Vmyths.com



Truth About Computer Security Hysteria

Morris Internet worm

CATEGORY: Misconceptions about genuine threats

Robert T. Morris III, the son of a chief computer scientist at the U.S. National Security Agency, decided one day to take advantage of bugs in the software which controls the Internet (which the Defense Department uses heavily). These tiny bugs let Morris send a worm throughout the network. Among other things, the "Internet worm" sent copies of itself to other computers — and clogged the entire network in a matter of hours due to bugs in the worm module itself.

The press called it a "virus," like it called the 1987 "Christmas worm" a virus, because it spread to other computers. Yet Morris's work didn't infect any computers (a subtle point indeed). A few notes:

  1. Reporters finally started calling it a worm a year after the fact — only because lawyers on both sides of the case constantly referred to it as a worm.
  2. The worm operated only on Sun-3 & VAX computers which employ the UNIX operating system and which were specifically linked to the Internet at the time of the attack.
  3. It cost way less than $98 million to clean up the attack. An official Cornell University report claims John McAfee, the man behind this wild estimate, "was probably serving [him]self" in an effort to drum up business. People familiar with the case estimated the final figure at slightly under $1 million. (See below for more details.)
  4. Yes, Morris could easily have added some infection code to make it both a worm and a virus if he'd had the urge.
  5. Internet gurus long ago fixed the bugs Morris exploited in the attack.
  6. Morris went on trial for launching the worm and received a federal conviction under the Computer Fraud and Abuse Act. The Supreme Court refused to hear his case, so the conviction stands.

The following excerpt comes from the book "Approaching Zero" by Paul Mungo & Bryan Clough. It further explains John McAfee's publicity stunt:

The [Morris worm] received worldwide press coverage, and the extent of the damage was magnified along the way. One of the first estimates — from John McAfee, the personable chairman of [the controversial Computer Virus Industry Association] — was that cleaning up the networks and fixing the system's flaws would cost $96 million. Other estimates ran as high as $186 million. These figures were widely repeated, and it wasn't until later that cooler heads began to assess the damage realistically. The initial estimate that about 6,200 machines, some 10 percent of the computers on Internet, had been infected was revised to roughly 2,000, and the cleanup cost has now been calculated at about $1 million, a figure that is based on the assumed value of "downtime," the estimated loss of income while a computer is idle. The actual restitutional cost has been assessed as $150,000; McAfee's exaggerated estimate of $96 million was dismissed.

Last updated: 2001/1/18