Saturday, January 19, 2008
The Birth of Incident Response: The Story of the First Internet Worm
Robert Tappan Morris was the first person convicted by a jury under the Computer Fraud and Abuse Act of 1986. The story of the worm he created and what happened to him after it was released is a tale of mistakes, infamy, and ultimately the financial and professional success of its author. Morris was a 23-year-old graduate student at Cornell University in 1988 when he wrote the first Internet worm in 99 lines of C code. According to him, his worm was an experiment to gain access to as many machines as possible. Morris designed the worm to detect the existence of other copies of itself on infected machines and not reinfect those machines. Although he didn t appear to create the worm to be malicious by destroying files or damaging systems, according to comments in his source code he did design it to break-in to systems and steal passwords. Morris worm worked by exploiting holes in the debug mode of the Unix sendmail program and in the finger daemon fingerd . On November 2, 1988, Morris released his worm from MIT to disguise the fact that the author was a Cornell student. Unfortunately for Morris, his worm had a bug and the part that was supposed to not reinfect machines that already harbored the worm didnâ™t work. So systems quickly became infested with dozens of copies of the worm, each trying to break into accounts and replicate more worms. With no free processor cycles, infected systems soon crashed or became completely unresponsive. Rebooting infected systems didnâ™t help. Killing the worm processes by hand was futile because they just kept multiplying. The only solution was to disconnect the systems from the Internet and try to figure out how the worm worked. Programmers at the University of Berkeley, MIT, and Purdue were actively disassembling copies of the worm. Meanwhile, once he realized the worm was out of control, Morris enlisted the help of a friend at Harvard to stop the contagion. Within a day, the Berkeley and Purdue teams had developed and distributed procedures to slow down the spread of the worm. Also, Morris and his friend sent an anonymous message from Harvard describing how to kill the worm and patch vulnerable systems. Of course, few were able to get the information from either the universities or Morris because they were disconnected from the Internet. Eventually the word got out and the systems came back online. Within a few days things were mostly back to normal. It is estimated that the Morris worm infected more than 6,000 computers, which in 1988 represented one-tenth of the Internet. Although none of the infected systems were actually damaged and no data was lost, the costs in system downtime and man-hours were estimated at $15 million. Victims of the worm included computers at NASA, some military facilities, several major universities, and medical research facilities. Writing a buggy worm and releasing it was Morris second mistake. His first mistake was talking about his worm for months before he released it. The police found him without much effort, especially after he was named in the New York Times as the author. The fact that his worm had gained unauthorized access to computers of federal interest sealed his fate, and in 1990 he was convicted of violating the Computer Fraud and Abuse Act (Title 18). He was sentenced to three years probation, 400 hours of community service, a fine of $10,500, and the costs of his supervision. Ironically, Morris father, Robert Morris Sr., was a computer security expert with the National Security Agency at the time. As a direct result of the Morris worm, the CERT Coordination Center (CERT/CC) was established by the Defense Advanced Research Projects Agency (DARPA) in November 1988 to prevent and respond to such incidents in the future . The CERT/CC is now a major reporting center for Internet security problems. After the incident, Morris was suspended from Cornell for acting irresponsibly according to a university board of inquiry. Later, Morris would obtain his Ph.D. from Harvard University for his work on modeling and controlling networks with large numbers of competing connections. In 1995, Morris co-founded a startup called Viaweb with fellow Harvard Ph.D. Paul Graham. Viaweb was a web-based program that allowed users to build stores online. Interestingly, they wrote their code primarily in Lisp, an artificial intelligence language most commonly used at universities. Viaweb was a success, and in 1998, ten years after Morris released his infamous worm, Viaweb was bought by Yahoo! for $49 million. You can still see the application Morris and Graham developed in action as Yahoo! Shopping. Robert Morris is currently an assistant professor at MIT (apparently they forgave him for launching his worm from their network) and a member of their Laboratory of Computer Science in the Parallel and Distributed Operating Systems group. He teaches a course on Operating System Engineering and has published numerous papers on advanced concepts in computer networking. _____________________________________________________ Marc R. Menninger is a Certified Information Systems Security Professional (CISSP) and is the founder and site administrator for the OpenCSOProject, a knowledge base for security professionals. To download security policies, articles and presentations, click here: Security Officer Forums .