Morris Worm

November 2nd marked the 35th anniversary of the Morris Worm, developed by Cornell University graduate student Robert Tappan Morris. The Morris Worm launched on November 2, 1988, and caught the nascent internet (which had only existed in its current form since January 1, 1983) by surprise. It was one of the first malware to be spread widely on the internet and cause a significant and noticeable impact. The attack even generated significant press coverage.

Notably, although the Morris Worm caused massive damage and disruption, it did not do so by deleting or corrupting files on computer systems. Rather, it simply rendered computer systems unusable by consuming all computing and network resources. When programs run on a computer, they share the processor, memory, and ancillary components such as the network communications subsystem. The Morris worm used up so many resources that other programs could not get the resources they needed to function. This is what is called a “denial of service” attack.

When Robert Morris released the worm onto the internet, he intended it to be stealthy. He even remotely launched the program from an MIT computer to hide the fact that he was operating from Cornell. The worm itself was meant to spread without detection.

Worms are self-replicating, autonomous programs. Unlike viruses, which infect existing programs and will not do anything until the infected program is running, worms are standalone programs that spread automatically from one computer to another. However, there was a bug in the Morris Worm program instructions which caused it to replicate itself at a much faster rate than what was intended1. Within 24 hours of releasing the worm, it had already infected about 10% of all computers connected to the internet2.

Worse, the Morris Worm would reinfect computers that were already infected. This meant that there was an ever-growing number of Morris Worms running on a computer. Each copy of the worm used up resources. Due to its very fast replication rate and the limited resources of computers at the time, it quickly incapacitated the computers that it infected.

In terms of extent, the Morris Worm affected systems at universities such as Harvard, Princeton, Stanford, and Johns Hopkins. It even attacked NASA systems and military systems. Estimates of the damage started at $100,000 and soared into the millions.2

When Robert Morris realized the impact the worm was having he tried to provide guidance about how to kill the worm and stop it from spreading. Ironically, however, only a few people received his message because Morris’s own worm was interfering with his ability to transmit the message and for people to read it. To remediate the crisis, people were disconnecting devices from the internet and even wiping their systems completely.2

In the aftermath of the Morris Worm, Robert Morris became the first individual to be tried under the new Computer Fraud and Abuse Act of 1986, 18 U.S.C. Section 1030(a)(5)(A). He was tried, convicted, and sentenced to three years of probation, 400 hours of community service, a fine of $10,050, and the costs of his supervision.3

One of the things that this attack highlighted was the importance of computer security and the real-world damage that such attacks had the potential to cause. It has been described as “The day computer security turned real.”4 Sadly, the amount of damage that can be done has only gotten worse. Morris probably did not intend harm when he released the worm named after him (at the very least, he could have created a worm that did significantly more damage). In the present day, however, attacks on the Internet are more advanced and more intentional, especially those used by nation-state actors and cyber criminals for nefarious purposes such as spying, espionage, theft, damage, and so on. No deaths were attributed to the Morris Worm but contemporary hospitals have attributed patient deaths to ransomware attacks that have crippled their systems.

Mirai Botnet

One example of modern, intentionally malicious malware is Mirai. It is not always described as a worm, but it fits the definition of one. The Mirai malware first surfaced on August 1, 2016, when it started from a single bulletproof hosting service. It then grew very quickly by doubling its size every 76 minutes in the early hours. In a single day, it had infected over 65,000 IoT devices and by its second day, Mirai already accounted for half of all Internet telnet scans observed by the collective set of honeypots of a group of researchers. It reached its peak in November 2016 with over 600,000 infected IoT devices.5

The term “IoT” means “Internet of Things” and refers to devices like cameras and refrigerators that are connected to the Internet. In 2016, IoT devices had become common and mainstream, with millions of such devices connected to the Internet. The problem with IoT devices of 2016 is that many of these mass-manufactured, mass-deployed devices had common vulnerabilities and weak default passwords. Mirai was able to spread so rapidly because these systems were so easy to crack.6

Mirai was designed with a malicious purpose: to create a “botnet.” A botnet is a network of malware-infected devices that work together to carry out the commands of the botmaster given to each infected device. That is each device, once infected, “phones home” to the botmaster, which is some kind of system under the control of a malicious actor. The bad actor can then control the infected devices from the central system, which is sometimes called a “command and control” (C&C) system. Each infected device is sometimes called a “zombie.”

Mirai turned the hundreds of thousands of zombie IoT devices into a massive botnet. The Mirai Botnet was then used in several distributed denial of service attacks (DDOS attacks).5 A common approach for a DDOS attack is to have many devices try to communicate with a single target all at once. The goal is to generate so much network traffic destined for the victim’s computer system that it is overloaded and cannot provide service to legitimate clients. The Mirai Botnet generated massive amounts of network traffic using the hundreds of thousands of zombie systems it controlled5 7.

Initially, the Mirai botnet was used to attack Minecraft servers. A Minecraft server operator/owner could hire the botnet to knock out the service of a competitor. The players could then be lured over to the other server. Mirai’s operators also used it as a blackmail system, requiring Minecraft servers to pay for DDOS “protection.”8

One of the major attacks of Mirai was its attack against DYN, which is a DNS provider. This prevented users from accessing multiple major companies’ websites. Websites such as Amazon, Github, HBO, Netflix, Reddit, and Twitter were made unavailable.5 Another major attack by a variant of Mirai was when it caused a massive outage of Deutsche Telekom by attacking and infecting 900,000 routers. This was possible because of its replication module and also by making use of a router exploit.9

On September 20, 2016, Mirai was also used to attack the blog of noted security researcher Brian Krebs. The website, known as “Krebs on Security”, received, at its peak, 620Gbit/s in traffic5. For reference, this is approximately one average-sized, blu-ray-quality movie per second in data. Ten days later, on September 30, 2016, the source code for Mirai was publicly released. This caused a rise in copycats who would make use of the available source code, create their variants, and cause their own attacks.5

Brian Krebs, incidentally, would have the last laugh. Through his investigative research, he identified Paras Jha as one of the principal authors of Mirai based on a forensic analysis of Mirai’s code and other code written by Jha. On December 13, 2017, Jha, along with a few co-conspirators, pleaded guilty to crimes related to the Mirai botnet.10

Comparing The Morris Worm and Mirai

The Mirai malware is similar in many ways to the Morris Worm that preceded it by nearly 30 years. Both spread from one system to another through replication and infection, quickly growing in terms of the number of infected devices. The Morris Worm was able to infect about 10% of the devices connected to the internet in only 24 hours. Mirai was able to compromise 65,000 IoT devices in the same time period. 65,000 devices are not even close to 10% of the modern Internet but are significantly more devices in absolute terms.

Another point of similarity between these is that this rapid growth was possible for both cases because the devices that they targeted had key vulnerabilities and security flaws. For the Morris Worm, the entire Internet was largely unsecured and full of vulnerable devices that could be exploited. Mirai, on the other hand, made use of the poor security configurations and security vulnerabilities of IoT devices. IoT devices are usually restricted in terms of their computing capabilities and power supply and for this reason, their designers tend to ignore good security practices in preference of efficient operation. Inadvertently, IoT manufacturers had created, for one class of devices at least, weak security conditions similar to those of the Internet when the Morris Worm was released. Mirai was happy to take advantage of that.

The type of attack of both malware is also similar, at least conceptually. Both programs caused denial-of-service attacks that prevented legitimate parties from using computing resources. However, the Morris Worm’s denial of service was caused by overloading individual machines. Mirai, on the other hand, created a botnet that could be carefully controlled and managed to launch a coordinated DDOS attack on specific websites.

But perhaps the most significant difference is that the Morris Worm was not designed to be destructive (or, at least, not as destructive as it could have been). Mirai, however, was carefully engineered to perform its destructive operations. The Morris Worm, in many ways, was an unintentional warning about the necessity of securing the Internet. Mirai is the reminder of what happens when we do not.