Have you ever wondered how the first cyberattack in history happened? The Morris Worm was released on November 2, 1988, in the early days of the Internet. It was created by Robert Tappan Morris, a graduate student at Cornell University, who had no idea that a mistake in his code would create havoc on the Internet.
What is a computer worm?
- A computer worm is a type of malicious software (malware) whose primary function is to replicate itself and spread to other computers over a network. Unlike computer viruses, worms don't need to attach themselves to an existing program. Once they have infected a system, they can spread independently across the network without any human action required.
How it worked
Robert Tappan Morris was working on experimental code in an attempt to measure the size of the Internet. This piece of code exploited known vulnerabilities in Unix-based systems and spread by using:
- Buffer overflow in the finger daemon: this service provided user information on remote systems, but it had a bug that allowed the worm to execute arbitrary code remotely.
- Debug mode in sendmail: this mail transfer agent could be exploited to gain access to machines.
- Password guessing: the worm attempted to gain access to systems by trying common passwords and dictionary-based attacks.
How it spread
The worm was designed to copy itself onto other systems connected to the Internet without user intervention.
The code had a bug that caused it to re-infect systems it had already compromised. Instead of recognizing that it was already installed, it would keep replicating, consuming system resources. This caused affected machines to slow down, crash, or become unusable, disrupting critical operations in universities, research institutions, and military networks.
The impact of the incident
The worm infected approximately 6,000 machines, which was a significant portion of the Internet at the time. Given the Internet’s relatively small size (only about 60,000 machines in total), the worm caused massive slowdowns and outages.
Robert Tappan Morris was prosecuted under the Computer Fraud and Abuse Act (CFAA), becoming the first person to be convicted of a cybercrime. In 1990, he was sentenced to three years of probation, 400 hours of community service, and a fine of $10,050.
The Legacy of the Morris Worm
System administrators had to manually clean infected machines to remove the worm, using removal instructions distributed through mailing lists and phone networks.
The effects of the Morris worm triggered a widespread interest in cybersecurity and network defence practices, encouraging the development of more secure coding practices and regular patching mechanisms.
- Indeed, the attack led to the creation of the first Computer Emergency Response Team (CERT) by the Defence Advanced Research Projects Agency (DARPA). CERT's role was to improve incident response and coordinate defences in case of future cyber threats.
The Morris Worm remains a case study for modern cybersecurity, showing how even small software errors can lead to massive disruptions. It is significant not because of the number of systems it infected, but because it showed how vulnerable the early internet was and underscored the need for formal incident response protocols and better security infrastructure.