The Morris Worm turns 30

Sunday, 3 March 2019

Morris Worm

On 02nd of November 1988, world’s first major malware attack on the internet called ‘Morris Worm’ was unleashed. Even though this was not the first worm, it was considered the first major attack, which was a wakeup call to internet security engineers to consider the risk of software bugs and start research and development of network security (Ivey, 2018; Marsan, 2008).

Robert Tappan Morris

At 22 years, while attending Cornell graduate university Robert Tappan Morris developed the worm that spread via internet.

Robert Tappan Morris (creator of the ‘Morris Worm’) was born in 1965 and his father was a computer scientist at Bell Labs, who helped design Multics and Unix; and later became the chief scientist at the National Computer Security Center, a division of the National Security Agency (NSA).

What / why was it?

Nowadays worms are very common on the internet, 30 years back Morris Worm had affected 6000 UNIX based systems. Before the security experts released patches 24hours later, the worm had affected and crashed 10 percent of internet usage. Rest of the networks were slow. Reports say Morris Worm is not only a worm attack, but also the first distributed DDoS attack (Vaughan-Nichols, 2018).

Morris worm can be considered as self-replicating software, which exploited common weakness of famous soft wares such as ‘Sendmail’ mail sending program, ‘Finger’ tool software help to find logged on users in system. Morris Worm, had exploited three weakness of internet to enter target networks and UNIX systems.

1. Vulnerability in the debug mode of UNIX’s sendmail program

2.A buffer overrun hole in the finger daemon protocol

3.rexec/rsh network logins set up without passwords

Not only that but ‘Moris Worm’ was the first worm which used a list of popular passwords as a dictionary attack and used simple ‘Xoring’ encryption method to hide password and other strings (Ivey, 2018). According to the security experts, ‘Moris worm’ started from MIT computers and hid, back tracking by unlinking after affecting other networks on the internet. Even though the worm did not include malicious payload, worm caused serious damages to the infected systems as the infected systems tried to spread the worm. Because of this, infected networks slowed down and some systems, which depended on Sun OS, variant of Linux and Solaris, crashed due to the heavy load. At the same time, Morris had included sets of codes to spread fast and finally he had realized the worm was no longer in his control (Vaughan-Nichols, 2018). Out of control the worm started wave after wave of computer and system attacks.

Morris worm spread fast in 1988 when internet was small and people thought it was a very friendly place. Many other organizations, including the U.S. Department of Defense, had to unplug, internet cables to prevent worm infection (Marsan, 2008).


Because of the damages occurred by ‘Morris worm’ attack, an independent response team named CERT was created at Carnegie Mellon University,  which was funded by the US Department of Defense’s Defense Advanced Research Projects Agency (DARPA). CERT security expert teams had to identify and address potential security threats, risks while consulting vendors, and independent security response teams around the world.

What happen to creator of ‘Morris’?

In 1991, Morris was sentenced to a three-year probation with 400 hours of community service and a $10,000 fine. Further, Morris was the first person who was tried and convicted of violating the 1986 Computer Fraud and Abuse Act.

After completing his sentence Morris founded two companies and one of his companies were sold to a search giant Yahoo Inc. Morris continued his computer network architectures at Massachusetts Institute of Technology as a professor (Ivey, 2018).

In 1988, when the worm was launched, there was not much commercial traffic or web sites in the internet. Since then, worm damages were limited to government agencies, universities and organizations that used internet networks to exchange e-mails and files.

Modern attackers

Today, crashing the internet is not profitable for attackers.  Therefore modern cyber attackers are trickier when attacking systems, they gather information from affected computers, display ads etc.

‘Morris Worm’ made cyber security a legitimate topic among cyber security communities. In early days of computer security, only a few people worked on cyber security and all of them were cryptographers. After ‘Morris Worm’, security experts started to pay much more attention to cyber security as a field of study.

  By Dinesh Abeywickrama Ph.D.(reading), MBCS, MBA, BCS

Co-author : Inoshi Ratnasekera MBA, BS.c (Hons)