25 Years After: The Legacy Of The Morris Internet Worm
Stuart McClure was an undergraduate student at the University of Colorado in Boulder 25 years ago when dozens of the university’s servers suddenly began crashing. The university, like other universities, government agencies, and organizations, had been hit with a historic computer worm that crippled thousands of machines around the Internet in an apparent informal research project gone wrong.
“I basically cut my teeth on the low-level reverse-engineering of that worm,” recalls McClure, who analyzed the worm when he became a teaching assistant at the university. “I remember thinking, ‘This was way too easy’” to execute, he says of the worm.
Nov. 2 marked the 25th anniversary of the infamous “Morris worm,” the Internet’s first major cybersecurity event that ultimately propelled the then-nascent Internet into a new world of rogue-code attacks on the once-hallowed ground of academia, research and development, military, and government communications. The worm was written and released by then-Cornell University computer science graduate student Robert Tappan Morris, who later confessed that he wrote the code as an experiment that had inadvertently spun out of his control.
A parade of high-profile worm infections has followed the Morris worm during the past three decades, including Code Red, Blaster, Sasser, ILoveYou, Nimda, and SQL Slammer, all of which were unleashed mainly to grab attention and wreak havoc; like the Morris worm, they mostly hurt victim organizations’ productivity and operations but didn’t damage their data. That traditionally had been the upside of worms: they were more of a headache than a destructive attack. But the worm’s wrath has changed dramatically with the newest generation of worms, such as the targeted Stuxnet aimed at sabotaging Iran’s nuclear facility, and the Shamoon worm, which was unofficially identified as the worm that wiped data from some 30,000 machines at oil giant Saudi Aramco. These newest iterations make the Morris worm look quaint in comparison to their targeted and damage-inflicting missions.
“Anybody who would try to convince Saudi Aramco or RasGas that they don’t have to worry about malicious worms [today] would get some pushback on that,” says Eugene “Spaf” Spafford, a security industry pioneer who was one of the first to analyze the Morris worm, referring to the malicious data-wiping worms that hit those energy organizations last year.
Spaf, who is executive director of Purdue University’s Center for Education and Research in Information Assurance and Security and a professor of computer sciences at Purdue, says the Morris worm’s significance was more about its timing than its impact. “It would have made news no matter what he had done because we had never seen anything like that,” Spaf says. “Not many people had thought about the potential for anything like that” at the time, he says.
The Morris worm wasn’t particularly elegant, either, according to Spaf and others who analyzed the code. Although Morris wrote it to exploit flaws in the Sendmail utility in Unix, his worm had some bugs of its own that caused it to go into overdrive and spread out of control. “The code was apparently unfinished and done by someone clever but not particularly gifted, at least in the way we usually associate with talented programmers and designers. There were many bugs and mistakes in the code that would not be made by a careful, competent programmer. The code does not evidence clear understanding of good data structuring, algorithms, or even of security flaws in Unix,” Spaf wrote in his renowned 1988 analysis of the Morris worm (PDF).
NASA-Ames was reportedly one of the first to spot the Internet worm clogging its servers at the time; it wasn’t long before other sites were experiencing similar symptoms of unusual files showing up in some machine directories, and odd messages in Sendmail’s log files. But it was when those computers became overloaded, infected over and over again as the worm replicated itself on each machine, that some of them fell over altogether under the weight of it.
McClure, founder and CEO/president of Cylance and former global CTO and general manager of the Security Management Business Unit for McAfee/Intel, remembers knowing right away that the worm had reached the University of Colorado’s servers when systems began going down with no explanation.
The multiplatform capability of the worm — it infected then-pervasive Unix-based Sun Microsystems Sun 3 and DEC VAX computers running 4 BSD versions of Unix connected to the Internet — impressed McClure. “It was multiplatform, which was really cool,” he says. “It was not just Sendmail, but other pieces that it went after and exploited features.
“When I looked at the code … it was fascinating. That really kicked off my [security] career.”
The Internet has come a long way since 1988, for sure, but there are some hauntingly familiar themes in both the Morris worm and today’s threats. Not only did Morris exploit weak passwords in the systems (sound familiar?), but he also exploited a buffer overflow vulnerability, a type of software bug still abused today, notes Marc Maiffret, CTO at BeyondTrust.
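Maiffret’s point that the buffer overflow is still with us, illustrated with an added example that is not from the article: the worm’s fingerd exploit overran a fixed-size buffer filled by gets(), and the bounded routine below is the hardened shape of that same read. The function names, the 512-byte cap and the sentinel field are the editor’s own choices, not anything from the worm or from fingerd.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_CAP 512   /* fixed buffer size, same order as the one the worm overran */

/* Vulnerable shape (do not use): gets() takes no length, so any request
 * longer than LINE_CAP spills past the buffer into adjacent stack memory.
 *
 *   char line[LINE_CAP];
 *   gets(line);
 *
 * Hardened replacement: copy at most one line and refuse anything that
 * will not fit, instead of overflowing or truncating silently. */
int read_request_line(const char *src, char *dst, size_t dst_len)
{
    size_t n = strcspn(src, "\r\n");   /* bytes before the line terminator */
    if (n >= dst_len)                  /* no room for the terminating NUL */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Buffer with a sentinel beside it, standing in for whatever a real stack
 * frame keeps next to the buffer (saved registers, return address). */
struct request {
    char line[LINE_CAP];
    unsigned int sentinel;
};

#define SENTINEL 0xC0FFEEu

/* Feed a constructed request of `len` 'A' bytes and report whether it was
 * accepted (1), rejected (0), or corrupted the sentinel (-1). */
int handle_request(size_t len)
{
    struct request r;
    char *buf = malloc(len + 3);
    if (buf == NULL)
        return -1;
    memset(buf, 'A', len);
    buf[len] = '\r'; buf[len + 1] = '\n'; buf[len + 2] = '\0';
    r.sentinel = SENTINEL;
    int rc = read_request_line(buf, r.line, sizeof r.line);
    free(buf);
    if (r.sentinel != SENTINEL)
        return -1;
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    printf("5-byte request: %d\n", handle_request(5));      /* 1: accepted */
    printf("536-byte request: %d\n", handle_request(536));  /* 0: rejected */
    return 0;
}
```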
Maiffret and colleague Ryan Permeh at eEye Digital Security in July 2001 discovered Code Red. They named it after the cherry Mountain Dew soda of the same name that the two were drinking while they picked apart the worm, which ultimately infected some 350,000 servers running Microsoft’s IIS.
Worms throughout history have reflected the times, he says. “If you look at the Morris worm … it started as seeing if something would work. It was not meant to be malicious in any specific way,” he says. “Code Red was very similar in a way, although both worms were written with different intentions … Code Red had a payload to attack the White House’s Web server, but it was not that well-written, and it was malicious in more of a, ‘Hey, look at me’” way, he says.
Cybercrime was still in its infancy in 2001 as well, he notes, and the hackers behind Code Red and earlier worms were more interested in exploration or making a name for themselves than in profit, he says. “Code Red was a good [example] of that middle ground. It was not cybercrime and stealing. It was really more to make a name or put out a message, just to make a statement. That mirrored the culture of what was happening” in hacking at the time, he says.
The Morris worm, Code Red, and other early worms were considered more of a nuisance, but they also are credited with raising awareness among the security and user communities.
Fast forward to today’s worms, however, and awareness is the least of victims’ worries. With a lucrative cybercrime landscape and cyberespionage driving most of today’s malware and hacking, worms mostly play a different role. “They are very tailored and very specific,” Maiffret says. Worms are deployed via automated command-and-control infrastructures today, and attempt to remain more stealthy for cyberspying purposes, for instance. “The goal there is to be stealthy, not make a name, and extract data,” Maiffret says.
But worms are not the most popular form of malware for most attackers, mainly because it’s difficult to remain stealthy if the goal is to spread quietly to a specific target without triggering any alarms. Stuxnet, meanwhile, was used to reach an airgapped environment, spreading in a worm-like manner to get there. “You can’t sit there at the computer and do a targeted attack of an airgapped network. You need something automated that can find its way” in by propagating itself in a controlled way, Maiffret says.
But even the highly sophisticated Stuxnet worm was eventually found out when it landed outside its target zone. “You don’t want it to end up detected somewhere or on a researcher’s site where it can be reverse-engineered,” he says. “Worm-like characteristics are for automatically spreading, but how do you control it? Look how we’ve seen plenty of mistakes [with targeted worms].”
Then there are the fast-moving, destructive worms like the one that hit Saudi Aramco. It snuck in, but then loudly wiped data from some 30,000-plus Windows machines. “That is definitely a different animal. We’ve seen old viruses back in the day that at a specific date messed up the BIOS so the system would not boot,” Maiffret says. “It was weird that they were using some stealth and also characteristics that are frankly similar to things we have seen more than 10 years ago.”