// overview
What happened
On the evening of November 2, 1988, a small program written by a 23-year-old Cornell graduate student began propagating across the ARPANET. Robert Tappan Morris intended to gauge the size of the network and built in three propagation methods: a buffer overflow in the fingerd daemon, exploitation of sendmail's DEBUG command, and password-guessing over rsh and rexec.
A flaw in the worm's anti-reinfection logic caused it to copy itself onto already-infected hosts at an aggressive rate, consuming CPU and crashing systems. Within hours, thousands of UNIX machines at universities, military sites, and research labs ground to a halt.
Network administrators severed regional links to contain the spread, fracturing the internet for several days while teams reverse-engineered the binary. The shock prompted DARPA to fund the Computer Emergency Response Team Coordination Center (CERT/CC) at Carnegie Mellon within weeks.
Morris was convicted in 1990 — the first felony conviction under the 1986 Computer Fraud and Abuse Act — and sentenced to three years' probation, 400 hours of community service, and a $10,000 fine. He later became a tenured professor at MIT and a co-founder of Y Combinator.
// timeline
How it unfolded
- Nov 2, 1988 — 18:00 ET: Worm released from MIT to obscure its origin at Cornell.
- Nov 2, 1988 — late night: Reports of paralysed systems flood mailing lists; admins suspect a UNIX-targeted worm.
- Nov 3, 1988: Berkeley and Purdue teams reverse-engineer the binary; first patches published.
- Nov 8, 1988: DARPA convenes the meeting that authorises CERT/CC at Carnegie Mellon.
- Jan 1990: Morris convicted under the Computer Fraud and Abuse Act of 1986.
// damage
Impact and scale
The worm took roughly 10 percent of the internet offline for days. It triggered the first US federal prosecution under the Computer Fraud and Abuse Act and led directly to the founding of CERT/CC at Carnegie Mellon, which still coordinates global vulnerability response today.
// affected
Who was hit
- Universities including MIT, Stanford, Berkeley, Princeton, Harvard, Cornell
- Military research sites and NASA Ames Research Center
- Lawrence Livermore National Laboratory
- SRI International and other defence contractors
// lessons
Key takeaways
- Self-replicating code can do severe damage without any malicious intent — the bug was in the throttle, not the payload.
- Monoculture is fragile: a single vulnerability in widely-deployed UNIX services brought down a meaningful share of the global network.
- The incident proved the need for permanent, funded incident-response coordination — the model CERT/CC still embodies.
- Legal frameworks for computer crime were untested; Morris became the first defendant to test the CFAA in court.


