The Morris Worm Is Released, Knocking Out an Estimated 10% of the Internet
A Cornell graduate student's self-replicating program, released from MIT's network on a November night in 1988, spread far faster and further than its own author reportedly intended.
At approximately 8:30 PM on November 2, 1988, a self-replicating program was released onto the internet from a computer at MIT — within 24 hours, an estimated 6,000 of the roughly 60,000 machines then connected to the entire internet had been affected.
Who released it and why
Robert Tappan Morris, a graduate student at Cornell University, wrote and released what became known as the Morris Worm — released from MIT’s network rather than Cornell’s, reportedly in an attempt to obscure its point of origin. According to Morris’s own later account, the program was intended as an experiment to gauge the size of the internet, not as a deliberate attack, though a bug in its replication logic caused it to infect the same machines repeatedly, compounding its impact far beyond whatever Morris had actually planned.
What it actually did to infected systems
The worm exploited vulnerabilities in fingerd, sendmail, and weak rsh/rexec trust configurations to spread between VAX and Sun systems running BSD-derived Unix — its repeated, unintended re-infection of already-compromised machines caused those systems to slow to a crawl under the compounding load, rather than any deliberate destructive payload.
The legal outcome
Morris was prosecuted and convicted under the Computer Fraud and Abuse Act of 1986 — the first felony conviction secured under that law, establishing significant early legal precedent for treating unauthorized, disruptive computer intrusion as serious federal crime.
The institutional response
The incident directly led to the creation of the CERT Coordination Center at Carnegie Mellon University, funded by DARPA specifically because the Morris Worm had exposed the absence of any coordinated body for responding to internet-scale security incidents.
Sources: