The Morris Worm: When the Internet Realized It Was Vulnerable
It’s late 1988, and for those of us in the small, trusted community of ARPANET and early Internet researchers, the last few days have been a wake-up call. Robert Tappan Morris, a graduate student at Cornell, released a program that he says was intended only to gauge the size of the network. But a logic error in its replication code turned it into a digital plague.
How It Happened
The worm was incredibly clever—and frighteningly efficient. It didn't just target one vulnerability; it used a multi-pronged attack:
- A hole in the sendmail debug mode.
- A buffer overflow in the fingerd daemon.
- Exploiting weak passwords via rsh and rexec.
- Trust relationships between machines.
/* The fingerd exploit was a classic buffer overflow */
char buffer[512];
gets(buffer); /* NEVER use gets()! It doesn't check bounds. */
Because of that gets() call, the worm could overwrite the stack and execute its own code. It’s a trick many of us knew in theory, but seeing it weaponized across the entire network is something else entirely.
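A bounded replacement for the gets() call above, as an added example (not code from fingerd or from the original post). The names read_request, req_status and stream_of, and the constructed 600-byte input, are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define REQ_MAX 512 /* same size as the buffer in the snippet above */
enum req_status { REQ_OK, REQ_TOO_LONG, REQ_EOF };

/* Bounded replacement for gets(): never writes past buf[cap-1] (cap >= 2).
 * An over-long line is rejected whole and drained, so its tail is not
 * picked up as if it were the next request. */
enum req_status read_request(FILE *in, char *buf, size_t cap)
{
    if (fgets(buf, (int)cap, in) == NULL)
        return REQ_EOF;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {      /* whole line fitted */
        buf[--len] = '\0';
        if (len > 0 && buf[len - 1] == '\r')    /* tolerate CRLF */
            buf[--len] = '\0';
        return REQ_OK;
    }
    int c = fgetc(in);                          /* no newline stored: look ahead */
    if (c == EOF || c == '\n')
        return REQ_OK;                          /* exact fit or unterminated last line */
    while (c != '\n' && c != EOF)               /* truncated: discard the remainder */
        c = fgetc(in);
    buf[0] = '\0';
    return REQ_TOO_LONG;
}

/* Hypothetical helper: a temp stream standing in for the network socket. */
static FILE *stream_of(const char *data, size_t n)
{
    FILE *f = tmpfile();
    if (f) { fwrite(data, 1, n, f); rewind(f); }
    return f;
}

/* Constructed input: a 600-byte line, then "alice". Returns 1 when the long
 * line is rejected, the value stored after the buffer is unchanged, and the
 * following request still parses cleanly; -1 if no temp stream is available. */
int demo_oversized_request(void)
{
    char big[608];
    memset(big, 'A', 600);
    memcpy(big + 600, "\nalice\n", 8);
    struct { char buf[REQ_MAX]; unsigned canary; } s = { {0}, 0xC0FFEEu };
    FILE *in = stream_of(big, 607);
    if (!in) return -1;
    enum req_status first = read_request(in, s.buf, sizeof s.buf);
    enum req_status second = read_request(in, s.buf, sizeof s.buf);
    fclose(in);
    return first == REQ_TOO_LONG && second == REQ_OK
        && strcmp(s.buf, "alice") == 0 && s.canary == 0xC0FFEEu;
}
```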
The Fallout
Because the worm didn't check properly if a machine was already infected (or rather, it would re-infect a machine one out of seven times regardless), it quickly clogged systems with multiple copies of itself. Machines became so busy trying to replicate the worm that they couldn't do anything else.
We spent the weekend at the lab, disconnecting our machines and manually cleaning out the infected processes. It’s been a frantic effort of coordination via phone and the few remaining working email links.
The New Reality
The era of the "gentleman’s agreement" on the network is over. We can no longer assume that every machine on the net is friendly. I expect we'll see the creation of dedicated response teams (like a "Computer Emergency Response Team") and a much greater focus on auditing our core utilities. The Internet just lost its innocence.