A cute worm on a keyboard

The Morris Worm

What is a worm ?

A Virus is a malware with the aims of propagating itself and attacking its host. A Worm is a type of virus with the abilities to spread and replicate itself through a network without the need of user interaction. The ability for the process to elevate its privileges is often a key element for its replication.

On the evening of November 2nd 1988, Robert Tappan Morris, a-23-year old Harvard graduate and student at Cornell University, released his "Christmas Tree Worm" (better known as the "Morris Worm") from a hacked computer of the MIT. It was the first major network Worm, which caused over 6000 computers to crash and millions in estimated damages.

A fascinating piece of code which created new IT fields and changed how we see network security.

How did the Worm spread?

While not being the first Worm ever developed, it was a surprisingly elaborated program at the time. Some of the malwares techniques it introduced are still widely used today.

The Worm took advantage of multiple flaws in some UNIX systems as attack vectors:

  • It was able to exploit the finger daemon program with a Buffer Overflow attack.
  • It could use the debug mode of the sendmail program for code execution.
  • The Worm did read DES encrypted passwords of local users in a publicly-readable system file, then ran a dictionary attack to find the passwords using common words. Once successful, it could use remote access or the trusted logins UNIX feature to gain control of other hosts on the network.

The replication mechanism

The Worm consisted of two parts: a main program, and a bootstrap program.

The main program, once installed on a machine, would first collect information on other computers in the network by reading configuration files or by running network utilities. It would then attempt to use the flaws described above to launch its bootstrap program on the remote machines, acting as a "server" from this point.

The bootstrap program was 99 lines of C code, which would be compiled on the target. When invoked it would then listen for a connection on a random port and wait to receive copies of the main files (this approach is called a portable C grappling hook). The Worm was targeting UNIX systems, but this part could run on other machines, making them victims too.

Before enabling transfer, the remote program was waiting for a "magic" number sent by the server. The "magic" number feature was like a one-time challenge-password, used to identify the connection. If the bootstrap program did not receive the correct number, or if a failure happened during the file transfer, it would immediately disconnect, delete its files and kill itself. This approach was probably an attempt to prevent spoofed server to collect the worm binary files.

There were only 3 binary files sent by the main program, but surprisingly the source code was programmed for up to 20.

The password cracking mechanism

By reading the file /etc/passwd, the Worm could access user information under the form "account:abcedfghijklm:100:5:User, Name:/usr/account:/bin/sh"

After trying the obvious case of no password defined, the first attempt was to try the following potential passwords: account, accountaccount, User, Name, user, name, and tnuocca (a significant amount of user accounts were compromised using this simple technique). If the attempt was unsuccessful, it would then try using a dictionary of 432 words, combined together in a random order, and then with upper and lower cases combinations.

All these tries were done by comparing generated DES hashes, which made the attack invisible to the host. Still, some parts were not algorithmically optimized, probably due to the fact that Robert Morris did study Lisp programming language at Harvard, hence he was used to linear search but hadn't experienced binary or hash searches on large datasets.

The bug

To avoid being detected, the Worm would fork itself on a regular basis and kill its parent. By doing this, the Worm appeared to keep changing its process identifier and no single process accumulated excessive amounts of cpu time, it's also a workaround to avoid a system decrease in scheduling priority. The whole process would also restart every 12 hours, with a flush of all entry lists.

None of the previous techniques were perfect, but they proved being efficient. The problem came from the fact that the Worm was able to reinfect the same machine. If a Worm process noticed it wasn't the only one running on the machine, it would then kill itself but only after a significant effort had been done in the password cracking process. This delay caused many processes to run in parallel and could already cause performance issues on heavily loaded machines.

But another feature was even more problematic. Trying to avoid the fact that an IT engineer could run a "fake" Worm process to make the "real" ones kill themselves, Robert Morris implemented the fact that one out of seven worms would randomly become "immortal", stop looking for other ones and run indefinitely. This ratio of around 14% proved being way too high on networks with many machines. They would quickly become overloaded and their resources or services inaccessible. Servers and computer crashed, emails couldn't be exchanged, and no one had any idea of what was happening.

This is how the Morris Worm went out of control. Its attack vectors were efficient, and its propagation rate was far too high. Even if involuntary, it was the first recorded Distributed Denial of Service attack (DDoS).

More than 6000 UNIX machines were infected and rendered useless in only few days, including Harvard, Princeton, Stanford, NASA and military systems.

The consequences

The Computer Fraud and Abuse Act, which criminalized many forms of computer hacks and attacks, was passed by the United States Congress only few years earlier in 1986.

Robert Morris was tried and sentenced to three years of probation, ordered to pay a $10,000 fine and to perform 400 hours of community service.

He claimed the program was an attempt to measure the size of the Internet. The Worm arguably didn't contain malicious code, but some people think Robert Morris was in fact trying to create a botnet (12 years before the first recorded one).

It had an ever-changing effect on the perception of security and reliability of the Internet, as it wasn't considered a moral or legal obligation for computer users to install security fix prior to that. Applying strong security measures became considered crucial from this point, and using your hacking skills to show your knowledge became legally wrong.

Robert Morris became later a successful computer scientist and entrepreneur. He is a professor at MIT since 2006 and was elected to the National Academy of Engineering in 2019.

Consult the original source code of the Worm to find more about the "magic" number, the 1/7 "immortal" rule or its other parts.

© 2020 Data Cloud Consulting Pte. Ltd. Singapore. All rights reserved.