Morris Worm (1988)
The first major internet worm, released in 1988, which infected 10% of the internet and led to the creation of CERT/CC and the first Computer Fraud and Abuse Act conviction.
The first major internet worm, released in 1988, which infected 10% of the internet and led to the creation of CERT/CC and the first Computer Fraud and Abuse Act conviction.
Continue your mission
On November 2, 1988, Robert Tappan Morris, a 23-year-old Cornell University graduate student, released a self-replicating program onto the early internet (then ARPANET). The Morris Worm was intended to gauge the size of the internet by silently spreading between Unix systems. However, a critical design flaw caused the worm to reinfect machines repeatedly, consuming system resources until infected computers became unusable. Within 24 hours, an estimated 6,000 machines, roughly 10% of the entire internet, were affected.
The worm exploited three attack vectors: a buffer overflow in the Unix fingerd daemon, a debug backdoor in sendmail, and the rsh/rexec trusted host mechanism combined with password guessing using a built-in dictionary of common passwords.
The Morris Worm was written in C and targeted VAX and Sun Microsystems machines running 4 BSD Unix. Its propagation logic attempted to connect to remote machines using dictionary attacks against user accounts, exploitation of the fingerd buffer overflow (one of the first documented buffer overflow exploits in the wild), and abuse of the sendmail DEBUG command that allowed remote code execution.
The fatal flaw was the reinfection mechanism. Morris included a check that was supposed to prevent a machine from being infected twice, but he set the override probability at 1 in 7, meaning the worm would reinstall itself on already-infected machines one out of every seven attempts. This caused exponential resource consumption as dozens of worm processes accumulated on each machine.
The Morris Worm was the catalyst for modern internet security. It directly led to the creation of the Computer Emergency Response Team Coordination Center (CERT/CC) at Carnegie Mellon University, the first formal incident response organization. Morris became the first person convicted under the Computer Fraud and Abuse Act of 1986, receiving probation and a fine. The incident demonstrated that the internet's trust-based architecture was fundamentally vulnerable and that network security required deliberate engineering. It remains a foundational case study in cybersecurity education.
CDA Theater missions that address topics covered in this article.
The Enigma machine was an electro-mechanical cipher device used primarily by Nazi Germany during World War II to encrypt military communications.
On November 2, 1988, a Cornell University graduate student named Robert Tappan Morris released a self-replicating computer program onto the ARPANET, the research network that would become the public internet.
Written by CDA Editorial
Found an issue? Help improve this article.