November 2, 1988
At 6:00 PM EST, a self-replicating program was released from a machine at MIT — a deliberate misdirection, since its author, Robert Tappan Morris, was a first-year graduate student at Cornell. Within hours, thousands of Unix workstations across the United States were unresponsive. NASA, DARPA, universities, and military research labs were affected. It was the first large-scale internet worm ever deployed.
The internet in 1988 connected roughly 60,000 machines. The Morris Worm infected an estimated 6,000 of them — about 10% of the total. Recovery took days.
Four Exploit Vectors
The worm carried four separate attack methods and used whichever succeeded first:
1. sendmail DEBUG
The sendmail mail transfer agent shipped with a DEBUG command enabled, intended for testing. The worm used it to mail a shell command directly to the target, which sendmail then executed as root. A configuration intended for development had been left on in production systems.
2. fingerd Buffer Overflow
The fingerd daemon used gets() — a C function that reads input into a fixed-size buffer with no length check. The worm sent a carefully crafted 536-byte input to overflow the buffer, overwrite the return address on the stack, and redirect execution to shellcode embedded in the payload. This is now the textbook example of a stack buffer overflow.
#include <stdio.h>

/* fingerd vulnerability — simplified. Under inetd the connected socket is
   attached to stdin, so gets() reads straight from the network. */
void handle_request(int fd) {
    char buffer[512];
    (void)fd;       /* unused here: inetd has already wired the socket to stdin */
    gets(buffer);   /* no bounds check: writes past the end of buffer */
    /* the saved return address is overwritten; execution is redirected
       to the worm's shellcode */
}
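The fix for this class of bug is to let the buffer's capacity, not the sender, decide how many bytes are written. The following is an added example, not code from the original fingerd or from the worm: a bounded line reader that drains and discards anything beyond the buffer, with a pipe standing in for the network socket and a few sentinel bytes placed after the buffer (a stand-in for the saved return address) so the program can observe that the 536-byte request from the text never writes past the end. The request contents and the helper names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define REQ_MAX 512   /* same buffer size as the simplified fingerd snippet */

/* Read one newline-terminated line from fd into buf without ever writing
   past buf[buflen - 1]. Bytes beyond the capacity are read and discarded.
   Returns the number of bytes stored (excluding the NUL), or -1 on error. */
ssize_t read_request_bounded(int fd, char *buf, size_t buflen) {
    size_t n = 0;
    char c;
    if (buflen == 0) return -1;
    for (;;) {
        ssize_t r = read(fd, &c, 1);
        if (r < 0) return -1;
        if (r == 0 || c == '\n') break;     /* EOF or end of line */
        if (n < buflen - 1) buf[n++] = c;   /* store only while room remains */
        /* otherwise drop the byte: the bound, not the sender, decides */
    }
    buf[n] = '\0';
    return (ssize_t)n;
}

/* Buffer followed by sentinel bytes so we can observe whether anything
   was written past its end (a stand-in for the saved return address). */
struct request_frame {
    char buffer[REQ_MAX];
    char guard[8];
};

/* Feed a constructed request through a pipe (standing in for the socket)
   and return the stored length, -1 if the guard was clobbered, -2 on error. */
long run_request(const char *input, size_t input_len) {
    struct request_frame f;
    int fds[2];
    memset(f.guard, 'G', sizeof f.guard);
    if (pipe(fds) != 0) return -2;
    if (write(fds[1], input, input_len) != (ssize_t)input_len) {
        close(fds[0]);
        close(fds[1]);
        return -2;
    }
    close(fds[1]);
    ssize_t n = read_request_bounded(fds[0], f.buffer, sizeof f.buffer);
    close(fds[0]);
    if (n < 0) return -2;
    for (size_t i = 0; i < sizeof f.guard; i++)
        if (f.guard[i] != 'G') return -1;
    return (long)n;
}

/* The 536-byte oversized request mentioned in the text, built locally
   from filler bytes (constructed input, not the worm's payload). */
long demo_overlong_request(void) {
    char input[536 + 1];
    memset(input, 'A', 536);
    input[536] = '\n';
    return run_request(input, sizeof input);
}

int main(void) {
    printf("normal request: stored %ld bytes\n", run_request("rtm\n", 4));
    printf("536-byte request: stored %ld bytes, guard intact\n",
           demo_overlong_request());
    return 0;
}
```

Reading one byte per read() call is slow but keeps the bound check obvious; a production reader would buffer and still apply the same rule. The important property is that an oversized request yields a truncated, NUL-terminated string (511 bytes here) and leaves the memory after the buffer exactly as it was.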
3. rsh and .rhosts Trust
The r-commands (rsh, rlogin) allowed passwordless login between hosts listed in a user's .rhosts file. Once the worm had a foothold on one machine, it scanned the user's known hosts and attempted to spread laterally without credentials.
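The lesson for defenders is that .rhosts trust is transitive: the blast radius of one compromised host is the set of hosts reachable by following trust entries. The following added example (not code from the page or from any r-command implementation) parses the .rhosts files of a small constructed network of hypothetical hosts and walks the resulting trust graph to count how many hosts a foothold on each one would reach without credentials. It treats the first token of each line as a trusted host name and a lone `+` as the wildcard that trusts every host; the optional username column is ignored, which makes the count an upper bound.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HOSTS 8

/* Constructed sample network: hypothetical host names and the contents of
   each host's .rhosts file (all made up for this example). */
static const char *host_names[MAX_HOSTS] = { "alpha", "beta", "gamma", "delta" };
static const char *rhosts_files[MAX_HOSTS] = {
    "",                         /* alpha: trusts no other host */
    "alpha\n",                  /* beta: alpha may rsh in without a password */
    "beta rtm\n# comment\n",    /* gamma: user rtm from beta may rsh in */
    "+\n"                       /* delta: '+' wildcard trusts every host */
};
static const int n_hosts = 4;

/* trust[src][dst] == 1 means src can rsh into dst without credentials */
static int trust[MAX_HOSTS][MAX_HOSTS];

static int host_index(const char *name) {
    for (int i = 0; i < n_hosts; i++)
        if (strcmp(host_names[i], name) == 0) return i;
    return -1;
}

/* Parse one .rhosts file belonging to host dst: the first token of each
   non-comment line names a trusted host; a lone '+' trusts every host. */
static void parse_rhosts(int dst, const char *text) {
    char line[128];
    while (*text != '\0') {
        size_t len = strcspn(text, "\n");
        size_t copy = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, text, copy);
        line[copy] = '\0';
        text += len;
        if (*text == '\n') text++;

        char *tok = strtok(line, " \t");
        if (tok == NULL || tok[0] == '#') continue;
        if (strcmp(tok, "+") == 0) {
            for (int s = 0; s < n_hosts; s++)
                if (s != dst) trust[s][dst] = 1;
        } else {
            int s = host_index(tok);
            if (s >= 0 && s != dst) trust[s][dst] = 1;
        }
    }
}

static void build_trust_graph(void) {
    memset(trust, 0, sizeof trust);
    for (int d = 0; d < n_hosts; d++) parse_rhosts(d, rhosts_files[d]);
}

/* Breadth-first walk over trust edges from a compromised host; returns the
   number of other hosts reachable without credentials, or -1 if unknown. */
int reachable_from(const char *start) {
    build_trust_graph();
    int s = host_index(start);
    if (s < 0) return -1;
    int seen[MAX_HOSTS] = {0}, queue[MAX_HOSTS], head = 0, tail = 0, count = 0;
    seen[s] = 1;
    queue[tail++] = s;
    while (head < tail) {
        int cur = queue[head++];
        for (int d = 0; d < n_hosts; d++) {
            if (trust[cur][d] && !seen[d]) {
                seen[d] = 1;
                queue[tail++] = d;
                count++;
            }
        }
    }
    return count;
}

int main(void) {
    for (int i = 0; i < n_hosts; i++)
        printf("foothold on %-6s reaches %d other host(s)\n",
               host_names[i], reachable_from(host_names[i]));
    return 0;
}
```

In the sample, a foothold on alpha reaches beta, then gamma through beta, and delta from anywhere because of its wildcard entry: three hosts from a single compromise, none of which listed alpha directly except beta. Running this kind of walk over real .rhosts and hosts.equiv files, and flagging any `+` entry, is the audit that would have shown how far the worm could travel once it held one account.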
4. Password Cracking
The worm carried a list of 432 common passwords and attempted to crack local accounts by hashing guesses against the system's /etc/passwd file. Successfully cracked accounts were used as pivot points to spread further via rsh trust relationships.
The Replication Bug
Morris built in a supposed safeguard: if the worm encountered a machine already running a copy of itself, it would ask the existing process if it should exit. To prevent a defender from faking this response, he coded the worm to ignore the answer and run anyway — with a 1-in-7 probability. The logic was meant to allow rare reinfection to counter countermeasures.
In practice, the 1-in-7 rate meant that on active networks, machines quickly accumulated dozens of worm processes. The load caused systems to grind to a halt. The outage was not the intended effect — it was a miscalculation in the replication logic.
The Aftermath
Robert Morris was indicted under the Computer Fraud and Abuse Act — the first criminal prosecution under the CFAA. He was convicted in 1990 and sentenced to three years of probation, 400 hours of community service, and a $10,050 fine. No jail time.
The US government's response included the establishment of CERT — the Computer Emergency Response Team — at Carnegie Mellon University, funded by DARPA. It was the first institution dedicated to coordinating responses to computer security incidents.
“The security community owes a debt to the Morris Worm — not because of what it did, but because of what it forced us to build.”
Robert Morris later co-founded Viaweb (acquired by Yahoo in 1998 to become Yahoo Store) and went on to co-found Y Combinator. The floppy disk containing the original Morris Worm code is preserved in the Computer History Museum in Mountain View, California.