Morris (computer worm)
Encyclopedia
The Morris worm or Internet worm of November 2, 1988 was one of the first computer worm
s distributed via the Internet
. It is considered the first worm and was certainly the first to gain significant mainstream media attention. It also resulted in the first conviction in the US under the 1986 Computer Fraud and Abuse Act
. It was written by a student at Cornell University
, Robert Tappan Morris
, and launched on November 2, 1988 from MIT
.
sendmail
, finger
, and rsh
/rexec, as well as weak passwords . Due to reliance on rsh
(normally disabled on untrusted networks) it should not succeed with the recent properly configured system.
A supposedly unintended consequence of the code, however, caused it to be more damaging: a computer could be infected multiple times and each additional process would slow the machine down, eventually to the point of being unusable. This would have the same effect as a fork bomb
and crash the computer. The main body of the worm could only infect DEC
VAX
machines running 4BSD
, and Sun-3
systems. A portable C
"grappling hook" component of the worm was used to pull over (download) the main body, and the grappling hook could run on other systems, loading them down and making them peripheral victims.
's mantra
, "Randomization." To compensate for this possibility, Morris directed the worm to copy itself even if the response is "yes", 1 out of 7 times. This level of replication proved excessive and the worm spread rapidly, infecting some computers multiple times. Morris remarked, when he heard of the mistake, that he "should have tried it on a simulator first."
put the cost of the damage at $10M–100M.
The Morris worm prompted DARPA
to fund the establishment of the CERT/CC
at Carnegie Mellon University
to give experts a central point for coordinating responses to network emergencies. Gene Spafford
also created the Phage mailing list to coordinate a response to the emergency.
Robert Morris was tried and convicted of violating United States Code
: Title 18 , the Computer Fraud and Abuse Act
. in United States v. Morris
. After appeals he was sentenced to three years probation, 400 hours of community service, and a fine of $10,000.
The Morris worm has sometimes been referred to as the "Great Worm", because of the devastating effect it had on the Internet at that time, both in overall system downtime and in psychological impact on the perception of security and reliability of the Internet. The name was derived from the "Great Worms" of Tolkien
: Scatha and Glaurung
.
Computer worm
A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...
s distributed via the Internet
Internet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
. It is considered the first worm and was certainly the first to gain significant mainstream media attention. It also resulted in the first conviction in the US under the 1986 Computer Fraud and Abuse Act
Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1986, intended to reduce cracking of computer systems and to address federal computer-related offenses...
. It was written by a student at Cornell University
Cornell University
Cornell University is an Ivy League university located in Ithaca, New York, United States. It is a private land-grant university, receiving annual funding from the State of New York for certain educational missions...
, Robert Tappan Morris
Robert Tappan Morris
Robert Tappan Morris, , is an American computer scientist, best known for creating the Morris Worm in 1988, considered the first computer worm on the Internet - and subsequently becoming the first person convicted under the Computer Fraud and Abuse Act.He went on to co-found the online store...
, and launched on November 2, 1988 from MIT
Massachusetts Institute of Technology
The Massachusetts Institute of Technology is a private research university located in Cambridge, Massachusetts. MIT has five schools and one college, containing a total of 32 academic departments, with a strong emphasis on scientific and technological education and research.Founded in 1861 in...
.
Architecture of the worm
According to its creator, the Morris worm was not written to cause damage, but to gauge the size of the Internet. However, the worm was released from MIT to disguise the fact that the worm originally came from Cornell. Additionally, the Morris worm worked by exploiting known vulnerabilities in UnixUnix
Unix is a multitasking, multi-user computer operating system originally developed in 1969 by a group of AT&T employees at Bell Labs, including Ken Thompson, Dennis Ritchie, Brian Kernighan, Douglas McIlroy, and Joe Ossanna...
sendmail
Sendmail
Sendmail is a general purpose internetwork email routing facility that supports many kinds of mail-transfer and -delivery methods, including the Simple Mail Transfer Protocol used for email transport over the Internet....
, finger
Finger protocol
In computer networking, the Name/Finger protocol and the Finger user information protocol are simple network protocols for the exchange of human-oriented status and user information.-Name/Finger protocol:...
, and rsh
Remote Shell
The remote shell is a command line computer program that can execute shell commands as another user, and on another computer across a computer network.The remote system to which rsh connects runs the rshd daemon...
/rexec, as well as weak passwords . Due to reliance on rsh
Remote Shell
The remote shell is a command line computer program that can execute shell commands as another user, and on another computer across a computer network.The remote system to which rsh connects runs the rshd daemon...
(normally disabled on untrusted networks) it should not succeed with the recent properly configured system.
A supposedly unintended consequence of the code, however, caused it to be more damaging: a computer could be infected multiple times and each additional process would slow the machine down, eventually to the point of being unusable. This would have the same effect as a fork bomb
Fork bomb
In computing, the fork bomb is a form of denial-of-service attack against a computer system which makes use of the fork operation whereby a running process can create another running process...
and crash the computer. The main body of the worm could only infect DEC
Digital Equipment Corporation
Digital Equipment Corporation was a major American company in the computer industry and a leading vendor of computer systems, software and peripherals from the 1960s to the 1990s...
VAX
VAX
VAX was an instruction set architecture developed by Digital Equipment Corporation in the mid-1970s. A 32-bit complex instruction set computer ISA, it was designed to extend or replace DEC's various Programmed Data Processor ISAs...
machines running 4BSD
Berkeley Software Distribution
Berkeley Software Distribution is a Unix operating system derivative developed and distributed by the Computer Systems Research Group of the University of California, Berkeley, from 1977 to 1995...
, and Sun-3
Sun-3
Sun-3 was the name given to a series of UNIX computer workstations and servers produced by Sun Microsystems, launched on September 9th, 1985. The Sun-3 series were VMEbus-based systems similar to some of the earlier Sun-2 series, but using the Motorola 68020 microprocessor, in combination with the...
systems. A portable C
C (programming language)
C is a general-purpose computer programming language developed between 1969 and 1973 by Dennis Ritchie at the Bell Telephone Laboratories for use with the Unix operating system....
"grappling hook" component of the worm was used to pull over (download) the main body, and the grappling hook could run on other systems, loading them down and making them peripheral victims.
The mistake
The critical error that transformed the worm from a potentially harmless intellectual exercise into a virulent denial of service attack was in the spreading mechanism. The worm could have determined whether to invade a new computer by asking if there was already a copy running. But just doing this would have made it trivially easy to kill; everyone could just run a process that would answer "yes" when asked if there was already a copy, and the worm would stay away. The defense against this was inspired by Michael RabinMichael O. Rabin
Michael Oser Rabin , is an Israeli computer scientist and a recipient of the Turing Award.- Biography :Rabin was born in 1931 in Breslau, Germany, , the son of a rabbi. In 1935, he emigrated with his family to Mandate Palestine...
's mantra
Mantra
A mantra is a sound, syllable, word, or group of words that is considered capable of "creating transformation"...
, "Randomization." To compensate for this possibility, Morris directed the worm to copy itself even if the response is "yes", 1 out of 7 times. This level of replication proved excessive and the worm spread rapidly, infecting some computers multiple times. Morris remarked, when he heard of the mistake, that he "should have tried it on a simulator first."
Effects of the worm
It is usually reported that around 6,000 major UNIX machines were infected by the Morris worm. Paul Graham has claimed that"I was there when this statistic was cooked up, and this was the recipe: someone guessed that there were about 60,000 computers attached to the Internet, and that the worm might have infected ten percent of them."The U.S. GAO
Government Accountability Office
The Government Accountability Office is the audit, evaluation, and investigative arm of the United States Congress. It is located in the legislative branch of the United States government.-History:...
put the cost of the damage at $10M–100M.
The Morris worm prompted DARPA
Defense Advanced Research Projects Agency
The Defense Advanced Research Projects Agency is an agency of the United States Department of Defense responsible for the development of new technology for use by the military...
to fund the establishment of the CERT/CC
CERT Coordination Center
The CERT Coordination Center was created by DARPA in November 1988 after the Morris worm struck. It is a major coordination center in dealing with Internet security problems....
at Carnegie Mellon University
Carnegie Mellon University
Carnegie Mellon University is a private research university in Pittsburgh, Pennsylvania, United States....
to give experts a central point for coordinating responses to network emergencies. Gene Spafford
Gene Spafford
Eugene Howard Spafford , commonly known as Spaf, is a professor of computer science at Purdue University and a leading computer security expert....
also created the Phage mailing list to coordinate a response to the emergency.
Robert Morris was tried and convicted of violating United States Code
United States Code
The Code of Laws of the United States of America is a compilation and codification of the general and permanent federal laws of the United States...
: Title 18 , the Computer Fraud and Abuse Act
Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1986, intended to reduce cracking of computer systems and to address federal computer-related offenses...
. in United States v. Morris
United States v. Morris
United States v. Morris was an appeal of the conviction of Robert Tappan Morris for creating and releasing the Morris worm, one of the first Internet-based worms. This case resulted in the first conviction under the Computer Fraud and Abuse Act...
. After appeals he was sentenced to three years probation, 400 hours of community service, and a fine of $10,000.
The Morris worm has sometimes been referred to as the "Great Worm", because of the devastating effect it had on the Internet at that time, both in overall system downtime and in psychological impact on the perception of security and reliability of the Internet. The name was derived from the "Great Worms" of Tolkien
J. R. R. Tolkien
John Ronald Reuel Tolkien, CBE was an English writer, poet, philologist, and university professor, best known as the author of the classic high fantasy works The Hobbit, The Lord of the Rings, and The Silmarillion.Tolkien was Rawlinson and Bosworth Professor of Anglo-Saxon at Pembroke College,...
: Scatha and Glaurung
Glaurung
Glaurung is a fictional character in J. R. R. Tolkien's fictional Middle-earth legendarium. He is introduced in The Silmarillion as the first of the Dragons. He is also a major antagonist in The Children of Húrin. He was known as The Deceiver, The Golden, The Great Worm and the Worm of...
.
See also
- Notable computer viruses and worms
- Buffer overflowBuffer overflowIn computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety....
External links
- Cornell commission findings – in the ACM Digital Library ((from the abstract: "sheds new light and dispels some myths"))
- the full text of The Cornell commission findings (.pdf) is also available via paid subscription from the ACM Digital Library
- Archive of worm material, incl. papers and code
- An analysis of the worm by Eugene Spafford
- An analysis of the worm by Mark Eichin and Jon Rochlis
- "The Morris Internet Worm" by Charles Schmidt and Tom Darby
- RFC 1135 – "Helminthiasis of the Internet" – an analysis of the worm infestation
- A Report On The Internet Worm, by Bob Page, University of Lowell
- "A Tour of the Worm" by Donn Seeley, Department of Computer Science University of Utah This paper provides a chronology for the outbreak and presents a detailed description of the internals of the worm, based on a C version produced by decompiling.
- "With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988" by Mark W. Eichin and Jon A. Rochlis, Massachusetts Institute of Technology dated February 9, 1989 We present the chronology of events as seen by our team at MIT...