The What, Why, and How of the 1988 Internet Worm

There may be a virus loose on the internet.
Andy Sudduth of Harvard, 34 minutes after midnight, Nov. 3, 1988

The above may be the computer understatement of the year. As of the time that Sudduth posted his message, the internet was coming apart. VAX and Sun machines across the country were being overloaded by invisible tasks, preventing users from being able to use the machines effectively, if at all, and eventually forcing system administrators to cut off many of their machines from the internet entirely in an attempt to cut off the source of infection. The culprit of all this chaos is a small (99 line, not including object files) program written by Robert Tappan Morris who was, at the time, a 23 year old doctoral student at Cornell University. This code, or this type of code, has since been given then name, worm.

There has been a great deal of discussion as to whether or not the name "worm" is appropriate. Many still refer to the program which paralyzed the internet in late 1988 as a virus. However, there is a major difference between the average viral program, and the program in question, and for this reason, we will use the term "worm" to describe programs of the type in question, capitalizing when describing the specific Internet Worm launched in November of 1988.

The primary difference between worms and other illicit computer programs (often referred to as viruses) is the method of operation the programs use in order to reproduce and spread. When a standard computer virus enters a computer (almost always via an infected disk) it alters a system file, or some other convenient file which is likely to be used sometime in the near future. The alteration to this file usually is the addition of commands that will activate the virus wherever it is on the computer. The virus will then perform its nefarious deeds. The first major distinction here, at least in comparison with worms, is that, until the user (inadvertently) activates the virus, the virus is dormant on the computer. Moreover, until the altered file is called, the virus is unable to do any activity. The second distinction here is that a virus needs to be carried from one computer to another via shared diskettes. If the owner of a computer is careful to use only disks that they know are safe, the chance of viral infection is virtually nil.

A worm, on the other hand, is far more powerful. When a worm gains access to a computer (usually by breaking into it over the internet) it launches a program which searches for other internet locations, infecting them if it can. At no time does the worm need user assistance (accidental or not) in order to operate its programming. Moreover, the worm travels over the internet, so all machines attached to an infected machine are at risk of attack. Considering the connectivity of the internet on the whole, this includes a huge number computers whose only defense is the sealing of the security gaps which the worm uses to enter. Secondly, worms can spread with no assistance (as opposed to viruses which must literally be carried from one machine to another). Once the worm discovers an internet connection, all that it must do is download a copy of itself to that location, and continue running as normal.

Now it has been 7 years since the Worm was defeated, but it is still worth looking at what happened, both in terms of how the program operated, and as to what conditions allowed it to do what it did. With that in mind, there are a number of subtopics of interest.

Written by Charles Schmidt and Tom Darby

If you have any questions or comments, feel free to send e-mail to:

alm_schmidtc@carleton.edu, or alm_darbyt@carleton.edu

Notice: The Morris Internet Worm is now available for download in .zip format! If you wish to create a mirror site of The Morris Internet Worm, please request permission first by e-mailing Tom Darby with your name, occupation, reason for creating mirror site, and proposed URL for mirror site. Educators: This material is free for educational use. The authors have made a great effort to ensure that the information contained in this site is accurate and up to date; however, we're human, and there may be errors in this site. Should you find an error, please e-mail Tom Darby with the details of the error.
Revised 8/98