11/4/2013 05:15 PM

25 Years After: The Legacy Of The Morris Internet Worm

A look at how worms have evolved from the infamous -- and relatively benign -- Internet worm of 1988 to targeted, destructive attacks

Stuart McClure was an undergraduate student at the University of Colorado in Boulder 25 years ago when dozens of the university's servers suddenly began crashing. The university, like other universities, government agencies, and organizations, had been hit with a historic computer worm that crippled thousands of machines around the Internet in an apparent informal research project gone wrong.

"I basically cut my teeth on the low-level reverse-engineering of that worm," recalls McClure, who analyzed the worm when he became a teaching assistant at the university. "I remember thinking, 'This was way too easy'" to execute, he says of the worm.

Nov. 2 marked the 25th anniversary of the infamous "Morris worm," the Internet's first major cybersecurity event that ultimately propelled the then-nascent Internet into a new world of rogue-code attacks on the once-hallowed ground of academia, research and development, military, and government communications. The worm was written and released by then-Cornell University computer science graduate student Robert Tappan Morris, who later confessed that he wrote the code as an experiment that had inadvertently spun out of his control.

A parade of high-profile worm infections has followed the Morris worm over the past three decades, including Code Red, Blaster, Sasser, ILoveYou, Nimda, and SQL Slammer, all of which were unleashed mainly to grab attention and wreak havoc and, like the Morris worm, mostly hurt victim organizations' productivity and operations without damaging their data. That traditionally had been the upside of worms: they were more of a headache than a destructive attack. But the worm's wrath has changed dramatically with the newest generation of worms, such as the targeted Stuxnet, aimed at sabotaging Iran's nuclear facility, and the Shamoon worm, which was unofficially identified as the malware that wiped data from some 30,000 machines at oil giant Saudi Aramco. These newest iterations make the Morris worm look quaint in comparison to their targeted and damage-inflicting missions.

"Anybody who would try to convince Saudi Aramco or RasGas that they don't have to worry about malicious worms [today] would get some pushback on that," says Eugene "Spaf" Spafford, a security industry pioneer who was one of the first to analyze the Morris worm, referring to the malicious data-wiping worms that hit those energy organizations last year.

Spaf, who is executive director of Purdue University's Center for Education and Research in Information Assurance and Security and a professor of computer sciences at Purdue, says the Morris worm's significance was more about its timing than about what it actually did. "It would have made news no matter what he had done because we had never seen anything like that," Spaf says. "Not many people had thought about the potential for anything like that" at the time, he says.

The Morris worm wasn't particularly elegant, either, according to Spaf and others who analyzed the code. Although Morris wrote it to exploit flaws in the Sendmail utility in Unix, his worm had some bugs of its own that caused it to go into overdrive and spread out of control. "The code was apparently unfinished and done by someone clever but not particularly gifted, at least in the way we usually associate with talented programmers and designers. There were many bugs and mistakes in the code that would not be made by a careful, competent programmer. The code does not evidence clear understanding of good data structuring, algorithms, or even of security flaws in Unix," Spaf wrote in his renowned 1988 analysis of the Morris worm (PDF).

[Internet security pioneer Eugene Spafford talks about why security has struggled even after its first big wake-up call 25 years ago, the Morris worm. See 'Spaf' On Security.]

NASA-Ames was reportedly one of the first to spot the Internet worm clogging its servers at the time; it wasn't long before other sites were experiencing similar symptoms of unusual files showing up in some machine directories, and odd messages in Sendmail's log files. But it was when those computers became overloaded and infected over and over again as the worm replicated itself on each machine that some machines fell over altogether under the weight of it.

McClure, founder and CEO/president of Cylance and former global CTO and general manager of the Security Management Business Unit for McAfee/Intel, remembers knowing right away that the worm had reached the University of Colorado's servers when systems began going down with no explanation.

The multiplatform capability of the worm -- it infected then-pervasive Unix-based Sun Microsystems Sun 3 and DEC VAX computers running 4BSD versions of Unix connected to the Internet -- impressed McClure. "It was multiplatform, which was really cool," he says. "It was not just Sendmail, but other pieces that it went after and exploited features.

"When I looked at the code ... it was fascinating. That really kicked off my [security] career."

The Internet has come a long way since 1988, for sure, but there are some hauntingly familiar themes in both the Morris worm and today's threats. Not only did Morris exploit weak passwords in the systems (sound familiar?), but he also exploited a buffer overflow vulnerability, a type of software bug still abused today, notes Marc Maiffret, CTO at BeyondTrust.

Maiffret and colleague Ryan Permeh at eEye Digital Security in July 2001 discovered Code Red. They named it after the cherry Mountain Dew soda of the same name that the two were drinking while they picked apart the worm, which ultimately infected some 350,000 servers running Microsoft's IIS.

Worms throughout history have reflected the times, he says. "If you look at the Morris worm ... it started as seeing if something would work. It was not meant to be malicious in any specific way," he says. "Code Red was very similar in a way, although both worms were written with different intentions ... Code Red had a payload to attack the White House's Web server, but it was not that well-written, and it was malicious in more of a, 'Hey, look at me,'" way, he says.

Cybercrime was still in its infancy in 2001 as well, he notes, and the hackers behind Code Red and earlier worms were more interested in exploration or making a name for themselves than in profit. "Code Red was a good [example] of that middle ground. It was not cybercrime and stealing. It was really more to make a name or put out a message, just to make a statement. That mirrored the culture of what was happening" in hacking at the time, he says.

The Morris worm, Code Red, and other early worms were considered more of a nuisance, but they also are credited with raising awareness among the security and user communities.

Fast-forward to today's worms, however, and awareness is the least of victims' worries. With a lucrative cybercrime landscape and cyberespionage driving most of today's malware and hacking, worms mostly play a different role. "They are very tailored and very specific," Maiffret says. Worms today are deployed via automated command-and-control infrastructures and attempt to remain stealthier, for cyberspying purposes, for instance. "The goal there is to be stealthy, not make a name, and extract data," Maiffret says.

But worms are not the most popular form of malware for most attackers, mainly because it's difficult to remain stealthy while spreading to a specific target without triggering any alarms. Stuxnet, meanwhile, was built to reach an air-gapped environment by spreading in a worm-like manner. "You can't sit there at the computer and do a targeted attack of an air-gapped network. You need something automated that can find its way" in by propagating itself in a controlled way, Maiffret says.

But even the highly sophisticated Stuxnet worm was eventually found out when it landed outside its target zone. "You don't want it to end up detected somewhere or on a researcher's site where it can be reverse-engineered," he says. "Worm-like characteristics are for automatically spreading, but how do you control it? Look how we've seen plenty of mistakes [with targeted worms]."

Then there are the fast-moving, destructive worms like the one that hit Saudi Aramco. It snuck in, but then loudly wiped data from some 30,000-plus Windows machines. "That is definitely a different animal. We've seen old viruses back in the day that at a specific date messed up the BIOS so the system would not boot," Maiffret says. "It was weird that they were using some stealth and also characteristics that are frankly similar to things we have seen more than 10 years ago."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

cbabcock, 11/6/2013 | 2:58:13 AM
re: 25 Years After: The Legacy Of The Morris Internet Worm
Great historical review by Kelly Jackson Higgins of the Morris worm, which was for its time thinking far outside the box. We needed a warning that a poorly administrated Internet server was a dangerous thing, and Robert Morris provided it. I've not read before that it was poorly engineered. Nor is that what interests me. It was Morris' ability to see an opportunity that had been inadvertently created by the pell-mell expansion of the Internet that's of interest. We should not forget that it's possible for a large group of people to do one thing with positive goals and at the same time create an opportunity for someone bent on mischief, or worse.