November 2, 1988 · T1

The Morris Worm — The First Large-Scale Internet Attack

On the night of 2 November 1988 a worm released by Cornell graduate student Robert Tappan Morris chained vulnerabilities in sendmail, fingerd, and rsh to self-replicate across the early Internet, taking down an estimated 6,000 of roughly 60,000 hosts — around 10% of the network. A miscalibrated fork rate meant a single host could run many copies at once, effectively halting the entire network. In 1989 Morris became the first person prosecuted under the 1986 Computer Fraud and Abuse Act (CFAA) and was convicted in 1990. The incident drove DARPA to create the CERT Coordination Center, founding the discipline of computer-security incident response.

Image: Portrait photograph of Robert Tappan Morris. Source: Trevor Blackwell (Wikimedia Commons) · CC BY-SA 3.0 / GFDL

Metadata

Date: November 2, 1988
Decade: 1980s
Tier: T1


At about 18:00 US Eastern time on 2 November 1988, a program was launched from a machine in MIT's AI Laboratory, prep.ai.mit.edu. Built around 99 lines of C, the program crippled an estimated 6,000 hosts — roughly 10% of the entire Internet at the time — within hours. Its author was Robert Tappan Morris, a 23-year-old computer-science graduate student at Cornell University.

This was the Morris Worm, the first large-scale worm incident in the history of the Internet.

The Attack Surface

The worm chained three known weaknesses on BSD-style UNIX systems.

  • sendmail's DEBUG mode. The sendmail mail-transport daemon shipped, on many vendor installs, with a debug mode that allowed remote command execution.
  • fingerd buffer overflow. The finger daemon read its input with gets(), which does no bounds checking, so an oversized request could overwrite the stack and execute arbitrary code — one of the first publicly demonstrated, practical buffer-overflow exploits.
  • rsh / rexec trust. Hosts that trusted each other through .rhosts could execute commands without passwords. The worm also tried a dictionary attack with a 432-word built-in list plus candidates derived from /etc/passwd.
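
The fingerd weakness above comes down to reading a network request with a call that takes no length. The following is an added example, not code from the original page or from fingerd: it keeps the unbounded pattern as a comment and implements a bounded reader that rejects oversized requests. `read_request` and `REQ_MAX` are hypothetical names, and the buffer size is chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

#define REQ_MAX 512 /* buffer size chosen for this example */

/* Pattern described above, kept as a comment (gets() was removed in C11):
 *     char line[REQ_MAX];
 *     gets(line);   // no length argument: a longer line overruns line[]
 */

/* Hypothetical hardened reader. Returns the request length, -1 on EOF or
 * error, -2 if the line did not fit (the remainder is discarded so it is
 * not parsed as a second request). */
int read_request(FILE *in, char *buf, size_t cap) {
    if (cap < 2 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {          /* complete line */
        buf[--n] = '\0';
        if (n > 0 && buf[n - 1] == '\r')
            buf[--n] = '\0';
        return (int)n;
    }
    if (n + 1 < cap)                            /* EOF ended a short line */
        return (int)n;
    int c;                                      /* buffer full, no newline */
    while ((c = getc(in)) != EOF && c != '\n')
        ;
    buf[0] = '\0';
    return -2;
}

int main(void) {
    char line[REQ_MAX];
    int n;
    while ((n = read_request(stdin, line, sizeof line)) != -1) {
        if (n == -2)
            fprintf(stderr, "rejected: request too long\n");
        else
            printf("request (%d bytes): %s\n", n, line);
    }
    return 0;
}
```

Draining the rest of an oversized line matters as much as the bound itself: otherwise the tail of the rejected input would be read back as the next request.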

On successful entry, the worm sent in a small bootstrap (a "grappling hook"), then copied over the main binary — available both for VAX and Sun-3 — and ran it.

The Design Bug That Took Down the Network

Morris's intent, by all accounts, was a quiet experiment in measuring the size of the worm's spread. To prevent the worm from re-infecting hosts indefinitely, he added a check: ask the host whether a copy was already present, and exit if so. To keep researchers from neutralising the worm by lying about that check, he added an escape hatch — one in seven times, ignore the answer and infect anyway.

That fraction was far too high. Hosts ended up running dozens or hundreds of worm processes at once, exhausting CPU, memory, and the process table. Servers became unresponsive; the network effectively went down.
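
The effect of the one-in-seven rule can be seen in a small simulation. This is an added example, not the worm's code or anything from the original page: it models only the rule as described above (an arriving copy exits if a copy is present, unless it is one of the 1-in-N that ignore the answer). The function names, the seed, and the copy limit are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Reproducible PRNG for the simulation (classic LCG; not the worm's code). */
static uint32_t next_rand(uint32_t *state) {
    *state = *state * 1103515245u + 12345u;
    return (*state >> 16) & 0x7fffu;
}

/* One arrival on a host that already holds `copies` copies. A clean host
 * is infected. Otherwise the new copy exits, except that 1 in `denom`
 * arrivals ignore the "already present" answer and stay.
 * denom == 0 models a check that is always honoured. */
static unsigned arrive(unsigned copies, unsigned denom, uint32_t *rng) {
    if (copies == 0)
        return 1;
    if (denom != 0 && next_rand(rng) % denom == 0)
        return copies + 1;
    return copies;
}

/* Copies resident on one host after `arrivals` infection attempts. */
unsigned resident_copies(unsigned arrivals, unsigned denom, uint32_t seed) {
    unsigned copies = 0;
    for (unsigned i = 0; i < arrivals; i++)
        copies = arrive(copies, denom, &seed);
    return copies;
}

/* Arrivals needed to reach `limit` copies; 0 if not reached within `max`. */
unsigned arrivals_until(unsigned limit, unsigned denom, uint32_t seed,
                        unsigned max) {
    unsigned copies = 0;
    for (unsigned i = 1; i <= max; i++) {
        copies = arrive(copies, denom, &seed);
        if (copies >= limit)
            return i;
    }
    return 0;
}

int main(void) {
    const unsigned denoms[] = {0, 7, 70, 700};   /* constructed test values */
    for (unsigned i = 0; i < 4; i++)
        printf("1-in-%u: %u copies after 1000 arrivals\n", denoms[i],
               resident_copies(1000, denoms[i], 1988u));
    return 0;
}
```

With the check always honoured a host holds one copy however often it is probed; at 1-in-7 the count grows roughly linearly with the number of arrivals, which on a well-connected host is what exhausted the process table.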

The US General Accounting Office later estimated total damages of between US$10 million and US$100 million.

In July 1989, Morris was indicted under the Computer Fraud and Abuse Act (CFAA), passed only two years earlier — the first prosecution and the first conviction under that statute. In January 1990 a federal jury found him guilty. The sentence was three years' probation, a US$10,050 fine, and 400 hours of community service. The Second Circuit upheld the conviction in United States v. Morris, 928 F.2d 504 (2d Cir. 1991), establishing an early interpretation of the CFAA's "accessed without authorization" language that is still cited today.

Morris himself returned to academia, later co-founded the start-up Viaweb (acquired by Yahoo! for roughly US$49 million in 1998 to become Yahoo! Store), became a professor at MIT, and went on to co-found Y Combinator with Paul Graham.

The Birth of CERT/CC

Within days of the incident, in November 1988, DARPA tasked Carnegie Mellon University's Software Engineering Institute with standing up the CERT Coordination Center (CERT/CC) — a public clearinghouse that could collect and disseminate information across organisations during incidents of this kind. CERT/CC would go on to seed much of the modern security ecosystem: vulnerability advisories, the CVE numbering scheme (later operated by MITRE), and the constellation of national CSIRTs that exists today.

Without the Morris Worm, the profession we now call "incident response" would not look quite the way it does.

What It Left Behind

Technically, the worm delivered several lessons at once: (1) buffer overflows are real, practical attack vectors; (2) "debug" features should never ship enabled by default; (3) dictionary attacks against weak passwords must be defended against; (4) self-replicating code escapes its author's intent.

Socially, it shifted the Internet — irreversibly — from a network of cooperating researchers to an infrastructure in which malice also circulates. Before November 1988, almost none of the concepts that make up the contemporary security industry — firewalls, intrusion detection, security audit, CVE, the SOC — were considered necessary. After 2 November 1988, they were.

Any honest history of cybersecurity opens its first chapter on that night.
