The Birth Of Incident Response The Story Of The First Internet WormThe Birth Of Incident Response The Story Of The First Internet Worm

Robert Tappan Morris was the first person convicted by a jury under the Computer Fraud and Abuse Act of 1986. The story of the worm he created and what happened to him after it was released is a tale of mistakes, infamy, and ultimately the financial and professional success of its author.

Morris was a 23-year-old graduate student at Cornell University in 1988 when he wrote the first Internet worm in 99 lines of C code. According to him, his worm was an experiment to gain access to as many machines as possible. Morris designed the worm to detect the existence of other copies of itself on infected machines and not reinfect those machines. Although he didn't appear to create the worm to be malicious by destroying files or damaging systems, according to comments in his source code he did design it to "break-in" to systems and "steal" passwords. Morris' worm worked by exploiting holes in the debug mode of the Unix sendmail program and in the finger daemon fingerd.

On November 2, 1988, Morris released his worm from MIT to disguise the fact that the author was a Cornell student. Unfortunately for Morris, his worm had a bug and the part that was supposed to not reinfect machines that already harbored the worm didn't work. So systems quickly became infested with dozens of copies of the worm, each trying to break into accounts and replicate more worms. With no free processor cycles, infected systems soon crashed or became completely unresponsive. Rebooting infected systems didn't help. Killing the worm processes by hand was futile because they just kept multiplying. The only solution was to disconnect the systems from the Internet and try to figure out how the worm worked.

Programmers at the University of Berkeley, MIT, and Purdue were actively disassembling copies of the worm. Meanwhile, once he realized the worm was out of control, Morris enlisted the help of a friend at Harvard to stop the contagion. Within a day, the Berkeley and Purdue teams had developed and distributed procedures to slow down the spread of the worm. Also, Morris and his friend sent an anonymous message from Harvard describing how to kill the worm and patch vulnerable systems. Of course, few were able to get the information from either the universities or Morris because they were disconnected from the Internet.

Eventually the word got out and the systems came back online. Within a few days things were mostly back to normal. It is estimated that the Morris worm infected more than 6,000 computers, which in 1988 represented one-tenth of the Internet. Although none of the infected systems were actually damaged and no data was lost, the costs in system downtime and man-hours were estimated at $15 million. Victims of the worm included computers at NASA, some military facilities, several major universities, and medical research facilities.

Writing a buggy worm and releasing it was Morris' second mistake. His first mistake was talking about his worm for months before he released it. The police found him without much effort, especially after he was named in the New York Times as the author.

The fact that his worm had gained unauthorized access to computers of "federal interest" sealed his fate, and in 1990 he was convicted of violating the Computer Fraud and Abuse Act (Title 18). He was sentenced to three years probation, 400 hours of community service, a fine of $10,500, and the costs of his supervision. Ironically, Morris' father, Robert Morris Sr., was a computer security expert with the National Security Agency at the time.

As a direct result of the Morris worm, the CERT Coordination Center (CERT/CC) was established by the Defense Advanced Research Projects Agency (DARPA) in November 1988 to "prevent and respond to such incidents in the future". The CERT/CC is now a major reporting center for Internet security problems.

After the incident, Morris was suspended from Cornell for acting irresponsibly according to a university board of inquiry. Later, Morris would obtain his Ph.D. from Harvard University for his work on modeling and controlling networks with large numbers of competing connections.

In 1995, Morris co-founded a startup called Viaweb with fellow Harvard Ph.D. Paul Graham. Viaweb was a web-based program that allowed users to build stores online. Interestingly, they wrote their code primarily in Lisp, an artificial intelligence language most commonly used at universities. Viaweb was a success, and in 1998, ten years after Morris released his infamous worm, Viaweb was bought by Yahoo! for $49 million. You can still see the application Morris and Graham developed in action as Yahoo! Shopping.

Robert Morris is currently an assistant professor at MIT (apparently they forgave him for launching his worm from their network) and a member of their Laboratory of Computer Science in the Parallel and Distributed Operating Systems group. He teaches a course on Operating System Engineering and has published numerous papers on advanced concepts in computer networking.

by Marc Menninger
References and Bibliography


Marc R. Menninger is a Certified Information Systems Security Professional (CISSP) and is the founder and site administrator for the OpenCSOProject, a knowledge base for security professionals. To download security policies, articles and presentations, click here: Security Officer Forums.

Rated:NR/0 Votes
Add To My Article Reading List
Add To My Article Reading List
Print Article
More Article By Marc Menninger
More Article by Marc Menninger
More Articles From Security
More Articles From Security
Related Articles and Readings
What is Company Fraud and How Do You Stop It Part 1 of 2 By: Peter Granger
Did you know that it is very likely your company is a victim of fraud? In fact, it's probably happening right now! Fraud takes many forms - some obvious and well known, others subtle and unmarked. This two-part article sheds some light on the topic. Part 1 helps you determine ...
Advocate For Senior Citizens Protecting Against Abuse and Fraud By: Barbara Mascio
Ruth is 87 years old this year and has been living alone since 1997. She is in good health, however the daily chores around the home became increasingly difficult. Ruth turned to her church bulletin and found a ?Home Care Company? advertised.Ruth is not unique in the fact ...
Stop Waste Fraud and Abuse By: Chris Anderson
Each year, businesses write-off six percent of revenue to waste, fraud and abuse. But why would managers throw all that hard-earned money away when there is a reliable way to eliminate waste, fraud and abuse using accounting policies & procedures to create internal controls.Internal controls eliminate uncollectible receivables; prevent ...
Fraud Tax Fraud By: Michael Russell
In this article we're going to go over a type of fraud that can hit you in multiple directions. This is tax fraud.There is an old saying that what goes around comes around. Tax fraud may be the first thing the gods were talking about when they came ...
Email Fraud Beware of 419 Fraud By: Christopher Okoh
Email Fraud is no more news. We regularly, hear of successful frauds committed on the Internet through the use of fraudulent mails. 419 fraud is a code name for an Email Fraud originating from Nigeria.Take note, do not be deceived 419 fraud is a code name for an email fraud ...
The information provided in this article and/or the comments is the sole responsibility of their respective authors and does not necessarily reflect the opinion of  does not endorse any article and/or comments published by our web users unless otherwise noted. 

Member Panel

login to submit articles and more


  • » Active Categories: 419
  • » Active Articles:252609
  • » Active Authors:31915
  • » Active Members: 38222
  • » Statistics Updated:
    - Thu May 7th, 2020 12:50AM EST