Computer virus Morris worm. Morris Worm Virus: What It Is

The worm was named the Morris worm after its author (Robert T. Morris, a graduate student in the Department of Computer Science at Cornell University). Hackers called it "the great worm."

The epidemic affected about 6,000 ARPANET nodes. The best computer security specialists of that time were invited from all over the country to neutralize the consequences of the malicious action of the virus. Analysis of the disassembled program code did not reveal any logic bombs or any destructive functions.

Worm action

The worm, contrary to its creator's calculations, literally flooded all ARPANET network traffic.

Morris himself had concealed the program code well, and hardly anyone could have proved his involvement. However, his father, a computer expert at the National Security Agency, felt that it was better for his son to confess everything.

At the trial, Robert Morris faced up to five years in prison and a fine of $250,000. Taking mitigating circumstances into account, however, the court sentenced him to three years' probation, a $10,000 fine and 400 hours of community service.

The epidemic has shown how dangerous it is to unconditionally trust computer networks. Subsequently, new toughened standards of computer security were developed concerning the security of program code, administration of network nodes and the choice of secure passwords.

Wikimedia Foundation. 2010.

A diskette containing the source code of the Morris worm is kept in the Boston Science Museum. Photo: Intel Free press

You can watch the video on YouTube about how they talked about the worm on the TV news. And we will tell you a little about the technical side of the matter.

So Cornell University student Robert Tappan Morris decided, by his own account, to estimate the size of the Internet. He approached the task thoroughly: he wrote a complex program capable of spreading across the network on its own and of resisting attempts to stop it. It's easy to see that this functionality clearly falls under. The Morris worm did not cause any damage to the system, but a bug in the program caused many computers to launch the worm dozens of times, overloading the server and effectively rendering it unusable. Sounds like DDoS, doesn't it?

How did the worm spread over the Internet? Nothing has changed in the past 25 years: vulnerabilities were used for this. In the case of the Morris worm, three. First, vulnerabilities in the Finger and Sendmail implementations in popular UNIX systems of the time allowed arbitrary code to run on a remote computer. Second, if these options failed, the worm tried to connect to rsh, the remote administration console. True, this requires a password, but the worm guessed it. It is quite impressive that a large percentage of passwords were guessed successfully with a dictionary of just 400 words plus a few obvious choices, such as a password that matches the username or consists of the same letters in reverse order. Few think about the need today, and 25 years ago even system administrators did not really care about it.
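The guesses described above (a short word list, the username itself, the username reversed) are cheap to reject when a password is set. The following check is an added example, not code from the original article; the function names, the word list and the accounts are constructed for illustration, and folding case is a stricter assumption than the text states.

```python
"""Password-change check against the three kinds of guess named in the text."""

# Constructed stand-in for the small dictionary; the 400-word list itself
# is not reproduced on this page.
SAMPLE_WORDLIST = {"password", "wizard", "summer", "computer", "secret"}


def weak_reason(username, candidate, wordlist=SAMPLE_WORDLIST):
    """Return why `candidate` would fall to those guesses, or None if it would not."""
    user = username.strip().lower()
    pw = candidate.lower()          # assumption: compare case-insensitively
    if pw == user:
        return "same as username"
    if pw == user[::-1]:
        return "username reversed"
    if pw in wordlist:
        return "dictionary word"
    return None


def audit(accounts, wordlist=SAMPLE_WORDLIST):
    """Map each flagged username to the reason; `accounts` yields (user, password)."""
    findings = {}
    for user, pw in accounts:
        reason = weak_reason(user, pw, wordlist)
        if reason:
            findings[user] = reason
    return findings


def exposure(accounts, wordlist=SAMPLE_WORDLIST):
    """Fraction of accounts that the short guess list would open."""
    accounts = list(accounts)
    if not accounts:
        return 0.0
    return len(audit(accounts, wordlist)) / len(accounts)


# Constructed sample accounts (not real data).
SAMPLE_ACCOUNTS = [
    ("alice", "alice"),
    ("bob", "bob"),            # palindrome: reported as "same as username"
    ("carol", "lorac"),
    ("dave", "Wizard"),
    ("erin", "t7#Lq9!vRz"),
    ("frank", "knarf2"),       # reversed name plus a digit is not on the list
]

if __name__ == "__main__":
    for user, reason in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {reason}")
    print(f"exposed: {exposure(SAMPLE_ACCOUNTS):.0%}")
```

The check is meant to run where the cleartext candidate is available, that is, at password-change time.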

The worm was not programmed for malicious actions, but due to an error it overloaded computers with work.

Having penetrated a computer, the worm changed the name of its process, deleted temporary files, and took a number of other measures to avoid detection; in particular, it encrypted its data in memory. On launching on a new computer, the worm checked whether the computer was already infected. When two copies were found on one computer, they rolled dice, and one self-destructed. Either because of Morris's mistake, or to hedge against the creation of a simple "vaccine" based on this effect, in one case out of seven the new copy stopped playing "survival" and continued to work under any conditions. It was this decision that led to the DDoS effect: the 1/7 ratio was too high, and many computers were reinfected dozens of times.
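Why a 1/7 ratio overloads a host can be seen in a small load model. This is an added example, not code from the original article or from the worm; it is a simplified model in which every copy that skips the check stays resident and all copies that do take part reduce to a single survivor. The function names and the arrival counts are assumptions.

```python
"""Simplified model of the 'one in seven' reinfection check described above."""
import random


def copies_after(arrivals, skip_prob, rng):
    """Count resident copies on one host after `arrivals` new copies show up."""
    persistent = 0   # copies that skipped the check and keep running
    checking = 0     # 0 or 1: copies that take part in the check
    for _ in range(arrivals):
        if rng.random() < skip_prob:
            persistent += 1
        else:
            # Checking copies settle it by chance; whichever one exits,
            # exactly one checking copy is left on the host.
            checking = 1
    return persistent + checking


def expected_copies(arrivals, skip_prob):
    """Closed form for the same model: n*p skipped copies plus one survivor."""
    none_checked = skip_prob ** arrivals
    return arrivals * skip_prob + (1 - none_checked)


def mean_copies(arrivals, skip_prob, trials=2000, seed=1988):
    """Average of the simulation over `trials` hosts, with a fixed seed."""
    rng = random.Random(seed)
    total = sum(copies_after(arrivals, skip_prob, rng) for _ in range(trials))
    return total / trials


if __name__ == "__main__":
    # skip_prob 0 is the "always check" design; 1/7 is the ratio from the text.
    for p in (0.0, 1 / 7, 1 / 100):
        for n in (7, 70, 700):
            print(f"skip={p:.3f} arrivals={n:4d} "
                  f"model={expected_copies(n, p):7.2f} "
                  f"simulated={mean_copies(n, p):7.2f}")
```

With the check always honoured the host carries one copy no matter how often it is hit; at 1/7 the load grows linearly with the number of arrivals.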

Although the very concept of a network worm was completely new to system administrators, and working groups of programmers and administrators had to be hastily formed at MIT and Berkeley to deal with the threat, within literally two days the "loopholes" through which the worm entered systems were identified and closed, and the infection code was completely disassembled. In general, the worm was over. Despite this, according to various estimates, from 100 thousand to 10 million dollars were spent on eliminating the consequences of the infection.

Interestingly, the concealment measures taken by Morris could have helped him remain anonymous. But his father, also Robert Morris, stepped in. The co-author of the UNIX operating system and director of research at the NSA's National Center for Computer Security convinced his son to confess everything. The court, which sat in 1991, took this fact into account and gave Morris a rather lenient sentence: 3 years probation, a fine of 10 thousand dollars and 400 hours of community service. The lesson, incidentally, did Morris Jr. good: he became a highly respected member of the computer community. His successes include the creation of one of the first e-commerce platforms, Viaweb (later sold to Yahoo! and renamed the Yahoo Store), the creation of the Y Combinator startup farm, work on new programming languages, and a professorship at MIT.

In 1988, the first massive network worm was created by Robert Morris Jr. The 60,000-byte program was designed to defeat UNIX Berkeley 4.3 operating systems. The virus was originally designed to be harmless and was intended only to secretly penetrate the computing systems connected by the ARPANET network and remain undetected there. The virus program included components that made it possible to reveal passwords on the infected system, which in turn allowed the program to disguise itself as a task of the system's legitimate users while in fact replicating and sending out copies. The virus did not remain hidden and completely safe, as the author intended, because of minor mistakes made during development, which led to its rapid, uncontrolled self-propagation.

According to the most conservative estimates, the Morris worm incident cost more than 8 million hours of lost access and over a million hours of direct loss of recovery time. The total cost is estimated at $96 million (this amount, not entirely justifiably, also includes the costs of improving the operating system). The damage would have been much greater if the virus had originally been created for destructive purposes.

The Morris worm infected over 6,200 computers. As a result of the virus attack, most networks were out of order for up to five days. Computers that performed switching functions, acted as file servers, or performed other network support functions also failed.

On May 4, 1990, a jury found Morris guilty. He was sentenced to a suspended sentence of two years, 400 hours of community service and a $10,000 fine.

DATACRIME and AIDS

In 1989, the DATACRIME viruses became widespread; they destroyed the file system from October 12 onward and until that date simply multiplied. This series of computer viruses began to spread in the Netherlands, the USA and Japan in early 1989, and by September it had infected about 100,000 PCs in the Netherlands alone (which was about 10% of the total in the country). Even IBM responded to this threat by releasing its VIRSCAN detector, which searches the file system for strings (signatures) characteristic of a particular virus. The set of signatures could be supplemented and changed by the user.

In 1989, the first Trojan horse, AIDS, appeared. The virus made all information on the hard drive inaccessible and displayed only one message on the screen: "Send a check for $189 to such and such an address." The author of the program was arrested when the check was cashed and was convicted of extortion.

The first virus designed to counteract anti-virus software, The Dark Avenger, was also created. It infected new files while the antivirus program scanned the computer's hard drive.

America was shocked when on November 2, 1988, at about eight o'clock in the morning, almost all computers in America that had access to the Internet, as they say, "froze." At first this was attributed to power system failures. But then, as the epidemic caused by the Morris worm unfolded, it became clear that the terminals had been attacked by a program unknown at that time, containing code that could not be decrypted by the available means. Not surprising! At that time, computers connected to the Internet numbered only tens of thousands (approximately 65,000 terminals) and were mostly found in government or local government circles.

Morris Worm Virus: What Is It?

This type of program was the first of its kind. It became the ancestor of all other programs of this type, which today differ quite strongly from their progenitor.

Robert Morris created his "worm" without even knowing how popular it would become and what harm it could do to the economy. In general, it is believed that it was, as they say now, a purely sporting interest. But in fact, its introduction into the then global network, ARPANET, to which, by the way, both government and military organizations were connected, caused a shock from which America could not recover for a long time. According to preliminary estimates, the Morris Worm computer virus caused damage of about 96.5 million US dollars (and this is only the amount known from official sources). The amount above is the official one. And what is not taken into account is probably not subject to disclosure.

The creator of the computer virus "Morris Worm" Robert Morris: some facts from the biography

The question immediately arises as to who this genius-programmer was, who managed to paralyze the computer system of the North American continent for several days.

The same respected resource, Wikipedia, indicates that at one time a Robert T. Morris (coincidence or not?) was a graduate student in the Department of Computer Science at Cornell University.

The history of the creation and appearance of the virus

It is believed that the virus did not initially contain any threat. Fred Cohen studied The Morris Worm based on his findings about malicious code and found an interesting feature in it. It turned out that this is not malware at all.

The Morris worm (although it is now considered a Pentagon-sponsored virus) was originally created as a vulnerability testing tool for intranet-based systems (unsurprisingly, ARPANET users were the first to suffer).

How a virus affects a computer system

Robert Morris himself (the creator of the virus) in every possible way denies the consequences inflicted by his "brainchild" on the United States, claiming that the distribution over the network was provoked by an error in the code of the program itself. Considering that he received his education at the university, especially at the Faculty of Informatics, it is difficult to agree with this.

So, the so-called "Morris worm" was originally focused on intercepting communications between large organizations (including government and military). The essence of the impact was to replace the original text of the letter, which was then sent on the ARPANET network, with the removal of headers and endings in the Sendmail debug mode or when the network fingerd service buffer overflowed. The first part in the new letter contained code compiled on a remote terminal, and the third consisted of the same binary code, but adapted for different computer systems.

In addition, a specialized tool was used that made it possible to brute-force logins and passwords using remote access to execute programs (rexec), as well as calling a remote interpreter (rsh), which at the command level used the so-called "trust mechanism" (now it is more associated with certificates).

Propagation speed

As it turns out, the creator of the virus was not at all stupid. He immediately realized that the longer the code, the longer the virus takes to penetrate the system. That is why the well-known "Morris Worm" contains the minimum binary (but compiled) combination.

This produced the boom about which state intelligence services now, for some reason, prefer to stay silent, even though the threat from self-copying spread almost exponentially (each copy of the virus was able to create two or more copies of itself).

Damage

Nobody, however, thinks about how much damage can be done to the security system itself. The problem here, rather, is what the Morris Worm computer virus itself is. The fact is that initially, when it penetrated the user terminal, the virus had to determine whether a copy of it was already present in the system. If there was one, the virus would leave the machine alone. Otherwise, it infiltrated the system and created its own clone at all levels of use and management. This applied to the operating system as a whole, to installed user programs, and to applications or applets.

The official figure cited by the US Department of approximately $96-98 million in damage is clearly an underestimate. If you look only at the first three days, it was already about 94.6 million. Over the following days the amount did not grow as much, but ordinary users suffered (the official press and the US Department are silent about this). Of course, at that time the number of computers connected to the global web was about 65 thousand in the United States alone, but almost every fourth terminal was affected.

Effects

It is not hard to guess that the essence of the impact is to completely deprive the system of working capacity at the level of resource consumption. For the most part, this applies to network connections.

In the simplest case, a virus creates its own copies and initiates the launch of processes masquerading as system services (now even those launched as an administrator in the list of processes in the "Task Manager"). And it is not always possible to remove threats from this particular list. Therefore, when terminating the processes associated with the system and the user, you need to proceed with extreme caution.

What about Morris?

The Morris Worm and its creator are doing pretty well at the moment. The virus itself was successfully isolated by the efforts of the same anti-virus laboratories, since they have the source code on which the applet is written.

Morris announced the release of the Lisp-based Arc language in 2008, and in 2010 he was nominated for and awarded the Weiser Award.

By the way, another interesting fact is that the public prosecutor Mark Rasch admitted that the virus disabled many computers by forced shutdown, but still did not intentionally damage the data of users of any level, since it was originally not a destructive program but an attempt to check the possibility of interference with the internal structure of existing systems. Although the attacker (who voluntarily surrendered to the authorities) initially faced imprisonment for up to five years and a $250,000 fine, he got off with three years probation, a $10,000 fine and 400 hours of community service. As many lawyers of that (and, by the way, the present) time considered, this is nonsense.

Several results

Of course, today there is no point in fearing such a threat that the Morris Virus posed in the early days of computer technology.

But here's what's interesting. It is believed that it is mostly Windows operating systems that are affected by malicious code. And then it suddenly turns out that the virus body was originally developed for UNIX systems. What does this mean? Only that it is time for the owners of Linux and Mac OS, which are fundamentally based on the UNIX platform, to prepare means of protection (although it is believed that viruses do not affect these operating systems at all, in the sense that none were written for them). Here many Mac users and Linux fans are deeply mistaken.

As it turns out, even on mobile platforms running iOS, some threats (including the Morris Worm) have begun to show activity. First it is advertising, then unnecessary software, then ... a system crash. Then you can't help but think. But at the origin of all this was a graduate student who made a mistake in his own tester program, which led to the emergence of what is now commonly called computer worms. And their principles of affecting systems, as you know, are somewhat different.

In a sense, such viruses become spyware, which not only loads the system but also steals passwords for accessing sites, logins, PIN codes of credit or debit cards, and God knows what else that an ordinary user may not even guess. In general, the impact of this virus and others like it at this stage in the development of computer technologies is fraught with rather serious consequences, despite even the most modern methods of protection. And it is in relation to computer worms that you should be as vigilant as possible.

Such is this entertaining and extraordinary story, which will not be forgotten for a long time. Have an interesting and safe time on the Internet, without data theft, system overloading and any spies like the "Morris worm"!

Only a few days later, experts managed to identify the source of the problem. It was the world's first computer worm of its kind, and it celebrates its 25th anniversary on Saturday.

As it turned out, the creator of the worm was not a Soviet cyber criminal at all. It turned out to be a 23-year-old student who made several important coding mistakes. His name is Robert Tappan Morris. The aspiring genius launched something that he could not control, which attracted a lot of attention.


"In the early morning of November 3rd - really early - I tried to log in to check my email, but I failed," says Gene Spafford, professor of computer science at Purdue University and one of the few experts who set about analyzing and dismantling the worm within hours of its launch. "Then I logged into the system to determine what was wrong with the server and in doing so I found problems with the software."

The problems that occurred were, of course, the consequences of the invasion of the Morris worm. Its unrestrained self-reproduction led to the collapse of the computer system. It all happened quickly. The virus infiltrated computers in laboratories, schools and government offices across the country.

In response to the emergency, Spaf promptly created two separate mailing lists: one local (for administrators and educators) and another called the Phage List for those dealing with hacking information. The Phage List became a vital resource through which Internet users could understand the worm, stay updated on the latest news, and discuss broader security issues.

One day a message came from an anonymous source. The message said "I'm sorry." It also listed ways to prevent further spread of the worm. The source was a friend of Morris at Harvard University named Andy Sudduth, through whom the "hacker" decided to turn himself in.

Internet in 1988

"The Internet was very free at the time. Security was not a major concern," says Mikko Hypponen, chief scientist at the Finnish antivirus company F-Secure.

In 1988, the total number of computers connected to the Internet ranged from 65,000 to 70,000. Although the Internet was about 15 years old at the time, it was used primarily by academics, the military, and government.

"I will not say that we trusted everyone, but in general, no one played dirty tricks or did any harm," says Spaf. "We lived in an area where there were a lot of people, but you could leave your doors open without fear of arsonists."

Administrators believed that the flaws in security practices were largely in line with the nature of the Internet community at that point in time. Morris's work quickly took advantage of this vulnerability.

Computer worm

The economic losses caused by the worm varied depending on the location and depth of infection. The University of California, Berkeley estimates that it took 20 days of work to clear the facility of the virus. During the hearing against Morris, the judge read out: "The estimated cost of antivirus work on each installation ranges from $200 to over $53,000."

By some estimates, the total cost of damage from the Morris worm was between $250,000 and $96 million.

"All people knew at the time was that computers were shutting down," says Mark Rasch, federal prosecutor in the trial against Morris in the United States. "A certain degree of panic and confusion has arisen due to the nature of how the worm spreads."

Although the virus was complex, pervasive and highly destructive, it was not programmed to destroy or remove anything, and it did not. All of its destructive power is associated with its rapid self-reproduction. Because of its creator's mistake, it copied itself, and the faster it did so, the slower and more erratically the network worked, and the machine hung. Less than 90 minutes after infection, the worm rendered the infected system unusable.

"The software was written for distribution. I don't think he intended to cause damage. It was most likely accidental or unintentional," says Spafford.

According to most, Morris did not expect the worm to replicate and spread as quickly. Due to a coding error, the virus infected computers much faster and more publicly than it was most likely intended. It looks like Morris made a "colossal" mistake.

Image: Flickr, Intel Free Press

The Defense Ministry suspected the Russians in the attack.
"In truth, reactions to this attack ranged from mild annoyance to speculation about the end of the world," Rasch says. "There were also those who thought that this was a prelude to world war, believed that this was an attempt on the part of the Soviet Union to start a cyber war and launch nuclear weapons."

Virus Writer Motivation

If the worm was not targeted to damage or steal, what prompted Morris? Some believe he wanted to draw attention to security flaws. This is also the opinion of Spafford.

"But the shortcomings that were in this, he could have noted in other ways," he says. "I would never buy into the idea that you have to burn a building down to show that it is flammable."

According to Rasch, the Justice Department at the time had no motive it could agree on other than "because it can be done".

"It was driven in part by curiosity and perhaps a certain amount of arrogance," says Spaf, who admits that you can never be sure of a motive. "He has been silent about all of this for the past 25 years. By the way, he began to live his life and made a very good career."

Morris eventually confessed to creating the worm. His trial was the first federal computer crime case.

Court

Morris was found guilty of computer fraud and abuse. He was sentenced to 400 hours of community service, fined $10,050 and given a suspended sentence of three years. Many, including Spafford, felt that his felony was condemned too harshly.

"I never agreed that it was a crime. I think the definition of 'misconduct' would be much more appropriate," he says. "A lot of it was unintentional."

The debate over whether it was a criminal offense or an administrative offense was fierce. Morris began his testimony by saying: "I did it and I'm sorry."

The act, Rasch says, clearly fell under the definition of a crime. But the general consensus on all sides was that Morris was not a criminal. He was someone who had committed a crime.

Result

A year later, Spafford secured a presidential pardon for Morris. The latter’s behavior and the changing nature of computer crime have convinced many that Morris’s crime was not all that serious.
