The Morris Worm: a Malware Prototype

Randy has just reminded me that today is the 20th anniversary of the Morris Worm (sometimes known as the Internet Worm), which came as close as anything else to shutting down the entire internet. It didn’t, of course: it only ran on and propagated from machines running specific versions of Unix on specific hardware platforms. However, the internet was, and to some extent still is, definable as the sum of the computers that are connected to it, and a small but significant group of affected (and infected) servers had a major and debilitating effect on the entire internet. Most people remember its (considerable) impact on mail services, but a lot of other services were affected.

The worm used two notable exploits. It exploited a buffer overflow vulnerability in a widely used version of fingerd. (The once widely-used finger service is both less exciting and more interesting than it sounds: it enables pretty much anyone to harvest more information about you than you might be altogether comfortable with. Which is one of the reasons why, by the time I became a Unix administrator in the early 90s, it was already common practice to disable or restrict the service.) It also made use of the fact that sendmail was, at that time, commonly shipped with debug mode enabled, making it rather easy for an attacker to pass commands to the host system.

It’s usually accepted that the Morris Worm was not intentionally destructive. However, it included a somewhat buggy replication process that could have a serious impact on the host system, resulting in the degradation of a number of processes and services (a characteristic shared by many later viruses and worms). Furthermore, it attempted to break into user accounts on an infected machine, using basic guessing and dictionary techniques similar to those used by many bots and mass-mailers. It even included a routine that was supposed to pass back information about its own progress to a machine at the University of California (as it happens, it didn’t work), which could be seen as a first step towards the tracking and Command & Control features of so much later malware.

In fact, in "Viruses Revealed", Robert Slade and I said that "In many ways, the Internet Worm is the story of data security in miniature." Seven years on from that book, though, I’m not so sure. 1987’s CHRISTMA EXEC worm included the social engineering dimension that doesn’t seem to have interested Morris, whose worm was strictly self-launching, and prefigured the mass-mailers that plagued our lives by the turn of the century.

Next year, by the way, is the 20th anniversary of the "AIDS" Trojan, and therefore of my own assimilation into the security industry. Watch this space (sometime around the 19th December 2009…)

Director of Malware Intelligence


"The Internet Worm Program: an Analysis": Eugene H. Spafford

"With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988": Mark W. Eichin, Jon Rochlis; Proceedings of the 1989 IEEE Computer Society Symposium on Security and Privacy, 1988

"The Morris Worm (Internet Worm)" in "Viruses Revealed" by David Harley, Robert Slade and Urs Gattiker (Osborne 2008)

"The Art of Computer Virus Research and Defense": Peter Szor (Addison-Wesley 2005)

"21st Century Paranoid Man" by David Harley and Ken Bechtel in "AVIEN Malware Defense Guide for the Enterprise", edited Harley (Syngress 2007)

Author David Harley, ESET
