Introduction
Imagine a disease for which there is no cure. Like the coronavirus in 2020 and the Spanish flu in 1918. It's scary to think about, right? Something similar happened in history when the internet first fell ill. The world's first major cyberattack, a virus outbreak. Behind it was a college student whose curiosity infected and shut down 6,000 computers worldwide. This might not seem like a big number today, but at that time, it was 10% of the internet. Today, there are billions of internet users, and it's a dream for any celebrity to break the internet. It takes years of effort, skill, and luck for content to go viral according to social media algorithms. But 37 years ago, a college student did it. Welcome to the first episode of our cyber documentary. Let's learn about Morris Worm.
Today, cyberattacks and viruses spreading are common. Every other day, there's some attack, and we don't even know about 90% of them because we have very mature security programs and organized policies that can effectively stop these attacks and alert us instantly. The growth of cybersecurity today is also due to the major cyberattacks in history that shook the world. But for that first cyberattack, we were not ready.
State of the Internet
It was November 1988, exactly one year after the invention of the World Wide Web. At that time, there were a total of 60,000 to 65,000 internet users worldwide, and the internet was only available in 20 countries. Regular people didn't have internet at home; it was only available in universities, research centers, and government institutions because, at that time, the internet was largely funded by the US government, which we know as ARPANET.
What Actually Happened?
On November 2nd, at 8:30 PM, something happened that shocked everyone. Within 24 hours, a virus spread that automatically shut down more than 6,000 internet-connected machines, and researchers named it the "computer worm". This attack infected major universities and research centers, including Harvard, Princeton, Berkeley, Stanford, John Hopkins, and NASA. The good thing is that this worm didn't delete or modify any personal files or data. It only affected system performance and uptime. However, major operations like military and education were delayed for weeks, and it had a significant impact on the economy.
The Man Behind
But why did Morris do this? What was his motivation? Robert Tappan Morris was born on November 8, 1965, in the US. He was the son of a cryptographer, also named Robert Morris, who worked at Bell Labs and and the National Security Agency (NSA). So, computers and hacking were in his blood. He completed his graduation from Harvard University in June 1988, after which he got admission to Cornell University in August. His friends and teachers called him a brilliant programmer. From the beginning, he had a great interest in operating systems and networking, and he was a very gifted programmer. He spent his entire life with computers and coding. He was also known as a prankster in school. He was a very curious student who kept experimenting. This incident was also part of his experiment, but he had no idea how big it would become and how it would change his life. He carried out this incident at just 23 years old.
Robert Morris (the creator of the Morris Worm) is currently a computer scientist at the Massachusetts Institute of Technology (MIT). He works in the Computer Science and Artificial Intelligence Laboratory (CSAIL), specifically within the PDOS group. He holds a tenured position in the Department of Electrical Engineering and Computer Science.
Technicalities of Morris Worm
Now, let's talk about the worm in detail. I told you that researchers named it a worm, but this wasn't the first incident where a virus was called a worm. Thirteen years before the Morris Worm, a novel called "The Shockwave Rider" by John Brunner was published. It was a cyberpunk-style novel that featured a software capable of surviving in a network by making copies of itself. A self-replicating program was termed a "tapeworm," but gradually it was optimized and simply called a "worm".
Just as every computer requires an operating system like Windows or Linux, and many programs run in the background consuming data and system performance, this worm also performed similarly. It exploited vulnerabilities in those programs and affected your system's performance and uptime. It could also completely shut down your system and perform many other things. So, it can definitely be said that Morris popularized and brought this term to people through this worm. Since then, many computer worms have spread throughout history, but we will always talk about the Morris Worm.
It could spread itself in the network without any human interaction. Because it was self-replicating, it made copies of itself and spread in the network by abusing a networking protocol. Similarly, there have been many programs in history that were distributed by worms. Most commonly, it is used to distribute malware and ransomware. You must have heard of a very popular name for a major cyberattack, WannaCry, which spread through a worm. We will talk about WannaCry in another article, but this worm's intention was not malicious. It wasn't meant to infect anyone; it was basically created to expose system vulnerabilities and weaknesses to raise awareness about cybersecurity. Like an antivirus program that tells you if you have a virus in your system, this was similar. Its intentions were not bad. However, a coding mistake happened that changed the whole scene.
It basically targeted a specific version of the Unix OS. And it spread so quickly because it had exploits for multiple vulnerabilities written into it, even at a time when there weren't many programs. So, that person used a very research-oriented mind to cleverly write this worm. And there were many programs with multiple things written here. The first program was Sendmail, which is a Unix mailing program; it had a bug in debug mode. The second program was Finger, which had a buffer overflow vulnerability present; its exploit was written. The third is very common, which we still see today: people don't set strong passwords. At that time, when there wasn't much awareness about strong password policies, people left default common passwords or blank passwords in networking protocols like SSH, so it exploited that and spread further in the network.
Its interface was very simple; it would ask people a question. The question was whether a copy of this program was already on the system. And the answer had to be Yes or No. If you answered "Yes," the program would not copy itself further, meaning it would not spread further or execute on your system because it would think the computer was already affected. And if you said "No," it meant you were not infected, and it would copy itself and execute on your computer, infecting you. Now, you and I are smart enough to always choose "Yes" because we know we want to protect our system, so it won't be copied. But Morris was just as smart, and he knew that anyone with a bit of a technical background and knowledge would say "Yes"; no one would say "No". So, he made a change in the code that even if you said "Yes," the virus would execute, and you would think you were safe. So, it didn't matter if you said "Yes" or "No"; the virus would come to your system and infect it.
And this caused a problem: thousands of copies of the virus were created on a single system. So, the intensity of the attack was amplified on a single system, causing it to shut down. This caused thousands of systems to aggressively crash and eventually created a mass denial-of-service situation. It was also designed in such a way that a normal user couldn't see it. It was made stealthy so that it would remain hidden, and you wouldn't even know there was a problem with your system. At that time, all internet users were high-profile, involving crucial operations like military, research centers, and universities. So, it infected those high-value computers, causing huge economic damage. An exact figure is not available, but it is estimated that the damage ranged from $100,000 to $1 million USD.
The Aftermath and Investigations
So, containing and removing it as soon as possible became very important. Many computer experts got behind it to understand it, and everyone wanted to know who was responsible for it. Within hours of the attack, a frightened programmer called two of his friends. He said that he had accidentally launched a worm, a code, on the internet that had spread too much and gone out of control. He told one friend to prepare an anonymous message and send it on the internet on his behalf, which contained his apology and instructions on how to stop this attack. But the irony was that at that time, all systems and networks were infected with this worm, so very few people knew about this message. But his other step-brother anonymously called the New York Times and told them everything, which spread the news worldwide from the front page. He also told the reporter that he knew who was responsible for it, who its creator was.
And as I said, its purpose was not bad. It wanted to expose systems in a good way. Just a coding mistake happened that launched it. But you know how media people manipulate things and how big an issue they can make. They are very clever, no less than any investigation department. So, they questioned that friend and asked such questions that the friend unknowingly revealed the creator's initials, R.P.M.. Which we know today is Morris's name. After that, it was a piece of cake. The FBI got involved and traced Morris, caught him, and The Times reported him to the whole world as a 23-year-old criminal.
It is said that Morris launched that worm. But Morris was at Cornell at that time, so how could it be that a programmer working at MIT launched this worm from his system? How was this worm launched from MIT? The FBI investigated this and found that the author, the mastermind, Robert Morris, had hacked an MIT computer and remotely launched this attack from his Cornell system, from his Cornell terminal. And this attack did not go from his system; it went to some other system at MIT and was launched from there. That's why it seemed like an MIT student had launched it, not Morris.
In those days, there were highly skilled students, very technical students from Harvard and Stanford; many of them wrote such viruses, but no one launched them like that. And the problem was that computers of that era were quite monocultured and monolithic, so everyone would get infected by the same type of virus; everyone had a common kernel, and many things were the same; there were not many patches at that time. According to FBI reports, some institutions even changed the infected systems, put them in scrap, and the systems that were not affected went offline for 6-7 days.
Criminal Trials on Morris
Then what was supposed to happen? The case had a high-profile trial in court, and Morris was put before it. He was charged because he had violated federal law. Due to this incident, the word "internet" was used for the first time in any print media. The New York Times did this for the first time on November 5, 1988. Experts said that this would give wrong motivation to many technical people to spread malicious code and write wrong worms and viruses. So, many more bad intentioned hackers could be born in the world. Congress had released an act in 1986, the Computer Fraud and Abuse Act. Morris became the first person to be convicted under that act, CFA. It could have been very bad. Today, if we see someone who has committed major cyberattacks, caused millions of dollars in damage, they get jail time, millions in fines, maybe a lifetime sentence for all this. But at that time, Morris's intention was not bad, and he was only 23 years old.
So, there were many appeals, a lot of back and forth in court, and he didn't go to jail, but he was fined $10,000 and put on probation for 3 years. During this, he had to appear before a probation officer in court and do volunteer work in the field of computer science, basically teach students about computer science and good practices. During this period, he was not supposed to commit any other crime, and restrictions were also placed on his system and internet access, the deep details of which are not available to us. He had to perform 400 hours of community work and unpaid service. So, if we add all the expenses, probation dues, etc., Morris was fined a total of $3,000.
What Happened to Robert?
This incident changed Morris's life forever, even if he didn't do it intentionally. He was greatly shaken and regretted that he had acquired a bad image in front of the whole world. Everyone talked about Morris, that cyberattack, and fear spread among people just because of that person. So, he didn't like this at all. He wanted to stay away from media coverage. He told big journals and institutions that he didn't want to give any interviews. Big media houses approached him for interviews, but he refused everyone. He didn't want any kind of media coverage.
But now everything gets resolved with time. So, gradually, this situation also relaxed. He also moved on in life. A few years later, in 1995, he completed his PhD from Harvard, and with two of his colleagues, he created a web application called Viaweb, which was an e-commerce platform. It is also called the world's first web application, and the funny thing is that Yahoo acquired it three years later for $50 million USD.
Morris never gave up his passion. He was always interested and always followed his interest. Although he spent many years in court, he launched many big projects and programs and remained active in the programmer community for many years.
The Modern Day Significance
The significance of the Morris Worm has brought about a very important change in cybersecurity. It is also called the Great Worm because it didn't just have an objective impact on cybersecurity. It also changed people's perception of the internet and security forever. It created so much fear in people's minds because all these things were happening for the first time in their lives, that their system would suddenly shut down by someone else. So, people became so scared that some even talked about never coming online again. This story was spreading so much in the news and media that for the first time, people openly started talking about systems and security. It was after this that people started coding good software. Big companies were formed, and antivirus software started being launched.
Today, we are used to this. But think about that time when there were no antivirus programs. People had no way to protect their systems. Computers couldn't even protect themselves. So, what kind of impact must it have had on people? I'm not saying that no virus had ever spread in the world before this. But this was the first incident that gained mainstream media coverage. In those days, when computers and the internet were very new things. After this, the government also started taking security seriously. Big companies were formed, developers came forward, and security programs started being coded, and that's how we started seeing antivirus programs. Gradually, antivirus and intrusion detection systems started coming into the market. The US itself created a Computer Emergency Response Team (CERT) under the Department of Defense. A new wave of new generation hackers started, which is still going on today and tries to harm the internet every day, every hour. So, this wake-up call for the internet and cybersecurity was received 35 years ago.
Conclusion
Today, the source code of the Morris Worm is kept on a floppy disk in the Computer History Museum in California. But don't worry, even if it gets leaked, it won't work on today's computers because the vulnerabilities it exploited do not exist in today's systems. So, this was the world's first cyberattack, the Morris Worm.
I hope you learned something and liked this story. Please let me know how it was, and your feedback will tell me how you like these types of articles, as this is my first attempt at this type of case study and documentary-style article.
So please tell me in the comments and share your feedback on whether I should continue this. Because many such insightful cyber incidents have happened in the past from which much has been learned, and the industry has changed a lot. Like WannaCry and Log4j, so do tell. And these types of articles provide a lot of general knowledge, so they become necessary, and not many people create such content. I hope you will share this article with your friends because it must have been interesting. So, I keep bringing such cybersecurity articles in the future. So, keep watching, and keep learning.
