On November 2, 1988, Robert Tappan Morris, a 23-year-old Cornell University graduate student, released a self-replicating program onto the early internet (then ARPANET). The Morris Worm was intended to gauge the size of the internet by silently spreading between Unix systems. However, a critical design flaw caused the worm to reinfect machines repeatedly, consuming system resources until infected computers became unusable. Within 24 hours, an estimated 6,000 machines, roughly 10% of the entire internet, were affected.
The worm exploited three attack vectors: a buffer overflow in the Unix fingerd daemon, a debug backdoor in sendmail, and the rsh/rexec trusted host mechanism combined with password guessing using a built-in dictionary of common passwords.
The Morris Worm was written in C and targeted VAX and Sun Microsystems machines running 4BSD Unix. Its propagation logic attempted to connect to remote machines using dictionary attacks against user accounts, exploitation of the fingerd buffer overflow (one of the first documented buffer overflow exploits in the wild), and abuse of the sendmail DEBUG command that allowed remote code execution.
The fatal flaw was the reinfection mechanism. Morris included a check that was supposed to prevent a machine from being infected twice, but he set the override probability at 1 in 7, meaning the worm would reinstall itself on already-infected machines one out of every seven attempts. This caused exponential resource consumption as dozens of worm processes accumulated on each machine.
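The effect of that 1-in-7 override can be seen in a small population model. This is an added example, not code from the worm or from the original page. The function name `simulate` and the model's assumptions are hypothetical simplifications: each running copy makes one infection attempt per round against a uniformly random host, and copies never exit.

```python
import random

def simulate(hosts, rounds, override_prob, seed=1988):
    """Toy model of worm process growth (constructed for illustration).

    Returns (totals, copies): the total process count after each round
    and the final number of worm processes on each host.
    """
    rng = random.Random(seed)        # seeded so runs are repeatable
    copies = [0] * hosts             # worm processes running per host
    copies[0] = 1                    # first infected machine
    totals = []
    for _ in range(rounds):
        new = [0] * hosts
        # Assumption: every running copy makes one attempt per round.
        for _ in range(sum(copies)):
            target = rng.randrange(hosts)
            if copies[target] + new[target] == 0:
                new[target] += 1     # clean host: always install
            elif rng.random() < override_prob:
                new[target] += 1     # already infected, check overridden
        copies = [c + n for c, n in zip(copies, new)]
        totals.append(sum(copies))
    return totals, copies

def compare(hosts=20, rounds=30):
    """Run the model with the check always honoured and with 1-in-7 override."""
    strict_totals, strict_copies = simulate(hosts, rounds, 0.0)
    worm_totals, worm_copies = simulate(hosts, rounds, 1 / 7)
    return {
        "strict_total": strict_totals[-1],
        "strict_max_per_host": max(strict_copies),
        "override_total": worm_totals[-1],
        "override_max_per_host": max(worm_copies),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With the check always honoured, the process count is capped at one per host. With the override, every existing copy keeps generating attempts, so once all hosts are infected the total grows by roughly a factor of 8/7 per round in this model.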
The Morris Worm was the catalyst for modern internet security. It directly led to the creation of the Computer Emergency Response Team Coordination Center (CERT/CC) at Carnegie Mellon University, the first formal incident response organization. Morris became the first person convicted under the Computer Fraud and Abuse Act of 1986, receiving probation and a fine. The incident demonstrated that the internet's trust-based architecture was fundamentally vulnerable and that network security required deliberate engineering. It remains a foundational case study in cybersecurity education.