Morris worm turns 20: Look what it's done

The Internet will mark an infamous anniversary on Sunday, when the Morris worm turns 20.

Considered the first major attack on the 'Net, the Morris worm served as a wake-up call to the Internet engineering community about the risk of software bugs, and it set the stage for network security to become a valid area of research and development. (Watch a slideshow of the 10 worst moments in network security history.)

"It was a really big deal," says Eric Allman, a computer programmer who in 1981 authored sendmail, open source Internet e-mail software, while he was a student at the University of California. Today, Allman serves as chief science officer at Sendmail, a company that sells commercial-grade versions of the software.

"The biggest implication of the Morris worm was that the Internet was very small ... and it was considered a friendly place, a clubhouse," Allman says. "This [attack] made it clear that there were some people in that clubhouse who didn't have the best interests of the world in mind ... This made it clear we had to think about security."

Despite the high-profile nature of the worm, some experts say its importance was not fully appreciated at the time.

"The really interesting lesson of the Morris Worm is how little long-term impact it had," says Steve Bellovin, a professor in the Department of Computer Science at Columbia University who was developing an early firewall at Bell Labs when the attack occurred. "It showed people who cared how dangerous buggy software could be, but nobody else really paid that much attention to network security afterwards. It wasn't until the mid-1990s that it became an issue again."

The Morris worm was written by Cornell University student Robert Tappan Morris, who was later convicted of computer fraud for the incident. Today, Morris is a respected associate professor of computer science at MIT.

Launched around on November 2, 1988, the Morris worm disabled approximately 10 percent of all Internet-connected systems, which were estimated at more than 60,000 machines.

The Morris worm was a self-replicating program that exploited known weaknesses in common utilities including sendmail, which is e-mail routing software, and Finger, a tool that showed which users were logged on to the network.

The Morris worm was able to break into Sun 3 systems and Digital VAX computers running BSD Unix. The fast-spreading worm kept copying itself and infecting computers multiple times, causing many systems to fail.

Page Break

"At first, we had no idea who sent the worm," Allman says. "It was quite clear it was intentional, but we had no clue who it was or why it was sent. There was a sense of panic at the time, which was unfortunate but very understandable."

The attack disrupted Internet connectivity for several days, prompting some organizations including the US Department of Defense to unplug their Internet gateways to prevent infection.

"People disconnected from the network because they were afraid of what might happen," Allman says. "One of the ironies is that disconnecting from the 'Net also broke down our major communications channel. That's why it took longer to get everyone back up."

At the time the worm was launched, the Internet had no commercial traffic or Web sites. Damage was limited to researchers at government agencies, universities and a handful of corporations who used the network to exchange e-mail and transfer files. Nonetheless, the attack was covered widely by mainstream publications such as The New York Times.

"The Morris worm was the first time most people ever heard the word 'Internet,'" Bellovin says. "For most people, it was a novelty, a strange and wondrous world ... and one rogue operator could take it down. Nobody had ever heard of the Internet unless you were a computer scientist."

For some, the Morris worm was a career-changing event. Eugene Spafford was an assistant professor of computer science at Purdue University when Morris hit. Today, Spafford is executive director of Purdue's Center for Education and Research in Information Assurance and Security, and he is an internationally recognized authority on Internet security issues.

"I had been told by my advisors there was no future in applied computer security research," Spafford says. "When this happened, suddenly a whole lot of people realized that the development of systems had leapfrogged the controlled, mainframe environment and a different kind of security model needed to be observed.... We needed a more engineering approach, a more practical approach."

The Great Worm

The Morris worm was the first major worm attack, and it was dubbed "The Great Worm" in a reference to Tolkein.

Page Break

Previously, researchers had been developing benevolent worms that could be used to automatically install software updates, but no one had launched a malicious worm onto a network in an uncontrolled fashion.

The Morris worm served as a precursor to other well-known worm attacks including 1999's Melissa, 2001's Code Red and 2003's Slammer, all of which targeted systems running Microsoft software.

Lately worms have been less popular attacks than viruses or e-mails with URLs that point to malicious Web sites.

"Worms are actually relatively rare compared to the number of virus attacks," Allman says. "For the average user, phishing is a worse problem."

"We haven't seen a big Internet-clogging worm in several years, and there are several reasons for that including the increasing prevalence of [network address translation] boxes and personal firewalls that make it difficult for a worm to do the scanning the way the Morris worm did," Bellovin says.

The Morris worm foreshadowed how future distributed denial-of-service attacks would be used to overload systems and knock them off the Internet.

"There had never been a simultaneous large-scale security event prior to that," Spafford says. "It was the first significant denial-of-service issue that came to people's attention related to computing. And it was the first event that crossed vendor platforms because it attacked Berkeley Unix and Sun systems, and in that regard I would say we haven't seen many other incidents like that. Most incidents have been directed at one vendor's platform."

Spafford likens the Morris worm to today's botnets, which are large volumes of compromised computers used to send spam.

"The software that turns systems into zombies and adds them to botnets are like slow-moving worms," Spafford says. "They don't cause a denial of service, but they do create a slow infiltration and they spread to other machines automatically. There are quite literally millions of machines -- some estimates are 100 million machines -- that are inside botnets."

While the Morris worm was a high-profile attack that took down large swaths of the Internet, today's Internet attacks are focused on individual systems and tend to be stealthy. Instead of curious college students breaking into systems for bragging rights, it's more common to see criminals infect systems with viruses designed to be invisible.

Page Break

"The focus of today's Internet attacks are profits, and there are no profits in taking down the Internet," Bellovin says. "The sophisticated bad guys are being much more careful about the way they attack systems."

Although it caused far less damage than follow-on attacks, the Morris worm is remembered for its impact on the computer science community.

"The Morris worm opened up computer security as a legitimate topic," Allman says. "Before that, there were a few people who worked on computer security and they were mostly cryptographers, but the concept of computer security as a field of study was legitimized a lot by that."