25 Years After: The Legacy Of The Morris Internet Worm

A look at how worms have evolved from the infamous -- and relatively benign -- Internet worm of 1988 to targeted, destructive attacks

Stuart McClure was an undergraduate student at the University of Colorado in Boulder 25 years ago when dozens of the university's servers suddenly began crashing. The university, like other universities, government agencies, and organizations, had been hit with a historic computer worm that crippled thousands of machines around the Internet in an apparent informal research project gone wrong.

"I basically cut my teeth on the low-level reverse-engineering of that worm," recalls McClure, who analyzed the worm when he became a teaching assistant at the university. "I remember thinking, 'This was way too easy'" to execute, he says of the worm.

Nov. 2 marked the 25th anniversary of the infamous "Morris worm," the Internet's first major cybersecurity event that ultimately propelled the then-nascent Internet into a new world of rogue-code attacks on the once-hallowed ground of academia, research and development, military, and government communications. The worm was written and released by then-Cornell University computer science graduate student Robert Tappan Morris, who later confessed that he wrote the code as an experiment that had inadvertently spun out of his control.

A parade of high-profile worm infections has followed the Morris worm during the past three decades, including Code Red, Blaster, Sasser, ILoveYou, Nimda, and SQL Slammer, all of which were unleashed mainly to grab attention and wreak havoc and, like the Morris worm, hurt victim organizations' productivity and operations without damaging their data. That traditionally had been the upside of worms: they were more of a headache than a destructive attack. But the worm's wrath has changed dramatically with the newest generation of worms, such as the targeted Stuxnet aimed at sabotaging Iran's nuclear facility, and the Shamoon worm, which was unofficially identified as the worm that wiped data from some 30,000 machines at oil giant Saudi Aramco. These newest iterations make the Morris worm look quaint in comparison to their targeted and damage-inflicting missions.

"Anybody who would try to convince Saudi Aramco or RasGas that they don't have to worry about malicious worms [today] would get some pushback on that," says Eugene "Spaf" Spafford, a security industry pioneer who was one of the first to analyze the Morris worm, referring to the malicious data-wiping worms that hit those energy organizations last year.

Spaf, who is executive director of Purdue University's Center for Education and Research in Information Assurance and Security and a professor of computer sciences at Purdue, says the Morris worm's significance was more a matter of its timing than of its technical impact. "It would have made news no matter what he had done because we had never seen anything like that," Spaf says. "Not many people had thought about the potential for anything like that" at the time, he says.

The Morris worm wasn't particularly elegant, either, according to Spaf and others who analyzed the code. Although Morris wrote it to exploit flaws in the Sendmail utility in Unix, his worm had some bugs of its own that caused it to go into overdrive and spread out of control. "The code was apparently unfinished and done by someone clever but not particularly gifted, at least in the way we usually associate with talented programmers and designers. There were many bugs and mistakes in the code that would not be made by a careful, competent programmer. The code does not evidence clear understanding of good data structuring, algorithms, or even of security flaws in Unix," Spaf wrote in his renowned 1988 analysis of the Morris worm (PDF).


NASA-Ames was reportedly one of the first to spot the Internet worm clogging its servers at the time; it wasn't long before other sites were experiencing similar symptoms of unusual files showing up in some machine directories, and odd messages in Sendmail's log files. But it was when those computers became overloaded and infected over and over again as the worm replicated itself on each machine that some machines fell over altogether under the weight of it.

McClure, founder and CEO/president of Cylance and former global CTO and general manager of the Security Management Business Unit for McAfee/Intel, remembers knowing right away that the worm had reached the University of Colorado's servers when systems began going down with no explanation.

The multiplatform capability of the worm -- it infected then-pervasive Unix-based Sun Microsystems Sun 3 and DEC VAX computers running 4BSD versions of Unix connected to the Internet -- impressed McClure. "It was multiplatform, which was really cool," he says. "It was not just Sendmail, but other pieces that it went after and exploited features.

"When I looked at the code ... it was fascinating. That really kicked off my [security] career."

The Internet has come a long way since 1988, for sure, but there are some hauntingly familiar themes in both the Morris worm and today's threats. Not only did Morris exploit weak passwords in the systems (sound familiar?), but he also exploited a buffer overflow vulnerability, a type of software bug still abused today, notes Marc Maiffret, CTO at BeyondTrust.

Maiffret and colleague Ryan Permeh at eEye Digital Security in July 2001 discovered Code Red. They named it after the cherry Mountain Dew soda of the same name that the two were drinking while they picked apart the worm, which ultimately infected some 350,000 servers running Microsoft's IIS.

Worms throughout history have reflected the times, he says. "If you look at the Morris worm ... it started as seeing if something would work. It was not meant to be malicious in any specific way," he says. "Code Red was very similar in a way, although both worms were written with different intentions ... Code Red had a payload to attack the White House's Web server, but it was not that well-written, and it was malicious in more of a, 'Hey, look at me,'" way, he says.

Cybercrime was still in its infancy in 2001 as well, he notes, and the hackers behind Code Red and earlier worms were more interested in exploration or making a name for themselves than in profit. "Code Red was a good [example] of that middle ground. It was not cybercrime and stealing. It was really more to make a name or put out a message, just to make a statement. That mirrored the culture of what was happening" in hacking at the time, he says.

The Morris worm, Code Red, and other early worms were considered more of a nuisance, but they also are credited with raising awareness among the security and user communities.

Fast forward to today's worms, however, and awareness is the least of victims' worries. With a lucrative cybercrime landscape and cyberespionage driving most of today's malware and hacking, worms mostly play a different role. "They are very tailored and very specific," Maiffret says. Worms are deployed via automated command-and-control infrastructures today, and for cyberspying purposes they attempt to remain more stealthy. "The goal there is to be stealthy, not make a name, and extract data," Maiffret says.

But worms are not the most popular form of malware for most attackers, mainly because it's difficult to remain stealthy if the goal is to spread quietly to a specific target without triggering any alarms. Stuxnet, meanwhile, was used to reach an air-gapped environment precisely because it could spread in a worm-like manner. "You can't sit there at the computer and do a targeted attack of an airgapped network. You need something automated that can find its way" in by propagating itself in a controlled way, Maiffret says.

But even the highly sophisticated Stuxnet worm was eventually found out when it landed outside its target zone. "You don't want it to end up detected somewhere or on a researcher's site where it can be reverse-engineered," he says. "Worm-like characteristics are for automatically spreading, but how do you control it? Look how we've seen plenty of mistakes [with targeted worms]."

Then there are the fast-moving, destructive worms like the one that hit Saudi Aramco. It snuck in, but then loudly wiped data from some 30,000-plus Windows machines. "That is definitely a different animal. We've seen old viruses back in the day that at a specific date messed up the BIOS so the system would not boot," Maiffret says. "It was weird that they were using some stealth and also characteristics that are frankly similar to things we have seen more than 10 years ago."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

11/6/2013 | 2:58:13 AM
re: 25 Years After: The Legacy Of The Morris Internet Worm
Great historical review by Kelly Jackson Higgins of the Morris worm, which was for its time thinking far outside the box. We needed a warning that a poorly administrated Internet server was a dangerous thing, and Robert Morris provided it. I've not read before that it was poorly engineered. Nor is that what interests me. It was Morris' ability to see an opportunity that had been inadvertently created by the pell-mell expansion of the Internet that's of interest. We should not forget that it's possible for a large group of people to do one thing with positive goals and at the same time create an opportunity for someone bent on mischief, or worse.