An illustration of a long red worm running through three different computer screens.

The ‘Morris Worm’: A Notorious Chapter of the Internet’s Infancy

Stories You May Like

Look Back: How Two Cornellians Cracked the ‘Small World’ Problem

From Corks to Corey to the Cosmos: The Hill’s Most ‘Legendary’ Courses

With Cornell’s ‘Solar Noon’ Clock, Bill Nye ’77 Aims to Leave a Legacy

In an experiment gone awry, 35 years ago a grad student in computer science inadvertently crashed 10% of online machines

By Lindsay Lennon

In today’s vast online landscape, a celebrity or influencer can only hope to metaphorically “break the Internet.” But 35 years ago this month, a Cornell grad student did just that.

On November 2, 1988—a year before the invention of the World Wide Web—just 60,000 computers in fewer than 20 countries were connected to the Internet, a then-novel and exclusive network used by universities, research centers, and government bodies.

A computer disk in a clear display case in a museum with an explanatory sign reading "The Morris Internet worm source code"
A disk containing the 99-line "Morris Worm" source code used to be on display at the Computer History Museum. (Wikimedia Commons)

Suddenly, over the course of a chaotic 24 hours, about 6,000 of those Internet-connected machines screeched to a dramatic halt. In an experiment gone haywire, a “worm” had been unleashed on the fledgling network—launching what’s now considered the first major cyberattack in U.S. history.

(A worm—unlike a virus—can replicate and spread on its own, without human intervention.)

“The worm did not damage or destroy files, but it still packed a punch,” says an FBI case study of the event, noting that Harvard, Stanford, Johns Hopkins, and NASA were among the victims. “Vital military and university functions slowed to a crawl. Emails were delayed for days.”

While the worm was initially thought to have spread from a computer at MIT, an FBI investigation revealed that Robert Tappan Morris, then a grad student in computer science (CS) on the Hill, was the mastermind—and that the worm had originated from his Cornell machine.

According to the FBI, the worm sought out computers running a particular version of the UNIX operating system and spread rapidly by exploiting security flaws known by Morris and other skilled programmers.

Vital military and university functions slowed to a crawl. Emails were delayed for days.

The FBI

Fred Schneider ’75, a longtime CS professor on the Hill and a leading expert in cybersecurity, was a new faculty member when the incident (which would become known as the “Morris Worm”) occurred.

“Although there had been papers written about the possibility of doing this, nobody had put it into practice,” Schneider recalls. “People probably didn’t believe that our systems were such a monoculture that so many would fall for the same kind of attack—but they did.”

As a result, the FBI notes, some institutions scrapped and replaced their systems, while others went offline for up to a week. Damages were difficult to calculate, but were then estimated as high as several million dollars.

Stories You May Like

Look Back: How Two Cornellians Cracked the ‘Small World’ Problem

From Corks to Corey to the Cosmos: The Hill’s Most ‘Legendary’ Courses

Morris became the first person to be criminally convicted under the Computer Fraud and Abuse Act, passed by Congress two years prior to the worm attack.

While he was spared prison time, he was sentenced to three years’ probation, 400 hours of community service, and more than $10,000 in fines.

The worm incident was so pivotal that, in its November 5, 1988 coverage, the New York Times used the term “the Internet” in print for the first time—describing it as “systems linked through an international group of computer communications networks.”

A portrait of Fred B. Schneider from Cornell University wearing a brown sweater and blue collared shirt underneath.
Fred Schneider ’75. (Lindsay France / Cornell University)

In the article, experts expressed fear that the attack would encourage copycats—as well as dismay over the computing community’s nonchalant sharing of code that was bound to wreak havoc if it fell into the wrong hands.

As the 1995 book Cyberpunk: Outlaws and Hackers on the Computer Frontier observes: “By releasing a program that crippled several thousand computers in a matter of hours, [Morris] permanently altered the course of his life and confirmed everyone’s worst fears about what hackers could do. The event marked a turning point: the private world of computer networks was suddenly of concern to the general public.”

Morris, whose father was a top cybersecurity expert with the NSA and Bell Labs, reportedly felt deep remorse about the worm, telling investigators and fellow scientists he didn’t mean for it to spread as it did.

(In fact, as the FBI case study notes, Morris “asked one friend to relay an anonymous message across the Internet on his behalf, with a brief apology and guidance for removing the program. Ironically, few received the message in time because the network had been so damaged by the worm.”)

He permanently altered the course of his life and confirmed everyone’s worst fears about what hackers could do.

Cyberpunk: Outlaws and Hackers on the Computer Frontier, 1995

The worm incident occurred just two months after Morris arrived on the Hill, ultimately leading to his expulsion. The decision didn’t come without debate, notes Schneider, since he was clearly a gifted programmer with major potential.

An undergrad alum of Harvard, Morris (who didn’t respond to emails requesting an interview for this story) eventually returned to his alma mater for his PhD, according to his faculty profile at MIT, where he has taught since the mid-2000s.

In 1995, he and two colleagues created Viaweb, an e-commerce platform largely regarded as the very first web application. Three years later, Yahoo! acquired it for nearly $50 million.

Top: Illustration by Caitlin Cook / Cornell University.

Published November 16, 2023

Comments

  1. Tim Lynch, Class of 1990
    29 Nov, 2023

    One of the friends I shared an apartment with that semester, while a communications major, did tons of work with Cornell Computing Services, and in fact stayed in Ithaca to work for them for several years after graduation. He walked into the apartment after the news broke about this worm, grumbled loudly, and said something along the lines of, “It had to be a f***ing Cornellian…”

    Reply
  2. Kenneth Fields, Class of 1967
    5 Dec, 2023

    At the time this occurred I was working at the Software Engineering Institute at Carnegie Mellon University, a DARPA funded computer software research and development center (on the administrative side, not a technical position.) What today is the “Internet” was then still a government funded network primarily of universities and government organizations. The technical staff at the SEI was heavily involved in responding to the worm and very quickly led to the the Department of Defense creating the first Computer Emergency Response Team (“CERT”) specifically to deal with such incidents in the future. Today such teams are common to deal with internet hacks.

    Reply
  3. Louis W Miller, Class of 1957
    29 Oct, 2024

    At the time, I was at the RAND Corporation in Santa Monica, which had a DEC 20 on the network. Jim Guyton, our systems person was up at 3:00 AM and saw the worm coming. Because of Jim, RAND was not affected.

    Reply

Leave a Comment

Once your comment is approved, your email address will not be published. Required fields are marked *

Other stories You may like