The Grad Student Worm That Took Down the Early Internet
In November 1988, Robert Morris released a program that was supposed to quietly count computers. Within hours, it had infected 6,000 of them.
On the night of November 2, 1988, Robert Tappan Morris, a Cornell graduate student, released a self-replicating program onto the ARPANET. It exploited holes in sendmail, fingerd, and weak rsh passwords. By morning, about 10 percent of the 60,000 machines on the network — roughly 6,000 hosts — were either infected or falling over.
Morris's design had a specific bug. To avoid reinfecting a host he'd already hit, the worm asked each target whether it was already running the worm. To stop sysadmins from spoofing 'yes' to immunize themselves, Morris added a rule: reinfect anyway, one out of every seven times. That turned out to be far too aggressive. Machines filled with copies and ground to a halt.
Universities yanked network cables to stop the spread. The fix, posted on Usenet within 48 hours, was a set of patches and a recompiled sendmail. Workstations came back online slowly. Purdue's analysis estimated cleanup cost at around $100,000 per site.
Morris was the first person charged under the 1986 Computer Fraud and Abuse Act. He got three years of probation, 400 hours of community service, and a $10,050 fine. He later co-founded Viaweb, sold it to Yahoo for about $49 million in 1998, and became a tenured professor at MIT.
DARPA spun up the CERT Coordination Center at Carnegie Mellon within three weeks. Coordinated vulnerability response as an institution starts there.
Make Recess yours.
Sign in to save the ones you loved, never see the same thing twice, and tell us what you want more of.