{"id":2531,"date":"2013-11-04T13:51:32","date_gmt":"2013-11-04T18:51:32","guid":{"rendered":"http:\/\/me-en.kaspersky.com\/blog\/?p=2531"},"modified":"2020-02-26T18:57:58","modified_gmt":"2020-02-26T14:57:58","slug":"morris-worm-turns-25","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/morris-worm-turns-25\/2531\/","title":{"rendered":"Morris Worm Turns 25"},"content":{"rendered":"<p>This weekend we had a memorable date. It marked 25 years since the publication of the first computer malware that was widespread enough to be featured in the news. The famous Morris Worm, written by a Cornell University student, infected about 10% of Internet-connected computers at the time. To be more specific, it infected about 6 out of every 60 thousand computers, which might sound ludicrously small today, but this \u201cprehistoric\u201d case is actually very important because it combined <a href=\"https:\/\/threatpost.com\/google-project-shield-to-protect-sensitive-sites-from-ddos-attacks\" target=\"_blank\" rel=\"noopener nofollow\">DDoS<\/a>, <a href=\"https:\/\/www.kaspersky.com\/blog\/exploit\/\" target=\"_blank\" rel=\"noopener nofollow\">exploits<\/a>, <a href=\"https:\/\/eugene.kaspersky.com\/2011\/11\/16\/rooting-out-rootkits\/\" target=\"_blank\" rel=\"noopener\">stealth technologies<\/a>, password brute-forcing and other techniques that are widely used in modern malware. 
Moreover, it ended with the first <a href=\"https:\/\/www.kaspersky.com\/blog\/october-top-cybercriminal-prosecutions-of-the-month\/\" target=\"_blank\" rel=\"noopener nofollow\">conviction<\/a> in the US under the 1986 Computer Fraud and Abuse Act.<\/p>\n<div id=\"attachment_3066\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2013\/11\/05110934\/morris-1.jpeg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-3066\" class=\"size-full wp-image-3066  \" alt=\"morris\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2013\/11\/05110934\/morris-1.jpeg\" width=\"640\" height=\"420\"><\/a><p id=\"caption-attachment-3066\" class=\"wp-caption-text\">Photo Credit: Intel Free Press<br>The floppy disk with the source code of the Morris worm is now kept in the Boston Museum of Science<\/p><\/div>\n<p style=\"text-align: left;\">Thanks to YouTube, we can watch how TV told this story back in 1986\u2026<\/p>\n<span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/G2i_6j55bS0?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span>\n<p>\u2026And now we can tell this story from a security standpoint.<\/p>\n<p>A Cornell University student named Robert Tappan Morris decided \u201cto gauge the size of the Internet.\u201d To accomplish this task, he wrote a fairly complicated program that was able to replicate itself over the network and resist third-party attempts to stop it. 
This functionality matches the <a href=\"https:\/\/www.kaspersky.com\/blog\/a-malware-classification\/\" target=\"_blank\" rel=\"noopener nofollow\">definition of a computer worm<\/a> exactly, hence its name. The Morris Worm wasn\u2019t developed to cause any harm; however, a programming mistake led to multiple infections of a single computer, causing the server to become overloaded and non-responsive. Sounds like DDoS, doesn\u2019t it?<\/p>\n<p>To spread itself over the Internet, the worm used the same technique as its modern great-grandchildren: exploiting vulnerabilities. In the case of the Morris Worm, three different vulnerabilities were exploited. Bugs in the Finger and Sendmail implementations on popular Unix-based systems allowed remote code execution. If that tactic was not successful, the worm tried to use rsh (remote shell), typically used for remote administration. A login and password are required to use rsh, so the Morris Worm brute-forced them. An impressively high success rate was achieved using only a small dictionary of 400 words, plus some obvious options like passwords identical to usernames or consisting of the same letters in reverse order. It\u2019s still not obvious to many people today that <a href=\"https:\/\/www.kaspersky.com\/blog\/21st-century-passwords\/\" target=\"_blank\" rel=\"noopener nofollow\">strong passwords are essential<\/a>, so 25 years ago even system administrators were unaware of this.<\/p>\n<p>Upon successful penetration of a computer, the worm changed its process name, deleted temporary files and took some other measures to avoid detection, e.g. encrypting its data in memory. One of its first actions upon launch was to check whether the computer was already infected. When another copy was discovered, the two copies \u201crolled the dice\u201d to decide which one should self-destruct. 
Maybe it was Morris\u2019 mistake, or maybe it was a measure to counteract easy \u201cvaccination\u201d; nevertheless, one of seven copies eventually stopped playing the \u201csurvival game\u201d and continued its operation regardless of other copies. It was this decision that led to the DDoS effect. The coefficient of 1\/7 turned out to be excessively high, and many computers became infected dozens of times.<\/p>\n<p>Despite not being ready for a worm, both technically and conceptually, system administrators across the USA acted quickly. Two working groups were established at MIT and UC Berkeley, and it took only two days to find and fix the vulnerabilities used by the worm and to disassemble the worm itself. In general, it was the end of the worm. However, the cost of infection removal was estimated to be between $100 thousand and $10 million.<\/p>\n<p>Quite interestingly, Morris\u2019 effort to remain anonymous was successful. The person who changed that was actually his father, Robert Morris, UNIX OS co-author and chief scientist at NSA\u2019s National Computer Security Center. He convinced his son to confess. The court took this into account, and the sentence for Morris junior was a soft 3 years of probation, a $10 thousand fine and 400 hours of community service. This lesson turned out to be useful for Morris. He became a respected member of the computer society. Among his achievements are the creation of one of the first e-commerce platforms, Viaweb (later sold to Yahoo and rebranded as Yahoo Store), the creation of the startup fund Y Combinator, participation in the development of new programming languages, and a PhD earned at MIT.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This weekend we had a memorable date. It marked 25 years since the publication of the first computer malware that was widespread enough to be featured in the news. 
The<\/p>\n","protected":false},"author":32,"featured_media":2532,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486],"tags":[36,471],"class_list":{"0":"post-2531","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-malware-2","9":"tag-worm"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/morris-worm-turns-25\/2531\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/morris-worm-turns-25\/2642\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/morris-worm-turns-25\/2828\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/morris-worm-turns-25\/2641\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/morris-worm-turns-25\/3065\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/morris-worm-turns-25\/1950\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/morris-worm-turns-25\/3065\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/morris-worm-turns-25\/3065\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/malware-2\/","name":"malware"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2531","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=2531"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2531\/revisions"}],"predecessor-version":[{"id":15653,"href":"https:\/\/me-en.k
aspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2531\/revisions\/15653"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/2532"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=2531"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=2531"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=2531"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}