It's one of the biggest Internet disasters of
all time, yet many of today's technology consultants don't remember the
Long before virus outbreaks like NakedWife, Kournikova, Melissa and ILOVEYOU, there was the infamous Morris Worm.
Flash back to Nov. 2, 1988. The Los Angeles Dodgers had just won the
World Series, Ronald Reagan was about to exit the White House, and a
shy programmer named Robert T. Morris was set to unleash a digital
plague that infected 10 percent of the Net.
Those closest to the case say Morris' story should be required
reading for aspiring security consultants, e-business partners and
systems integrators alike.
The Morris case involved a 99-line program written to
infiltrate Digital VAX and Sun 3 systems. The so-called worm didn't
contain any malicious code. Instead, Morris simply wanted to prove that
he could use programs like sendmail to propagate a worm across the
Bad Code
But when Morris released the program on the
Internet, a design flaw caused the worm to reproduce faster than a
jackrabbit. It quickly penetrated 10 percent of the Internet and bogged
down thousands of systems. Dozens of major colleges, government
facilities and research centers fell victim to Morris' rogue code. The
casualties included Lawrence Livermore Labs, UC Berkeley, UC San Diego,
Stanford University and dozens of other sites.
"Back then, there was no Web, and the Internet was largely
academically driven," says Keith Bostic, who fought the worm at UC
Berkeley. "The universities ran the big sites, and those were the sites
that the worm hit hardest."
Adds Peter Yee, another UC Berkeley veteran: "I was at school that
night, and we noticed the computers were all getting slower and slower.
The worm crawled into a machine and then tried to get into other
machines. It kept on re-infecting machines that were already infected."
In the days before Internet commerce and global e-mail, the Morris
Worm cleanup effort cost anywhere from $200 to $53,000 per site,
according to court documents. In today's world of interconnected sites,
the clean-up costs for a similar outbreak could be astronomical.
Repeat Offender
Could a plague like the Morris Worm infect 10
percent—or more—of today's Internet? It depends upon whom you ask. Some
security experts say today's Internet is too heterogeneous for a single
worm to infiltrate so many different platforms. But Global Integrity
cyber law expert Mark Rasch—the attorney who prosecuted the Morris
case—says the Net is just as vulnerable today as it was in 1988.
Morris, now working at MIT's Lab for Computer Sciences, declined
comment for this article. But interviews with programmers who fought
the worm, as well as court documents and Internet archives, paint a
vivid picture of the disaster and the man behind it all.
Good Kid, Bad Move
Morris didn't set out to become a
cyberpunk. And it's certainly unfair to lump Morris in with former
dark-side hackers like Justin Tanner Petersen or media hounds like Kim
Morris' defenders say the worm incident was merely a complicated
software experiment gone bad. "Rob was a curious guy who accidentally
opened a Pandora's box," says a friend of Morris, who requested
At the time of the worm incident, Morris was a first-year graduate
student in Cornell University's computer science Ph.D. program. Morris
wrote the worm in October 1988 and released it onto the Internet on
Nov. 2 of that year. The worm infiltrated systems through holes in
sendmail and the finger daemon, among other things. Its first target was a
VAX server at MIT's Artificial Intelligence Lab. Morris selected MIT's
systems to disguise the fact that the worm came from Cornell, according
to court documents.
Morris designed the worm to ask Sun-3 and VAX systems whether they
already had a local copy of the worm. The worm would skip systems that
replied "yes." In theory, this would prevent the worm from copying
itself endlessly and bogging down the Internet.
However, Morris was concerned that systems administrators would
block the worm by programming their computers to falsely respond "yes."
To beat that potential defensive measure, Morris programmed the worm to
duplicate itself every seventh time it received a "yes" response,
according to court documents.
Big Mistake
Morris' seven-to-one ratio turned out to be a
fatal design flaw. The ratio wasn't high enough to slow the program's
reproduction. The worm quickly spread from systems on the East Coast to
the West Coast, and the Internet's first disaster was under way.
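The effect of the every-seventh-"yes" rule can be seen in a toy population model. This is an added example, not code from the worm or from the court record; the host count, tick count and one-probe-per-copy-per-tick behaviour are assumptions chosen for illustration.

```python
import random

def simulate(hosts=200, ticks=40, reinfect_every=7, seed=1988):
    """Toy model: every running copy probes one random host per tick.

    reinfect_every=7 follows the article: a copy installs itself anyway on
    every seventh "yes" answer. reinfect_every=None always honours "yes".
    Returns (total running copies after each tick, copies on the busiest host).
    All sizes here are assumed values, not measurements from 1988.
    """
    rng = random.Random(seed)       # fixed seed so runs are repeatable
    per_host = [0] * hosts          # running copies on each host
    per_host[0] = 1                 # the first infected machine
    yes_counts = [0]                # one "yes" counter per running copy
    history = []
    for _ in range(ticks):
        # len() is read once, so copies created this tick start probing next tick
        for i in range(len(yes_counts)):
            target = rng.randrange(hosts)
            if per_host[target] == 0:
                install = True      # host answers "no": ordinary first infection
            else:
                yes_counts[i] += 1  # host answers "yes": normally skipped
                install = (reinfect_every is not None
                           and yes_counts[i] % reinfect_every == 0)
            if install:
                per_host[target] += 1
                yes_counts.append(0)
        history.append(len(yes_counts))
    return history, max(per_host)

if __name__ == "__main__":
    for label, rule in (("always skip on yes", None), ("copy on 7th yes", 7)):
        history, busiest = simulate(reinfect_every=rule)
        print(f"{label:20s} total copies={history[-1]:6d} busiest host={busiest}")
```

With the strict rule the copy count stops at one per host; with the seventh-"yes" rule it keeps growing after every host is already infected, which is the load the administrators saw.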
When Morris realized the worm was reproducing faster than he had
expected, he contacted a friend at Harvard, Andy Sudduth. The two
allegedly discussed fixes for the worm, according to court documents.
Sudduth quickly posted an anonymous message on the Internet, warning
users about a rapidly reproducing worm and instructing readers how to
But Sudduth's message got blocked by a downed Internet gateway. In a
cruel ironic twist, an administrator had shut down the gateway in an
attempt to limit the worm's progress.
Sudduth's warning message didn't get through the gateway for about
two days, but dozens of administrators around the world began to notice
problems within hours of the worm's release.
Yee, a UC Berkeley student and a contract worker for NASA at the
time, was among the first people to spot the problem. "I was up all
night working through the Morris worm," says Yee, who now works for
Spyrus, a security vendor in San Jose, Calif. "I don't think I got home
until 7 a.m. the next day."
Yee posted a message about the problems to a TCP-IP mailing list
within hours of the worm's release. With Sudduth's message still
blocked, Yee's electronic dispatch was one of the first known
communications about the worm. The message suggested turning off
several services that the worm apparently used, including telnet, ftp,
finger, rsh and SMTP.
"Turning off those services was the short-term fix," says Yee. "We
left those services off while the research group worked to decompile
it." Decompiling the worm was a critical step. This procedure unlocked
the worm's source code, allowing researchers to identify security holes
that Morris' program was exploiting. "Once you figure out how the
program works, you can figure out which [security] holes to patch,"
Systems administrators at UC Berkeley, MIT and other schools worked
around the clock for nearly two days to analyze the worm. By noon on
Nov. 4, MIT and Berkeley had completely disassembled the worm. Most of
the infected systems were back online within days of the incident.
Hit and Run
Researchers say the worm had an "attack and
defense" design. First, the worm would locate Internet hosts and user
accounts to penetrate, then it would exploit security holes on remote
systems to pass across a copy of the worm. The worm also used three
defense tactics: It changed its name to minimize intrusion detection;
it moved into memory and deleted its own file-system data to cover its
tracks; and it used a short burst of random numbers to test a
connection before moving onto a system.
Fortunately, the worm had no malicious code. Unlike some recent
viruses, the Morris worm didn't erase or corrupt any of the host's
data, and it didn't attempt to steal any information.
"The [Morris] worm took systems down from load," says Eugene
Spafford, a professor of computer sciences at Purdue University and a
widely regarded security expert. "It didn't really damage systems."
"The Morris worm could have been a lot worse," adds Bostic, who now
works for Sleepycat Software. "It just tied up the CPU. Imagine if the
worm had been written to delete all of the host's data instead?
Fortunately, most worm authors don't have malicious intent. It's mostly
kids having fun and showing off. But every once in a while you get an
_ _ _hole in the mix."
Such was the case last week, when NakedWife became the latest virus
to spread across the Internet via Microsoft's Outlook program.
While the Morris worm moved from system to system without any user
interaction, a virus like NakedWife (a.k.a. JibJab) needs unsuspecting
users to propagate itself. NakedWife arrives as an e-mail attachment.
When users activate the attachment, the virus wipes out vital Windows
files and uses Outlook to e-mail itself to more unsuspecting users.
As we went to press, NakedWife had infected nearly 70 organizations.
Virtually every major media outlet covered the story, yet NakedWife was
a relatively minor disaster compared with the Morris Worm, which
infected 10 percent of the Internet during its brief outbreak.
Famous Last Words
E-commerce proponents downplay the risk of
another Morris-type outbreak. They point out that today's Net is built
on a long list of heterogeneous operating systems—including Unix, Linux,
Windows NT, Windows 2000, MacOS and so on.
In theory, the odds are relatively low that a single silver bullet could kill such a diverse system.
Yet those who fought the Morris worm believe history could repeat
itself. "Something like that could certainly happen again," says
Bostic. "As more and more Windows machines get connected to the Net, it
could create a more homogenous system with lots and lots of
That was the case with most recent Internet-related viruses, which
used Outlook—Microsoft's nearly ubiquitous e-mail client—to propagate.
Experts say even the 13-year-old Morris Worm could take down some of
today's Internet sites. Explains Purdue's Spafford: "The old worm would
need to be updated to use current library calls appropriately, but the
basic technology would still allow it to propagate a little—many sites
still haven't fixed the remote login problem. If the Worm were updated
to probe for buffer overflows in other programs than the finger daemon,
then that would work, too. We still have companies releasing software
with that form of bug in place."
So, does anyone actually still have the worm? Reveals Spafford: "I
deleted that information years ago, although I may have it on tape
Maybe there's a sequel in the making. Just don't offer the lead role to Robert T. Morris. He's not much for the limelight.