Alex P

Posted on • Originally published at yoursec.substack.com

HE WANTED TO MEASURE THE INTERNET, BUT ENDED UP BREAKING IT AND MAKING HISTORY

HE WROTE A SCRIPT OUT OF PURE CURIOSITY. BUT HE ENDED UP CRASHING 10% OF THE WORLD'S INTERNET, CAUSING MILLIONS OF DOLLARS IN DAMAGE, AND BECOMING THE FIRST PERSON EVER CONVICTED OF COMPUTER FRAUD

Robert Tappan Morris, a student at Cornell University, didn’t want to be an evil hacker. He just wanted to see how big the internet was. However, because of one tiny mistake in his code, his harmless experiment turned into an unstoppable digital disaster

THE STORY OF THE “GREAT WORM”

It was 1988. The internet (then called ARPANET) was a small, closed club for universities, research centers, and the military. It was built on trust - nobody expected an attack from their own colleagues

On November 2, 1988, 23-year-old Robert Morris launched a program to count all the computers connected to the internet. The program (later called the “Morris Worm”) spread by using known weaknesses in network tools like sendmail and fingerd, as well as weak passwords

The idea was smart: the worm enters a server, checks if it is already infected, and if not, it copies itself and looks for new targets. It didn’t delete files or steal data. It was supposed to be completely harmless

But Morris thought of a problem: what if smart system admins set up a fake signal that says “I’m already infected” to protect their servers? To get around this, Morris added a rule: 1 out of every 7 times, the worm should ignore the server’s answer and infect it anyway

This was the fatal mistake!

A 1-in-7 chance (about 14%) was way too high. The worm started infecting the same computers over and over again. Each new copy created more processes, eating up all the memory and CPU power. Thousands of servers simply froze and crashed. Out of the 60,000 computers on the internet at the time, about 6,000 went down

In a panic, Morris tried to send an anonymous message explaining how to stop the worm. But the internet was so clogged that the message never arrived. Finally, following the advice of his father (who happened to be a top cybersecurity expert at the NSA), Robert turned himself in. The damage was estimated to be between $100,000 and $10,000,000. Morris got a light sentence: 3 years of probation, 400 hours of community service, and a $10,050 fine

LESSONS LEARNED BY THE TECH INDUSTRY

  1. Trust is a bad security plan. The Morris Worm proved that the internet was no longer a safe place. Systems had to be built assuming the network is hostile
  2. The birth of CERT. Right after the attack, the government funded the first Computer Emergency Response Team (CERT) to coordinate responses to future cyber attacks
  3. The danger of exponential growth. Even harmless code can become a weapon if a bug causes an endless loop or uncontrolled copying
  4. Security by default. The worm used a flaw in sendmail because the program was shipped with a “debug” mode left on. This taught developers a hard lesson about turning off testing features before releasing software

Today, Robert Morris is a respected professor at MIT and a co-founder of the famous startup accelerator, Y Combinator

THE SOURCE CODE AND THE FAMOUS BUG

The original code was reverse-engineered back in 1988. Today, you can find its source code in historical archives on GitHub

PSEUDOCODE OF THE FATAL ERROR

The whole disaster happened because the creator was too paranoid and misunderstood probability. In simple terms, the worm’s logic looked like this:

import random

# This logic runs INSIDE the new worm process AFTER it has successfully
# infected, compiled, and started itself on the target server

def logic_inside_new_worm_process():
    # STEP 1: The infection has ALREADY happened
    # The server has already spent CPU/RAM to receive and launch this process

    # The worm checks if another copy is already running on this machine
    # (usually by trying to connect to a specific local socket/port)
    already_infected = check_for_other_copies_locally()

    if already_infected:
        # THE FATAL BUG:
        # Morris was paranoid that system administrators would "fake" an
        # infection by running a dummy process to trick the worm into leaving

        # To bypass this, he added a 1-in-7 chance to IGNORE the result:
        if random.randint(1, 7) == 1:
            # "I don't believe this is a real worm!"
            # The worm ignores the existing process and stays alive anyway
            stay_alive_and_continue_spreading()
        else:
            # Even if the 1-in-7 chance didn't hit, the worm didn't quit yet
            # It would "talk" to the other process and flip a coin (50/50 chance)
            # to decide which one of them should terminate
            if random.choice([True, False]):
                terminate_self()
            else:
                stay_alive_and_continue_spreading()
    else:
        # No other copy found; the machine is "fresh"
        stay_alive_and_continue_spreading()

THE RESULT:
Because the worm was constantly re-attacking the same servers, the 1-in-7 "stay alive" chance was hit repeatedly. Machines ended up with dozens of copies running simultaneously, eventually crashing the system (Denial of Service)
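The growth described above, as an added simulation that is not part of the original post and is not the worm's code. It counts copies on a single host and assumes the coin-flip branch always leaves exactly one of the two copies running; the function names, seed and arrival counts are constructed for illustration.

```python
import random

def step(copies, override_odds, rng):
    """Copy count on one host after one more arrival (a counting model only)."""
    if copies == 0:
        return 1                  # fresh machine: the arrival stays
    if override_odds and rng.randrange(override_odds) == 0:
        return copies + 1         # arrival ignores the "already infected" answer
    return copies                 # assumed: coin flip ends one copy of the pair

def copies_after(attempts, override_odds, rng):
    """Live copies after `attempts` arrivals; override_odds=None disables the rule."""
    copies = 0
    for _ in range(attempts):
        copies = step(copies, override_odds, rng)
    return copies

def attempts_until(limit, override_odds, rng, max_attempts=100_000):
    """Arrivals needed before the host holds `limit` copies, or None if never."""
    copies = 0
    for n in range(1, max_attempts + 1):
        copies = step(copies, override_odds, rng)
        if copies >= limit:
            return n
    return None

def expected_copies(attempts, override_odds):
    """Closed form: the first arrival stays, each later one adds 1/odds on average."""
    if attempts == 0:
        return 0.0
    extra = (attempts - 1) / override_odds if override_odds else 0.0
    return 1.0 + extra

if __name__ == "__main__":
    rng = random.Random(1988)             # fixed seed so runs are repeatable
    for attempts in (50, 500, 5000):      # constructed arrival counts
        with_rule = copies_after(attempts, 7, rng)
        without = copies_after(attempts, None, rng)
        print(f"{attempts:5d} arrivals: 1-in-7 rule -> {with_rule:4d} copies "
              f"(expected {expected_copies(attempts, 7):.1f}), "
              f"no override -> {without}")
    print("arrivals until 30 copies:", attempts_until(30, 7, rng))
```

Without the override the count never leaves 1, while with it the count grows linearly with the number of arrivals and has no upper bound, which is why a per-host process limit or a duplicate check that cannot be overridden stops the pile-up.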

TIMELINE OF EVENTS

  • November 2, 1988: Morris deploys the worm from MIT. The ARPANET infection begins
  • November 3, 1988: The worm crashes around 6,000 computers, causing massive slowdowns. Experts at UC Berkeley and Purdue rush to reverse-engineer the code
  • November 1988: DARPA responds to the crisis by funding the first CERT
  • July 26, 1989: A federal grand jury indicts Morris
  • January 1990: Morris is found guilty
