How did the Morris Worm Work?
The Morris Worm, also known as the Great Worm, was one of the first major computer worms to make a significant impact on the internet. It was released in November 1988 by Robert Tappan Morris, a Cornell University graduate student. The Morris Worm exploited several security vulnerabilities in Unix systems and became a catalyst for the development of cybersecurity as a field. In this article, we will delve into the inner workings of the Morris Worm and understand how it managed to spread so rapidly across the internet.
The Morris Worm was designed to exploit a combination of four different types of vulnerabilities in Unix systems. These vulnerabilities included:
1. The fingerd daemon: This daemon was used to display information about users on a system. The Morris Worm exploited a buffer overflow vulnerability in fingerd to execute arbitrary code on the affected system.
2. The sendmail mailer: The Morris Worm exploited a buffer overflow vulnerability in sendmail, a widely used mail transfer agent, to execute arbitrary code on the affected system.
3. The rsh and rlogin services: These services were used for remote login to Unix systems. The Morris Worm exploited a vulnerability in these services to gain unauthorized access to systems.
4. The fingerd daemon on certain systems: The Morris Worm exploited a buffer overflow vulnerability in fingerd on certain systems to execute arbitrary code.
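The buffer overflows listed above all belong to one class of bug: a network request is read into a fixed-size buffer with no length check. The following C sketch is an added example, not code from the original article or from any of the daemons named; it shows that pattern next to a bounded replacement. The names `read_request`, `check_request` and `REQ_MAX` and the 512-byte size are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define REQ_MAX 512 /* buffer size chosen for this example */

/* Unsafe pattern, kept as a comment (gets() was removed in C11):
 *     char line[REQ_MAX];
 *     gets(line);  // copies until newline, whatever the size of line[]
 */

/* Bounded read. Returns the request length, -1 on EOF/error, or
 * -2 if the line did not fit (tail drained, request refused). */
int read_request(FILE *in, char *buf, size_t size)
{
    size_t len;
    int c;
    if (size < 2 || fgets(buf, (int)size, in) == NULL)
        return -1;
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
        if (len > 0 && buf[len - 1] == '\r')
            buf[--len] = '\0';          /* accept CRLF line endings */
        return (int)len;
    }
    c = getc(in);
    if (c == EOF)                       /* unterminated last line that fit */
        return (int)len;
    while (c != EOF && c != '\n')       /* drop the tail so it is not parsed later */
        c = getc(in);
    buf[0] = '\0';
    return -2;
}

/* Feeds a constructed wire string through read_request() via a temp file. */
int check_request(const char *wire, char *out, size_t size)
{
    FILE *f = tmpfile();
    int rc;
    if (f == NULL)
        return -1;
    fputs(wire, f);
    rewind(f);
    rc = read_request(f, out, size);
    fclose(f);
    return rc;
}
```

A caller should treat a return of -2 as a malformed request and close the connection instead of processing a truncated line.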
Once the worm exploited one of these vulnerabilities, it would create a backdoor on the affected system, allowing it to send out copies of itself to other machines. The worm used a variety of techniques to spread, including:
1. Scanning the internet for vulnerable systems: The Morris Worm used a simple network scanning technique to identify vulnerable systems. It would send out packets to IP addresses and look for responses indicating that a system was running a vulnerable service.
2. Exploiting the identified vulnerabilities: Once a vulnerable system was identified, the Morris Worm would exploit the appropriate vulnerability to gain access to the system.
3. Spreading to other systems: After gaining access to a system, the Morris Worm would create a backdoor and send out copies of itself to other systems, using the same scanning and exploitation techniques.
The Morris Worm was also capable of propagating through email. It would send emails to users’ contacts, tricking them into executing the worm, which would then spread to other systems.
The Morris Worm caused widespread damage, infecting an estimated 60,000 machines within a few days. It disrupted email services, caused network congestion, and led to the development of better security measures to protect against such threats. The incident highlighted the need for robust cybersecurity practices and led to the establishment of the field of cybersecurity as we know it today.