The Worm that Changed the Internet

"There might be a virus loose on the Internet. I'm sorry. Here are some steps to prevent further transmission."

An anonymous user sent this message to a network discussion board on November 2, 1988. It outlined three ways for system managers to avoid contracting one of the first network-wide worms in Internet history, but it was too late.

The network was already too bogged down for most people to receive the message. Even if the network hadn't ground to a halt under the weight of the self-replicating code, many of the system managers had already unplugged their sluggish, infected computers, and started the arduous cleaning and immunization process.

Around midnight on November 3, 1988, system managers at the Army's Ballistic Research Laboratory noticed their computers slowing down to a crawl as the worm stole precious computing processing time. Fearing a foreign attack, they pulled their computers off the nationwide network predating the Internet, called ARPAnet. At almost the same time, system managers at Rand Corporation, Stanford, MIT, Los Alamos National Laboratory, and NASA were doing the same thing.

The person who sent that message across the crippled network was Robert Tappan Morris, a computer science graduate student at Cornell known among his peers as a talented programmer and security specialist.

For nearly a year before breaking the Internet, he had been stealthily using UNIX backdoors via bugs in sendmail and finger daemon to surreptitiously enter computers all over the country, grab encrypted passwords, and decrypt them. He did these types of things in the spirit of what we'd today call ethical hacking, and also as an experiment. The 1988 worm was an experiment run amok.

The Internet's first pandemic

The goal of the program was to gauge the size of the Internet, which meant that it needed to enter as many computers as it could find. So, Morris cast the widest net possible by targeting the popular Sun Microsystems and VAX machine running UNIX.

As planned, the worm propagated the network by crashing the finger daemon, calling back across the network and bringing the entire body of the virus into the target computer. When it got into the computer, it would look for a copy of itself. As originally designed, if the worm found a copy, then it wouldn't replicate.

Morris also realized that programmers defending their system could easily trick the worm into thinking a copy of itself already existed. As a countermeasure, Morris programmed a randomization mechanism into the program. If the worm entered a computer and found a copy of itself, the two versions of the worm would "flip a coin" to determine which one should stop running. As a final measure to nearly guarantee the program's survival, he told the worm to never stop running regardless of whether it finds a version of itself in one out of every n computers.

The number he chose: 7.

The worm ignored the coin flip in one out of every seven computers. On a network of thousands of machines with almost no security features, what could possibly go wrong?

Awakening to the possibility of bad behavior

This scenario is unimaginable now, but in 1988, the Internet was quite different.

The Internet was conceived in the spirit of open collaboration by scientists who needed to share knowledge, information, and geographically-separated computing resources. There were certainly discussions about security, but ARPAnet had very few locked doors.

Scientists were initially the only ones who even had access to ARPAnet, and they didn't think that anyone would abuse the network in such a manner.

Before the Morris worm, ARPAnet was considered a safe community where security was a low priority, and a network-wide attack was still hypothetical among computer scientists. The Morris worm caught them off guard, and also opened their eyes to the destructive possibility.

What happened to Robert Morris?

Robert Morris was convicted on a number of felonies under the Computer Fraud and Abuse Act of 1986, and sentenced to three years probation, 400 hours of community service, a $10,050 fine, and the costs of his supervision. The court proceedings from United States v Morrisconclude that damages at each federal installation "ranged from $200 to more than $53,000." The Government Accountability Office estimated Morris caused up to $10 million in damages.

Many in his discipline shunned him, thinking his act criminal. Others saw it as a mistake, but not criminal. Everyone agreed that he should have checked his program in a test environment first.

You can still find the Morris worm source code on GitHub, but I'm pretty sure the original UNIX bugs have long since been fixed. Or at least I hope so.

Resources:

Where Wizards Stay Up Late: The Origins of the Internet by Katie Hafner and Matthew Lyon Outlaws and Hackers on the Computer Frontier by Katie Hafner and John Markoff Inventing the Internet by Janet Abbate

P.S. Not a subscriber? Start your free week.