A look at how worms have evolved from the infamous -- and relatively benign -- Internet worm of 1988 to targeted, destructive attacks

Stuart McClure was an undergraduate student at the University of Colorado in Boulder 25 years ago when dozens of the university's servers suddenly began crashing. The university, like other universities, government agencies, and organizations, had been hit with a historic computer worm that crippled thousands of machines around the Internet in an apparent informal research project gone wrong.

"I basically cut my teeth on the low-level reverse-engineering of that worm," recalls McClure, who analyzed the worm when he became a teaching assistant at the university. "I remember thinking, 'This was way too easy'" to execute, he says of the worm.

Nov. 2 marked the 25th anniversary of the infamous "Morris worm," the Internet's first major cybersecurity event that ultimately propelled the then-nascent Internet into a new world of rogue-code attacks on the once-hallowed ground of academia, research and development, military, and government communications. The worm was written and released by then-Cornell University computer science graduate student Robert Tappan Morris, who later confessed that he wrote the code as an experiment that had inadvertently spun out of his control.

A parade of high-profile worm infections have followed the Morris worm during the past three decades, including Code Red, Blaster, Sasser, ILoveYou, Nimda, and SQL Slammer, all of which were unleashed mainly to grab attention, wreak havoc, and, like the Morris worm, mainly hurt victim organizations' productivity and operations, though they didn't damage their data. That traditionally had been the upside of worms: that they were more of a headache than a destructive attack. But the worm's wrath has changed dramatically with the newest generation of worms, such as the targeted Stuxnet aimed at sabotaging Iran's nuclear facility, and the Shamoon worm, which was unofficially identified as the worm that wiped data from some 30,000 machines at oil giant Saudi Aramco. These newest iterations make the Morris worm look quaint in comparison to their targeted and damage-inflicting missions.

"Anybody who would try convince Saudi Aramco or RASgas that they don't have to worry about malicious worms [today] would get some pushback on that," says Eugene "Spaf" Spafford, a security industry pioneer who was one of the first to analyze the Morris worm, referring to the malicious data-wiping worms that hit those energy organizations last year.

Spaf, who is executive director of Purdue University's Center for Education and Research in Information Assurance and Security and a professor of computer sciences at Purdue, says the Morris worm's impact was more about its timing than its impact. "It would have made news no matter what he had done because we had never seen anything like that," Spaf says. "Not many people had thought about the potential for anything like that" at the time, he says.

The Morris worm wasn't particularly elegant, either, according to Spaf and others who analyzed the code. Although Morris wrote it to exploit flaws in the Sendmail utility in Unix, his worm had some bugs of its own that caused it to go into overdrive and spread out of control. "The code was apparently unfinished and done by someone clever but not particularly gifted, at least in the way we usually associate with talented programmers and designers. There were many bugs and mistakes in the code that would not be made by a careful, competent programmer. The code does not evidence clear understanding of good data structuring, algorithms, or even of security flaws in Unix," Spaf wrote in his renowned 1988 analysis of the Morris worm (PDF).

[Internet security pioneer Eugene Spafford talks about why security has struggled even after its first big wake-up call 25 years ago, the Morris worm. See 'Spaf' On Security.]

NASA-Ames was reportedly one of the first to spot the Internet worm clogging its servers at the time; it wasn't long before other sites were experiencing similar symptoms of unusual files showing up in some machine directories, and odd messages in Sendmail's log files. But it was when those computers became overloaded and infected over and over again as the worm replicated itself on each machine that some machines fell over altogether under the weight of it.

McClure, founder and CEO/president of Cylance and former global CTO and general manager of the Security Management Business Unit for McAfee/Intel, remembers knowing right away that the worm had reached the University of Colorado's servers when systems began going down with no explanation.

The multiplatform capability of the worm -- it infected then-pervasive Unix-based Sun Microsystems Sun 3 and DEC VAX computers running 4 BSD versions of Unix connected to the Internet -- impressed McClure. "It was multiplatform, which was really cool," he says. "It was not just Sendmail, but other pieces that it went after and exploited features.

"When I looked at the code ... it was fascinating. That really kicked off my [security] career."

The Internet has come a long way since 1988, for sure, but there are some hauntingly familiar themes in both the Morris worm and today's threats. Not only did Morris exploit weak passwords in the systems (sound familiar?), but he also exploited a buffer overflow vulnerability, a type of software bug still abused today, notes Marc Maiffret, CTO at BeyondTrust.

Maiffret and colleague Ryan Permeh at eEye Digital Security in July 2001 discovered Code Red. They named it after the cherry Mountain Dew soda of the same name that the two were drinking while they picked apart the worm, which ultimately infected some 350,000 servers running Microsoft's IIS.

Worms throughout history have reflected the times, he says. "If you look at the Morris worm ... it started as seeing if something would work. It was not meant to be malicious in any specific way," he says. "Code Red was very similar in a way, although both worms were written with different intentions ... Code Red had a payload to attack the White House's Web server, but it was not that well-written, and it was malicious in more of a, 'Hey, look at me,'" way, he says.

Cybercrime was still in its infancy in 2001 as well, he notes, and the hackers behind it and worms prior were more about exploration or making a name for themselves rather than a profit, he says. "Code Red was a good [example] of that middle ground. It was not cybercrime and stealing. It was really more to make a name or put out a message, just to make a statement. That mirrored the culture of what was happening" in hacking at the time, he says.

The Morris worm, Code Red, and other early worms were considered more of a nuisance, but they also are credited with raising awareness among the security and user communities.

Fast forward to today's worms, however, and awareness is the least of victim's worries. With a lucrative cybercrime landscape and cyberespionage driving most of today's malware and hacking, worms mostly play a different role. "They are very tailored and very specific," Maiffret says. Worms are deployed via automated command-and-control infrastructures today, and attempt to remain more stealthy for cyberspying purposes, for instance. "The goal there is to be stealthy, not make a name, and extract data," for instance, Maiffret says.

But worms are not the most popular form of malware for most attackers, mainly because it's difficult to remain stealthy if the goal is to spread quietly to a specific target without triggering any alarms. Stuxnet, meanwhile, was used to reach an airgapped environment in such a way that would spread in a worm-like manner. "You can't sit there at the computer and do a targeted attack of an airgapped network. You need something automated that can find its way" in by propagating itself in a controlled way, Maiffret says.

But even the highly sophisticated Stuxnet worm was eventually found out when it landed outside its target zone. "You don't want it to end up detected somewhere or on a researcher's site where it can be reverse-engineered," he says. "Worm-like characteristics are for automatically spreading, but how do you control it? Look how we've seen plenty of mistakes [with targeted worms]."

Then there are the fast-moving, destructive worms like the one that hit Saudi Aramco. It snuck in, but then loudly wiped data from some 30,000-plus Windows machines. "That is definitely a different animal. We've seen old viruses back in the day that at a specific date messed up the BIOS so the system would not boot," Maiffret says. "It was weird that they were using some stealth and also characteristics that are frankly similar to things we have seen more than 10 years ago."

Next Page: Another 'Morris Moment?' Given the diversity and spread of the Internet and the Internet of Things today, it's unlikely another big-time Internet worm could be unleashed that could be relatively as powerful as Morris' was back in the day. But that doesn't mean the Internet isn't at risk of another "Morris moment" of sorts.

"It would definitely be much harder to do," Maiffret says. "A lot of the previous worms were propagated by targeted, server-side vulnerabilities, and most modern types are targeting client-side applications software."

And with the disappearing network perimeter, it would be more difficult to spread from organization to organization, he says.

Spaf says another big Internet worm like Morris' would be difficult to pull off. "I won't say it is impossible, but I think it is unlikely. We have too many systems with dissimilar rules, software, and network filters," Spaf says. "If something did occur, it would be more like the Slammer worm in behavior."

So what ever happened to Morris? At the time, he was found guilty of violating the 1986 Computer Fraud and Abuse Act and sentenced to three years' probation, 400 hours of community service, and more than $10,000 in fines. He is currently a member of the faculty at MIT's computer science department -- the very university where he first unleashed the worm in 1988.

Spaf says Morris indeed paid his dues and made amends for the 1988 worm. "He has not used [the worm] for any personal gain, he has not bragged about it, written about it, nor advertised it to the security business. He instead went on to found a company and get his Ph.D., and he's a valued member of the academic community now," Spaf says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights