 2022
The 4 Steps to a Phishing Investigation
Subscribe today and we'll send our latest blog posts right to your inbox, so you can stay ahead of the cybercriminals and defend your organization.
See a world-class SIEM solution in action
Most reported breaches involved lost or stolen credentials. How can you keep pace?
Exabeam delivers SOC teams industry-leading analytics, patented anomaly detection, and Smart Timelines to help teams pinpoint the actions that lead to exploits.
Whether you need a SIEM replacement, a legacy SIEM modernization with XDR, Exabeam offers advanced, modular, and cloud-delivered TDIR.
Get a demo today!