Historic Hacks – The Morris Worm
Welcome to Historic Hacks, where we’ll be shining a light on some of the more notable hacks in history. Today we’ll be traveling back to the 2nd November 1988, and looking at the Morris worm.
The Morris Worm story
The Morris Worm was created by Robert Tappan Morris, whose claimed intent was to try to map out the scale of the internet as it stood at the tail end of the 1980s. He wrote software designed to spread itself between computers on the internet with no intention or design to cause damage to the machines that it found. Unfortunately for Morris, he didn’t create it quite as he hoped, and his worm caused a raft of problems.
The worm was designed to spread by making use of known flaws in Sendmail, Finger and rsh/rexec. It also made use of weak passwords to brute force its way into systems. The worm came in two parts. The first part was installed on the compromised system and then attempted to download the main body of the worm, which would then go about infecting other computers. The main body of the worm could only run on DEC VAX computers, though the first part of the worm could run on others.
Design flaw gone rogue
While this worm in itself would have been relatively harmless, and would likely have gone unnoticed for some time, it had a critical flaw that caused the wider problems. The worm would spread indiscriminately from system to system, so Morris added functionality whereby it could check if the system it was trying to infect was previously infected. If it determined that the system was already infected, it could, in turn, avoid infecting it. Realizing that this feature could be used against the worm to stop it spreading, Morris added a randomization factor, meaning that it would attempt to infect 1 in 7 systems that reported already being infected.
Unfortunately, this meant that the worm could end up running multiple infection attempts on the same system. When out in the wild, the speed at which the worm spread meant that this is exactly what happened; those infection attempts were also successful, and many systems ended up running multiple copies of the worm. As the number of copies running on those systems increased, the amount of resources consumed by the worm increased until the systems crashed. This turned a relatively harmless piece of malware into something destructive. It was reported to have infected 10% of systems connected to the internet at the time, including systems at universities, the Pentagon and NASA.
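To see why the 1-in-7 override mattered, the following added example (not code from the worm or from the original article) models copy counts per host with and without the override. The host count, round count, seed and the one-target-per-copy-per-round behaviour are assumptions chosen for illustration; nothing here touches a network.

```python
import random

def simulate(hosts=50, rounds=30, reinfect_prob=1/7, seed=1988):
    """Return the number of worm copies on each host after `rounds` rounds.

    Simplified model (an assumption, not the worm's real logic): every
    running copy picks one random host per round. A clean host is always
    infected. A host that reports "already infected" is infected anyway
    with probability `reinfect_prob`.
    """
    rng = random.Random(seed)   # fixed seed so runs are repeatable
    copies = [0] * hosts
    copies[0] = 1               # constructed starting point: one infected host
    for _ in range(rounds):
        new = [0] * hosts
        for _ in range(sum(copies)):        # each copy makes one attempt
            target = rng.randrange(hosts)
            already = copies[target] + new[target] > 0
            if not already or rng.random() < reinfect_prob:
                new[target] += 1
        copies = [c + n for c, n in zip(copies, new)]
    return copies

def summarize(copies):
    """Reduce per-host counts to the figures that indicate host load."""
    return {
        "infected_hosts": sum(1 for c in copies if c),
        "total_copies": sum(copies),
        "max_copies_on_one_host": max(copies),
    }

if __name__ == "__main__":
    # Strict check: never re-infect. Override: re-infect 1 time in 7.
    for label, p in (("strict check", 0.0), ("1-in-7 override", 1 / 7)):
        print(f"{label:16s} {summarize(simulate(reinfect_prob=p))}")
```

With the strict check the total number of copies can never exceed the number of hosts; with the override, every already-infected host keeps accumulating copies, so load keeps growing after the whole population is infected.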
Thus malware was born…
While Morris’s worm contained no code that indicated any malicious intent on his part, the fallout from the problems the worm caused led to Morris being the first malware writer to be convicted, and also the first person prosecuted using the 1986 computer fraud law. This led to a $10,000 fine, 400 hours of community service and a three-year probation period.
A legacy of this worm was highlighting the importance of bug finding and fixing in software to prevent similar events from occurring again. The Morris Worm led to the creation of the Computer Emergency Response Team (CERT), which organized information about vulnerabilities and security in computer systems and responses to them. These days, many countries operate their own CERT teams. Similar to Morris’s worm, modern white hat hackers create malware and tools like this to both exploit and gauge vulnerabilities in systems while not intending to cause damage. Their use against systems is normally carried out with permission, or with care to ensure that the tools don’t cause problems for others. Tools specifically exploiting flaws in software are used as evidence when disclosing them to software writers.