One worm could disable the Internet

If someone were to release a worm today equivalent to the one Robert Tappan Morris Jr. unleashed on the Internet on Nov. 2, 1988, it could potentially bring about a global social and financial crisis.

The Morris worm crashed between 10 and 20 per cent of the 60,000 to 80,000 computers hooked up to the Internet. Today, an attack that disabled just 10 per cent of the hosts on the Internet would afflict more than five million machines, notes Mark Zajicek, an operations support liaison at the Computer Emergency Response Team (CERT) Coordination Center in Pittsburgh.

Even more devastating would be a worm that attacked routers, as opposed to hosts and computers, said Ira Winkler, a security expert and president of the Internet Security Advisors Group in Severna Park, Md. Each router that crashed could take 100,000 users down with it. A worm that affected those could take down the whole Internet, Winkler said.

Moreover, whereas the Morris worm interrupted communication among a relatively small group of university computer users, researchers and scientists, a denial of service of the same scale today would bring business to a standstill and disrupt the professional and personal lives of countless numbers of people. And though the 1988 outage lasted two days, a serious outage today could take much longer to repair, according to security experts.

“You didn’t have corporations relying on the ‘net for day-to-day business operations then the way you do now,” Zajicek said. “If Web sites and e-commerce sites weren’t available, there would be measurable financial effects.”

But one major difference between the Internet today and the Internet of 1988 could offer a layer of protection: the diversity of hosts, operating systems and applications, which helps minimize the rapid spread of a worm, Zajicek said.

The 1988 worm took advantage of several bugs Morris had found in source code, including unpatched holes in the sendmail and finger programs. It replicated itself at a rate much faster than even Morris himself reportedly anticipated, according to an account in Cyberpunk: Outlaws and Hackers on the Computer Frontier, by John Markoff and Katie Hafner.

Markoff, a reporter for The New York Times, played a key role in uncovering Morris’ identity. When the worm began crashing computers across the country, Morris got scared. The next day he called The Times and eventually started a dialogue with Markoff, using only the name Paul.

In one conversation, however, he accidentally referred to himself by his Internet log-on name, rtm. Using this inadvertent clue, Markoff, with the help of a colleague, discovered Morris’ name, according to Cyberpunk.

Morris never publicly stated his motivation for unleashing the worm, which constituted the first major denial-of-service attack on the Internet. He was 24 and already viewed as an expert in Unix, the operating system he exploited to create and disseminate the worm.

Friends and Foes

Morris’ friends and family maintained that he hadn’t intended the widespread harm caused by the worm. Since the worm was benign, in the sense that it wasn’t programmed to destroy data, he attracted other supporters in the Internet community.

But his actions also inspired a significant number of detractors. The government prosecuted him, and he was found guilty in his 1990 trial and sentenced to three years’ probation, a US$10,000 fine and 400 hours of community service.

The worm, and Morris’ prosecution and conviction, caught the world’s attention. Within two weeks of the attack, the Department of Defense contacted Carnegie Mellon University’s Software Engineering Institute (SEI) about creating a central organization that could respond to similar crises in the future and facilitate solutions.

The result was the formation of CERT, a job that fell into the lap of Rick Pethia, now director of the network systems survivability program at SEI (CERT is part of that program). Pethia says the need for an organization like CERT pre-existed the Morris worm.

Winkler agrees. The attack was a catalyst, although not a good catalyst, for spurring more research into the vulnerabilities on the Internet.