Morris Worm Turns 25

This weekend we had a memorable date. It marked 25 years since the publication of the first computer malware that was widespread enough to be featured in the news. The

This weekend we had a memorable date. It marked 25 years since the publication of the first computer malware that was widespread enough to be featured in the news. The famous Morris Worm, written by a Cornell University student, infected about 10% of Internet-connected computers up to date. To be more specific, it infected about 6 out of every 60 thousand computers, which might sound ludicrously small today, but this “prehistoric” case is actually very important because it combined DDoS, exploits, stealth technologies, password bruteforcing and other techniques that are widely used in modern malware now. Moreover, it ended with the first conviction in the US under the 1986 Computer Fraud and Abuse Act.

Photo Credit: Intel Free Press
The floppy disk with the source code of the Morris worm is now kept in the Boston Museum of Science

Thanks to Youtube, we can watch how TV told this story back in 1986…

…And now we can tell this story from a security standpoint.

A student at Cornell University called Robert Tappan Morris decided “to gauge the size of the Internet.” To accomplish this task, he wrote a quite complicated program, which was able to replicate itself over the network and prevent third-party attempts to stop it. This functionality matches with the definition of Computer Worm exactly, thus its name. Morris Worm wasn’t developed to cause any harm, however, a programming mistake led to multiple infections of a single computer, causing the server to become overloaded and non-responsive. Sounds like DDoS, doesn’t it?

To spread itself over the Internet, the worm used the same technology as its modern great-grandchildren, by exploiting vulnerabilities. In the case of Morris worm, there were three different vulnerabilities exploited. The implementation of Finger and Sendmail bugs in the popular Unix-based systems allowed remote code execution. If the tactic was not successful, Worm tried to utilize rsh (remote shell) typically used for remote administration. Login and password are required to use rsh, so Morris Worm brutforced them. An impressively high success rate was achieved using only a small dictionary of 400 words, plus some obvious options like having passwords identical to usernames or consisting of the same letters in reverse order. It’s still not obvious to many people today that strong passwords are essential, so 25 years ago even system administrators were unaware of this.

Upon successful computer penetration, the worm changed its process name, deleted temporary files and took some other measures to prevent its revelation, e.g. encrypting its data in memory. On of the first actions upon launch was to check and see if the computer was already infected. When other copy was discovered, two copies “rolled a dice” to decide which one should self-destruct. Maybe it was Morris’ mistake, or maybe it was a measure to counteract easy “vaccination,” nevertheless one of seven copies eventually stopped playing “survival game” and continued its operation regardless of other copies. It was this decision that led to the DDoS effect. Coefficient of 1/7 turned out to be excessively high and many computers became infected dozens times.

Despite not being ready for worm, both technically and conceptually, system administrators over the USA acted quickly. Two working groups were established in MIT and UC Berkley and it took only two days to find and fix vulnerabilities utilized by worm and disassembled worm itself. In general, it was the end of the worm. However, the cost of infection removal was estimated to be between $100 thousand to $10 million.

Quite interestingly, Morris’ effort to remain anonymous was successful. The person who changed that was actually his father, Robert Morris, UNIX OS co-author and chief scientist at NSA’s National Computer Security Center. He convinced his son to confess. The court took this in account, and the sentence for Morris junior was a soft 3 years of probation, $10 thousand fine and 400 hours of community service. This lesson turned to be useful for Morris. He became a respected member of the computer society. Among his achievements are the creation of one of the first e-commerce platforms, Viaweb (later sold to Yahoo and rebranded as Yahoo Store), the creation of the startup fund Y Combinator, the participation in the development of new programming languages and he earned a PHD at MIT.