The Washington PostDemocracy Dies in Darkness

How a grad student trying to build the first botnet brought the Internet to its knees

Robert Morris (Photo by <a href="">Intel Free Press</a> )

On November 3, 1988, 25 years ago this Sunday, people woke up to find the Internet had changed forever. The night before, someone had released a malevolent computer program on the fledgling computer network. By morning, thousands of computers had become clogged with numerous copies of a computer "worm," a program that spread from computer to computer much like a biological infection.

It took days of effort by hundreds of systems administrators to clean up the mess, and the Internet community spent weeks analyzing what had happened and how to make sure it didn't happen again. A graduate student named Robert Morris was unmasked as the culprit behind the worm. A brilliant loner, he seemed to be motivated more by intellectual curiosity than malice. That didn't save him from becoming one of the first people prosecuted and convicted under an anti-hacking statute that Congress had passed a few years earlier.

But the most significant effect of the worm was how it permanently changed the culture of the Internet. Before Morris unleashed his worm, the Internet was like a small town where people thought little of leaving their doors unlocked. Internet security was seen as a mostly theoretical problem, and software vendors treated security flaws as a low priority.

The Morris Worm destroyed that complacency. It forced software vendors to take security flaws in their products seriously. It invigorated the field of computer security, creating a demand for such experts in both academia and industry. Today, the Internet is infested with malware that works a lot like the software Morris set out to build a quarter-century ago. And the community of Internet security professionals who fight these infections can trace the roots of their profession back to the events of November 1988.

Morris has gone on to a brilliant career as an entrepreneur, computer scientist, and investor. And the man who prosecuted him, Mark Rasch, now says that he would support pardoning him.

Wednesday: A late night phone call

Andrew Sudduth was best known as a world-class rower. In 1984, he was part of an American team that won a silver medal in that summer's Olympic games. But he was also a talented computer hacker. In the fall of 1988, he worked on the technical staff of Harvard University's Aiken Computational Laboratory.

Sudduth had gotten to know Robert Morris while Morris was an undergraduate at Harvard. Morris had graduated from Harvard and began graduate studies at Cornell University in fall 1988. Around 11 p.m. on Wednesday, Nov. 2, Sudduth was talking with Paul Graham, another Aiken Lab staffer and a friend of Morris, when Morris called. (The account that follows is drawn from Sudduth's testimony to a Cornell commission. Sudduth died in 2006, and Graham declined to be interviewed for this story.)

Graham answered the phone. After the call, Graham reportedly told Sudduth that Morris had admitted releasing a worm that was then spreading across the Internet. Half an hour later, Morris called again. This time Sudduth answered the call, and Morris suggested steps that Harvard administrators could take to protect their computers from the worm.

An increasingly panicked Morris called a third time, around 2:30 a.m. According to Sudduth, Morris "seemed preoccupied and appeared to believe that he had made a 'colossal' mistake." Morris asked Sudduth to post an anonymous message on his behalf apologizing for the incident and explaining how to update computers to immunize them against the worm's spread.

Sudduth complied with Morris's request an hour later, posting an anonymous message on the Usenet bulletin board system at 3:34 a.m., Thursday, Nov 3. "There may be a virus loose on the Internet," the message said. "Here is the gist of a message I got: I'm sorry." The message then explained how to prevent the worm from spreading further.

Unfortunately, Sudduth's message wasn't noticed until Saturday, long after it could do any good.

Thursday: Cleaning up the mess

Eugene Spafford woke up early that morning, made himself a cup of coffee and sat down at his home computer to check his e-mail. In 1988, most people had never even heard of the Internet or e-mail. But Spafford, an assistant professor of computer science at Purdue, was used to getting a steady stream of e-mails from friends and colleagues at research institutions across the country.

So when he dialed into his workstation on the Purdue campus, he was surprised to discover that he hadn't received any e-mail since he logged on the night before. He tried to log into the mail server to figure out what the problem might be, but the server was too overloaded to respond.

Spafford got dressed and drove to campus to investigate the problem. He discovered that "there were a lot of processes running in the background that shouldn't have been there" on the mail server. And he soon learned that the same mysterious malady had struck machines not only across Purdue's campus but also across the country.

The professor quickly assembled a team of about eight people, who began analyzing the worm to figure out how to stop it. By the end of the day, they had mostly finished dissecting the program to understand how it worked and had issued a recommendation on how to halt its spread.

Similar efforts were underway at other universities. Some of the first people to notice the attack were students at the University of California, Berkeley. Because they were on the West Coast, it was early Wednesday evening when the worm began attacking their systems. A group of undergraduates returned from dinner to discover that an automated program had been repeatedly trying to log into a Berkeley computer. They alerted members of the Berkeley IT staff, some of whom worked late into the night to diagnose the problem.

Coincidentally, the annual Berkeley Unix Workshop was scheduled to start on Thursday morning. The worm targeted machines running the Unix operating system, so some people skipped the formal conference proceedings and joined the worm-analysis effort. By the end of the day on Thursday, the Berkeley team also understood the program well enough to make recommendations on how to stop it.

Then they ordered calzones for dinner and hunkered down for another all-nighter, as they prepared to take the worm apart bit by bit. The Berkeley hackers wanted to understand how the worm worked so they could verify that it hadn't done any permanent damage to the computers it had already infected and that it didn't have any more nasty surprises in store for computers that hadn't been cleaned up yet. By Friday afternoon, researchers had finished dissecting the worm, and they presented their findings at a closing session of the Unix workshop.

Spafford emerged as a clearinghouse for information flowing among his own group, forensic teams at Berkeley, the Massachusetts Institute of Technology, the University of Utah and harried administrators across the country. By the end of the day, he had created a mailing list dedicated to the worm. He was also one of several people to write an in-depth analysis of the worm in the following weeks.

Friday: "We don't have a medical school"

The worm began to attract intense, and predictably clueless, media attention. For many reporters, the incident was the first time they had heard of either the Internet or malware.

"There were some mainstream outlets with National Enquirer-type headlines of invasions of hackers or whatever," Spafford says.

By Friday morning, there were so many reporters calling MIT about the worm that the school held a press conference. "The media was uniformly disappointed that the virus did nothing even remotely visual," recalled Mark Eichin and Jon Rochlis, two MIT researchers who helped to dissect the worm. "Several also seemed pained that we weren't moments away from World War III."

"I got one call from a newspaper in Southern Indiana," Spafford says. "The reporter asked me, in all earnestness, 'Do our readers need to worry about catching this virus?'"

"Gosh, I don't know," Spafford deadpanned in response. "We don't have a medical school. You ought to call the folks at Indiana University."

But the press did fill in one important piece of the puzzle. On Saturday morning, the New York Times broke the news that Robert Morris Jr., a 23-year-old computer science graduate student at Cornell, had created the worm.

Morris, reported Times reporter John Markoff, was the "brilliant" son of Robert Morris Sr., "one of the Government's most respected computer security experts." The elder Morris told Markoff that the worm was "the work of a bored graduate student."

A Cornell report would find that at Harvard, "Morris was the kind of student who was bright but bored by routine homework, and often devoted his main energies elsewhere. He apparently continued this pattern at Cornell," where he "seemed to prefer to work alone" and "spent many hours programming at the computer." His Cornell peers said Morris didn't develop many friends in the two months between his arrival on campus and the release of the worm. Of course, this combination of traits was hardly unusual among computer science graduate students.

Anatomy of a worm

A worm is a computer program that spreads from computer to computer by exploiting security vulnerabilities in target machines. Once released, it operates without human assistance or control, scanning the Internet for new hosts to infect, attacking them and then launching a new copy of the software on the new host. While experimental worms had been developed in the past, Morris's worm spread much further and faster than any previous worm.

Forensic evidence would reveal that Morris started using Cornell computers to develop the worm around Oct. 15, 1988. The worm used several attacks to spread from computer to computer. One attack exploited a common Internet service known as "finger," which was installed on most Unix machines.

Another attack took advantage of the fact that many users chose easy-to-guess passwords, such as their username spelled backwards or a common term from the dictionary. The worm obtained a computer's password file, which contained encrypted copies of every user's password. It then systematically guessed passwords using a dictionary of common words. If it discovered a user's password, it attempted to use that user's credentials to access other servers where that same user had an account.

On Oct. 20, Morris made the 300-mile trek to visit friends at Harvard, staying for two days. Upon his return, Morris added code to exploit a third security vulnerability. The code targeted a flaw in "sendmail," a ubiquitous utility that, as its name suggests, was used to send e-mail. It seems likely that Morris learned about this vulnerability during his Harvard trip. Graham, the Harvard friend Morris would call the night he released the worm, e-mailed Morris on Oct. 26 to ask, "any news on the brilliant project?"

An early version of the worm recovered from an automatic backup of Morris's Cornell files included extensive comments describing Morris's vision for the project. Those comments suggest that Morris had even more ambitious goals than he eventually achieved. Morris didn't just want to create a worm that would silently replicate itself across the Internet. He hoped to build what we would now call a botnet: a network of thousands of computers coordinating with one another and available to carry out further instructions at the direction of their master.

The worm, he wrote in comments on an early version of the worm, will need to "decide what to break into next" and will need "methods of breaking into other systems." He also wanted "some way for ME to send out commands, protected by an encoded password."

Morris wanted to avoid infecting the same machine multiple times, which could slow infected machines down and draw unwanted attention. But the most obvious way to do that — have an infected machine publicly signal its infected status to other copies of the worm — could itself aid efforts to detect and eradicate the worm. To solve this dilemma, Morris thought he would need to build a "global database" of infected computers. However, he admitted, doing that could prove "really hard."

By the time he released the worm two weeks later, he had only made small steps toward implementing these ideas. He never created a command-and-control system that would have allowed him to send instructions to infected machines. The worms did have code designed to send a homing beacon to a particular computer at Berkeley, which could have been part of a planned command-and-control system. But, thanks to a programming error, even that subroutine didn't work.

Morris did implement a mechanism designed to prevent multiple copies of the worm from running on the same computer. If two worms found themselves on the same machine, they would flip a virtual coin, and then the losing copy of the worm would commit electronic seppuku.

But Morris modified this scheme in a way that made it ineffective. One time out of seven, selected at random, the losing worm would make itself immortal rather than committing suicide. "This was probably done to defeat any attempt to put a fake worm process on the TCP port to kill existing worms," Spafford wrote in his worm postmortem. But the move also undermined the original purpose of the self-destruct scheme: preventing multiple worms from infecting the same computer. As a result, on the morning of Nov. 3 the population of worms grew exponentially until computers' resources were exhausted from running so many copies.

Morris also took numerous precautions to make it more difficult to detect and remove copies of the worm. For example, as soon as a worm infected a new machine, it would encrypt the files it used to carry out the infection and remove references to them from the file system. It would also periodically kill and respawn itself so that it wouldn't show up in lists of long-running processes.

Morris, Spafford concluded, "may have been a moderately experienced Unix programmer, but he was by no means the 'Unix wizard' many have been claiming." Creating the worm required considerable effort, and a non-trivial amount of skill. Yet Morris made a number of rookie mistakes. "The worm could have been much more virulent had the author been more experienced or less rushed in his coding," Spafford wrote.

The Internet loses its innocence

Morris's worm rocked the young Internet, which had fewer than 100,000 computers on it at the time. "It was largely a North American network," Spafford says. "The majority of people had some tie to computation for their jobs. I wouldn't say that we trusted each other, but there was more a community sense of caring for the stability and appropriate use of the computing systems."

Network administrators in 1988 took few precautions against online attacks. "There was no such thing as a firewall back then," Spafford says. "You didn't have people who were vandals or anarchists or criminals as much. There were many public servers because universities shared a lot of their data and resources."

Shock over the worm provided a boost to Spafford's field of computer security. Before the worm, "I had no funding agency or academic interest in security mechanisms or the kind of things that I was interested in doing," Spafford says. Afterward, "work began on a number of different security programs. Intrusion detection and malware detection both kind of took off."

It would be another decade before the Internet was attacked by new malware infections serious enough to again attract widespread public attention. And by then, the network had changed radically. It had millions of users, rather than thousands, and the average technical sophistication of these users was much lower.

Unlike the Morris worm, the most significant malware outbreaks of the dot-com era -- including "Melissa," "ILOVEYOU" and "SirCam" -- worked by tricking gullible users into clicking on executable files sent to them as e-mail attachments. Once activated by a user, these programs sent copies of themselves to people in the victim's Outlook address book.

But starting in 2001, the Internet saw a rash of potent malware infections that, like Morris's creation (and unlike most of the Outlook-based malware) could spread from computer to computer without human assistance. The Code Red worm exploited vulnerabilities in Microsoft's IIS Web server. Other high-profile worms included Slammer and Blaster, both of which appeared online in 2003.

In the last decade, malware authors have finally achieved something like Morris's original, unrealized vision of using a worm to create a vast network of computers operating under the control of the malware's author. Consider the Conficker worm, which first appeared online in 2008 and has infected millions of Windows computers. Despite Microsoft's best efforts to eradicate it, the worm is still active today, its spread aided by the use of old, pirated copies of Windows in the developing world.

Conficker doesn't just mindlessly copy itself across the Internet. Once it infects a computer, it opens a channel to the worm's creator and awaits further instructions. Such a network of zombie computers, known as a "botnet," has become an important part of the Internet's underground economy. Today, there are many such botnets available for rental. Unscrupulous individuals use them to send spam e-mail messages, overwhelm Web sites with traffic, or perform other nefarious tasks.

Morris stands trial

As far as we can tell, Morris has never spoken to the press about the incident that made him famous. True to form, he didn't respond to our requests for an interview. But there's a broad consensus that that he didn't have the kind of malicious intentions that many modern worm authors do. His primary motive appears to have been intellectual curiosity, not a desire for profit or destruction. Morris could have had his worm destroy files or steal secrets on the machines it infected, but it did nothing of the sort.

But this apparent lack of ill intent didn't save Morris from prosecution under the Computer Fraud and Abuse Act, which Congress passed in 1986.  The attorney who prosecuted the case, Mark Rasch, says he and his colleagues at the Department of Justice carefully considered whether to charge Morris with a felony or a misdemeanor.

"We didn't believe that Morris intended to cause harm or damage," Rasch says. In his view, Morris was "motivated mainly by curiosity and by a desire to show that he could do it."

On the other hand, the Justice Department worried that "if the government treated this as a misdemeanor, a trivial offense, that others would go out and do it," Rasch said. "You had conduct that was planned, premeditated, that was deliberate, over periods of months, that caused massive disruption and expense to a wide number of different individuals." That required a response, the government believed.

So Morris was charged with a single felony count. Rasch says Morris could have been charged with a separate felony for each of the thousands of computers the worm infected. But the lawyer and his colleagues believed that would be overkill. "I don't believe that you over-prosecute someone to send a message," Rasch says. "I don't believe in the head-on-a-stake theory of prosecution."

But others viewed even a single felony count as excessive. Spafford, for example, believes that Morris's actions warranted some punishment, but he says "the felony prosecution was probably too extreme."

There was plenty of evidence that Morris had created the worm. Backup tapes at Cornell showed that someone had used Morris's account to develop the worm in the weeks before it was released. And Rasch says he called both Sudduth and Graham to testify against their friend.

Morris didn't try to deny being the worm's author. "He came in and testified: 'I did it, and I'm sorry,'" Rasch says. When it came time for the government to cross-examine Morris, Rasch turned to one of his colleagues and quipped, "Should I prove he didn't do it or he's not sorry?"

In 1990, Morris was convicted by a jury. Sentencing guidelines recommended 15 to 21 months in prison. Instead, Judge Howard Munson sentenced Morris to serve three years of probation, to do 400 hours of community service and to pay a $10,000 fine.

Morris's lawyers tried to convince the courts that Morris's conduct didn't fall within the definition of the crime he was charged with. The CFAA made it a felony to intentionally gain unauthorized access to a "federal interest computer" and to cause damage as a result. Morris's legal team argued that the statute required the government to prove that both the access and the damage were intentional. The judge rejected that argument, holding that the government needed only to show that Morris intended to gain unauthorized access, not that he intended to cause harm. Morris's arguments were rejected by an appeals court in 1991.

Pardon Robert Morris?

By all accounts, Robert Morris has conducted himself admirably in the quarter-century since he created the worm. In 1995, Morris joined his friend Paul Graham as a co-founder of Viaweb, one of the first e-commerce startups. According to Graham, Morris "was so publicity averse after the Worm that he didn't want his name on" Viaweb's site, so he was listed under the pseudonym "John McArtyem." Viaweb was sold to Yahoo for $49 million in 1998.

Morris then returned to graduate school, earning a doctorate from Harvard in 1999. He joined the faculty of MIT, conducting research on computer networks and getting tenure in 2006. In 2005, Graham and Morris teamed up to found Y Combinator, a "startup accelerator" that has become legendary in Silicon Valley.

Morris has "never tried to gain any notoriety or credit" for his work on the worm, Spafford says. "He has not tried to make any money or work in this area. His behavior has been consistent in supporting his defense: that it was an accident and he felt badly about it. I think it's very much to his credit that that has been his behavior ever since."

Rasch agrees. "I would not object if Robert Morris was granted a pardon," he says. "I would represent him if he wanted. He was not a bad person. I don't see any reason he should have to wear this as a mark of shame for the rest of his life."