Morris Worm Explained – The First Computer Worm
By Nick Anderson
November marks the 33rd anniversary of the Morris Worm, a malicious computer program regarded as the first, or at least one of the earliest, computer worms. Its history is an interesting one, and it paved the way for future malware. Let’s look back at what the Morris Worm is, its history, and why it’s regarded as one of the most destructive pieces of malware of all time.
What Is the Robert Morris Worm?
In 1988, when computers were in their infancy, a student named Robert Tappan Morris at Cornell University created what is widely believed to be the world’s first computer worm.
The internet then was not the vast, seemingly endless resource of information we know today. It was in an experimental phase and was known as ARPANET, which stands for Advanced Research Projects Agency Network. As few as 60,000 computers were connected to the internet back then. While the number is not low, it is certainly a fraction of today's internet, which consists of billions of devices.
Malware is the term for malicious software. A computer worm is a type of malware that replicates itself: once it infects a device, it proceeds to copy itself and spread to other computers connected to that device. In contrast to a virus, a worm does not need to be triggered by the user and operates entirely independently.
What Does the Morris Worm Do?
As a computer worm, it was programmed to replicate itself. But what Morris didn’t see coming was a bug in the code that allowed the program to replicate itself much faster than he had predicted. And that’s where the trouble began.
On November 2, 1988, Morris released the malware from a computer at the Massachusetts Institute of Technology (MIT) to avoid detection. What he didn’t anticipate was how quickly it would replicate: the worm started to bog down computers around the world as it spread from computer to computer. According to one estimate, it spread to and infected 6,000 computers.
The program was not designed to attack computers, because Morris was not aiming to destroy data or cause damage. He intended to find out how big the internet was by having the worm travel and send a pingback to him. Instead, it clogged the network.
The weight of the worm’s self-replication overwhelmed the processing capabilities of the computers. You have to remember that we are talking about computers in the 80s, when machines were hundreds of times slower than today’s computers and the internet was in an experimental phase.
The worm exploited vulnerabilities in Unix’s sendmail program, the finger service (a buffer overflow), and rsh/rexec to infect a system, make copies of itself, and spread to other computers. It also guessed weak passwords in attempts to access servers and reach more computers. It’s another reminder of why weak passwords are a huge security risk, and why measures like two-factor authentication prove instrumental in deterring unauthorized logins.
Morris had programmed the worm in a way that if it found a computer already infected with the malware, one of them would terminate itself to prevent reinfection and multiple copies of itself. The mechanism didn’t work as intended, and the losing worm made itself indestructible to prevent a fake worm from triggering the deletion response. It was one of the reasons why the worm overwhelmed systems.
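A simplified load model of the duplicate check described above, added here as an illustration; it is not code from the worm or from the original article. The host count, tick count and the 1-in-7 skip rate (the figure commonly reported in published analyses of the worm, not stated on this page) are assumptions of the model.

```python
import random

def simulate(hosts=50, ticks=40, skip_check_prob=1/7, seed=1988):
    """Abstract load model: returns the number of worm copies on each host."""
    rng = random.Random(seed)          # seeded so the run is repeatable
    copies = [0] * hosts
    copies[0] = 1                      # a single starting copy
    for _ in range(ticks):
        # Every host that already runs a copy reaches one random host per tick.
        infected = [h for h, n in enumerate(copies) if n > 0]
        for _src in infected:
            target = rng.randrange(hosts)
            if copies[target] == 0:
                copies[target] = 1     # clean host: the new copy stays
            elif rng.random() < skip_check_prob:
                copies[target] += 1    # check skipped: an extra copy persists
            # else: the check runs, one copy exits, the count is unchanged
    return copies

def summarize(copies):
    """Return (infected hosts, total copies, worst single-host load)."""
    return sum(1 for n in copies if n), sum(copies), max(copies)

if __name__ == "__main__":
    # Assumed comparison: a check that is always honoured vs. one skipped 1 in 7.
    for label, p in (("check always honoured", 0.0),
                     ("check skipped 1 in 7", 1 / 7)):
        print(label, summarize(simulate(skip_check_prob=p)))
```

When the check is always honoured, no host ever carries more than one copy; once a fraction of copies ignore it, the per-host count keeps climbing for as long as infection attempts keep arriving, which is the load pattern the paragraph describes.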
What Happened to the Morris Worm?
After Morris realized that the worm was traveling faster than he had anticipated, he asked his friend to send an anonymous message from Harvard on the Usenet bulletin board system, alerting others to the worm and giving instructions on how to fight it. Unfortunately, the message did not reach others in time due to network clogging.
Researchers at Berkeley and a team at Purdue began investigating the worm and how to stop it. After a day, they had an understanding of how the worm worked and shared their findings with others.
The source code of the Morris Worm sits on a floppy disk inside a glass case at the Computer History Museum.
Robert Morris was convicted under the Fraud and Abuse Act in the United States. He was fined $10,000, ordered to perform 400 hours of community service, and sentenced to serve three years of probation. Morris later joined MIT as faculty and went on to co-found a startup accelerator called Y Combinator.
The Morris Worm Pushed Cybersecurity Efforts
Back in the 80s, there were few computers in the world and even fewer security threats. Cybersecurity wasn’t really a concern. The internet was mostly used by researchers. The Morris Worm introduced the world to the catastrophe of a Distributed Denial of Service (DDoS) attack. It made researchers pay more attention to cybersecurity to prevent future attacks that have the potential to cause worldwide panic.
You can say that the Morris Worm was one of the turning points in the history of computers that paved the way for modern cybersecurity.
It is also seen as an inspiration for future malware. Morris also intended to develop a botnet in the program, allowing the worm to communicate and receive new instructions from a command and control center (C&C). We have explained how botnets today can create a swarm of infected computers for malicious purposes such as cryptojacking.
Hopefully, the story of the Morris worm has inspired you to take cybersecurity seriously. An antivirus is an absolute must in today’s world, where threats are lurking at every corner. Antivirus programs combat malware using traditional and unique detection methods, and they are updated frequently with new malware definitions.
Just as an antivirus protects you against malware, a VPN delivers security for web traffic. It hides your web activity and data through encryption. It also spoofs your IP address to make you anonymous on the web.