Chapter 2 — The Morris Worm (1988)
Ithaca, New York. Cornell University. November 2, 1988.
Robert Tappan Morris is a 23-year-old graduate student in computer science.
His father, Robert Morris Sr., is the chief scientist at the NSA's National Computer Security Center.
The son is about to make history. The kind of history you don't want to make.
The Release
At 8:30pm, Morris logs into a terminal at MIT — not Cornell. Deniability.
He releases a worm onto ARPANET.
The worm exploits three separate vulnerabilities:
- sendmail debug mode — a feature that lets administrators test the mail system. Morris uses it to execute arbitrary commands remotely.
- fingerd buffer overflow — the fingerd daemon copies user input into a fixed-size buffer without checking length. Morris overflows it and redirects execution to a shell.
- rsh/rexec trust relationships — Unix machines trusted other machines on their network implicitly. If machine A trusted machine B, the worm could pivot from one to the other without any password.
Three different doors. All of them open.
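The fingerd flaw in the list above comes down to a copy into a fixed-size buffer with no length check. As an added example (not the worm's code and not fingerd's source; the function names and the 64-byte buffer size are assumptions made here), this is that pattern beside a bounded version that rejects over-long input:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REQ_BUF_SIZE 64  /* assumed buffer size, chosen for this example */

/* Unchecked copy, the pattern described above: it stops only at the end
 * of the line, so a line longer than dst writes past the buffer. */
void copy_line_unchecked(char *dst, const char *src)
{
    while (*src != '\0' && *src != '\r' && *src != '\n')
        *dst++ = *src++;
    *dst = '\0';
}

/* Checked copy: returns the line length, or -1 when the line plus its
 * terminating NUL does not fit in dst or the line holds an embedded NUL.
 * On rejection dst is left as an empty string. */
int copy_line_checked(char *dst, size_t dst_size,
                      const char *src, size_t src_len)
{
    size_t n = 0;

    if (dst_size == 0)
        return -1;
    dst[0] = '\0';
    while (n < src_len && src[n] != '\r' && src[n] != '\n') {
        if (src[n] == '\0' || n + 1 >= dst_size)
            return -1;  /* reject: never truncate silently, never overflow */
        n++;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (int)n;
}

int main(void)
{
    char name[REQ_BUF_SIZE];
    char big[600];  /* constructed over-long request line */

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\n';
    printf("short request: %d\n", copy_line_checked(name, sizeof name, "guest\r\n", 7));
    printf("long request:  %d\n", copy_line_checked(name, sizeof name, big, sizeof big));
    return 0;
}
```

The checked version takes the destination size as a parameter, so the bound is enforced at the copy itself rather than assumed by the caller.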
The Bug
Morris intends the worm to be subtle. To avoid detection, he programs it to check whether a copy is already running on a machine — and if so, only reinfect it 1 in 7 times, to prevent obvious accumulation.
He gets the logic wrong.
Instead of reinfecting 1-in-7 already-infected machines, the worm reinfects every machine, every time, and the 1-in-7 check has the inverse effect.
Machines spawn new copies of the worm continuously. They slow down. Then they stop responding. Then they crash.
The Night
By midnight, machines across ARPANET are going dark.
6,000 systems — approximately 10% of the entire internet — are taken offline.
Universities. Research institutions. Military contractors.
A fix is developed at Berkeley and Purdue, partly through an anonymous tip that is later attributed to Morris himself. By morning, a patch exists.
But the internet will not be the same.
The Proverbial Cat
Panel: A cartoon cat sits on a server rack.
"The proverbial cat was out of the bag."
Cat: "I'm a proverbial cat? That's insulting."
Under the Hood — Worms vs. Viruses
A virus attaches itself to an existing file. It needs a host. It spreads when humans share files.
A worm is self-contained. It finds its own way across a network. No human action required.
The Morris Worm is the first worm to spread across the internet at scale. It demonstrates something the security community cannot ignore:
The network itself can be the attack surface.
Aftermath
Morris is prosecuted under the Computer Fraud and Abuse Act — the first conviction under that law.
He is sentenced to three years' probation, 400 hours of community service, and a $10,000 fine.
He later co-founds a startup called Viaweb, which is acquired by Yahoo for $49 million. It becomes Yahoo Stores.
He is now a professor at MIT.
Next: 1992. A kid from Los Angeles who learned to hack by listening to phone lines is about to become the most wanted computer criminal in America.