A bit of history

2 November 1988 Robert Morris younger, graduate studentof informatics faculty of Cornwall University (USA) infected a great amount of computers, connected to Internet network. This network unites machines of university centres, private companies and governmental agents, including National Aeronautics Space Administration, as well as some military scientific centres and labs.

Network worm struck 6200 machines that formed 73% computers to network, and showed that UNIX was not okay too. Amongst damaged were NASA, Los Alamos National Lab, exploratory centre VMS USA, California Technology Institute, and Wisconsin University (200 from 300 systems). Spread on networks ArpaNet, MilNet, Science Internet, NSF Net it practically removed these network from building. According to " Wall Street Journal", virus infiltrated networks in Europe and Australia, where there were also registered events of blocking the computers. Hundreds or thousands of jobs running on a UNIX system brought responses to zero. The attacked systems were UNIX systems, 4.3BSD UNIX & their variants (e.g.: SUNs). This virus was spreading very quickly over the Milnet. Within the past 4 hours, it had hit more than 10 sites across the country, both Arpanet and Milnet sites. Well over 50 sites had been hit. Most of these were " major" sites and gateways.

Morris had written a program that used a hole in SMTP Sendmail utility. This utility can send a message into another program. Apparently what the attacker did was this: he or she connected to, issued the appropriate debug command, and had a small С program compiled. This program took as an argument a host number, and copied two programs - one ending in VAX.OS and the other ending in SunOS - and tried to load and execute them. In those cases where the load and execution succeeded, the worm did two things (at least): spawned a lot of shells that did nothing but clogged the process table and burnt CPU cycles; looked in two places - the password file and the internet services file - for other sites it could connect to. It used both individual host files (which it found using the password file), and any other remote hosts it could locate which it had a chance of connecting to.

All of Vaxen and some of Suns here were infected with the virus. The virus forksrepeated copies of themselves as it tried to spread itself, and the load averages on the infected machines skyrocketed. In fact, it got to the point that some of the machines ran out of swap space andkerneltable entries, preventing loginto even see what was going on!

The virus also " cleaned" up after itself. If you reboot an infected machine (or it crashes), the /tmp directory was normally cleaned up on reboot. The other incriminating files were already deleted by the virus itself.

4 November the author of the virus - Morris - came to FBI headquarters in Washington on his own. FBI imposed a prohibition on all material relating to the Morris virus.

22 January 1989 a court of jurors acknowledged Morris guilty. If denunciatory verdict had been approved without modification, Morris would have been sentenced to 5 years of prison and 250 000 dollars of fine. However Morris' attorneyimmediately lodged a protest and directed all papers to the Circuit Court with the petition to decline the decision of court. Finally Morris was sentenced to 3 months of prisons and fine of 270 thousand dollars, but in addition Cornwall University carried a heavy loss, having excluded Morris from its members. Author then had to take part in liquidation of its own creation.