The Morris worm or Internet worm of November 2, 1988, is one of the oldest computer worms distributed via the Internet, and the first to gain significant mainstream media attention. It resulted in the first felony conviction in the US under the 1986 Computer Fraud and Abuse Act.[1] It was written by a graduate student at Cornell University, Robert Tappan Morris, and launched on November 2, 1988, from the Massachusetts Institute of Technology network.
The worm was created by Morris simply to see if it could be done,[2] and was released from the Massachusetts Institute of Technology (MIT) in the hope of suggesting that its creator studied there, instead of Cornell.[3] Morris later became a tenured professor at MIT in 2006.[4] The worm's creator Robert Tappan Morris is the son of cryptographer Robert Morris, who worked at the NSA at the time.[5]
The worm exploited weak passwords.[6] Morris's exploits became generally obsolete due to decommissioning rsh (normally disabled on untrusted networks), fixes to sendmail and finger, widespread network filtering, and improved awareness of weak passwords.
Though Morris did not intend for the worm to be actively destructive, instead seeking to merely highlight the weaknesses present in many networks of the time, an unintentional consequence of Morris's coding resulted in the worm being more damaging and spreadable than originally planned. It was initially programmed to check each computer to determine if the infection was already present, but Morris believed that some system administrators might counter this by instructing the computer to report a false positive. Instead, he programmed the worm to copy itself 14% of the time, regardless of the status of infection on the computer. This resulted in a computer potentially being infected multiple times, with each additional infection slowing the machine down to unusability. This had the same effect as a fork bomb, and crashed the computer several times.
The main body of the worm can only infect DEC VAX machines running 4BSD, alongside Sun-3 systems. A portable C "grappling hook" component of the worm was used to download the main body parts, and the grappling hook runs on other systems, loading them down and making them peripheral victims.[7]
Morris's coding mistake, in instructing the worm to replicate itself regardless of a computer's reported infection status, transformed the worm from a potentially harmless intellectual and computing exercise into a viral denial-of-service attack. Morris's inclusion of the rate of copy within the worm was inspired by Michael Rabin's mantra of randomization.[8]
The resulting level of replication proved excessive, with the worm spreading rapidly, infecting some computers several times. Rabin would eventually comment that Morris "should have tried it on a simulator first".[9]
It is usually reported that around 6,000 major UNIX machines were infected by the Morris worm. However, Morris's colleague Paul Graham claimed, "I was there when this statistic was cooked up, and this was the recipe: someone guessed that there were about 60,000 computers attached to the Internet, and that the worm might have infected ten percent of them."[11] Stoll estimated that "only a couple thousand" computers were affected, writing that "Rumors have it that [Morris] worked with a friend or two at Harvard's computing department (Harvard student Paul Graham sent him mail asking for 'Any news on the brilliant project')."[10]
The Morris worm prompted DARPA to fund the establishment of the CERT/CC at Carnegie Mellon University, giving experts a central point for coordinating responses to network emergencies.[12] Gene Spafford also created the Phage mailing list to coordinate a response to the emergency.
The Morris worm has sometimes been referred to as the "Great Worm", due to the devastating effect it had on the Internet at that time, both in overall system downtime and in psychological impact on the perception of security and reliability of the Internet. The name was derived from the "Great Worms" of Tolkien: Scatha and Glaurung.[15]
Robert Tappan Morris (born November 8, 1965) is an American computer scientist and entrepreneur. He is best known for creating the Morris worm in 1988,[3] considered the first computer worm on the Internet.[4]
Morris was prosecuted for releasing the worm, and became the first person convicted under the then-new Computer Fraud and Abuse Act (CFAA).[2][5] He went on to cofound the online store Viaweb, one of the first web applications,[6] and later the venture capital funding firm Y Combinator, both with Paul Graham.
Morris attended Harvard University, and later went on to graduate school at Cornell University. During his first year there, he designed a computer worm (see below) that disrupted many computers on what was then a fledgling internet. This led to him being indicted a year later.
Morris' computer worm was developed in 1988, while he was a graduate student at Cornell University.[10] He released the worm from MIT, rather than from Cornell.[10] The worm exploited several vulnerabilities to gain entry to targeted systems, including:
The worm was programmed to check each computer it found to determine if the infection was already present. However, Morris believed that some system administrators might try to defeat the worm by instructing the computer to report a false positive. To compensate for this possibility, Morris programmed the worm to copy itself anyway, 14% of the time, no matter what the response was to the infection-status interrogation.
This level of persistence was a design flaw: it created system loads that brought it to the attention of administrators, and disrupted the target computers. During the ensuing trial, it was estimated that the cost in "potential loss in productivity" caused by the worm and efforts to remove it from different systems ranged from $200 to $53,000.[10]
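The load effect of the 14% copy rate, described here and in the earlier paragraph on the worm's infection check, can be reproduced with a small population model. This is an added example, not code from the worm or from the original page; the host count, number of rounds, uniform random targeting and the rule that each running process probes one host per round are assumptions made for illustration.

```python
import random

def simulate(hosts=200, rounds=30, reinfect_prob=0.14, seed=1988):
    """Abstract population model: hosts are list indices, nothing touches a network.

    copies[h] is the number of worm processes running on host h.
    reinfect_prob is the chance of installing a copy even though the
    target answered "already infected" (14% on this page).
    """
    rng = random.Random(seed)          # fixed seed so runs are repeatable
    copies = [0] * hosts
    copies[0] = 1                      # single release point
    for _ in range(rounds):
        # Every process alive at the start of the round probes one random host.
        for _ in range(sum(copies)):
            target = rng.randrange(hosts)
            if copies[target] == 0:
                copies[target] = 1     # clean host: first infection
            elif rng.random() < reinfect_prob:
                copies[target] += 1    # infection-status reply ignored
    return copies

def summarize(copies):
    """Reduce per-host process counts to the figures an operator would notice."""
    return {
        "infected_hosts": sum(1 for c in copies if c),
        "total_processes": sum(copies),
        "max_per_host": max(copies),
    }

if __name__ == "__main__":
    # Compare a worm that always honours the check with the 14% override.
    for p in (0.0, 0.14):
        print(f"reinfect_prob={p}: {summarize(simulate(reinfect_prob=p))}")
```

With the override set to zero, no host ever runs more than one process; with 0.14, the process count keeps compounding after every host is already infected, which is the load that made the worm visible to administrators.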
When Robert realized what was happening, he got help from some associates to try to stop the spread of the worm. Many programmers and computer experts worked on the solution. They came from many different institutions, such as MIT, Berkeley and Purdue. By the time there was a fix, it was estimated that about 6000 computers had been victimized. At the time, this was about ten percent of the Internet. Along with the 6000 victims, there was also an unreported number of systems and networks that did have a chance to disconnect themselves from the Internet before they were victimized by the worm. These could also be called victims because of the downtime they incurred. (Fortunately, computers did not generate as much revenue then as they do today.) By the time the incident was isolated, it was too late. It was reported that 5-10 percent of the Internet computers were victimized. Estimates of the damage vary, but they are in the area of $98 million. Most of it was related to man-hours spent fixing the problem.
There were many firsts related to this incident. One of them was the creation of the Computer Emergency Response Team (CERT). This organization was made up of computer scientists from many different and similar industries, gathered together to isolate the problem and prevent this sort of thing from happening again. CERT's web page attributes its existence to this worm. Another organization was also created: the National Computer Security Center, which was a part of the National Security Agency.
This worm is still called a virus to this day. The difference between a worm and a virus is that a worm can propagate itself to other machines without assistance from other sources. A virus needs to be carried by another source to get to another computer; that source can be a floppy disk or another software program. There seem to be many gray areas lately in the definitions of the various ways computers are victimized. Trojans, viruses, and worms are affecting computers more and more. The one thing they all have in common is that they cause problems for computer users and the people who support computers. Some of these problems are minor annoyances, and some are very malicious and cost companies millions of dollars a year in lost data and in hours lost recovering it.
Many computer experts believe that the worm incident caused by Morris was newsworthy not for what the worm did but for what it could have done. It is very concerning to imagine what could have happened if Morris had been a malicious coder out to damage as many computers as he could. He could have altered the code to go after more than just the machines that he did. He could have purposely started the worm from many different sources worldwide to spread it faster before it could be stopped. He could have coded the worm to erase data from the systems. He could have done many things to hide the worm for longer than he did. The worm also brought attention to the new world of the Internet. There were only about 60,000 systems on the Internet then. Today there are millions. The incident made clear to computer professionals that the Internet needed stronger security practices for protecting critical data.
If we look at what could have been done to prevent the Morris worm incident, could we use that knowledge to guard against new, more dangerous issues in the future? We cannot change the fact that intelligent people will be able to code malicious programs. They will always be around. The coders will only change in what motivates them to attack systems.
One of the exploits used by the Morris worm was that users and some computer professionals were using weak passwords. This still seems to be the case today. Again, this can change with user awareness, or with administrators at these companies enforcing and monitoring strong passwords. If stronger passwords had been used in 1988, the worm would not have been able to use one of its three exploits. Again, an IDS solution may also have prevented this from happening.