Morris Worm 1988: The First Internet Worm Crashes 6,000 Machines and Forces the Creation of CERT


What happened

On 2 November 1988, a Cornell University graduate student named Robert Tappan Morris released a self-replicating program onto the ARPANET. Within hours it had infected and crashed an estimated 6,000 Unix machines — roughly 10% of the entire internet at the time — by exploiting vulnerabilities in sendmail, fingerd, and rsh/rexec. The worm did not intentionally destroy data, but its rapid replication consumed so many CPU cycles that infected machines became unusable. Morris became the first person convicted under the Computer Fraud and Abuse Act. The incident directly led to the creation of CERT/CC, the world's first coordinated cybersecurity response organisation.[1]

What went wrong

The worm exploited three separate Unix vulnerabilities: a debug backdoor in sendmail that allowed remote command execution; a buffer overflow in the fingerd daemon; and the trusted host mechanism in rsh/rexec that allowed remote execution without authentication if the host was listed as trusted. Any one of these would have been serious; together they gave the worm multiple infection vectors. The internet community had no coordinated mechanism to share information about the attack or distribute patches — administrators were calling each other on the phone. Morris later claimed the worm was an experiment to measure the size of the internet and was never intended to cause harm; the replication bug that made it overwhelm machines was a mistake.[1]
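A defender's check for the third vector, as an added example that is not part of the original page: a Python function that flags entries in rsh trust files (`/etc/hosts.equiv`, `~/.rhosts`) that grant password-less remote access. The sample file contents are constructed, and the function name and severity labels are assumptions of this example.

```python
# Added example: audit rsh/rlogin trust-file contents for risky entries.
# Entry format: "[+|-]host [user]"; lines starting with "#" are comments.

def audit_trust_file(text):
    """Return a list of (line_no, severity, message) for entries granting trust."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        # Entries with a leading "-" deny access, so they grant nothing.
        if host.startswith("-") or (user and user.startswith("-")):
            continue
        if host == "+" and user == "+":
            findings.append((no, "critical", "any user from any host is trusted"))
        elif host == "+":
            findings.append((no, "critical", "every remote host is trusted"))
        elif user == "+":
            findings.append((no, "high", f"any user on {host} is trusted"))
        elif host.startswith("+@"):
            findings.append((no, "medium", f"netgroup {host[2:]} is trusted"))
        else:
            findings.append((no, "medium", f"{host} is trusted without a password"))
    return findings

# Constructed sample contents, not taken from a real system.
SAMPLE = """\
# constructed sample
lab1.example.edu
+ +
-untrusted.example.edu
gateway.example.edu +
+@admins
"""

if __name__ == "__main__":
    for line_no, severity, message in audit_trust_file(SAMPLE):
        print(f"line {line_no}: [{severity}] {message}")
```

Every finding is a host-to-host trust relationship that a compromised peer can use to run commands without a password, so the safest result for this audit is an empty list.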

Lesson learned

The Morris Worm proved that a single person with 99 lines of C code could take down 10% of the internet in hours. It established the template for every worm that followed: multiple exploits, self-replication, exponential spread. More importantly, it demonstrated that the internet had no immune system — no coordinated mechanism to respond to network-wide threats. CERT/CC, founded six weeks after the worm, was the first attempt to build one. The vulnerability classes it exploited — buffer overflows, trusted host authentication, debug backdoors — remain in production systems today.

Est. value burned: ~$100M

Estimated $100M in productivity loss and recovery costs (1988). Robert Morris was fined $10,050, sentenced to 400 hours of community service, and given three years' probation. He later co-founded Viaweb (acquired by Yahoo for $49M) and is now a professor at MIT.

Sources

  1. [1]

External links can go dark — pages move, paywalls appear, domains expire. Every source above includes a Wayback Machine snapshot link as a fallback. All citations are best-effort research; if a source contradicts our summary, the primary source takes precedence.