Exploited known vulnerabilities in sendmail, fingerd (buffer overflow), and rsh/rexec. A bug in the worm's self-propagation logic caused re-infection of already-infected machines, creating crippling load the author claimed was unintended.
Robert Tappan Morris became the first person convicted under the Computer Fraud and Abuse Act. Fined $10,000. The incident is credited with exposing fundamental internet vulnerabilities and accelerating the creation of CERT/CC. Morris is now a professor at MIT.
The Incident
On November 2, 1988, Robert Tappan Morris — a 23-year-old Cornell University graduate student — released a self-replicating program onto the internet. Within hours, approximately 6,000 Unix machines were infected. This represented roughly 10% of the entire internet at the time.
The Root Cause
The worm exploited three known vulnerabilities: a debug mode in sendmail that allowed remote command execution, a buffer overflow in fingerd, and trust relationships in rsh/rexec that allowed propagation to connected systems. All three vulnerabilities were known before the worm was released.
The devastating impact was partially unintended. Morris included a mechanism to prevent re-infection: the worm would check if a copy was already running and, in most cases, skip that machine. But he set the re-infection rate to 1 in 7 — meaning every seventh check would re-infect regardless. This was intended to prevent administrators from creating dummy processes to immunize their machines. In practice, it caused exponential re-infection that consumed all available CPU and memory, effectively creating a denial-of-service attack.
The Aftermath
Morris was the first person convicted under the Computer Fraud and Abuse Act of 1986. He was sentenced to three years of probation, 400 hours of community service, and fined $10,000. The incident directly led to the creation of CERT/CC (Computer Emergency Response Team) at Carnegie Mellon University — the first coordinated vulnerability response organization.
The worm's source code was preserved on a floppy disk now held at the Boston Museum of Science. Morris went on to become a professor of computer science at MIT and co-founded Y Combinator.
Why It Matters
The Morris Worm demonstrated that connected systems amplify failures exponentially. A buffer overflow in a single service — combined with network connectivity — turned a local vulnerability into a global incident. The same pattern would repeat with Code Red, Slammer, Conficker, WannaCry, and every other worm for the next 35 years. The vulnerabilities changed. The amplification mechanism didn't.