Who Let The Worms Out?
By Joseph C. Panettieri


It's one of the biggest Internet disasters of all time, yet many of today's technology consultants don't remember the online carnage.

Long before virus outbreaks like NakedWife, Kournikova, Melissa and ILOVEYOU, there was the infamous Morris Worm.

Flash back to Nov. 2, 1988. The Los Angeles Dodgers had just won the World Series, Ronald Reagan was about to exit the White House, and a shy programmer named Robert T. Morris was set to unleash a digital plague that infected 10 percent of the Net.

Those closest to the case say Morris' story should be required reading for aspiring security consultants, e-business partners and systems integrators alike.

> The Morris case involved a 99-line program written to infiltrate Digital VAX and Sun 3 systems. The so-called worm didn't contain any malicious code. Instead, Morris simply wanted to prove that he could use programs like sendmail to propagate a worm across the Internet.

Bad Code

When Morris released the program on the Internet, a design flaw caused the worm to reproduce faster than a jackrabbit. It quickly penetrated 10 percent of the Internet and bogged down thousands of systems. Dozens of major colleges, government facilities and research centers fell victim to Morris' rogue code. The casualties included Lawrence Livermore Labs, UC Berkeley, UC San Diego, Stanford University and dozens of other sites.

"Back then, there was no Web, and the Internet was largely academically driven," says Keith Bostic, who fought the worm at UC Berkeley. "The universities ran the big sites, and those were the sites that the worm hit hardest."

Adds Peter Yee, another UC Berkeley veteran: "I was at school that night, and we noticed the computers were all getting slower and slower. The worm crawled into a machine and then tried to get into other machines. It kept on re-infecting machines that were already infected."

In the days before Internet commerce and global e-mail, the Morris Worm cleanup effort cost anywhere between $200 and $53,000 per site, according to court documents. In today's world of interconnected sites, the clean-up costs for a similar outbreak could be astronomical.

Repeat Offender

Could a plague like the Morris Worm infect 10 percent—or more—of today's Internet? It depends upon whom you ask. Some security experts say today's Internet is too heterogeneous for a single worm to infiltrate so many different platforms. But Global Integrity cyber law expert Mark Rasch—the attorney who prosecuted the Morris case—says the Net is just as vulnerable today as it was in 1988.

Morris, now working at MIT's Lab for Computer Sciences, declined comment for this article. But interviews with programmers who fought the worm, as well as court documents and Internet archives, paint a vivid picture of the disaster and the man behind it all.

Good Kid, Bad Move

Morris didn't set out to become a cyberpunk. And it's certainly unfair to lump Morris in with former dark-side hackers like Justin Tanner Petersen or media hounds like Kim Schmitz.

Morris' defenders say the worm incident was merely a complicated software experiment gone bad. "Rob was a curious guy who accidentally opened a Pandora's box," says a friend of Morris, who requested anonymity.

At the time of the worm incident, Morris was a first-year graduate student in Cornell University's computer science Ph.D. program. Morris wrote the worm in October 1988 and released it onto the Internet on Nov. 2 of that year. The worm infiltrated systems through holes in sendmail and the finger daemon, among other things. Its first target was a VAX server at MIT's Artificial Intelligence Lab. Morris selected MIT's systems to disguise the fact that the worm came from Cornell, according to court documents.

Morris designed the worm to ask Sun-3 and VAX systems whether they already had a local copy of the worm. The worm would skip systems that replied "yes." In theory, this would prevent the worm from copying itself endlessly and bogging down the Internet.

However, Morris was concerned that systems administrators would block the worm by programming their computers to falsely respond "yes." To beat that potential defensive measure, Morris programmed the worm to duplicate itself every seventh time it received a "yes" response, according to court documents.

Big Mistake

Morris' seven-to-one ratio turned out to be a fatal design flaw. The ratio wasn't high enough to slow the program's reproduction. The worm quickly spread from systems on the East Coast to the West Coast, and the Internet's first disaster was under way.
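The effect of the "every seventh yes" rule is easiest to see in a small load model. This is an added illustration written for this page, not Morris' code or anything from the court record; the host count, the round count and the deterministic probing order are assumptions chosen so the run is reproducible. It compares the intended rule (always honour a "yes") with the rule Morris actually shipped, and counts how many worm copies end up on each host.

```python
from typing import List, Optional

# Constructed model, not the worm's code: each infected host holds one or more
# worm copies; each copy probes one other host per round and is told "yes"
# when that host already carries a copy.
REINFECT_EVERY = 7  # per the court documents: duplicate on every seventh "yes"


class WormCopy:
    def __init__(self, host: int) -> None:
        self.host = host
        self.yes_count = 0  # "already infected" replies this copy has seen


def simulate(num_hosts: int, rounds: int, reinfect_every: Optional[int]) -> List[int]:
    """Return the number of worm copies sitting on each host after `rounds`.

    reinfect_every=None is the intended rule: a "yes" is always honoured, so a
    host never carries more than one copy. reinfect_every=7 is Morris' rule:
    every seventh "yes" is ignored and the target receives a second copy.
    """
    copies = [WormCopy(host=0)]  # patient zero
    infected = {0}
    for r in range(rounds):
        # Deterministic probing (an assumption for reproducibility): copy i on
        # host h probes host (h + i + r + 1) mod N, so every host is reached.
        for i, copy in enumerate(list(copies)):
            target = (copy.host + i + r + 1) % num_hosts
            if target not in infected:
                infected.add(target)
                copies.append(WormCopy(target))
                continue
            copy.yes_count += 1  # target replied "yes"
            if reinfect_every and copy.yes_count % reinfect_every == 0:
                copies.append(WormCopy(target))  # the design flaw: re-infect anyway
    load = [0] * num_hosts
    for c in copies:
        load[c.host] += 1
    return load


def compare(num_hosts: int = 16, rounds: int = 40) -> dict:
    """Summarise per-host load under both rules for the same hosts and rounds."""
    strict = simulate(num_hosts, rounds, None)
    morris = simulate(num_hosts, rounds, REINFECT_EVERY)
    return {"strict_total": sum(strict), "strict_max_per_host": max(strict),
            "morris_total": sum(morris), "morris_max_per_host": max(morris)}


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Under the strict rule the total never exceeds one copy per host; under the seven-to-one rule the copy count keeps climbing after every host is already infected, which is the CPU load the administrators quoted below describe.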

When Morris realized the worm was reproducing faster than he had expected, he contacted a friend at Harvard, Andy Sudduth. The two allegedly discussed fixes for the worm, according to court documents. Sudduth quickly posted an anonymous message on the Internet, warning users about a rapidly reproducing worm and instructing readers how to defeat it.

But Sudduth's message got blocked by a downed Internet gateway. In a cruel ironic twist, an administrator had shut down the gateway in an attempt to limit the worm's progress.

Sudduth's warning message didn't get through the gateway for about two days, but dozens of administrators around the world began to notice problems within hours of the worm's release.

Yee, a UC Berkeley student and a contract worker for NASA at the time, was among the first people to spot the problem. "I was up all night working through the Morris worm," says Yee, who now works for Spyrus, a security vendor in San Jose, Calif. "I don't think I got home until 7 a.m. the next day."

Yee posted a message about the problems to a TCP-IP mailing list within hours of the worm's release. With Sudduth's message still blocked, Yee's electronic dispatch was one of the first known communications about the worm. The message suggested turning off several services that the worm apparently used, including telnet, ftp, finger, rsh and SMTP.

"Turning off those services was the short-term fix," says Yee. "We left those services off while the research group worked to decompile it." Decompiling the worm was a critical step. This procedure unlocked the worm's source code, allowing researchers to identify security holes that Morris' program was exploiting. "Once you figure out how the program works, you can figure out which [security] holes to patch," says Yee.

Systems administrators at UC Berkeley, MIT and other schools worked around the clock for nearly two days to analyze the worm. By noon on Nov. 4, MIT and Berkeley had completely disassembled the worm. Most of the infected systems were back online within days of the incident.

Hit and Run

Researchers say the worm had an "attack and defense" design. First, the worm would locate Internet hosts and user accounts to penetrate, then it would exploit security holes on remote systems to pass across a copy of the worm. The worm also used three defense tactics: It changed its name to minimize intrusion detection; it moved into memory and deleted its own file-system data to cover its tracks; and it used a short burst of random numbers to test a connection before moving onto a system.

Fortunately, the worm had no malicious code. Unlike some recent viruses, the Morris worm didn't erase or corrupt any of the host's data, and it didn't attempt to steal any information.

"The [Morris] worm took systems down from load," says Eugene Spafford, a professor of computer sciences at Purdue University and a widely regarded security expert. "It didn't really damage systems."

"The Morris worm could have been a lot worse," adds Bostic, who now works for Sleepycat Software. "It just tied up the CPU. Imagine if the worm had been written to delete all of the host's data instead? Fortunately, most worm authors don't have malicious intent. It's mostly kids having fun and showing off. But every once in a while you get an _ _ _hole in the mix."

Such was the case last week, when NakedWife became the latest virus to spread across the Internet via Microsoft's Outlook program.

While the Morris worm moved from system to system without any user interaction, a virus like NakedWife (a.k.a. JibJab) needs unsuspecting users to propagate itself. NakedWife arrives as an e-mail attachment. When users activate the attachment, the virus wipes out vital Windows files and uses Outlook to e-mail itself to more unsuspecting users.

As we went to press, NakedWife had infected nearly 70 organizations. Virtually every major media outlet covered the story, yet NakedWife was a relatively minor disaster compared with the Morris Worm, which infected 10 percent of the Internet during its brief outbreak.

Famous Last Words

E-commerce proponents downplay the risk of another Morris-type outbreak. They point out that today's Net is built on a long list of heterogeneous operating systems—including Unix, Linux, Windows NT, Windows 2000, MacOS and so on.

In theory, the odds are relatively low that a single silver bullet could kill such a diverse system.

Yet those who fought the Morris worm believe history could repeat itself. "Something like that could certainly happen again," says Bostic. "As more and more Windows machines get connected to the Net, it could create a more homogeneous system with lots and lots of vulnerabilities."

That was the case with most recent Internet-related viruses, which used Outlook—Microsoft's nearly ubiquitous e-mail client—to propagate.

Experts say even the 13-year-old Morris Worm could take down some of today's Internet sites. Explains Purdue's Spafford: "The old worm would need to be updated to use current library calls appropriately, but the basic technology would still allow it to propagate a little—many sites still haven't fixed the remote login problem. If the Worm were updated to probe for buffer overflows in other programs than the finger daemon, then that would work, too. We still have companies releasing software with that form of bug in place."

So, does anyone actually still have the worm? Reveals Spafford: "I deleted that information years ago, although I may have it on tape somewhere."

Maybe there's a sequel in the making. Just don't offer the lead role to Robert T. Morris. He's not much for the limelight.
