That time when an NSA bloke's son borked the ENTIRE INTERNET...

It's 25 years since the Morris Worm taught the world that computers were capable of contracting viruses. The Morris Worm hit on 2 November 1988, spreading rapidly by exploiting vulnerabilities in sendmail, the email server software that was the most commonly used technology of its type at the time. Many contemporary Unix …

COMMENTS

This topic is closed for new posts.
  1. Peter Simpson 1
    Coat

    Heh - kids make mistakes...

    ...but only rarely do they have such widespread impact. However, he paid his debt to society and went on to make himself quite a bit of money and get hired as a prof at MIT. Kid's done OK, I'd say.

    He probably leaves the worm off his resume, though

    // the one with the floppy disk in the pocket

    1. Destroy All Monsters Silver badge

      Re: Heh - kids make mistakes...

      > He probably leaves the worm off his resume, though

      There is no need to put Good Stuff Everyone Knows About on your resumé, now, is there?

  2. Paul_Murphy

    Re: I can't find* the report a spelling mistake button so...

    > Ducklin's post reflecting on tyher Morris Worm event

    s/tyher/the

    I suspect.

    *Actually I can see it when I do a post, but my browser asks to set up my browser's email client, and I can't be bothered.

  3. Adrian Jones

    The Christmas Worm

    Don't forget the poetry it inspired.

    http://www.cs.iastate.edu/~ghelmer/unixsecurity/night-before-morris-worm.txt

  4. Don Jefe
    Happy

    I like hats and I think it is sad that brimmed hats went out of fashion. That being said, you've got to choose a hat that suits your physique. If you choose poorly, the hat becomes the object of people's focus, not you. However, that video was made during what will ultimately be viewed by anthropologists as a period of desperation, so it isn't completely his fault. Everyone during that period forgot about accessories merely enhancing someone, and made the accessories the someone.

    1. JLH

      I remember getting a copy of the Morris Worm in an email - yes I am that old!

      It would either have been on an IBM Bitnet account or a DECNET email address.

      Googling also proves that I might be remembering wrong - a REXX based virus which affected BITNET preceded the Morris worm (writing viruses in REXX!)

      http://homepage.cs.uiowa.edu/~jones/assem/summer97/notes/33.html

      and yeah, that is some Unix beard.

      1. Destroy All Monsters Silver badge
        Thumb Up

        REXX seems appropriate. One of the few languages on Big Iron in which you can construct a string of REXX commands that you can then eval.

      2. Ian Michael Gumby

        @JLH

        Yes,

        I remember it too. I know exactly where I was when the shit hit the fan. ;-)

        I want to say that thanks to Morris, we have CERT, or was it that Morris put CERT on the map.

        (Spafford was at Purdue if memory serves...)

        (It's been a very long time and I've destroyed too many brain cells.)

        Because I was a student system admin for one of the departments at my University... I got a boat load of emails and stuff on the worm.

        The biggest thing that saved Morris was that he didn't think that it would replicate as quickly as it did and he was very repentant at the time. (Or that it would spread as quickly as it did...) The bottom line: I don't think Morris thought about what could happen when he wrote it and launched it.

        I used to ask people who insisted on .rhosts or /etc/hosts.equiv entries where they were when Morris released his worm. If they give me a blank stare, I'd give them the 15 min lecture. Or if they remembered... they would just quietly go away.

        I don't think you remembered it wrong.

        The thing about Morris was that he took advantage of a couple of major flaws and the worm over replicated quickly. Also he took out what was then the 'net or internet that grew out of arpanet.

        The .rhosts, /etc/hosts.equiv was one insecurity. There were a couple of other things... but let's not go there.

        (Geez, I hadn't thought about it for years... kinda surprised I remembered as much as I did. ;-)

      3. Michael Wojcik Silver badge

        > a REXX based virus which affected BITNET

        CHRISTMA EXEC was not a virus. It may have been a Trojan Horse, but more likely was simply an accident. It was simply a REXX script that displayed a Christmas tree and then emailed itself to everyone in your email contacts list. (The Wikipedia entry calls it a worm, which is equally inaccurate.)

        CHRISTMA EXEC hit IBM's internal VNET network (which was larger than BITNET) just as hard.

  5. lansalot

    ooh..

    That reminds me - this tale and a couple others are recounted in the excellent book "The Cuckoo's Egg", by Clifford Stoll. I lost mine years ago... so off to find a copy.

    I remember one of the tales where they were tracking someone coming in via dialup modem, but weren't ready to log quite yet. They didn't want to pull the plug as the miscreant might have got suspicious. So they jangled car keys over the wires to the modem, creating noise and eventually a dropped carrier...

    1. Destroy All Monsters Silver badge

      Re: ooh..

      Of course: Stalking the Wily Hacker.

      or the final article in CACM here: Stalking the Wily Hacker.

  6. Andy 12

    ah, yes, The Shockwave Rider by Brunner, an excellent early treaty on the subject. I of course cannot confirm or deny having anything to do with a small programme on the BBC that reformatted all attached disk drives if anyone tried to copy my software. There were not that many disk users in them days, but the code did attach itself to every file the potential pirate then created and sent to friends...... :-)

  7. Destroy All Monsters Silver badge
    Windows

    Your face when ... those memories!

    Eugene Spafford's article as it appeared in Communications of the ACM 1989-06 is not to be missed.

    I remember taking in for the first time what "networking" meant.

    There was also an article in that CACM issue by Paul Saffo about how RTM (1988) was inspired by William Gibson's Neuromancer (1984). Romantic terrorist-enabling literature in the eighties? Sure we can: "The growing body of material is by no means inspiration for every aspiring digital alchemist. I am particularly struck by the "generation gap" in the computer community when it comes to "Neuromancer": Virtually every teenage hacker I spoke with has the book, but almost none of my friends over 30 have picked it up."

  8. websey

    Ahhh the good old days

    If only the script kiddies of today had a minuscule percentage of this man's ingenuity we wouldn't be moaning about them because the internet would be forever down and we would be working on local intranets of just a few machines

    Oh I would love a world with no faceboo, twatter and the rest of them data sinkholes

  9. John Smith 19 Gold badge
    Joke

    See kids.

    That's what happens when you take some of your Dad's software for a spin without his permission.

  10. Joe Gurman

    Well, not all old sys admins....

    We were running exclusively VMS machines at the time, and even those with TCP/IP were unaffected because the stack had different implementations of all those things than BSD did. We literally didn't know it was happening until we went home and watched TV news.

    1. Destroy All Monsters Silver badge
      Trollface

      Re: Well, not all old sys admins....

      There weren't students puking in fear in the corridors??

      "WHERE IS SIGOURNEY WEAVER?!!"

    2. David Fetrow
      Facepalm

      Re: Well, not all old sys admins....

      Well I had (mostly) unaffected or minimally affected machines (one of the few times I was very very grateful to have IBM RT's) but we noticed it bigtime.

      If for no other reason than that the internet was basically down. Even a VMS shop, should it be emailing to machines on the internet (as opposed to some internal DECnet) would have to have noticed.

      I remember setting up phone trees for the next time so, should the network die, the sysadmins could still talk to each other.

      Of course now the phone network is a packet-switched affair.....oh. Time to dust off the CB and HAM radios.

    3. Michael Wojcik Silver badge

      Re: Well, not all old sys admins....

      > We were running exclusively VMS machines at the time, and even those with TCP/IP were unaffected because the stack had different implementations of all those things than BSD did.

      The fingerd and sendmail exploits (gets-buffer-overflow and script-injection respectively) were only two of the worm's propagation methods. In theory the worm could potentially have infected VMS machines with accounts protected by weak passwords or with ports of the BSD r-commands[1]. But its exploit code assumed UNIX filesystem layout, tooling, etc, so even if it got in, the script wouldn't have done anything useful.

      By the same token, even if VMS had straight ports of BSD fingerd and sendmail with the same vulnerabilities, all the worm would have done would have been to crash the former and cause the latter to write some small files to disk.

      It's a classic example of monoculture vulnerability.

      [1] I don't recall ever seeing a VMS box with the r-commands, but it wouldn't have been difficult to get them running on one. (At least not rexec and rsh. rlogin would have been trickier because of its dependency on UNIX pseudo-tty arcana.)

  11. Don Mitchell

    RTM

    I know Morris and his dad (his father worked in dept 1127 at Bell Labs, where UNIX was created, before moving to the NSA). He was a bright kid, and I'm sure he intended no real harm, but it was certainly poor judgment. The whole affair seems to have been very traumatic for him, and he's never discussed it or responded to any questions or comments about it.

    Several years before he wrote the worm, Morris was a summer intern at the labs, and he helped me convert a fast DES subroutine I wrote, to perform the UNIX password hashing operation. As I understand it, he incorporated that code in the worm, and Spafford wondered in his report where it came from.

    The worm is also a tribute to the crappy programming and systems design that seems to go into all email software. Sendmail was a never-ending source of security problems in the early days of BSD UNIX, and it was an unbelievable resource hog. When it first came out, it had a remote root-shell feature, the author put in to make it easier for him to troubleshoot it. Thoughtless. We called it "mailer science". When BSD 4.3 came out, sending an email to all 40 or so people in our division would take 5 or 10 minutes of processing time, the whole system was brought to its knees.

    1. Destroy All Monsters Silver badge

      Re: RTM

      That's pretty cool.

    2. Michael Wojcik Silver badge

      Re: RTM

      On the other hand, sendmail did offer an obscure and troublesome configuration syntax.

      I remember fixing the occasional bug in the BSD 4.3 sendmail sources back in the late '80s. It was fairly horrible.

  12. Yet Another Commentard

    Probation

    Surely double secret probation would be more appropriate?

  13. jake Silver badge

    Surprised nobody's commented that ...

    ... it wasn't a virus. The hint is in the name ... "The Morris Worm".

    See: http://forums.theregister.co.uk/forum/containing/1677310

    1. Michael Wojcik Silver badge

      Re: Surprised nobody's commented that ...

      Yes, the technical details are somewhat sloppy in the article. There's also the "spreading rapidly by exploiting vulnerabilities in sendmail" bit, for example.

      The sendmail exploit was of course only one of four propagation methods the worm used (unauthenticated rsh, fingerd buffer overflow, sendmail debug mode, and password brute forcing). All are of interest, but the fingerd one got the most attention at the time, at least in the circles I ran in. This was long before Aleph One's "Smashing the Stack for Fun and Profit", and buffer overflows were widely considered too difficult to exploit.

      The article does briefly mention the other exploits further down, but that earlier paragraph is simply misleading.

      (I'm not entirely sure that sendmail was the most common MTA at the time, either, though by 1988 it quite possibly was. A few years earlier, it probably wasn't - around 1986, there were almost certainly more RSCS nodes than sendmail ones.)

  14. Petrea Mitchell
    Alien

    From great pain comes great art

    Without the Morris Worm, we'd never have had _A Fire Upon the Deep_, easily one of the best books ever to win the Hugo Award.

  15. asdf

    wow

    It must really suck being semi famous and mostly known for one of the worst things you did in your life. Especially because the guy sounds fairly sharp (except for this incident of course). I would rather be an anonymous peon myself (hey mission accomplished).

  16. codeusirae
    Facepalm

    The Morris Worm and vulnerabilities in sendmail?

    > Many contemporary Unix servers were running versions of sendmail featuring buggy debugging code, a shortcoming the worm exploited to devastating effect ..

    "Vulnerability description: Very old installations of the Sendmail mailing system contained a feature that allows a remote attacker connecting to the SMTP port to enter the "WIZ" command and be given an interactive shell with root privileges."

    http://www.iss.net/security_center/reference/vuln/Email_WIZ.htm

    1. Destroy All Monsters Silver badge

      Re: The Morris Worm and vulnerabilities in sendmail?

      Remember in those times you trusted the other machines on the network. And you trusted government. (and people minding your own business were not over everything looking for gender discrimination, rape culture and anti-feminism but this may just be my memory...)

      Sendmail has had problems into the 00's of course, which is why everyone is running Postfix (right?). That and the M4 retardation.

      1. codeusirae
        Devil

        Re: The Morris Worm and vulnerabilities in sendmail?

        "Remember in those times you trusted the other machines on the network"

        And that was a time when the firewall actually did something useful. As in only authorized processes could open privileged ports and if you had the same user-name on another machine you could log-in locally. Arrr, twere a kinder more innocent age ...

      2. asdf

        Re: The Morris Worm and vulnerabilities in sendmail?

        >and people minding your own business were not over everything looking for gender discrimination, rape culture and anti-feminism but this may just be my memory...)

        And because of redneck fools like you and your ilk they had to start doing so.

        1. Destroy All Monsters Silver badge

          Re: The Morris Worm and vulnerabilities in sendmail?

          Oh shit. Well I better get on with my redneck-style rape then.

  17. Francis Vaughan

    Coming of age

    I remember when it hit too.

    There were some really nice things that went on as it spread and was contained. But the thing that most sticks in my mind is the warning message that was sent around in the first day. It contained a couple of very interesting sentiments.

    Paraphrasing, as it has been a long time, and I don't have a copy of that message anymore. (Although I would love a copy.)

    "We all knew that it was possible to write something like this" "We just didn't think anyone would be dumb enough"

    It ended with: "This is bad news."

    The bad news was the loss of innocence. This was the moment when the mutual trust ethos died.

    1. John Smith 19 Gold badge
      Unhappy

      Re: Coming of age

      "The bad news was the loss of innocence. This was the moment when the mutual trust ethos died."

      Trust.

      But verify.

    2. Michael Wojcik Silver badge

      Re: Coming of age

      > It ended with: "This is bad news."

      Which is completely wrong, of course. It was very good news, in that it taught many people in the industry a valuable lesson.

      There's an anecdote in The Cuckoo's Egg where Stoll realizes that one of the attackers he's tracking is copying /etc/passwd to do an offline dictionary attack against the hashes - an attack he'd never considered before. When he mentions it to Bob Morris Sr (Morris Jr's dad at the NSA), Morris says, oh yes, we're well aware of the possibility.

      That was typical of the attitude in the late '80s: a small number of computing-security professionals, generally working for the government or for businesses with serious research programs (like IBM), and a small number of academics were conscious of the gaping vulnerabilities in common systems of the day. And everyone else was cheerfully ignorant of or blithely disregarded the dangers. We needed CHRISTMA EXEC and the Morris Worm to start building the public IT-security mentality.

      Things are still pretty bad, but they'd be even worse if not for those early wake-up calls.

    3. Tom 13

      Re: The bad news was the loss of innocence.

      True, but at least he didn't have malicious intent. What would have happened if the first incident of that magnitude had?
