The Morris Worm Pt. 2

In an attempt to halt the Morris worm’s path of destruction, a systems administrator at Harvard shut down the university router through which Andy Sudduth’s message would be sent to the internet.  The post didn’t go through until after it was too late.  In a tragic movie-twist, the fix that everybody needed was heard by no one, for precisely the reason they needed it in the first place.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 10 million downloads as of Aug. 2017.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Dr. Eugene Spafford

Full professor in Computer Sciences and Electrical and Computer Engineering at Purdue University

Eugene Howard Spafford (born 1956), commonly known as Spaf, is an American professor of computer science at Purdue University and a leading computer security expert.

A historically significant Internet figure, he is renowned for first analyzing the Morris Worm, one of the earliest computer worms, and his role in the Usenet backbone cabal. Spafford was a member of the President's Information Technology Advisory Committee 2003-2005, has been an advisor to the National Science Foundation (NSF), and serves as an advisor to over a dozen other government agencies and major corporations.

Episode transcript:

The Morris Worm Part 2


Twas the night before finals, and all through the lab

Not a student was sleeping, not even McNabb.

Their projects were finished, completed with care

In hopes that the grades would be easy (and fair).

The students were wired with caffeine in their veins

While visions of quals nearly drove them insane.

With piles of books and a brand new highlighter,

I had just settled down for another all-nighter —

When out from our gateways arose such a clatter,

I sprang from my desk to see what was the matter;

Away to the console I flew like a flash,

And logged in as root to fend off a crash.


Hi, I’m Ran Levi–welcome back to the Malicious Life podcast.  In the last episode of Malicious Life, I left you hanging. Robert Morris–creator of the Morris worm–had unintentionally wreaked destruction on a huge portion of the world’s computer infrastructure.  In a panic, he convinced a friend from Harvard’s computer science department, Andy Sudduth, to post an anonymous message online detailing how to kill the program. But, there was a problem.


In an attempt to halt the Morris worm’s path of destruction, a systems administrator at Harvard shut down the university router through which Andy Sudduth’s message would be sent to the internet.  The post didn’t go through until after it was too late. Really though, when you think about it, even if it had, those who most needed the information wouldn’t necessarily have even noticed the message because their computers were crashing.  In a tragic movie-twist, the Morris worm fix that everybody needed was heard by no one, for precisely the reason they needed it in the first place.


Now it was up to the nerds–those university students and teachers victim to the worm–to figure out a fix for themselves.  Not only that, but scientists couldn’t even effectively cross-reference their findings across geographical distances. The worm cut their lines.


Eugene Spafford: There was some communication. There was some email attempted back and forth. But the program preferentially got to the big servers because those were the best connected and those were the ones that slow down the most. So they weren’t able to connect the email or if the administrators of those machines recognized what was going on, they took them offline.


So some email was badly delayed, didn’t work very well. The community at the time, some of us knew each other outside of online email or Usenet newsgroups which was another mechanism of communication. But we didn’t really have phone numbers or fax numbers or other ways of communicating. So that was actually one of the lessons learned that came out of the incident and led to in part the creation of the CERT CC at the Software Engineering Institute. It was that we needed other means of communication. We need other trusted sources than just the network to network.


So teams at MIT, UC Berkeley, and other schools around the country worked day and night, fueled by caffeine and snacks, dug in at their computer labs.  Methodically, they would have to go through and analyze the Morris worm code, breaking down every nook and cranny, in order to break it.


Eugene Spafford: It was an interesting experience for me to go through and look at the code. There were some things I found. I found coding errors because I went through – I found issues such as the binaries that were included were intended for Berkeley Unix and only for – what was then Sun 3 [0:23:13] [Phonetic] architectures. We had a Sun 4 [Phonetic] in the lab that hadn’t been announced yet and whoever had written this hadn’t generated binaries for that or for the digital version of Unix as I recall.


Some of the algorithms terminated incorrectly. They were off by one error, so it was sloppy programming. A search on the table of network ideas that had already been done was a linear search for a large table and this showed me as well it’s someone who hadn’t really worked with large data sets or didn’t understand. It turns out later I found out that Mr. Morris, now Dr. Morris, had done his undergraduate at Harvard where they taught introductory courses in LISP, which is a list processing language. So the idea of using a binary search or a hash kind of search was not something that –


Interviewer: That he was exposed to, yeah.


Eugene Spafford: Yeah.


By noontime on November the 4th–only a day and a half after the Morris worm first got published to the internet–it had been solved.  The MIT and UC Berkeley researchers thoroughly disassembled its code and released their data. By the following week, the majority of infected computers nationwide were restored to normalcy.


Now that we’re done with that part of the story, an aside:


Amongst all of the Morris worm’s many, many victims, there was one server which, notably, survived its onslaught.  It was from the American Telephone and Telegraph Company’s

Bell Laboratories, or, as you know it today, AT&T.  So, what made the difference? It turns out, Robert Morris had worked summers at Bell Labs.  One of the projects he’d worked on for them involved rewriting the security software which handled communication between Unix systems.  In other words, the only person in the world who beat Robert Morris’ worm…was a younger Robert Morris.


The windows displayed on my brand new Sun-3,

Gave oodles of info — some in 3-D.

When what to my burning red eyes should appear

But dozens of “nobody” jobs. Oh dear!

With a blitzkrieg invasion, so virulent and firm,

I knew in a moment, it was Morris’s Worm!

More rapid than eagles his processes came,

And they forked and exec’ed and they copied by name:

“Now Dasher! Now Dancer! Now, Prancer and Vixen!

On Comet! On Cupid! On Donner and Blitzen!

To the sites in .rhosts and host.equiv

Now, dash away! dash away! dash away all!”


The end of the Morris worm wasn’t the end of its creator’s story.  Once the program was traced back to him, Morris was promptly served with a felony count, and a court date.  He may not have realized while being arraigned by authorities, that his indictment was actually good news. It’s a well-known strategy for prosecutors, to make an example out of an individual charged with a new sort of crime–one without precedent.  The attorney in charge of prosecution–later told the Washington Post that he very well could have charged Morris a separate felony for each of the thousands of computers his worm affected. He opted towards leniency.


What would you do, if you were deciding on Robert Morris’ trial?  Would you punish him, to dissuade future hackers from pulling similar stunts?  Would you be easy, since he’s still just a loner grad student?


Even the internet community didn’t know what to do with the kid.  A Cornell Commission report categorized the general consensus by saying “Sentiment among the computer science professional community appears to favor strong disciplinary measures for perpetrators of acts of this kind. Such disciplinary measures, however, should not be so stern as to damage permanently the perpetrator’s career.”  Some called for a full pardon. Others took it all much more personally.


Eugene Spafford: Oh, I think there was – some people were outraged. I think I was to some extent in part because the network community using systems up until that point was a relatively closed, like-minded community. It wasn’t open to the public at large. There was no commercial data on it. It wasn’t classified. There wasn’t a trade secret. There wasn’t any – there was nothing like an Amazon or eBay or anything like that.


It was all research-oriented and mailing lists and exchanging code and those of us who were maintaining systems freely exchange information about how to protect systems and what to look for. So this code that had been inserted that took down systems, took advantage of flaws, was almost taken personally because it was a small community that somebody had violated the trust. Somebody had violated our systems.


[. . .]


Eugene Spafford: At the time, I was not 100 percent sure that he should have been charged with the felony version although what he had done was clearly a very bad lapse of judgment and clearly did harm, although the numbers that I think the government came up with were inflated.


When deciding on what to do with Robert Morris, those presiding in court had much of the same basis for their decision as you have now: lots of technical mumbo jumbo and some conflicting accounts of the kind of man they were dealing with.


Most people took the view that Morris was just one of those classic computer recluses, who made an error in judgment.  The Cornell jurisdiction noted that “This appears to have been an uncharacteristic act for Morris to have committed, according to those who knew him well. In the past, particularly while an undergraduate at Harvard University, Morris appears to have been more concerned about protecting against abuse of computers rather than in violating computer security.”  This, from the same report that called Morris’ worm “selfish and inconsiderate,” and “a juvenile act.” Robert Morris Sr.–luckily for his son, an authority on the matter–characterized the affair as “the work of a bored graduate student.” The Prosecutor summoned both Andrew Sudduth and Paul Graham to testify about the event and the character of their colleague.


In contrast to the relatively innocent picture some painted of Robert Morris, there was evidence to premeditation and even malice that complicated matters.  As just one example, when investigators found a backup copy of the worm in Morris’ files, they also happened upon a good deal of comments and notes he’d written about it in the process.  It turns out, Morris hoped to use his worm to create a botnet. Especially in the early days of computers, the idea of one person setting up an army of computers to follow his every command must have seemed more than a bit creepy.


At trial, Morris admitted to being the worm’s creator and apologized for his actions.  He claimed his motivation, in the end, was just to gauge the size of the internet, not inflict any damage.  To a community beset by the destruction he caused, such a statement might have fallen on deaf ears, if not for one notable quality to his program: it wasn’t malware.


The Morris worm was designed to infiltrate computers without users’ knowledge–which is definitely some kind of malicious–but it didn’t delete or corrupt any data on those machines, nor attempt to steal information.  All the wreckage it caused was simply an unintentional effect.


In creating these episodes, I’ve actually sort of broken a rule of our podcast.  Is it still a Malicious Life episode if I’m talking about a computer program that wasn’t necessarily malicious?  It’s strange to think about a worm that might not really be considered malware. All the worms in recent history–those that came after, influenced by, perhaps a result of Morris’ work–are designed with specific malintent.  His, arguably, wasn’t. In the end, that’s what saved him.


And then in a twinkling, I heard on the phone,

The complaints of the users. (Thought I was alone!)

“The load is too high!” “I can’t read my files!”

“I can’t send my mail over miles and miles!”

I unplugged the net, and was turning around,

When the worm-ridden system went down with a bound.

I fretted. I frittered. I sweated. I wept.

Then finally I core dumped the worm in /tmp.

It was smart and pervasive, a right jolly old stealth,

And I laughed, when I saw it, in spite of myself.

A look at the dump of that invasive thread

Soon gave me to know we had nothing to dread.


There was one other thing that saved Robert Morris from a severe jail sentence: regardless of what you think of him or what he did, the Morris worm provided a huge public service to the computer community forever thereon.  It was, arguably, the father to cybersecurity as it exists today. Here’s Gene Spafford again, talking about the slow rise of antivirus security in the mid-to-late 80s:


Eugene Spafford: At that time, security was really dominated by cryptography and formal proofs of correctness. Those were really the two things that were being done by and large. Applying security and particularly the whole idea of smaller systems needing security hadn’t really been looked at much out in the general world, commercial world or otherwise.


Interviewer: Why is that? Why wasn’t security considered a field that should get the respect that we have for it today?


Eugene Spafford: Well, there were a number of reasons. Part of it was then in the ’60s, ’70s and ’80s, the computing landscape was largely dominated by mainframe computing and it was only large organizations that could afford those.


So they had their own internal mechanisms, their own auditors, their own sets of concerns and really up until the late ’70s, one of the concerns was correctness. So you had EDP auditors who would actually manually do many of the same calculations the computer did to make sure the computer was doing them correctly. They didn’t trust it entirely.


Interviewer: It’s like a boring job.


Eugene Spafford: There also was very little in the way of networks that people saw in the same way. The government agencies that used computers were primarily concerned with leakage across different classification levels on a system, not on a network. They had access control because they vetted everyone who came into the buildings.


So it’s a very different environment. During the ’70s, there had been work done on security architecture, security testing. But formal proofs had shown up that testing could never find all security vulnerabilities. So the government at the time had the attitude of we can allow zero opportunity for the misbehavior of our systems. Effectively abandoned all funding in that area, all attention and focus everything on formal methods.


That didn’t result in anything immediately for security. So the environment was one where there were some gaps as we began to see more portable desk side systems and then the personal computers arrive on the scene.


The Morris worm provided a blueprint to all future malicious actors: a case study proving that even a lone hacker with the right skills and motivation could do powerful things over the internet.  The many bad apples that followed thereafter can be, at least in some way, traced back to the precedent he set.


By that same logic, though, the good guys learned just as much: that their small community was no longer some sort of utopian ideal–that as the internet was to grow and diversify, such expansion would be both great and dangerous.


Eugene Spafford: Well, I think I saw two things that came about that were different. One is that those of us who are dealing with security started forming closed, vetted lists, to exchange information and that turned out to be difficult because we didn’t really have that much contact with all of the people out on the network and knowing who you trust and who not to was a real problem.


[. . .]


Eugene Spafford: So that was a change that people were beginning to get more aware of that and I also found that some of the people in government were now beginning to get interested in this and I was actually offered research funding for some of the things that three or four years before I have been told had no academic interest, had no government interest and what I had been doing as a hobby.


Before Robert Morris, the notion of cyber defense itself was, to many, just theoretical.  The Morris worm forced computer owners to think about how to protect themselves. Evidence to the point: just one month after the Morris worm affair, the U.S. Computer Emergency Response Team, or CERT, was formed.  Anyone working in the field of cybersecurity today can trace the lineage of their profession back to November 2nd, 1988.


Eventually, someone was going to come along and teach the world a lesson in cybersecurity.  Luckily we got Robert Morris, instead of someone with more evil intent.


Ultimately, Morris was convicted.  The recommended sentence was 15 to 21 months in jail.  The judge opted for no jail time: just three years’ probation, 400 hours of community service, and a $10,000 fine.


Following the Morris worm incident, Robert Morris went on to earn a doctorate degree, and co-found two startups–Viaweb, and Y-Combinator–with his friend and late-night confidant, Paul Graham.  Today he’s a professor at MIT–yes, the same MIT he falsely published the worm from, and the same MIT that had to work two days to fix his mess-up.


It appears that all has been forgiven.


The next day was slow with no network connections,

For we wanted no more of those pes ky infections.

But in spite of the news and the noise and the clatter,

Soon all became normal, as if naught were the matter.

Then later that month while all were away,

A virus came calling and then went away.

The system then told us, when we logged in one night:

“Happy Christmas to all! (You guys aren’t so bright.)”



Special thanks to Betty Cheng, professor of engineering at Michigan State University.  Betty and her friends were studying for final exams the day Morris took down their computer science department, so they decided–as a joke–to write a little poetry to pass the time.  We’re glad that the memory of all the studying they didn’t do that week lives on today. Who says computer nerds can’t be artists too?