Flashback Tuesday: The Morris Worm

On November 2nd 1988, the history of the internet and information security changed. The Morris Worm, released at 6pm EST that night, brought the internet to an effective standstill, causing the greatest damage ever seen from malware to that date. Thousands of computers were affected and systems brought to a halt as the Morris Worm exploited their vulnerabilities. Normal activity was disrupted and connectivity impeded for many days, as the first multi-platform malware spread across the internet.

Making an impact

No other case in malware history has quite reached the same magnitude as the Morris Worm. It infected 6,000 of the 60,000 computers connected to the internet, many of which remained infected for almost 72 hours. Unusual files were left in the directories of some machines, and systems began to slow down as they became more and more loaded with running processes, as noted by Professor Eugene H. Spafford of Purdue University in a paper at the time.

Some machines even shut down as they became repeatedly infected thanks to the worm’s design, which sees it replicating itself over a computer network and performing malicious actions such as using up a machine’s resources.

Worryingly, it was America’s leading universities and government institutions that were ARPANET-connected at this time. This meant that computers belonging to the NSA, MIT and the Pentagon were affected, among others.

Exploitation of flaws

While the worm’s design may have appeared sophisticated to the outside world, the shock of its spread had more to do with the fact that it was unexpected. The worm itself was actually full of flaws – its success was as much down to luck as to programming skill.

The Morris Worm infected systems through exploitation of two major flaws in TCP and SMTP connections. These flaws made it incredibly easy for an attacker to pass commands to the host system. And while the flaws of UNIX systems were well known to many, the scope of the attack still came as a huge surprise – even to the worm’s writer, Robert Tappan Morris, Jr.

Morris: Curious or criminal?

Morris, a 23-year-old student at Cornell University, was just as shocked by the program’s spread as his peers. His program, which he has stated was written without malicious intent – to gauge the size of the internet, he has explained – caused mayhem due to errors of his own. Those crucial errors saw Morris unleash something he could not control: malware that caused an estimated $100,000 to $10,000,000 of economic damage, according to a Harvard spokesman.

Some sources, however, question Morris’ innocence. With Morris’ father, ironically, the chief scientist of a computer security arm of the NSA, it may be argued that Morris was simply trying to get away from his father’s image and create one of his own, especially since his creation went after password files – his father having created the computer password.

ESET’s senior research fellow David Harley has also pointed out that the worm had questionable characteristics, such as “a somewhat buggy replication process that could have a serious impact on the host system”.

Whatever Morris’ intent, he became the first malware writer ever to be convicted (he was found guilty of violating the 1986 Computer Fraud and Abuse Act – also the first conviction of its kind).

Systems restored

Quick-thinking, if panicked, experts from the University of California at Berkeley and the Massachusetts Institute of Technology went on to tackle the spread of the worm, analyzing the program and working out how to stop it. The morning after, within 12 hours of the discovery, the Computer Systems Research Group at Berkeley had developed a set of steps to halt the worm’s spread. Later that evening, another method of stopping the infection was discovered at Purdue University and widely published.

On November 8th, once order was restored, the National Computer Security Center held a workshop to discuss the impact of Morris’ program. It was decided that those present would not share copies of the reverse-engineered code, for fear of the outcome. However, this only served as a delaying tactic.

The Morris Worm’s lasting impact

By December 8th there were at least 11 versions of the decompiled code – proving that the skills and tools to create malware were already widespread. Of course, this was just the beginning of malware created with malicious intent. Since that date there has been a surge of potent malware infections inspired by Morris’ decompiled code – from the Code Red worm to the famous Conficker worm – which have infected millions of computers to date.

Despite the increase in malware attacks, there are, however, a few positives to have come out of Morris’ creation. It helped make complacency a thing of the past, pushing forward computer security and forcing software vendors to take flaws in their products seriously. The creation of the Computer Emergency Response Team (CERT) was another first to come about as a consequence of this incident.

While the Morris Worm has taught us to be more aware of potential threats online, there is still the risk of history repeating itself. With millions more computers connected to the internet today, and with many businesses relying on the internet for everyday processes and for generating revenue, the damage wouldn’t just come as a shock – it could result in a global disaster.

Author, ESET

Copyright © 2016 ESET, All Rights Reserved.