The Morris worm was the first computer worm to spread across the internet, released on November 2 1988 by Robert Tappan Morris, a Cornell graduate student. It exploited weaknesses in Unix programs and weak passwords, infected roughly 6,000 machines, and produced the first conviction under the Computer Fraud and Abuse Act.
Who created the Morris worm?
Robert Tappan Morris was a 23-year-old graduate student in computer science at Cornell when he wrote the program that now bears his name. He launched it not from Cornell but from a machine at MIT, a small bit of misdirection meant to obscure where it had come from. His father, also named Robert Morris, was a cryptographer at the National Security Agency, which gave the whole episode an irresistible irony the press never tired of mentioning.
By most accounts, including Morris’s own legal defense, the worm was not meant to cause damage. The stated intent was closer to a census: a program that would crawl the early internet and gauge its size by quietly copying itself from machine to machine. The problem was not the idea. The problem was a bug in how the program decided whether to keep copying.
How did the Morris worm spread?
The worm propagated by chaining together several known weaknesses in Unix systems of the era. It was less a single clever exploit than a toolkit that tried whatever worked.
- sendmail — It abused a debug mode left enabled in the widely deployed mail transfer program, which allowed it to execute commands on a remote machine.
- fingerd — It triggered a buffer overflow in the fingerd daemon, one of the earliest high-profile uses of that technique in the wild.
- rsh / rexec — It used trusted-host relationships and remote execution to hop between machines that already trusted one another.
- Weak passwords — It carried a small dictionary and tried guessing user passwords, exploiting the reality that people picked predictable ones then exactly as they do now.
This was an internet still measured in tens of thousands of hosts, long before the explosion documented in our internet history timeline and decades before the question of how many websites there are had any meaning at all. There was no web yet; the first website was still years away. The network was a trusting place, and the worm took full advantage of that trust.
Why was the Morris worm so devastating?
The damage came from a single design decision about reinfection. Morris anticipated that system administrators might try to immunize their machines by running a fake copy of the worm, so he built in a check: before installing itself, the worm asked whether a copy was already running.
Had he stopped there, the worm would have been mostly harmless. But he worried that decoy processes would let the worm be neutralized too easily, so he added a rule that roughly one time in seven, the worm would install a fresh copy regardless of whether one was already present.
That one-in-seven gamble was catastrophic. On busy machines the worm reinfected itself over and over, stacking copies until processors were saturated and systems ground to a halt. What was meant to be a quiet survey became a self-amplifying denial-of-service attack. Machines were not destroyed, but they became unusable, and administrators across the country spent days disconnecting from the network and scrubbing their systems.
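A simplified model of the reinfection rule described above, added here as an illustration; it is not the worm's code. It assumes every arrival at an already infected host stays with probability 1/7 and that running copies never exit, and all function names are hypothetical.

```python
import random

OVERRIDE_ODDS = 7  # the page's "roughly one time in seven"

def copies_after(attempts, override, rng):
    """Copies running on one host after `attempts` arrivals (simplified model)."""
    copies = 0
    for _ in range(attempts):
        if copies == 0:
            copies += 1      # nothing running yet: the first arrival installs
        elif override and rng.randrange(OVERRIDE_ODDS) == 0:
            copies += 1      # ignores the "already running" answer
        # otherwise the newcomer defers to the existing copy and exits
    return copies

def expected_copies(attempts):
    """Mean copy count under the override rule: 1 + (attempts - 1) / 7."""
    return 0.0 if attempts == 0 else 1 + (attempts - 1) / OVERRIDE_ODDS

def attempts_until(capacity, override, rng, limit=100_000):
    """Arrivals needed before `capacity` copies run at once, or None if never."""
    copies = 0
    for n in range(1, limit + 1):
        if copies == 0 or (override and rng.randrange(OVERRIDE_ODDS) == 0):
            copies += 1
        if copies >= capacity:
            return n
    return None

def mean_copies(attempts, trials, seed=1988):
    """Average copy count over repeated seeded runs of the override rule."""
    rng = random.Random(seed)
    return sum(copies_after(attempts, True, rng) for _ in range(trials)) / trials

if __name__ == "__main__":
    rng = random.Random(1988)
    print("arrivals  strict  override(mean)  override(expected)")
    for n in (10, 100, 1000):
        print(n, copies_after(n, False, rng),
              round(mean_copies(n, 500), 1), round(expected_copies(n), 1))
    print("arrivals to reach 20 copies, strict check:",
          attempts_until(20, False, rng))
    print("arrivals to reach 20 copies, 1-in-7 rule:",
          attempts_until(20, True, rng))
```

With the strict check the count stays at one copy no matter how many arrivals there are; with the override it grows linearly with arrivals, which is why heavily connected hosts were the ones that saturated.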
How many computers did the Morris worm infect?
The figure usually cited is around 6,000 machines, often described as roughly 10 percent of the internet at the time. Both numbers should be read as estimates rather than precise counts; nobody was taking a clean census while the network was on fire, and the 6,000 figure itself traces back to contemporary reporting rather than a definitive log.
| Detail | Value |
|---|---|
| Date released | November 2 1988 |
| Author | Robert Tappan Morris |
| Launched from | MIT (Morris was at Cornell) |
| Machines infected | ~6,000 (estimates vary) |
| Share of internet | roughly 10% |
| Reinfection odds | about 1 in 7 |
Cleanup cost estimates from the period ranged wildly, from tens of thousands of dollars to the high hundreds of thousands, and any single dollar figure deserves skepticism. What is not in dispute is that the worm reached an enormous fraction of a network that, until that morning, had assumed nobody would do such a thing.
What were the consequences of the Morris worm?
The fallout reshaped how the early internet thought about security.
The first CFAA conviction
Morris was prosecuted under the Computer Fraud and Abuse Act of 1986 and became the first person convicted under that law. He was sentenced in 1990 to three years of probation, several hundred hours of community service, and a fine in the low thousands of dollars. He did not serve prison time, but the conviction stood as a precedent for decades of computer-crime law that followed.
The creation of CERT
In the worm’s immediate aftermath, DARPA funded the Computer Emergency Response Team (CERT) at Carnegie Mellon University. CERT became the model for coordinated vulnerability response, the institutional answer to a problem the network had just discovered it had. It is hard to overstate how much the modern practice of disclosing and patching vulnerabilities descends from that November scramble.
A surprising second act
Morris’s story did not end with the conviction. He went on to earn his doctorate, became a tenured professor at MIT, and in 2005 co-founded the startup accelerator Y Combinator alongside Paul Graham. The graduate student who briefly broke the internet became one of the people who helped fund a generation of companies built on it.
Where is the Morris worm now?
The original source code, written to a floppy disk, is held in the collection of the Computer History Museum in Mountain View. It is a small, almost mundane artifact for something that did so much, a physical reminder that early internet history sits on shelves the way letters and photographs do. The same instinct that preserves the first photo on the internet preserves a disk full of code that once brought thousands of machines to their knees.
If the worm taught one durable lesson, it is that scale plus a small logical error equals disaster, a principle that holds whether you are propagating across Unix hosts or just clicking a single button to build your own version of the early internet. The early network was built on trust, and the Morris worm was the moment that trust met its limits.
Frequently Asked Questions
Was the Morris worm a virus or a worm?
It was a worm. The distinction matters: a virus attaches itself to existing files and needs a host program to spread, while a worm is self-contained and propagates on its own across a network. The Morris worm copied itself between machines without human action, which is what made it spread so fast.
Did Robert Morris go to prison?
No. He was convicted under the Computer Fraud and Abuse Act in 1990 but received three years of probation, community service, and a fine rather than a custodial sentence. The conviction was historically significant as the first under that law.
How did the Morris worm finally get stopped?
There was no single off switch. Administrators across the network disconnected affected machines, shared patches, and rebuilt systems over several days. A team at Berkeley and others reverse-engineered the worm to understand its behavior, which informed the cleanup.
Was the Morris worm intended to cause damage?
By Morris’s account and his legal defense, no. The program was meant to measure the size of the internet, but a reinfection rule that reinstalled copies roughly one time in seven turned it into a resource-exhausting attack that crippled the machines it reached.
What is the connection between the Morris worm and CERT?
CERT, the Computer Emergency Response Team at Carnegie Mellon, was created directly in response to the worm. DARPA funded it to coordinate the kind of vulnerability response that had been improvised, chaotically, during the worm’s spread.