Who Let The Worms Out?
Its one of the biggest Internet disasters of all time, yet many of todays technology consultants dont remember the online carnage.
Long before virus outbreaks like NakedWife, Kournikova, Melissa and ILOVEYOU, there was the infamous Morris Worm.
Flash back to Nov. 2, 1988. The Los Angeles Dodgers had just won the World Series, Ronald Reagan was about to exit the White House, and a shy programmer named Robert T. Morris was set to unleash a digital plague that infected 10 percent of the Net.
Those closest to the case say Morris story should be required reading for aspiring security consultants, e-business partners and systems integrators alike.
> The Morris case involved a 99-line program written to infiltrate Digital VAX and Sun 3 systems. The so-called worm didnt contain any malicious code. Instead, Morris simply wanted to prove that he could use programs like sendmail to propagate a worm across the Internet.
Bad Code But when Morris released the program on the Internet, a design flaw caused the worm to reproduce faster than a jackrabbit. It quickly penetrated 10 percent of the Internet and bogged down thousands of systems. Dozens of major colleges, government facilities and research centers fell victim to Morris rogue code. The casualties included Lawrence Livermore Labs, UC Berkeley, UC San Diego, Stanford University and dozens of other sites.
"Back then, there was no Web, and the Internet was largely academically driven," says Keith Bostic, who fought the worm at UC Berkeley. "The universities ran the big sites, and those were the sites that the worm hit hardest."
Adds Peter Yee, another UC Berkeley veteran: "I was at school that night, and we noticed the computers were all getting slower and slower. The worm crawled into a machine and then tried to get into other machines. It kept on re-infecting machines that were already infected."
In the days before Internet commerce and global e-mail, the Morris Worm cleanup effort cost anywhere between $200 to $53,000 per site, according to court documents. In todays world of interconnected sites, the clean-up costs for a similar outbreak could be astronomical.
Repeat Offender Could a plague like the Morris Worm infect 10 percentor moreof todays Internet? It depends upon whom you ask. Some security experts say todays Internet is too heterogeneous for a single worm to infiltrate so many different platforms. But Global Integrity cyber law expert Mark Raschthe attorney who prosecuted the Morris casesays the Net is just as vulnerable today as it was in 1988.
Morris, now working at MITs Lab for Computer Sciences, declined comment for this article. But interviews with programmers who fought the worm, as well as court documents and Internet archives, paint a vivid picture of the disaster and the man behind it all.
Good Kid, Bad Move Morris didnt set out to become a cyberpunk. And its certainly unfair to lump Morris in with former dark-side hackers like Justin Tanner Petersen or media hounds like Kim Schmitz.
Morris defenders say the worm incident was merely a complicated software experiment gone bad. "Rob was a curious guy who accidentally opened a Pandoras box," says a friend of Morris, who requested anonymity.
At the time of the worm incident, Morris was a first-year graduate student in Cornell Universitys computer science Ph.D. program. Morris wrote the worm in October 1988 and released it onto the Internet on Nov. 2 of that year. The worm infiltrated systems through holes in sendmail and finger daemon, among other things. Its first target was a VAX server at MITs Artificial Intelligence Lab. Morris selected MITs systems to disguise the fact that the worm came from Cornell, according to court documents.
Morris designed the worm to ask Sun-3 and VAX systems whether they already had a local copy of the worm. The worm would skip systems that replied "yes." In theory, this would prevent the worm from copying itself endlessly and bogging down the Internet.
However, Morris was concerned that systems administrators would block the worm by programming their computers to falsely respond "yes." To beat that potential defensive measure, Morris programmed the worm to duplicate itself every seventh time it received a "yes" response, according to court documents.
Big Mistake Morris seven-to-one ratio turned out to be a fatal design flaw. The ratio wasnt high enough to slow the programs reproduction. The worm quickly spread from systems on the East Coast to the West Coast, and the Internets first disaster was under way.
When Morris realized the worm was reproducing faster than he had expected, he contacted a friend at Harvard, Andy Sudduth. The two allegedly discussed fixes for the worm, according to court documents. Sudduth quickly posted an anonymous message on the Internet, warning users about a rapidly reproducing worm and instructing readers how to defeat it.
But Sudduths message got blocked by a downed Internet gateway. In a cruel ironic twist, an administrator had shut down the gateway in an attempt to limit the worms progress.
Sudduths warning message didnt get through the gateway for about two days, but dozens of administrators around the world began to notice problems within hours of the worms release.
Yee, a UC Berkeley student and a contract worker for NASA at the time, was among the first people to spot the problem. "I was up all night working through the Morris worm," says Yee, who now works for Spyrus, a security vendor in San Jose, Calif. "I dont think I got home until 7 a.m. the next day."
Yee posted a message about the problems to a TCP-IP mailing list within hours of the worms release. With Sudduths message still blocked, Yees electronic dispatch was one of the first known communications about the worm. The message suggested turning off several services that the worm apparently used, including telnet, ftp, finger, rsh and SMTP.
"Turning off those services was the short-term fix," says Yee. "We left those services off while the research group worked to decompile it." Decompiling the worm was a critical step. This procedure unlocked the worms source code, allowing researchers to identify security holes that Morris program was exploiting. "Once you figure out how the program works, you can figure out which [security] holes to patch," says Yee.
Systems administrators at UC Berkeley, MIT and other schools worked around the clock for nearly two days to analyze the worm. By noon on Nov. 4, MIT and Berkeley had completely disassembled the worm. Most of the infected systems were back online within days of the incident.
Hit and Run Researchers say the worm had an "attack and defense" design. First, the worm would locate Internet hosts and user accounts to penetrate, then it would exploit security holes on remote systems to pass across a copy of the worm. The worm also used three defense tactics: It changed its name to minimize intrusion detection; it moved into memory and deleted its own file-system data to cover its tracks; and it used a short burst of random numbers to test a connection before moving onto a system.
Fortunately, the worm had no malicious code. Unlike some recent viruses, the Morris worm didnt erase or corrupt any of the hosts data, and it didnt attempt to steal any information.
"The [Morris] worm took systems down from load," says Eugene Spafford, a professor of computer sciences at Purdue University and a widely regarded security expert. "It didnt really damage systems."
"The Morris worm could have been a lot worse," adds Bostic, who now works for Sleepycat Software. "It just tied up the CPU. Imagine if the worm had been written to delete all of the hosts data instead? Fortunately, most worm authors dont have malicious intent. Its mostly kids having fun and showing off. But every once in a while you get an _ _ _hole in the mix."
Such was the case last week, when NakedWife became the latest virus to spread across the Internet via Microsofts Outlook program.
While the Morris worm moved from system to system without any user interaction, a virus like NakedWife (a.k.a. JibJab) needs unsuspecting users to propagate itself. NakedWife arrives as an e-mail attachment. When users activate the attachment, the virus wipes out vital Windows files and uses Outlook to e-mail itself to more unsuspecting users.
As we went to press, NakedWife had infected nearly 70 organizations. Virtually every major media outlet covered the story, yet NakedWife was a relatively minor disaster compared with the Morris Worm, which infected 10 percent of the Internet during its brief outbreak.
Famous Last Words E-commerce proponents downplay the risk of another Morris-type outbreak. They point out that todays Net is built on a long list of heterogenous operating systemsincluding Unix, Linux, Windows NT, Windows 2000, MacOS and so on.
In theory, the odds are relatively low that a single silver bullet could kill such a diverse system.
Yet those who fought the Morris worm believe history could repeat itself. "Something like that could certainly happen again," says Bostic. "As more and more Windows machines get connected to the Net, it could create a more homogenous system with lots and lots of vulnerabilities."
That was the case with most recent Internet-related viruses, which used OutlookMicrosofts nearly ubiquitous e-mail clientto propagate .
Experts say even the 13-year-old Morris Worm could take down some of todays Internet sites. Explains Purdues Spafford: "The old worm would need to be updated to use current library calls appropriately, but the basic technology would still allow it to propagate a littlemany sites still havent fixed the remote login problem. If the Worm were updated to probe for buffer overflows in other programs than the finger daemon, then that would work, too. We still have companies releasing software with that form of bug in place."
So, does anyone actually still have the worm? Reveals Spafford: "I deleted that information years ago, although I may have it on tape somewhere."
Maybe theres a sequel in the making. Just dont offer the lead role to Robert T. Morris. Hes not much for the limelight.