
Remembering the Net crash of ’88

A decade ago, a computer virus, or worm, launched by a Cornell University student crippled the fledgling Internet. Experts say it could happen again.
Source: msnbc.com

On Nov. 3, 1988, thousands of computer systems administrators arrived at work to find whole labs of catatonic computers. Turning the machines off and then on didn’t help. Perhaps 10 percent of the computers on the Internet had been infected with a self-replicating virus, or worm; the network was crippled. Computer scientists at the time weren’t surprised, knowing the vulnerabilities of the Internet. And if it happened again today, many experts wouldn’t be surprised.

IT MUST HAVE FELT like H.G. Wells’ “War of the Worlds.” The Associated Press compared the worm to AIDS, suggesting it would put an end to the Information Age.

How big was the story? Even though the Dukakis-Bush election was just days away, most newspapers, including the New York Times, found room on Page One for stories about “the largest assault ever on America’s computers.”

The fiasco eventually was traced to a 23-year-old Cornell graduate student, Robert Tappan Morris, who enjoyed a brief infamy. Morris, who could not be reached for this story, was sentenced to three years’ probation. However, he’s been more than forgiven by the Internet community — a start-up he founded, Viaweb Inc., was bought by Yahoo! Inc. earlier this year for $49 million.

ONLY 60,000 CONNECTIONS

At the time, there were 60,000 hosts connected to the Internet, and estimates say some 5 to 10 percent of those were crippled by the virus, or worm. The worm was “benign,” in that it didn’t delete files or compromise secure documents, but it did cost days of computing time at universities and research centers.

Cost estimates are fuzzy, but here’s one example of its impact — at the University of Colorado alone, some 1,000 hours of staff time was spent cleaning up some 200 infected computers.

Still, the worm’s legacy wasn’t the damage it did. It was the damage it might have done, had Morris been malicious. The worm exposed the Internet’s fragility. And since most of the nation hadn’t heard of the Internet or e-mail before, the episode served as a rude introduction.

WHAT’S A WORM?

Most newspapers identified the incident of Nov. 2 and 3 as a computer virus attack, but programmers distinguish between a worm and a virus. A virus must attach itself to a program, and requires a file transfer (like the insertion of a floppy disk) to propagate. A worm can run — and spread — by itself.


John Shoch, a general partner at Asset Management, invented the worm concept at the famed Xerox Palo Alto Research Center about 10 years earlier. His worm was designed as a benevolent tool, made to shuttle through computers on a network looking for idle computing time. Processor-taxed machines could then “borrow” space from idle machines. Shoch wasn’t surprised when another worm played a more nefarious role.

“Oh, we had fantasies about them getting loose and out of control,” he said. “It had happened to us.”

WHAT HAPPENED

At about 6 p.m. ET on Wednesday, Nov. 2, Morris released what’s now called The Internet Worm (or Morris Worm) onto the Net from an MIT computer lab. Accounts vary, but most agree Morris was hoping his worm would be unnoticed as it harmlessly, quietly penetrated computers around the country.

He had coded the program to copy itself again and again as a means to propel itself around the Internet.

But it was only supposed to end up on each computer once — the program was designed to check for a copy of itself and shut down if there already was a copy running on that machine. But a programmer’s error made that check fail, so multiple copies ended up on the same machine, and the number grew more quickly than Morris had ever imagined.

Infected computers collapsed within minutes under the demands of hundreds of versions of the Worm, all demanding processor time.

In this way, the Worm spread around the Internet — but only to VAX computers made by Digital Equipment Corp. and Sun Microsystems Sun 3 systems. Other systems were not affected.

That evening, workers in labs around the country began noticing a painful slowdown in their systems. Keith Bostic, now an operating systems programmer in Denver, was working in the Berkeley computer science department when the worm hit.

In the following example, taken from “A Tour of the Worm,” by Donn Seeley, one can see the effects of the worm infection. The example is representative of infections all across the country. All the following events occurred on the evening of Nov. 2, 1988.

6 PM: At about this time the Worm is launched.
8:49 PM: The Worm infects a VAX 8600 at the University of Utah (cs.utah.edu).
9:09 PM: The Worm initiates the first of its attacks to infect other computers from the infected VAX.
9:21 PM: The load average on the system reaches 5. (Load average is a measure of how hard the computer system is working. At 9:30, the load average of the VAX was usually 1. Any load average higher than 5 causes delays in data processing.)
9:41 PM: The load average reaches 7.
10:01 PM: The load average reaches 16.
10:06 PM: At this point there are so many worms infecting the system that no new processes can be started. No users can use the system anymore.
10:20 PM: The system administrator kills off the worms.
10:41 PM: The system is reinfected, and the load average reaches 27.
10:49 PM: The system administrator shuts down the system. The system is subsequently restarted.
11:21 PM: Reinfestation causes the load average to reach 37.

In short, in under 90 minutes from the time of infection, the Worm had made the infected system unusable.

Reprinted with permission from “The What, Why and How of the 1988 Internet Worm”

“Basically all the machines were clogged up. It was obvious something was wrong,” Bostic said. “The Worm was quickly detected, it was easy to watch what it did.... But we didn’t understand it at this point.”

Bostic was part of a multi-university effort to beat back the Worm. Solutions were offered quickly from Berkeley, MIT and Purdue. Computer science professors generally enjoyed the mental exercise, and many were a little surprised at the flood of media attention that followed.

“It was exciting, it was fun. We were all 15 years old at the time,” said Bostic. “For us it was a challenge.… It wasn’t a big deal, but that’s really unfair. Maybe for the guys on Three-Mile Island it wasn’t a big deal, but for the rest of the world — that’s a very frightening and scary thing.”

By 5 a.m. Thursday, Berkeley had issued a patch that would stop the spread of the Worm. By 9 a.m., full software patches were made available. But ironically, system administrators, who had discovered early on that the Worm was spread via e-mail, had cut off their machines from e-mail, which barred them from hearing about the fixes.

Order was mostly restored by Friday, and while there were system administrators cursing the Worm’s author for the inconvenience, there was no tangible damage. Estimates vary, but it’s agreed generally that between 5 and 10 percent of the computers on the Net were rendered useless by the Worm.

HOW IT WORKED

The Morris Worm exploited some well-known flaws in the Unix operating system. One example: The mail program Sendmail, then used by most Internet servers, had a programming convenience that allowed remote users to issue a “debug” command. The command opened up a program dialogue that effectively gave the Worm the ability to execute commands on a new machine.

To get past log-in screens, Morris relied on user laziness. His worm found lists of users, then went password hunting. First, it looked for users who’d picked passwords that were the same as their username. Then it tried user names against a list of 432 commonly used passwords. Some schools acknowledged half their accounts were cracked using this method, said Eugene Spafford, professor of computer science at Purdue.
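The two guessing stages described above, turned into a check an administrator can run against their own accounts, both when a password is set and over stored verifiers. This is an added example, not code from the article or from the Worm; the deny-list, the account records and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a common-password deny-list; the 432-word list
# the article mentions is not reproduced here.
COMMON_PASSWORDS = ["password", "changeme", "letmein", "welcome"]
ITERATIONS = 50_000  # PBKDF2 work factor, kept low so the example runs fast


def guesses(username):
    """Yield (stage, guess) pairs in the order the article describes."""
    yield "same-as-username", username
    for word in COMMON_PASSWORDS:
        yield "common-password", word


def reject_reason(username, new_password):
    """Set-time policy check: name the stage that would guess this password."""
    for stage, guess in guesses(username):
        if new_password.casefold() == guess.casefold():
            return stage
    return None


def derive(password, salt):
    """Stored verifier for a password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def audit(accounts):
    """Check existing (username, salt, verifier) records; return weak ones."""
    findings = {}
    for username, salt, stored in accounts:
        for stage, guess in guesses(username):
            if hmac.compare_digest(derive(guess, salt), stored):
                findings[username] = stage
                break
    return findings


def make_account(username, password):
    """Build one constructed account record with a random salt."""
    salt = os.urandom(16)
    return (username, salt, derive(password, salt))


# Constructed sample accounts, not real data.
SAMPLE = [make_account("alice", "alice"),
          make_account("bob", "letmein"),
          make_account("carol", "T4ngled-Orbit-Lantern-92")]
```

Accounts that `audit` reports should have their passwords reset, and `reject_reason` belongs in the password-change path so the same choices cannot be set again.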

COULD IT HAPPEN TODAY?

Spafford spent the evening of Nov. 3 “decompiling” the Worm in an attempt to understand how it worked. Today, a decade later, all the factors that made the Worm successful are still in place, he says.

“Poor passwords? You bet, people are still setting them,” he said. In fact, several computer experts complained that plenty of system administrators don’t change default passwords when setting up servers. “People set up firewalls, then trust all machines within the firewall. People are used to the idea of self-replicating code. They’re downloading Java applets and Active-X applets all the time.

“If anything, I think the environment might be more supportive of such problems, though it’s more likely it would be spotted and analyzed more quickly.”

Among the more tangible fallout from the episode was CERT, the Computer Emergency Response Team, funded by the Defense Department. Spokesman Terry McGillen says an incident like the Worm could happen again at any time.

“There’s no reason why it can’t,” he said, though he doubted it would work like a Worm. A so-called denial-of-service attack, in which a Web site becomes bogged down with multiple requests for information, is much more likely. “Some countries don’t even have laws against sending malicious code across the Net.”

CERT gets 30 to 35 calls per day from Web site administrators who say an intruder has attempted to hack their system. And McGillen said that while 70 percent to 80 percent of those calls are related to known security flaws, about 20 percent are unexpected and not preventable.

“The Internet was designed as an open system. The basic structure of the Net was to be open. So intruders can perform sophisticated attacks,” he said.

Meanwhile, software makers continue to emphasize speed and ease of use over security in software design — just as car makers once prioritized speed and style over safety. That changed when consumers demanded safer cars.

“People want software that is fast and easy to use — you rarely hear them say they want a product that’s secure,” he said. “When there were lots of tragic accidents, then car design changed.”

WHO’S AFRAID?

But consumers still don’t view safety as a big issue, and there hasn’t been a computer security issue in the last 10 years that could rival the Worm’s publicity.

In the end, the Internet Worm was no more frightening than Wells’ “War of the Worlds.” And Shoch, the father of the Worm concept, says consumers with home PCs shouldn’t get carried away worrying about the threat of a worm.

“It’s much more likely that your house is going to burn down and your floppy disk will melt,” he said.

Bostic, though, believes the Worm couldn’t happen again, and thinks security is so much more sophisticated today that viruses are relegated to the status of annoyance.

“Every day, people figure out a denial of service. I can cause a denial of service on a standard PC — I could do that on your phone, too. I could just keep hitting redial,” he said. “It’s annoying, but not a big deal. In general most computer security problems are like that now.”

But CERT’s manager of operations, Kathy Fithen, said the number of novice, naive users who connect to the Internet every day means it’s literally impossible to educate everyone about the need to change passwords and install software patches promptly. So she offers this ominous reminder:

“Once people connect that computer to the Internet, the entire Internet has connected to that computer.”

And who knows what might happen.