Last Saturday marked 25 years of what has been one of the most important pieces of malicious code in the history of malware: the Morris worm. On November 2nd, 1988 the worm was released by its author and, less than twenty-four hours later, it caused the greatest damage ever witnessed by a piece of malware up to that point. The worm slowed thousands of systems down to a crawl by creating processes and files in temporary folders and triyng to spread copies of itself.  By the following day (Thursday, November 3rd), it had the attention of thousands of users who started to get worried about these unusual facts. Ever since, this worm has been considered the first worm to spread over the Internet, and given the fact that it propagated through the exploitation of vulnerabilities on VAX and Sun Microsystems systems as well as vulnerabilities in the UNIX email delivery software – sendmail, the first multi-platform malware

The worm infected systems through two propagation vectors: TCP connections (1), or SMTP connections (2), as can be seen in the following code pieces, explained in the  paper about the threat by Professor Eugene H. Spafford from Purdue University:

On the one hand, this malicious code has marked the history of malware and, at the same time, several curiosities emerge from its analysis, which clearly explain the moment when the worm propagated and how it has changed the Internet and malware in these 25 years. That is why we have compiled these five interesting facts about the Morris worm:

  1. Extent of the Infection - the Morris worm infected about 10% of the computers connected to the Internet, the only malware case in history that reached that magnitude (at least, which was verified.) It is worth mentioning that the numbers at that time were much lower, since the ARPANET network connected around 60,000 computers and 6,000 became infected by the malware. The compromised computers belonged to the NASA, Berkley and Stanford universities, MIT and the Pentagon, among many others, and stayed infected for almost 72 hours.

  2. The Heritage - the worm writer, Robert Tappan Morris, Jr. is the son of Robert Morris, Sr. a famous cryptographer and computer professional who, in the 1960s and '70s, while working for the Bell Labs, made significant contributions to UNIX, such as the bc programming language, the program crypt and the el encryption scheme used by passwords in this operating system. Robert Morris, Sr., (father) was also one of the creators of CoreWar, a game that used assembly language to leave the computer out of memory, and which is considered one of the predecessors of computer viruses. A chip off the old block...

  3. The Force of the Law - on January 22nd, 1990, Robert Tappan Morris was prosecuted under the charge of fraud and deception and was convicted by the Syracuse Federal Court in New York. He was sentenced to three years of probation, plus a fine of $10,000 and 400 hours of community work. Such sentence was the first one which used the 1986 computer fraud law, and Morris was the first malware writer who was convicted in history.

  4. The Size of the Internet - The report developed by the GAO (US General Accounting Office) described the Internet as "the main computer network used by the U.S. research community" and began its report indicating that the Internet was "a multi-network system connecting more than 60 thousand computers nationwide and overseas". This report also mentioned that "no one organization is responsible for Internet-wide management" and that there were plans for the "Internet to evolve into a faster, more accessible, larger capacity network system." Apparently, they have achieved their goal - according to the Internet WorldStats Website, nowadays Internet has more than 7 billion users.

  5. Regarding Operating Systems - the same GAO report mentioned above indicated that "UNIX is the most commonly used operating system on the Internet. [It is] estimated that about three-quarters of the computers attached to the Internet use some version of UNIX".

For technology geeks and programmers, it is possible to check the source code of the threat developed in C. It is worth mentioning that its writer has included several comments making the routines even clearer. This is how we start the week, by remembering that a day like last Saturday, 25 years ago, the history of the Internet, malware and computer security began to change.

Sebastian Bortnik
Education & Research Manager