Edit WYSIWYGattachfile Attach PDF Raw View►More Actions▼More Actions

Restore topic to revision: You will be able to review the topic before saving it to a new revision

Copy text and form data to a new topic (no attachments will be copied though).
Name of copy:
You will be able to review the copied topic before saving

Rename/move topic... scans links in all public webs (recommended)
Rename/move topic... scans links in CBI_ComputerSecurity web only
Delete topic... scans links in all public webs (recommended)
Delete topic... scans links in CBI_ComputerSecurity web only

Revision Date Username Comment
1116 Apr 2015 - 15:49halky001?Clarifications to exploit details 
1010 Apr 2015 - 09:19ThomasMisa 
907 Apr 2015 - 15:06ThomasMisa 
807 Apr 2015 - 14:49ThomasMisa 
707 Apr 2015 - 13:33ThomasMisa 
607 Apr 2015 - 13:25ThomasMisa 
504 Mar 2015 - 12:11ThomasMisa 
404 Mar 2015 - 12:09ThomasMisaAttached file MorrisWorm_p17-spafford-1989.pdf

Attached file MorrisWorm_p678-spafford-1989.pdf 
318 Nov 2014 - 08:32ThomasMisa 
225 Feb 2014 - 10:04norqu036? 
earlier first

Render style:     Context:

 History: r11 < r10 < r9 < r8 < r7
[X] Hide this message.
Notice: On June 30, 2016, UMWiki service will be decommissioned. If you have information in UMWIki that needs to be preserved, you should make plans to move it before that date. Google Sites is anticipated to be the most popular and appropriate alternative for users because it offers a more modern and user-friendly interface and unlimited capacity. To learn more about the features of Google Sites and other alternatives, and to identify which one best fits your needs, see the University’s Website Solution Selection Guide. If you have concerns or would like help regarding this change and your options, please contact Technology Help at help@umn.edu
You are here: UMWiki>CBI_ComputerSecurity Web>Events>EventsMorrisWorm (16 Apr 2015, halky001)

Current Activitieslock Who is Who?lock People Programs Publications CSHW_2014 Systems Events Mechanisms

Morris Worm

The Morris worm was released onto the Internet the evening of November 2, 1988, causing serious damage to the network. The worm was developed and released by Robert T. Morris, Jr., a graduate student at Cornell University. The damage was estimated between $100,000 and $97 million, and Morris was subsequently convicted of violating the Federal Computer Fraud and Abuse Act of 1986 (externaltext), for which he received a fine of $10,000, a suspended three-year jail sentence, and 400 hours of community service.(1)

The primary damage caused by the worm was due to computing resource exhaustion. The worm was designed to check whether a target host was already infected so that duplicate copies were not created on the same host, but due to a flaw in the code many copies were created on each machine, causing a serious downgrade in performance as the worms used more and more computing resources. The worm caused secondary damage when system administrators began disconnecting their machines from the Internet in an effort to either avoid spreading the infection or to avoid the infection in the first place. Accordingly, the disconnection of so many systems disrupted research and business relying on network connections. In total, an estimated 6,000 installations had to either shut down or disconnect from the Internet. Some machines were disconnected for several days. As in the case of the SQL Slammer worm of 2003, the Morris worm did not cause as much damage as it might have if it contained code instructing it to delete or encrypt files on its hosts.(2)

The Morris worm exploited several weaknesses in the software of Sun Microsystems Sun 3 systems and VAX machines running 4 BSD versions of UNIX. The Morris worm infected these machines, and no others. The weaknesses included buffer overflows in fingerd, a debugging command in sendmail, and weaknesses in password encryption. Finger is a common utility to give network users information on other users, and fingerd is a daemon that runs as a background process. The worm established a connection to fingerd and then passed it a "specially constructed string of 536 bytes" that overran its buffer, overwriting the return address for the main routine. On a return from the main routine, control was transferred instead to code that had been written into the buffer in the previous step. The code that was actually executed (execve("/bin/sh", 0, 0)) resulted in the worm connecting to a remote shell via a TCP connection (on VAXs), beginning another round of infection, and a simple core dump on Sun machines. Sendmail, too, runs in the background as a daemon and normally has adequate security protections. However, the version of Sendmail available at the time could be configured to allow systems connecting to it to issue a DEBUG command that could run arbitrary shell commands on the Sendmail host, intended to allow administrators to monitor the state of sending mail messages. This useful and powerful feature was often left enabled by vendors and system administrators to facilitate troubleshooting of the highly complex and site-specific configuration required by Sendmail. The worm sent a DEBUG command to sendmail that permitted the worm to directly issue a set of system commands. The Morris worm also exploited weaknesses in the Unix password scheme at the time, which placed encrypted passwords of each and every user in a publicly accessible file.(3) Even though the encrypted passwords could not easily be decrypted themselves, attackers could compile and then encrypt lists of likely passwords from system dictionaries and other sources; these lists of encrypted passwords were then compared with the publicly accessible encrypted passwords until a match appears (user names were also publicly accessible in unencrypted form).(4) While all of the specific vulnerabilities exploited by the Morris Worm were quickly addressed, buffer overflows and remote command execution remain some of the most common vectors for computer security exploits, and although encrypted passwords are now hidden from public view, users, then and now, frequently choose short, simple, and easily guessed passwords.(5)

The Morris worm had a tremendous impact on the Internet community, mostly composed of academics and researchers at the time. The flaws in the Unix system that had allowed the worm to spread were fixed, and system administrators began to look for ways to boost security. The worm was released at about the same time that Clifford Stoll reported on his investigation of the "Cuckoo's Egg" hacker. The combination of events led the computing community to the conclusion that better organization was needed for dealing with malicious and non-malicious code flaws. One of the results was the formation of the Computer Emergency Response Team (CERT) at Carnegie Mellon University and other such centers that allowed system administrators to exchange information on problems and solutions.(6)


  • Eugene H. Spafford. "The internet worm program: an analysis." ACM SIGCOMM Computer Communication Review 19 no. 1 (January 1989): 17-57. externalDOI | attached
  • E. H. Spafford. "Crisis and Aftermath." Communications of the ACM 32 no. 6 (June 1989): 678-687. DOI | attached:
  • Katherine Fithen and Barbara Fraser. "CERT incident response and the Internet." Communications of the ACM 37 no. 8 (August 1994): 108-113. DOI


Supported by the National Science Foundation CNS--TC 1116862 "Building an Infrastructure for Computer Security History."


1 , 2 , 6 : Charles P. Pfleeger and Shari Lawrence Pfleeger, Security in Computing. 3rd Edition, New Jersey: Prentice Hall, 2003.

3 : Robert Morris and Ken Thompson, "Password Security: A Case History" Communications of the ACM 22 no. 11 (Nov. 1979): 594-97. The co-author is the father of the Robert T. Morris, Jr., who authored the Morris worm.

4 : E. H. Spafford. "The Internet Worm: Crisis and Aftermath." Communications of the ACM 32 no. 6 (June 1989): 678-687.

5 : Morris and Thompson [1979] compiled a list of 3200 passwords, of which 15 were a single ASCII character, 72 were two ASCII characters, 464 were three characters, and so on, with fully 86% of passwords in this sample falling into easily specified and hence guessable categories. In our own time, the most common password for several years running has been "123456" with such variants as "12345," "12345678," "123456789," and "1234" also remarkably popular, along with "password" and "qwerty".

Topic attachments
ISorted descending Attachment Action Size Date Who Comment
pdfpdf MorrisWorm_p17-spafford-1989.pdf manage 2395.4 K 04 Mar 2015 - 12:09 ThomasMisa Spaf on Morris worm 1
pdfpdf MorrisWorm_p678-spafford-1989.pdf manage 1134.9 K 04 Mar 2015 - 12:09 ThomasMisa Spaf on Morris worm 2
Edit |  WYSIWYG | attachfile Attach |  PDF |  History: r11 < r10 < r9 < r8 < r7 |  Backlinks |  Raw View | More topic actions
Topic revision: r11 - 16 Apr 2015 - 15:49:38 - halky001
Signed in as lewi0740 (NicLewis) | Sign out
UMWiki UMWiki
This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding UMWiki? Send feedback