Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:15 PM
Connect Directly

25 Years After: The Legacy Of The Morris Internet Worm

A look at how worms have evolved from the infamous -- and relatively benign -- Internet worm of 1988 to targeted, destructive attacks

Stuart McClure was an undergraduate student at the University of Colorado in Boulder 25 years ago when dozens of the university's servers suddenly began crashing. The university, like other universities, government agencies, and organizations, had been hit with a historic computer worm that crippled thousands of machines around the Internet in an apparent informal research project gone wrong.

"I basically cut my teeth on the low-level reverse-engineering of that worm," recalls McClure, who analyzed the worm when he became a teaching assistant at the university. "I remember thinking, 'This was way too easy'" to execute, he says of the worm.

Nov. 2 marked the 25th anniversary of the infamous "Morris worm," the Internet's first major cybersecurity event that ultimately propelled the then-nascent Internet into a new world of rogue-code attacks on the once-hallowed ground of academia, research and development, military, and government communications. The worm was written and released by then-Cornell University computer science graduate student Robert Tappan Morris, who later confessed that he wrote the code as an experiment that had inadvertently spun out of his control.

A parade of high-profile worm infections have followed the Morris worm during the past three decades, including Code Red, Blaster, Sasser, ILoveYou, Nimda, and SQL Slammer, all of which were unleashed mainly to grab attention, wreak havoc, and, like the Morris worm, mainly hurt victim organizations' productivity and operations, though they didn't damage their data. That traditionally had been the upside of worms: that they were more of a headache than a destructive attack. But the worm's wrath has changed dramatically with the newest generation of worms, such as the targeted Stuxnet aimed at sabotaging Iran's nuclear facility, and the Shamoon worm, which was unofficially identified as the worm that wiped data from some 30,000 machines at oil giant Saudi Aramco. These newest iterations make the Morris worm look quaint in comparison to their targeted and damage-inflicting missions.

"Anybody who would try convince Saudi Aramco or RASgas that they don't have to worry about malicious worms [today] would get some pushback on that," says Eugene "Spaf" Spafford, a security industry pioneer who was one of the first to analyze the Morris worm, referring to the malicious data-wiping worms that hit those energy organizations last year.

Spaf, who is executive director of Purdue University's Center for Education and Research in Information Assurance and Security and a professor of computer sciences at Purdue, says the Morris worm's impact was more about its timing than its impact. "It would have made news no matter what he had done because we had never seen anything like that," Spaf says. "Not many people had thought about the potential for anything like that" at the time, he says.

The Morris worm wasn't particularly elegant, either, according to Spaf and others who analyzed the code. Although Morris wrote it to exploit flaws in the Sendmail utility in Unix, his worm had some bugs of its own that caused it to go into overdrive and spread out of control. "The code was apparently unfinished and done by someone clever but not particularly gifted, at least in the way we usually associate with talented programmers and designers. There were many bugs and mistakes in the code that would not be made by a careful, competent programmer. The code does not evidence clear understanding of good data structuring, algorithms, or even of security flaws in Unix," Spaf wrote in his renowned 1988 analysis of the Morris worm (PDF).

[Internet security pioneer Eugene Spafford talks about why security has struggled even after its first big wake-up call 25 years ago, the Morris worm. See 'Spaf' On Security.]

NASA-Ames was reportedly one of the first to spot the Internet worm clogging its servers at the time; it wasn't long before other sites were experiencing similar symptoms of unusual files showing up in some machine directories, and odd messages in Sendmail's log files. But it was when those computers became overloaded and infected over and over again as the worm replicated itself on each machine that some machines fell over altogether under the weight of it.

McClure, founder and CEO/president of Cylance and former global CTO and general manager of the Security Management Business Unit for McAfee/Intel, remembers knowing right away that the worm had reached the University of Colorado's servers when systems began going down with no explanation.

The multiplatform capability of the worm -- it infected then-pervasive Unix-based Sun Microsystems Sun 3 and DEC VAX computers running 4 BSD versions of Unix connected to the Internet -- impressed McClure. "It was multiplatform, which was really cool," he says. "It was not just Sendmail, but other pieces that it went after and exploited features.

"When I looked at the code ... it was fascinating. That really kicked off my [security] career."

The Internet has come a long way since 1988, for sure, but there are some hauntingly familiar themes in both the Morris worm and today's threats. Not only did Morris exploit weak passwords in the systems (sound familiar?), but he also exploited a buffer overflow vulnerability, a type of software bug still abused today, notes Marc Maiffret, CTO at BeyondTrust.

Maiffret and colleague Ryan Permeh at eEye Digital Security in July 2001 discovered Code Red. They named it after the cherry Mountain Dew soda of the same name that the two were drinking while they picked apart the worm, which ultimately infected some 350,000 servers running Microsoft's IIS.

Worms throughout history have reflected the times, he says. "If you look at the Morris worm ... it started as seeing if something would work. It was not meant to be malicious in any specific way," he says. "Code Red was very similar in a way, although both worms were written with different intentions ... Code Red had a payload to attack the White House's Web server, but it was not that well-written, and it was malicious in more of a, 'Hey, look at me,'" way, he says.

Cybercrime was still in its infancy in 2001 as well, he notes, and the hackers behind it and worms prior were more about exploration or making a name for themselves rather than a profit, he says. "Code Red was a good [example] of that middle ground. It was not cybercrime and stealing. It was really more to make a name or put out a message, just to make a statement. That mirrored the culture of what was happening" in hacking at the time, he says.

The Morris worm, Code Red, and other early worms were considered more of a nuisance, but they also are credited with raising awareness among the security and user communities.

Fast forward to today's worms, however, and awareness is the least of victim's worries. With a lucrative cybercrime landscape and cyberespionage driving most of today's malware and hacking, worms mostly play a different role. "They are very tailored and very specific," Maiffret says. Worms are deployed via automated command-and-control infrastructures today, and attempt to remain more stealthy for cyberspying purposes, for instance. "The goal there is to be stealthy, not make a name, and extract data," for instance, Maiffret says.

But worms are not the most popular form of malware for most attackers, mainly because it's difficult to remain stealthy if the goal is to spread quietly to a specific target without triggering any alarms. Stuxnet, meanwhile, was used to reach an airgapped environment in such a way that would spread in a worm-like manner. "You can't sit there at the computer and do a targeted attack of an airgapped network. You need something automated that can find its way" in by propagating itself in a controlled way, Maiffret says.

But even the highly sophisticated Stuxnet worm was eventually found out when it landed outside its target zone. "You don't want it to end up detected somewhere or on a researcher's site where it can be reverse-engineered," he says. "Worm-like characteristics are for automatically spreading, but how do you control it? Look how we've seen plenty of mistakes [with targeted worms]."

Then there are the fast-moving, destructive worms like the one that hit Saudi Aramco. It snuck in, but then loudly wiped data from some 30,000-plus Windows machines. "That is definitely a different animal. We've seen old viruses back in the day that at a specific date messed up the BIOS so the system would not boot," Maiffret says. "It was weird that they were using some stealth and also characteristics that are frankly similar to things we have seen more than 10 years ago."

Next Page: Another 'Morris Moment?' Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
11/6/2013 | 2:58:13 AM
re: 25 Years After: The Legacy Of The Morris Internet Worm
Great historical review by Kelly Jackson Higgins of the Morris worm, which was for its time thinking far outside the box. We needed a warning that a poorly administrated Internet server was a dangerous thing, and Robert Morris provided it. I've not read before that it was poorly engineered. Nor is that what interests me. It was Morris' ability to see an opportunity that had been inadvertently created by the pell mell expansion of the Internet that's of interest. We should not forget that it's possible fora large group of people to do one thing with positive goals and at the same time create an opportunity for someone bent on mischief, or worse.
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-06
Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service sc...
PUBLISHED: 2021-03-05
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.