Morris Worm

Discussions for technical problems, or just chatter about your latest toy!

Morris Worm

Postby Zagreus » 15 Feb 2006, 23:33

Hey all. Stuck at work studying for my Information Assurance Security Officer certification, boring stuff.

Anyway, I was reading some optional material and stumbled across this I thought you tech folks might find amusing.

Morris Worm
On 2 November 1988, Robert Tappan Morris, then a first-year graduate student in computer science at Cornell University, released his worm that effectively shut down the Internet for several days.

The Morris Worm used four different ways to get unauthorized access to computers connected to the Internet:
exploit a defect in sendmail when DEBUG was enabled during compile
exploit a defect in fingerd buffer overflow
trusted hosts feature that allows use without a password (rexec, rsh)
an algorithm that tried 432 common passwords, plus variations on the user's name, and then /usr/dict/words/.
The worm only infected SUN-3 and Digital Equipment Corp. VAX computers running versions of the Berkeley UNIX operating system.

The Morris Worm succeeded in infecting approximately 3000 computers, which was about 5% of the Internet at that time. Among the affected computers were those at the University of California at Berkeley, MIT, Stanford, Princeton , Purdue, Harvard, Dartmouth, University of Maryland, University of Utah, Georgia Institute of Technology, and many other universities, as well as computers at military and government laboratories.

When Morris understood that his worm was propagating faster than he had expected, he called a friend at Harvard University. The friend then sent the following anonymous message with a false source address to the TCP-IP mailing list via the Internet:
A possible virus report:
There may be a virus loose on the internet.
Here is the gist of a message I got:
I'm sorry.
Here are some steps to prevent further transmission:
[three terse suggestions for how to stop the worm omitted here]
Hope this helps, but more, I hope it is a hoax.
However, because the Internet was already clogged with copies of his worm or because computers were disconnected from the Internet to avoid infection by the Morris Worm, the message did not arrive until after system administrators had devised their own techniques for removing the worm. Further, the anonymous source, and also the tentative tone (i.e., "possible virus report", "may be a virus loose", "I hope it is a hoax."), make this message much less helpful than it could have been. If Morris had really been innocent, he could have faxed the source code for his worm to system administrators at University of California at Berkeley, MIT, Purdue, University of Utah, etc. who were trying to decompile the worm and understand it. And Morris could have given system administrators authoritative suggestions for how to stop his worm.

Morris apparently never personally explained his intentions or motives in designing and releasing his worm. Some of his defenders have said that Morris did not intend the consequences of his worm. A Cornell University Report by Ted Eisenberg, et al. at pages 17, 27 and especially at Appendix 8, [bibliographic citation below], mentions comment lines by Morris in his 15 Oct 1988 source code that say:
"the goal is to infect about 3 machines per ethernet."
"2) methods of breaking into other systems."
"10) source code, shell script, or binary-only? latter makes it harder to crack once found, but less portable"
"hitting another system:
1) rsh from local host, maybe after breaking a local password and ....
2) steal his password file, break a password, and rexec."
Such comments appear as clear indications of criminal intent by Morris. In a 17 Oct 1994 UseNet posting, Prof. Spafford at Purdue, who has also actually seen the worm's source code at Cornell that was written by Morris (including the comment lines by Morris that are not present in the decompiled versions), said:
The comments in the original code strongly suggested that Robert intended it to behave the way it did – no accidents involved.

Morris was the first person to be arrested, tried, and convicted for writing and releasing a malicious computer program. He was found guilty on 22 Jan 1990 and appealed, but the U.S. Court of Appeals upheld the trial court's decision. The U.S. Supreme Court refused to hear an appeal from Morris.
U.S. v. Morris, 928 F.2d 504, 506 (2dCir. 1991), cert. denied, 502 U.S. 817 (1991).

The Court of Appeals noted that: "Morris released the worm from a computer at the Massachusetts Institute of Technology [MIT]. MIT was selected to disguise the fact that the worm came from Morris at Cornell." Id. at 506. The Court of Appeals also noted that the cost of removing the worm from each installation on the Internet was estimated to be "from $ 200 to more than $ 53000." Id.

There are no precise figures on the amount of damage that Morris did, but a widely quoted estimate by Clifford Stoll at Harvard is that the total cost of dealing with the Morris Worm is somewhere between US$ 105 and US$ 107.

Despite the severity of this damage, Morris was sentenced in May 1990 to a mere:
three years of probation,
400 hours of community service,
a fine of US$ 10050,
the US$ 3276 cost of his supervision during probation, but
no incarceration in prison.

In addition to this legal punishment, Cornell University suspended him from the University for at least one year. When Morris applied for re-admission a few years later, Cornell refused to accept him. Morris earned his Ph.D. at Harvard University in 1999.

Bibliography on the Morris Worm
There are a number of technical publications that discuss the Morris worm and its effect on computers that constituted the Internet:
Peter J. Denning, editor, Computers Under Attack, Addison-Wesley, 1990. A collection of reprinted articles from computer science journals, which has about 90 pages on the Morris Worm.

Mark Eichin and Jon Rochlis, With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988, Feb 1989. Available from the MIT website and published in various places.

Ted Eisenberg, David Gries, Juris Hartmanis, Don Holcomb, M. Stuart Lynn, and Thomas Santoro, The Computer Worm, A Report to the Provost of Cornell University on an Investigation Conducted by The Commission of Preliminary Enquiry, 45 pp., 6 Feb 1989. Available from the Office of Information Technologies at Cornell University.

Bob Page, A Report on the Internet Worm, University of Lowell, 5 pp., 7 Nov 1988. Available from a website in Canada and also from Purdue.

Donn Seeley, A Tour of the Worm, Computer Science Department, University of Utah, 18 pp., 1988. Available from Francis Litterio's website.

Eugene H. Spafford, The Internet Worm Program: An Analysis Technical Report CSD-TR-823, Purdue University, 41 pp., 8 Dec 1988. Available from Purdue University.

Eugene H. Spafford, The Internet Worm Incident, Technical Report CSD-TR-933, Purdue University, 18 pp., 19 Sep 1991. Available from Purdue University. (I recommend this report as the best place to start reading about the effect of the worm on the Internet and ethical issues.)

The June 1989 issue (Vol. 32, Nr. 6) of Communications of the ACM, a major journal for professional computer programmers, contains several articles concerning the Morris Worm.
I have posted the unpublished Judgment of the trial court in U.S. v. Robert Tappan Morris, as well as the opinion of the appellate court that was published at 928 F.2d. 504.

I'm surprised what his penalties for causing all that were.

By the way, forum doesn't support it, but those estimated damages are $ 10 to the power of 5 to $ 10 to the power of 7, not 105 and 107 bucks. Actualy my math isn't that great, I think that's how you say it, anyway, lets just say it's A LOT of money. :)
-Insert sig here

Cannon Fodder
Cannon Fodder
Posts: 43
Joined: 12 Feb 2006, 23:51
Location: Virginia

Postby Xuluu » 15 Feb 2006, 23:47


Whack a Newbie!
Whack a Newbie!
Posts: 19
Joined: 13 Feb 2006, 12:06

Return to Hardware/OS Discussions

Who is online

Users browsing this forum: No registered users