The day computer security turned real: The Morris Worm turns 30

On Nov. 2, 1988, I was working at NASA’s Goddard Space Flight Center in the data communications branch. Everything was fine. Then, our internet servers running SunOS and VAX/BSD Unix slowed to a stop. It was a bad day.

We didn’t know it yet, but we were fighting the Morris Internet Worm. Before the patch was out, 24 hours later, 10 percent of the internet was down, and the rest of the network had slowed to a crawl. We were not only facing the first major worm attack, we were seeing the first distributed denial-of-service (DDoS) attack.

Unlike the hundreds of thousands of hackers that would follow, Robert Tappan Morris, then a graduate student at Cornell, wasn’t trying to “attack” the internet’s computers. He thought his little experiment would spread far more slowly and not cause any real problems. He was wrong.

Well, that’s what he said afterward. I’m also not at all certain that that was the case.

Consider: the Morris worm had three attack vectors: sendmail, fingerd, and rsh/rexec. It also used one of the now-classic attack methods: a stack overflow.

It was also one of the first attack programs to use what we’d call a dictionary attack with its list of popular passwords. The passwords and other strings were hidden in the Worm’s binary by XORing, a simple encryption method.
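Why XOR counts only as a "simple" method, as an added example (not code from the Worm or from this article): a known-plaintext search tries every single-byte key for strings an analyst expects in a Unix program, then dumps everything hidden under the key it recovers. The single-byte key, its value 0x5A, the sample bytes and the function names are all constructed for illustration.

```python
"""Known-plaintext search for single-byte XOR string obfuscation (constructed demo)."""

def find_xor_keys(data, needles):
    """Return {key: [(offset, needle), ...]} for each key that exposes a needle."""
    hits = {}
    for key in range(1, 256):              # key 0 would leave the text in the clear
        for needle in needles:
            masked = bytes(b ^ key for b in needle)
            pos = data.find(masked)
            while pos != -1:
                hits.setdefault(key, []).append((pos, needle))
                pos = data.find(masked, pos + 1)
    return hits

def decode_strings(data, key, min_len=5):
    """XOR data with key and return (offset, text) for printable ASCII runs."""
    decoded = bytes(b ^ key for b in data)
    runs, start = [], None
    for i, b in enumerate(decoded + b"\x00"):   # sentinel closes a trailing run
        if 0x20 <= b <= 0x7E:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                runs.append((start, decoded[start:i].decode("ascii")))
            start = None
    return runs

# Constructed sample: filler bytes around a NUL-separated string table that was
# XORed with an arbitrary key chosen for this demo (an assumption, not a real value).
DEMO_KEY = 0x5A
FILLER = bytes([0xC3, 0x90, 0xFF, 0xE8] * 4)
TABLE = b"/etc/passwd\x00/bin/sh\x00guest\x00secret\x00"
SAMPLE = FILLER + bytes(b ^ DEMO_KEY for b in TABLE) + FILLER

# Strings an analyst would expect somewhere in a Unix program.
NEEDLES = [b"/etc/passwd", b"/bin/sh"]

if __name__ == "__main__":
    for key, found in find_xor_keys(SAMPLE, NEEDLES).items():
        print(f"key 0x{key:02x}: {found}")
        for offset, text in decode_strings(SAMPLE, key):
            print(f"  {offset:4d}  {text}")
```

Two expected path names are enough to pin down the key, after which the rest of the hidden table falls out in one pass.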

Morris also tried to hide his tracks. He started the worm from an MIT computer. It hid its files by unlinking them after trying to infect as many other servers as possible.

Even without a malicious payload, the Worm did serious damage. Infected systems were soon doing nothing but trying to spread the worm, which slowed them to a crawl. Some, most of them running SunOS, a Unix variant and the ancestor of Solaris, crashed under the load.

In the meantime, Morris, who included code to keep the worm from spreading too fast, had realized he was no longer in control. Morris called a friend, who subsequently said Morris “seemed preoccupied and appeared to believe that he had made a ‘colossal’ mistake.”

He had indeed. Thanks to efforts led by Eugene “Spaf” Spafford, then an assistant professor of computer science at Purdue University and current editor-in-chief of Computers and Security, the Worm was conquered.

Before the Worm was finished, it successfully attacked about 6,000 of the 1988 internet’s 60,000 servers. In the aftermath, DARPA created the first CERT/CC (Computer Emergency Response Team/Coordination Center) at Carnegie Mellon University to deal with future security attacks.

But the Worm’s biggest legacy to date was that it started wave after wave of computer and internet attacks. If Robert Morris hadn’t done it, someone else would have. But, regardless, today we live in a world where a day doesn’t go by without a serious attack.

Twitter personality SwiftOnSecurity recently asked: “When will computer security be fixed?” My answer is “never.”

