Hacker News

This week in 1988, Robert Morris unleashed his eponymous worm

437 points by canucker2016, 11/04/2025, 183 comments

Comments

convolvatron 11/04/2025

I used to keep a vt100 at the head of my bed, roll over and check on things a few times at night. 3am and everything is screwed. Can't really log in anyplace, or start any jobs. The bus doesn't run until 5:30, so I just get dressed and walk across the bridge to the lab. Visitors center isn't open, so I just sneak through the exit by the guardhouse. They're civilian contractors, they either don't see me, or recognize me and don't care.

Since it's all locked up, I just reboot the big vax single user - that takes about 10 minutes so I also start on a couple of the suns. You have to realize that everything including desktops runs sendmail in this era, and when some of these machines come up they are ok for a sec and then sendmail starts really eating into the cpu.

I'm pretty bleary eyed but I walk around restarting everything single and taking sendmail out of the rcs. The TMC applications engineer comes in around 7 and gets me a cup of coffee. He manages to get someone to pick up in Cambridge and they tell him that's happening everywhere.

rs186 11/04/2025

I followed his course 6.5840 on distributed systems (https://pdos.csail.mit.edu/6.824/, YouTube videos at https://youtube.com/playlist?list=PLrw6a1wE39_tb2fErI4-WkMbs...) and completed the labs. One day, out of curiosity, I looked up his name. Then I realized what a legend he is.

Great course by the way.

wslh 11/04/2025

I assume you all know that Robert Morris is one of the YC (and Viaweb) cofounders? [1] Together with Paul Graham, Jessica Livingston, and Trevor Blackwell.

[1] https://en.wikipedia.org/wiki/Robert_Tappan_Morris

andyjohnson0 11/04/2025

A good account is With Microscope and Tweezers: The Worm from MIT's Perspective [1], published in CACM a few months after the event. Notice it was the worm.

I was an intern at IBM in '88 and they shut down the (iirc) two internet gateways to their corporate network (vnet) while people figured out what was going on. News moved slowly back then, and the idea of self-replicating software was unusual. Although IBM had had its own replicator the previous year [2].

[1] https://www.cs.columbia.edu/~gskc/security/rochlis89microsco...

[2] https://en.wikipedia.org/wiki/Christmas_Tree_EXEC

OhMeadhbh 11/05/2025

When I worked at Convex, there was an unnatural mania that fingerd be disabled and all sendmail patches be applied as quickly as possible. When I asked why, the answer started with "well... a couple of years ago there was this guy from the east coast who worked here for a year..."

Chinjut 11/04/2025

The 10% number is completely made up. According to Paul Graham, "I was there when this statistic was cooked up, and this was the recipe: someone guessed that there were about 60,000 computers attached to the Internet, and that the worm might have infected ten percent of them."

yodon 11/04/2025

That was one scary exciting day (source: was running machines at MIT at the time)

tptacek 11/04/2025

I'm pretty sure Paul Graham was directly involved in this story (not in any bad, culpable way, but enough that, were a film to be made about it, a well-known actor would be cast for his part).

https://news.ycombinator.com/item?id=38020635

bdcravens 11/04/2025

From the Wikipedia article:

Clifford Stoll, author of The Cuckoo's Egg, wrote that "Rumors have it that [Morris] worked with a friend or two at Harvard's computing department (Harvard student Paul Graham sent him mail asking for 'Any news on the brilliant project')".

Has pg commented on this?

throw0101d 11/04/2025

The term "worm" came from the 1975 (sci-fi) novel The Shockwave Rider:

* https://en.wikipedia.org/wiki/The_Shockwave_Rider

housel 11/04/2025

I was a student part-time administrator/systems programmer at the Purdue Engineering Computer Network at the time. Our OS installs had enough local mods (and we had enough non-VAX, non-Sun architectures) that we were immune to some of the worm's modalities, but the sendmail debug mode exploit at least still caused a lot of consternation.

xandrius 11/04/2025

I expected some info on its functioning. The goal was to gauge the size of the Internet, how? Why did it fail? I guess Wikipedia to the rescue.

hufdr 11/05/2025

Morris’s program wasn’t meant to be malicious, but it accidentally became a turning point in cybersecurity history. Much of what we now know as security research, red teaming, and even the “gray hat” culture can be traced back to that moment.

piokoch 11/05/2025

Oh, those memories!

He was sentenced to pay $10,050, today he would not get away that easily I guess...

Another thing I didn't know (citing Wikipedia):

"In 1995, Morris cofounded Viaweb with Paul Graham, a start-up company that made software for building online stores. It would go on to be sold to Yahoo for $49 million[14], which renamed the software Yahoo! Store. "

and (same source):

"He is a longtime friend and collaborator of Paul Graham. Along with cofounding two companies with him, Graham dedicated his book ANSI Common Lisp to Morris and named the programming language that generates the online stores' web pages RTML (Robert T. Morris Language) in his honor."

fanf2 11/04/2025

The IETF’s review has an amazing title “The Helminthiasis of the Internet”

https://www.rfc-editor.org/rfc/rfc1135

ratelimitsteve 11/04/2025

>However, the pioneering Morris worm malware wasn’t made with malice, says an FBI retrospective on the “programming error.” It was designed to gauge the size of the Internet, resulting in a classic case of unintended consequences.

had RTM actually RTM the world might be a bit different than it is today.

rmason 11/04/2025

I remember this event as one of the few times that the Internet made the mainstream news in the eighties. After the fact I talked with some network people at Michigan and Michigan State and it was not a very good day for them. They also wanted jail time for him which did not happen.

brazzy 11/05/2025

The Morris worm is certainly the more historically important one but AFAIK nothing has ever beaten SQL Slammer (2003) for sheer sleekness and propagation speed: 376 bytes, sent as UDP packets to randomly generated IP addresses as fast as the network interface could pump them out. Infected all susceptible hosts on the entire Internet within 10 minutes. Thankfully, that was only MSSQL servers and, being that sleek, it had no persistence mechanism. So turning the machine off and on again removed the infection completely.

ChrisArchitect 11/04/2025

This Week in 1988 rather.

https://neal.fun/internet-artifacts/morris-worm/

pjmlp 11/04/2025

Thankfully the security holes in C that have allowed the Morris worm to exist have been taken care of by WG14 since then.

NewsaHackO 11/04/2025

I find it funny that:

1) He released it from MIT to avoid suspicion.

2) After he was convicted, he went from Cornell to Harvard to complete his Ph.D.

3) He became an assistant professor at MIT after that.

He had to be really spectacular/have crazy connections to still be able to finish his training at a top program and get a job at the institution he tried to frame.

nticompass 11/07/2025

The worm was unleashed November 2, 1988. I was born exactly 7 days later. Coincidence? Yeah, probably.

canucker2016 11/04/2025

Wikipedia says the Morris worm went out on 1998 Nov 2. No idea why they would publish the article on 2025 Nov 4 with that title.

teeray 11/04/2025

I remember that the Boston Museum of Science used to have a floppy disk on display with the Morris worm on it.

eatbitseveryday 11/05/2025

Would be cool to see the source code. Is that saved anywhere other than that floppy in the museum?

api 11/04/2025

It's a little shocking to me that there haven't been more things like this.

While we're much more conscientious and better at security than we were way back then, things are certainly not totally secure.

The best answer I have is the same as what a bio professor told me once about designer plagues: it hasn't happened because nobody's done it. The capability is out there, and the vulnerability is out there.

(Someone will chime in about COVID lab leak theories, but even if that's true that's not what I mean. If that happened it was the worst industrial accident in history, not an intentional designer plague.)

JoshGlazebrook 11/04/2025

This one is before my time, but I remember the blaster worm very clearly.

conradev 11/04/2025

I’m still waiting for the first runaway autonomous botnet.

axpy906 11/04/2025

> the internet in 1988

60k computers ( mostly at institutions ) in 20 countries

jrootabega 11/05/2025

Funnily enough, just a few weeks before that, REM released their eponymous album. Perhaps Morris was inspired by that?

aussiegreenie 11/04/2025

PG has said that he made up the 10% figure. It was a guess, but it was not correct.

DonHopkins 11/04/2025

I was logged into brillig.umd.edu (University of Maryland's Vax 8600) that night, frustrated that my emacs kept getting paged out, rhythmically typing ^A ^E ^A ^E to wiggle the cursor around to keep it paged in while I thought.

I ps aux'ed and saw a hell of a lot of sendmail demons running, but didn't realize till the next morning that we were actively under attack, being repeatedly but unsuccessfully finger daemon gets(3) buffer overflowed, and repeatedly and successfully sendmail daemon DEBUG'ed.

RTM's big mistake was not checking to see if a machine was already infected before re-infecting it and recursing, otherwise nobody would have noticed and he would have owned the entire internet.

What's funny is that UMD was on MILNET via NSA's "secret" IMP 57 at Fort Mead, so RTM's worm was attacking us through his daddy's own MILNET PSN (Packet Switching Node)!

https://news.ycombinator.com/item?id=18376750

>At the University of Maryland, our network access was through the NSA's "secret" MILNET IMP 57 at Fort Mead. It was pretty obvious that UMD got their network access via NSA, because mimsy.umd.edu had a similar "*.57" IP address as dockmaster, tycho and coins.

>[...] Once I told the guy who answered, "Hi, this is the University of Maryland. Our connection to the NSA IMP seems to be down." He barked back: "You can't say that on the telephone! Are you calling on a blue phone?" (I can't remember the exact color, except that it wasn't red: that I would have remembered). I said, "You can't say NSA??! This is a green phone, but there's a black phone in the other room that I could call you back on, but then I couldn't see the hardware." And he said "No, I mean a voice secure line!" I replied, "You do know that this is a university, don't you? We only have black and green phones."

>[...more stuff about the rumored "Explosive Bolts" that could separate ARPANET and MILNET from Erik Fair and Milo Medin...]

More from Jordan Hubbard about his infamous "rwall" incident, when he accidentally sent an rwall message to almost every Unix host on the internet. I received it and sent him a cheerful reply within minutes, which he said was nicer than most of the 743 replies he got. Also: Milo Medin's description of Dennis Perry's reaction (head of DARPA/IPTO) to getting his Interleaf windows scribbled on ("absolutely livid"), Mark Crispin's flame about security, Jordan's response, and Dennis Perry himself replying to Jordan.

https://news.ycombinator.com/item?id=31822138

    From: Dennis G. Perry <[email protected]>
    Date: Apr 6, 1987, 3:19 PM

    Jordan, you are right in your assumptions that people will get annoyed
    that what happened was allowed to happen.

    By the way, I am the program manager of the Arpanet in the Information
    Science and Technology Office of DARPA, located in Roslin (Arlington), not
    the Pentagon. [...]

Here's my story of The Night of The Worm:

https://news.ycombinator.com/item?id=29250313

DonHopkins on Nov 17, 2021 | on: .plan

Yeah, 4.2 BSD fingerd was calling "gets" to read the name of who you were fingering into a small fixed size buffer on the stack.

https://man7.org/linux/man-pages/man3/gets.3.html

Chris Torek had hacked our version of fingerd (running on mimsy.umd.edu and its other Vax friends brillig, tove, and gyre) to implement logging, and while he was doing that, he noticed the fixed size buffer, and thoughtfully increased the size of the buffer a bit. Still a fixed size buffer using gets, but at least it was a big enough buffer to mitigate the attack, although the worm got in via sendmail anyway. And we had a nice log of all the attempted fingerd attacks!

The sendmail attack simply sent the "DEBUG" command to sendmail, which, being enabled by default, let you right in to where you could escape to a shell.

Immediately after the attack, "some random guy on the internet" suggested mitigating the sendmail DEBUG attack by editing your sendmail binary (Emacs hackers can do that easily of course, but vi losers had to suck eggs!), searching for the string "DEBUG", and replacing the "D" with a null character, thus disabling the "DEBUG" command.

But unfortunately that cute little hack didn't actually disable the "DEBUG" command: it just renamed the "DEBUG" command to the "" command! Which stopped the Morris worm on purpose, but not me by accident:

I found that out the day after the worm hit, when I routinely needed to check some bouncing email addresses on a mailing list I ran, so I went "telnet sun.com 80" and hit return a couple times like I usually do to clear out the telnet protocol negotiation characters, before sending an "EXPN" command. And the response to the "EXPN" command was a whole flurry of debugging information, since the second newline I sent activated debug mode by entering a blank line!

So I sent a friendly email to [email protected] reporting the enormous security hole they had introduced by patching the other enormous security hole.

You'd think that the Long Haired Dope Smoking Unix Wizards running the email system at sun.com wouldn't just apply random security patches from "some random guy on the internet" without thinking about the implications, but they did!

https://www.ee.torontomu.ca/~elf/hack/internet-worm.html

>The Sendmail Attack:

>In the sendmail attack, the worm opens a TCP connection to another machine's sendmail (the SMTP port), invokes debug mode, and sends a RCPT TO that requests its data be piped through a shell. That data, a shell script (first-stage bootstrap) creates a temporary second-stage bootstrap file called x$$,l1.c (where '$$' is the current process ID). This is a small (40-line) C program.

>The first-stage bootstrap compiles this program with the local cc and executes it with arguments giving the Internet hostid/socket/password of where it just came from. The second-stage bootstrap (the compiled C program) sucks over two object files, x$$,vax.o and x$$,sun3.o from the attacking host. It has an array for 20 file names (presumably for 20 different machines), but only two (vax and sun) were compiled in to this code. It then figures out whether it's running under BSD or SunOS and links the appropriate file against the C library to produce an executable program called /usr/tmp/sh - so it looks like the Bourne shell to anyone who looked there.

>The Fingerd Attack:

>In the fingerd attack, it tries to infiltrate systems via a bug in fingerd, the finger daemon. Apparently this is where most of its success was (not in sendmail, as was originally reported). When fingerd is connected to, it reads its arguments from a pipe, but doesn't limit how much it reads. If it reads more than the internal 512-byte buffer allowed, it writes past the end of its stack. After the stack is a command to be executed ("/usr/ucb/finger") that actually does the work. On a VAX, the worm knew how much further from the stack it had to clobber to get to this command, which it replaced with the command "/bin/sh" (the Bourne shell). So instead of the finger command being executed, a shell was started with no arguments. Since this is run in the context of the finger daemon, stdin and stdout are connected to the network socket, and all the files were sucked over just like the shell that sendmail provided.
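An added example, not from the thread and not sendmail's code, of why the "replace the D with a null" binary patch described above turns DEBUG into a command that a blank line matches, and what a proper disable looks like. The command table, its entries and the function names are constructed stand-ins for the real sendmail dispatch.

```c
#include <stdio.h>
#include <string.h>

/* Simplified SMTP verb table standing in for sendmail's (constructed, not the real one). */
enum { CMD_UNKNOWN = 0, CMD_HELO, CMD_EXPN, CMD_DEBUG, CMD_QUIT };
struct smtpcmd { char name[8]; int code; };
static struct smtpcmd cmdtab[] = {
    { "HELO", CMD_HELO }, { "EXPN", CMD_EXPN },
    { "DEBUG", CMD_DEBUG }, { "QUIT", CMD_QUIT },
};
#define NCMDS (sizeof cmdtab / sizeof cmdtab[0])

/* Copy the verb (text before the first space or CR/LF) of an SMTP line into buf. */
static void verb_of(const char *line, char *buf, size_t len) {
    size_t i = 0;
    while (i + 1 < len && line[i] != '\0' && line[i] != ' ' &&
           line[i] != '\r' && line[i] != '\n') {
        buf[i] = line[i];
        i++;
    }
    buf[i] = '\0';
}

/* Lookup as the thread describes it: the verb is compared byte-for-byte
 * against every table entry, and "" is a perfectly good key. */
int lookup(const char *line) {
    char verb[8];
    verb_of(line, verb, sizeof verb);
    for (size_t i = 0; i < NCMDS; i++)
        if (strcmp(verb, cmdtab[i].name) == 0) return cmdtab[i].code;
    return CMD_UNKNOWN;
}

/* The hex-edit from the thread: overwrite the 'D' of "DEBUG" with NUL.
 * The entry stays in the table, now keyed by the empty string. */
void null_first_byte_patch(void) { cmdtab[2].name[0] = '\0'; }

/* Disable the verb properly: clear its dispatch code, not its name. */
void disable_debug(void) { cmdtab[2].code = CMD_UNKNOWN; }

/* Defensive lookup: never dispatch on an empty verb, so a blank line
 * (the second newline in the telnet session above) can match nothing. */
int lookup_checked(const char *line) {
    char verb[8];
    verb_of(line, verb, sizeof verb);
    return verb[0] == '\0' ? CMD_UNKNOWN : lookup(line);
}
```

After `null_first_byte_patch()`, `lookup("\r\n")` returns `CMD_DEBUG` while `lookup("DEBUG\r\n")` no longer does; `lookup_checked` and `disable_debug` each close that hole.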

girl2 11/05/2025

I remember that

shadyKeystrokes 11/04/2025

Hypothetically if the m$ cloud ecosystem got completely obliterated (including backups) would customers switch? Or is the lockin as complete as it is with the operating system customers?

temperceve 11/04/2025

I might have 10% of the internet from 1988 on my Apple Watch.