Throwback Attack: The Morris Worm launches the first major attack on the internet

A hacker in the background.
Courtesy: CFE Media and Technology

The internet was still primitive in 1988. The entire network consisted of about 60,000 people, and was mostly limited to universities, research facilities and government offices. The World Wide Web, as we know it, was not even invented until the following year. In fact, “the internet” had never been mentioned in the venerable New York Times prior to Nov. 5, 1988, when the paper reported on the Morris Worm, which brought the fledgling computer network some unwanted attention and gave users a glimpse into the not-too-distant future.

On the morning of Nov. 3, 1988, 6,000 internet users — a full one-tenth of the “international group of computer communications networks, the internet,” as the Times article by John Markoff put it — woke up to an unwelcome surprise. When they booted up their systems, they found their programs were nearly ground to a halt, riddled with strange, repetitive instructions that made regular work (already a bit slow back then) all but impossible.

Again, the internet was new, and security was more of a theoretical concept than an actual set of defensive techniques intended to protect systems. As many reporters posited at the time, the internet was like a small town where users worried little about leaving their front doors unlocked at night. In this fledgling environment, the worm spread quickly, running itself over and over again and clogging up systems around the country. But the Morris Worm did more than that — it also shattered the cyber world’s early illusion of safety and changed the culture of the internet forever.

Catching the virus

If the internet was a safe, sleepy community, the Morris Worm shook it from its slumber. For the first time, the peace and calm of the nascent network had been disturbed, and the potential for future, more disruptive attacks made clear.

The Morris Worm was unleashed by 23-year-old Harvard alum and Cornell University grad student Robert Tappan Morris on the evening of Nov. 2, 1988. Morris was a computer science expert and the son of Robert Morris Sr., the chief scientist for a computer security arm of the National Security Agency (NSA). Morris had grown up around computers and was known for his skill, especially in Unix. Shortly after being accepted into Cornell, he started working on a program that could spread slowly and stealthily across the internet. Perhaps to cover his tracks, he hacked into an MIT computer from his terminal in Ithaca, New York, to release the worm.

By morning, thousands of computers around the country were clogged with copies of his program, which jumped from terminal to terminal like a particularly virulent virus. Government and university systems slowed to a crawl and emails were delayed, as the internet community and computer experts struggled to figure out how the malware worked and what could be done about it. Estimates by the U.S. Government Accountability Office put the damage done by the Morris Worm at somewhere between $10 million and $100 million.

In some ways, this was the first distributed denial-of-service (DDoS) attack, an attempt to disrupt normal operations on a network by overwhelming the target with a torrent of internet traffic. Unlike worms that would plague the internet decades later, such as ILOVEYOU, or major attacks like the ones on Colonial Pipeline or SolarWinds, the Morris Worm didn’t seek to destroy or encrypt files. It did, however, cause a panic among internet denizens. According to the FBI, some institutions wiped their systems, while others disconnected from the internet for weeks.

The Morris Worm is often thought of as the first internet virus, but viruses and worms operate differently. A virus requires external commands from a user to run its program, whereas a worm does not need a software host and can propagate on its own.

Morris took advantage of a hole in the Unix sendmail program, weak passwords and other vulnerabilities to gain access to systems at prestigious institutions and research centers like Harvard, Stanford, Berkeley, NASA and the Lawrence Livermore National Laboratory.

While an internet attack that impacted only 6,000 people seems almost quaint at this point, and would most certainly not draw the attention of the media, the Morris Worm caused quite a stir, making national headlines. For most people, it was the first time they had heard of both malware and the internet. No one really understood the scope or ramifications of what had occurred, but they knew it was scary and sensationalistic.

“I got one call from a newspaper in Southern Indiana,” Eugene Spafford, an assistant professor of computer science at Purdue, told the Washington Post. “The reporter asked me, in all earnestness, ‘Do our readers need to worry about catching this virus?'”

“Gosh, I don’t know,” Spafford deadpanned in response. “We don’t have a medical school. You ought to call the folks at Indiana University.”

Of course, none of this was part of Morris’ plan.

What was the Morris Worm?

What motivated Morris to unleash the first computer worm and tarnish the innocence of the early internet? Unlike other high-profile worms, the Morris Worm was apparently not designed to harm the network, destroy files or steal trade secrets. The graduate student appears to have been motivated by nothing more than intellectual curiosity. By all accounts, he never intended his worm to be destructive; he just wanted to know how big the internet was and highlight some of the weaknesses present at the time.

Just hours after releasing his work into the wild, however, Morris realized he had made a colossal mistake. He called a friend at a Harvard computer lab and asked him to post an anonymous message to Usenet, an internet bulletin board, with an apology and instructions on how to disable the worm. But because most computer experts were busy battling Morris’ creation and dealing with damaged computers, few saw the missive until they had already figured out the worm on their own.

The worm spread much more quickly and easily than Morris intended because of an unintentional coding oversight. The worm was programmed to check each computer to see if the infection was already present, but when it found an infected system, it didn’t just move on. Morris asked it to replicate itself 14% of the time, regardless of whether the computer was already infected. This resulted in many systems being infected multiple times, with each infection further slowing the computer’s operations. In other words, Morris’ program worked — a little too well.

It took researchers at Purdue and Berkeley about 72 hours to finally put an end to the world’s first internet worm.

The aftermath

After the incident became public, it didn’t take long for the FBI to figure out who was behind it. Morris was prosecuted under the relatively new Computer Fraud and Abuse Act, signed in 1986, which outlawed unauthorized access to protected computers. Morris was indicted in 1989, and a jury found him guilty the following year, making him the first person convicted under the new law. Because most agreed Morris didn’t have malicious intentions and was contrite about what he had done, he was spared jail time. He was ultimately charged with a single felony count, and sentenced to three years of probation, 400 hours of community service and a $10,000 fine.

Morris never spoke to the media about the worm in the ensuing years or tried to gain notoriety from the event, but he did continue to work with the internet. He earned his doctorate from Harvard in 1999, became a dot com millionaire and is now a tenured professor at MIT.

While the effects on Morris’ life were perhaps minimal, the incident had huge ramifications for the future of the internet. The Morris Worm taught a community just beginning to understand how vulnerable it was that cybersecurity needed to be taken seriously.

Shortly after the Morris Worm burrowed into the Internet, the Defense Advanced Research Projects Agency (DARPA) formed the Computer Emergency Response Team (CERT) to deal with future such incidents. The worm also showed a new generation of hackers what was possible and helped inspire many of the attacks that continue today.

Now, the Morris Worm is more of a curiosity, a nondestructive artifact of a simpler digital time, but it was also a clarion call signaling the internet’s “small town” ways were fast coming to an end.

The source code for the Morris Worm is now available online, and the original floppy disc is on display in Silicon Valley’s Computer History Museum.

“The rogue program … did not launch missiles, disrupt the stock market or shut down the telephone network,” wrote the New York Times. “But it did scare the wits out of a lot of people who run computer systems.”




Keep your finger on the pulse of top industry news