Morris worm computer virus. Morris worm: what it is, how it appeared, reviews of those infected

Hamsters celebrated the anniversary of one rather unpleasant event - the Morris worm turned 20 years old, reports.

Assessing the consequences of the first major attack on the Internet, it should be noted that the Morris worm served as a dire warning to the Internet engineering community. It clearly demonstrated the serious dangers of software bugs and turned network security into an important area of research and practical development.

“A really big event has happened,” said Eric Allman. In 1981, as a student at the University of California at Berkeley, Allman developed sendmail, an open source program that handled Internet email. He currently holds the post of scientific director of Sendmail, which sells commercial versions of this program.

“The Internet was then very small and was considered a kind of interest club,” Allman explained. “After the attack carried out by Morris, it became clear that a certain part of the visitors may not come to this ‘club’ with the best intentions. We realized that we urgently need to think about security.”

Despite the clear mechanism of action of the worm and the tremendous noise that arose around it, some argue that at that time it was not immediately appreciated.

“The most interesting lesson that the Morris worm taught us was how short-lived and insignificant the findings were,” said Columbia University professor Steve Bellovin, who worked at Bell Labs in 1988 to build the first firewall. “People were able to see the threat posed by software flaws, but after that no one paid serious attention to network security issues. This continued until the mid-90s, subsequently giving rise to a lot of additional difficulties.”

This historic worm was written by Cornell University student Robert Tappan Morris, who was accused of computer fraud as a result of the incident. Today, Morris is a respected adjunct professor at the Massachusetts Institute of Technology.

Launched at approximately 6:00 pm on November 2, 1988, the worm blocked approximately 10% of systems connected to the Internet. In total, more than 60,000 computers were connected via the Internet at that time.

The Morris worm was a self-propagating program that exploited known weaknesses in a number of popular utilities, including sendmail, which was responsible for routing email, and Finger, which let you find out which users had a session open at a given moment.

The Morris worm was able to infiltrate systems running various flavors of Unix. Rapidly moving across the network, the worm spread new copies of itself, repeatedly infecting the same computers, which caused many systems to fail.

“At first we had no idea where the threat could come from,” Allman recalled. “It was quite clear that this was done on purpose, but we could not figure out who did this and why. Panic set in, which was understandable, despite the unfortunate nature of the circumstance.”

The attack disrupted the normal operation of the Internet for a long time, forcing a number of organizations, including the Pentagon, to close their Internet gateways in order to avoid further infection.

“People disconnected from the Internet because they were afraid of possible negative consequences,” Allman said. “However, disconnection from the Network disrupted the operation of the most important communication channels. That is why it took a long time to restore the status quo.”

At the time the Morris worm was spreading, commercial Internet traffic and Web sites did not yet exist. The victims were limited to government research departments, universities and a number of companies that used the network to transfer files and exchange e-mail. Nevertheless, news about the attack appeared in leading publications, in particular in The New York Times.

“The Morris worm was the reason that many people first heard about the existence of the Internet,” Bellovin said. “For most, the Web was associated with a new, strange and outlandish world ... and suddenly it turned out that just one intruder could put an end to this world. I repeat, no one, with the exception of narrow specialists in computer topics, knew practically anything about the Internet.”

For some, the appearance of the Morris worm was a career turning point. Eugene Spafford was working at the time as a senior lecturer at Purdue University. Today, Spafford is Executive Director of the Center for Education and Research in Information Assurance and Security at Purdue University. He is a recognized international authority on Internet security.

“I've been told that applied computer security research has no future,” Spafford said. “And after the appearance of the Morris worm, many people suddenly realized that computer systems had gone beyond the mainframe environment, where everything was kept under control, and now we need a completely different security model. It is necessary to offer more advanced engineering solutions.”

Previously, researchers had developed only "useful" worms, which automatically installed software updates, but no one had ever released a destructive program uncontrolled onto the network.

The Morris worm was the forerunner of other notable attacks, including the Melissa, Code Red and Slammer worms, all of which targeted systems running Microsoft software. Recently, worms have become less common than viruses and emails whose text contains links to malicious sites.

"Actually, worms are much rarer than viruses today," Allman said. “And for the average user, phishing is the biggest threat.”

“In recent years, we have not seen large-scale attacks of worms, and there are several reasons for this,” Bellovin explained. "An important role here was played by the widespread use of network address translation technology and personal firewalls, which make it difficult for modern worms to penetrate in the way that the Morris worm did."

The Morris worm anticipated distributed denial-of-service attacks, which attackers use to overload systems and knock them off the Internet.

“Such a large-scale and single-stage infection has never been recorded before,” Spafford said. “In fact, it was the first denial of service attack that attracted the attention of people associated with computing. In addition, this was the first event that affected the platforms of several manufacturers at once. Sun and BSD Unix systems were attacked at the same time, which is a rarity. As a rule, only one platform is the target of attacks.”

Spafford compared the spread of the Morris worm to today's botnets - networks that connect a large number of infected computers, using them to send spam or organize distributed DoS attacks.

“Software turns systems into zombies, and those slowly spreading worms fill the ranks of botnets,” Spafford explained. “These systems do not cause a denial of service, but slowly seep further, automatically forwarding their code to other machines. Botnets already control literally millions of machines: according to some estimates, their number reaches 100 million.”

The Morris worm immediately cut off a fairly large segment of the Internet. Its appearance was a very notable event. In contrast, today's attacks on the Internet are directed against individual systems, and their authors try to remain unnoticed. Whereas curious students once hacked into systems to boost their own self-esteem, modern viruses are increasingly criminal in nature and mask their presence in every possible way.

“Today, attacks on the Internet are aimed at making a profit, and shutting down certain segments of the Web does not bring any profit,” Bellovin explained. "Initiating new attacks, sophisticated attackers are very cautious."

The Morris worm, although it caused much less damage compared to its followers, remained in the memory of the computer community for a long time.

“The Morris worm actually marked the beginning of the official development of computer security,” Allman said. “Prior to this, very few specialists dealt with security issues; besides, they were mainly interested in the topic of encryption. The concept of computer security was not really singled out as a separate area of research until after the appearance of the famous worm.”

The worm was named the Morris worm after its author, Robert T. Morris, a graduate student in the computing faculty at Cornell University. Hackers also called it the "Great Worm".

The epidemic affected about six thousand ARPANET nodes. The best computer security specialists of the time were brought in from all over the country to neutralize the consequences of the virus. Analysis of the disassembled code of the program did not reveal any logic bombs or any destructive functions.

Worm action

Contrary to its creator's calculations, the worm literally flooded the entire ARPANET with traffic.

Morris himself well concealed the code of the program, and hardly anyone could prove his involvement. However, his father, a computer expert for the National Security Agency, felt that it was better for his son to confess everything.

At trial, Robert Morris faced up to five years in prison and a fine of $250,000. However, taking into account extenuating circumstances, the court sentenced him to three years of probation, $10,000 in fines and 400 hours of community service.

The epidemic has shown how dangerous it is to trust computer networks implicitly. Subsequently, new tougher computer security standards were developed regarding the security of program code, the administration of network nodes, and the choice of secure passwords.

Wikimedia Foundation. 2010.

The floppy disk containing the source code for the Morris worm is in the Boston Museum of Science. Photo: Intel Free Press

You can watch a video on YouTube about how they talked about the worm on TV news. And we will talk a little about the technical side of things.

So Cornell University student Robert Tappan Morris decided, he says, to estimate the size of the Internet. He approached this thoroughly - he wrote a complex program that can independently spread over the Web and prevent attempts to stop it. It's easy to see that this functionality clearly falls under . The Morris worm did not cause any harm to the system, but a bug in the program caused many computers to run the worm dozens of times, which overloaded the server, making it essentially inoperable. Sounds like DDoS, doesn't it?

How did the worm spread over the Internet? Nothing has changed in the past 25 years: vulnerabilities were exploited for this. In the case of the Morris worm, three. First, vulnerabilities in the implementation of Finger and Sendmail on popular UNIX systems of the time made it possible to run arbitrary code on a remote computer. Secondly, if these options did not work, the worm tried to connect to the rsh remote administration console. True, this requires a password, but the worm guessed it. It is quite impressive that a large percentage of passwords was guessed successfully with a dictionary of only 400 words, plus a few obvious options, such as a password that matches the username or is made up of the same letters in reverse order. Even today, few think about the need, and even 25 years ago, even system administrators did not really care about this.

The worm was not programmed for malicious actions, but due to a bug it overloaded computers with work.

Having penetrated the computer, the worm changed the name of its process, deleted temporary files, and took a number of other measures to prevent its detection; in particular, it encrypted its data in memory. When launched on a new computer, the worm checked to see if the computer was already infected. When two copies were found on the computer, they "played dice", and one self-destructed. Whether because of a mistake by Morris, or to insure against the creation of a simple "vaccine" based on this effect, in one case out of seven the new copy skipped the "survival" game and continued to work under any conditions. It was this decision that led to the DDoS effect: the 1/7 ratio turned out to be too high, and many computers were re-infected dozens of times.
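The effect of the one-in-seven rule can be seen in a small population model, added here as an illustration and not taken from the worm's code. It only counts copies per host and contains no networking; the function names, host count, number of ticks and attempts per copy are assumptions chosen for the example.

```python
import random


def simulate(hosts, ticks, attempts_per_copy, keep_ratio, seed=1988):
    """Abstract model of the re-infection rule described above.

    Each running copy makes `attempts_per_copy` infection attempts per tick
    against random hosts. A clean host always gains one copy. On an already
    infected host the newcomer and the resident "play dice" and one exits,
    except that with probability `keep_ratio` the newcomer skips the game
    and stays. Returns (copies per host, total copies after each tick).
    """
    rng = random.Random(seed)      # seeded so the run is repeatable
    copies = [0] * hosts
    copies[0] = 1                  # a single copy on a single host at the start
    history = []
    for _ in range(ticks):
        attempts = sum(copies) * attempts_per_copy
        for _ in range(attempts):
            target = rng.randrange(hosts)
            if copies[target] == 0:
                copies[target] = 1             # first infection of this host
            elif rng.random() < keep_ratio:
                copies[target] += 1            # newcomer skipped the check
            # otherwise one of the two copies exits: the count is unchanged
        history.append(sum(copies))
    return copies, history


def compare(hosts=50, ticks=12, attempts_per_copy=2):
    """Run the model with a strict check and with the 1/7 exception."""
    results = {}
    for label, ratio in (("always check", 0.0), ("1 in 7 skips", 1 / 7)):
        copies, history = simulate(hosts, ticks, attempts_per_copy, ratio)
        results[label] = {
            "total": history[-1],        # copies running across all hosts
            "worst_host": max(copies),   # copies piled up on the busiest host
            "history": history,
        }
    return results


if __name__ == "__main__":
    for label, r in compare().items():
        print(f"{label:>13}: total={r['total']:4d} "
              f"worst host={r['worst_host']:3d} per tick={r['history']}")
```

With a strict check the total levels off at one copy per host; with the 1/7 exception it keeps multiplying after every host is already infected, which is the load the paragraph describes.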

The very concept of a network worm turned out to be completely new for system administrators, and working groups of programmers and administrators at MIT and Berkeley had to be hastily created to deal with the threat. Even so, in just two days the "loopholes" through which the worm penetrated systems were identified and blocked, and the infection code was completely disassembled. In general, the worm was finished. Despite this, according to various estimates, from 100,000 to 10 million dollars were spent to eliminate the consequences of infection.

Interestingly, the secrecy measures taken by Morris could have helped him remain anonymous. But the father, also Robert Morris, stepped in. A co-author of the UNIX operating system and research director of the National Computer Security Center at the NSA, he convinced his son to confess everything. The court, held in 1991, took this fact into account and gave Morris a rather lenient sentence: 3 years probation, a fine of 10 thousand dollars and 400 hours of community service. The lesson, by the way, went to Morris Jr.'s benefit: he became a highly respected member of the computer community. His successes include creating one of the first Internet commerce platforms, Viaweb (later sold to Yahoo! and renamed the Yahoo Store), creating the startup incubator Y Combinator, working on new programming languages and a professorship at MIT.

That is the name given to the first network virus to cause a real epidemic. It was written by Robert Morris, then a 22-year-old graduate student at Cornell University. The Morris Worm is also called the Great Worm. It was the first, and it was indicative. That is why the floppy disk with the source code of this virus is stored under glass in the Museum of Science in Boston.

Morris, being a graduate student at that moment, apparently decided to conduct a small experiment. At that time, in 1988, when the Internet as such did not exist, the World Wide Web was represented by the Arpanet network. Arpanet, the prototype of the Internet, was created by the US government and was used primarily by the military and scientists. How did this student get into a network that was used by a very small and privileged percentage of the population? Apparently, as always, through connections. The gifted child's father was a National Security Agency computer expert.

So, this same student launched the fruits of his experiments into this network: the Morris worm. It was not yet called the Morris worm at the time, though; fame came a few days later. What did this virus do? You can answer this question from two perspectives: on behalf of the author and on behalf of the rest of the digital world.

The Morris worm from its author's point of view

Robert Morris created a worm that, using previously known bugs in the security of various systems, copied the body of its virus to new computers. It simply had to spread to computers connected to the Arpanet network. Before infecting, it had to check for the presence of this virus on the computer, and infect only if it was not there. If the virus was already on the computer, then the virus was overwritten only at some frequency, which was quite large. That is, even if the body of the virus is already on the computer, it can overwrite it in some cases. The virus also guessed passwords from a list that contained only 481 (!) options.

The Morris worm from the public's point of view

The public will describe the virus in exactly the same way as Robert Morris. The only difference is that the frequency with which the Morris worm overwrote itself was very, very small. Later, Robert will say that this happened by chance and due to his mistake the frequency turned out to be very small.

What did the Morris worm do?

"Thanks" to the small frequency of rewriting the virus, the virus spread very quickly on the network. The Morris worm overwrote itself with every sound, and the number of processes in the computer grew rapidly. The more copies of the virus there were, the faster the virus spread, approximately as a geometric progression. In this way, this experiment, which was just supposed to test its performance, simply clogged up all the computing power of the infected computers and the network itself. Once Robert Morris realized his mistake, he tried through a friend to anonymously describe the virus and offer protection against it. As they say, ironically, or to be more precise, thanks to his own virus, his letter simply did not reach the addressee, since the entire network simply stood still. If you want to know from your own experience what it is like to score RAM your computer.

Morris Worm: Results

Given all the extenuating circumstances, Morris was not seriously punished: a suspended sentence, a fine and community service.

But what good has the Morris worm given us? First, the worm showed that Unix systems are also vulnerable to . Second, Morris exploited well-known problems in system security. And this is a good push to ensure that all patches come out on time and that all computers update their software on time. That is why it is dangerous to use Thirdly, Morris used a list with only 481 (!) password options. Why so few? Because at that time, there were no recommendations on the complexity and length of the password, or in other words. Most people used the most common passwords, or their names. And for such purposes, half a thousand options are enough.

So be careful. Install the latest updates on time and use only complex passwords.

The Morris Worm, or Great Worm, is one of the first network worms in the world to spread in the wild. It was registered in 1988, that is, back in the ARPANET era.

ARPANET included a relatively small number of computers, and the infection of more than 6,000 nodes caused significant damage.

The Morris worm was named after its creator, Robert Morris, a graduate student at Cornell University. Initially, the worm was created to explore the network, but due to a logical error in the code, the performance of computers dropped dramatically, up to failure.

To penetrate the attacked computer, the program used the password guessing method. In the late 80s, the attitude to computer security was much simpler and a dictionary of only 400 passwords made it possible to successfully attack a fairly large number of machines.

Another method of penetrating the attacked computer was to exploit errors in system programs, which made it possible to infect a remote machine without guessing passwords.

Since the program was created as a scientific experiment, there was no malicious payload in the program code. However, to protect against deletion and against a system administrator creating counterfeit copies, the program created copies of itself. Due to a logical error, the program created copies of itself too often, which led to the crash of infected computers.

It is believed that in the program code there was no data pointing to the creator. However, at the insistence of his father, an NSA expert, Robert Morris voluntarily surrendered to the authorities.
