The lost innocence of the web: the story of the first great cyber attack

On November 2, 1988, a program consisting of just 99 lines of code, written by a single student, was enough to disable 10% of the entire Internet at the time. The Morris Worm attack brutally exposed the fragile nature of the early, trust-based network, becoming the first major cyberattack in history and an event that changed perceptions of digital security forever.


On the evening of 2 November 1988, the computer centres of America’s most prestigious universities and research laboratories were in chaos. System administrators watched in disbelief as their powerful machines, the backbone of the fledgling Internet, slowed down and then froze completely.

In just 24 hours, the mysterious program infected around 6,000 of the 60,000 computers connected to the global network – crippling nearly 10 per cent of the entire internet at the time.

The incident, which became known as the ‘Morris Worm’ attack, was an unprecedented event.

It slowed down key military and university operations, and delayed email exchanges for days, severing the delicate threads of digital communication.

An experiment that got out of hand

The creator of the program was Robert Tappan Morris, a bright 23-year-old computer science student at Cornell University. His official motivations, later presented at trial, indicated a desire to “demonstrate the inadequacy of current security measures” or, according to other sources, an attempt to measure the size of the internet. To cover his tracks, Morris released the worm from a computer at MIT.

The Morris worm, unlike the primitive viruses of the time, was an advanced program. Its strength lay in its multi-vector nature – it used several different, independent methods to spread:

  • Software vulnerabilities: The worm exploited flaws in popular UNIX system programs, such as the sendmail mail server and the finger service, which was used to check user information. One of these methods was an early example of a buffer overflow attack, which involves sending a program more data than it expects, allowing the attacker to take control of it.
  • Abuse of trust: The program used trusted host mechanisms that allowed logins between machines on the network without a password.
  • Password cracking: The last resort was to guess passwords. The worm had a built-in dictionary of common words and tried simple combinations such as the username.

Fatal design error

The worm was intended to be discreet. It had a mechanism that checked whether a computer was already infected, to avoid multiple infections. However, Morris, fearing that system administrators might outsmart it, made a fatal modification to the code: even if a computer reported that it was already infected, the worm had a 14% probability of reinfecting it anyway.

This decision proved disastrous. Morris underestimated the power of exponential growth. Computers were repeatedly infected, and each successive copy of the worm launched new processes, rapidly consuming CPU and memory resources. Thus, through a single error in logic, a harmless experiment turned into a global denial-of-service attack that crippled the network.
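The runaway growth described above can be reproduced with a small mean-field model, added here as an illustration (it is not code from the worm or from the original article). The 60,000-host network and the 14% reinfection probability come from the text; the two spread attempts per copy per round and the model itself are assumptions.

```python
import math

N_HOSTS = 60_000       # network size quoted in the article
REINFECT_PROB = 0.14   # reinfection probability quoted in the article
ATTEMPTS = 2           # assumption: spread attempts per running copy per round


def simulate(reinfect_prob, rounds, n_hosts=N_HOSTS, attempts=ATTEMPTS):
    """Return [(infected_hosts, running_copies), ...], one entry per round."""
    infected = 1.0  # hosts running at least one copy
    copies = 1.0    # worm processes running across the whole network
    history = [(infected, copies)]
    for _ in range(rounds):
        total_attempts = copies * attempts
        # Attempts that land on a host reporting "already infected":
        # a fraction reinfect_prob of them starts another copy anyway.
        extra = total_attempts * (infected / n_hosts) * reinfect_prob
        # Each clean host is hit at least once with probability 1 - e^(-rate).
        clean = n_hosts - infected
        newly = clean * (1.0 - math.exp(-total_attempts / n_hosts))
        infected += newly
        copies += newly + extra
        history.append((infected, copies))
    return history


def copies_per_host(history):
    """Average number of worm processes on each infected host at the end."""
    infected, copies = history[-1]
    return copies / infected


def late_growth_factor(history):
    """Round-over-round growth of the copy count in the final round."""
    return history[-1][1] / history[-2][1]


if __name__ == "__main__":
    for p in (0.0, REINFECT_PROB):
        h = simulate(p, rounds=40)
        print(f"p={p:.2f}: {h[-1][0]:.0f} hosts infected, "
              f"{copies_per_host(h):.1f} copies per host")
```

When the "already infected" check is always honoured (p = 0), the number of copies can never exceed the number of hosts; with p = 0.14 the copy count keeps multiplying after every host is infected, which is the resource exhaustion the article describes.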

Digital immune response

Faced with an unprecedented crisis, the decentralised academic community had to self-organise. Over the next 48 hours, experts from centres such as MIT and UC Berkeley undertook a race against time, decompiling the worm’s code to understand its operation and create safeguards. Eugene Spafford of Purdue University played a key role, creating the ‘phage’ mailing list, which became an informal coordination centre for experts across the country.

As the technical chaos began to subside, the hunt for the culprit began. Morris, realising the consequences of his experiment, asked a friend to anonymously circulate a message with apologies and instructions on how to stop the bug. Unfortunately, due to network paralysis, the message never arrived in time. Shortly afterwards, The New York Times identified Morris as the culprit.

Legacy: The end of innocence and the birth of cyber security

Morris’ trial was historic. It was the first conviction under the recently enacted Computer Fraud and Abuse Act (CFAA). Robert Tappan Morris was found guilty and sentenced to three years of probation, 400 hours of community service and a fine.

The 2 November 1988 incident was a painful but necessary shock that ended the era of innocence on the Internet forever. Its consequences shaped the cyber security landscape for decades to come.

  • Birth of CERT: In response to the crisis, DARPA funded the creation of the world’s first computer incident response team, the Computer Emergency Response Team (CERT). It became a model for hundreds of similar organisations around the world.
  • The end of an era of trust: The Morris worm made the entire technology community realise that the network is inherently vulnerable and security must become an integral part of its architecture.
  • The start of an industry: The incident gave a powerful boost to the commercial cyber security industry, creating real demand for anti-virus software and firewalls.

It can be argued that the Morris Worm was a ‘happy disaster’. It exposed fundamental weaknesses early in the development of the web, long before the era of e-commerce and online banking. In doing so, it became a painful but necessary ‘vaccine’ for the internet that triggered a global immune response and allowed us to prepare for the much more dangerous pathogens of the future.
