MORRIS: Earth's First Computer Worm

(metal ball rolling) (metal ball rolling) (metal ball dings) - [Jak] Things are not as they should be. (computer dings) (text rumbles) (text rumbles) (text rumbles) (electronic music) The internet was recently created, and it's primarily used for communication between large corporations, government agencies, and universities. But here, all operations have crawled to a halt.

Fueled by junk food and a fascination with cyberspace, these students are 15 hours deep into a cybersword fight with a new enemy who's unleashed a worm. But unbeknownst to them, the person they're fighting doesn't even know he's in a battle. In fact, he's sleeping right now, (computer beeps) deep in a dream while the mere 99 lines of code he wrote months before is spreading havoc across the entire (computer beeps) global (computer beeps) internet.

Morrisworm. (dramatic music) - [Electronic Voice] You are watching DisrupTV. (crash) (people shouting) (object falling) (loud crash) - Ohhhh.

- [Voiceover] A sock. A PO box. A socket.

- Bopit! (crash) - [Voiceover] A socket is like a PO box that a computer can use to receive data from a server. When the worm first enters a computer, it chisels a hole into the motherboard and establishes its own post office socket, which it will use to start the infection.

First, it searches the computer for the finger protocol. This is a directory that houses early internet usernames and contact information, kind of like a social network. Usually this runs as a background process in the machine, also known as a buffer, but to hijack the information from this buffer, the worm sends a get call to the finger over and over and over, until eventually (computer dings) the buffer is overrun, (computer speaks indistinctly) which causes the check stations to fail, leaving a wide open road.

It then attempts to establish a connection to these newly uncovered users, and if successful, it will move on to stage two. If not, it will attempt to use sendmail, an early email program. This program operates on a number of modes.

When switched from the default deliver mode to the daemon mode, (computer beeps) it will constantly listen on a TCP port. It's listening for good vibrations. (guitar music) Things like a sender, an address, and a get well soon message to your grandmother.

(guitar music fades into buzzing) But do you hear that? (buzzing) (clicking) Instead of good vibrations, Morris is sending a debug command to the program. Now normally sendmail would reject this command, but being a new system built in the 1980s, many site admins have left the option on, giving our worm full access to the mailing services.

(mysterious music) It uses these new tools to send the following command package, AKA the vector program to the contacts. (mysterious music speeding up) It then waits up to two minutes for a response from the shell, after which it will. .

. Now established that the vector program has been received and the worm is running. (moped engine thrumming) - [Electronic Voice] Global controls will have to be imposed and a world governing body will be created.

- [Voiceover] It then proceeds to send three more packages to the socket created earlier. The first is a SUN 3 binary version of the worm, a VAX version and the source code. This gives it two chances that one of the recipients are running either the SUN 3 version or the VAX version.

After receiving confirmation that the files are running correctly, the original worm eliminates itself and the new one repeats the process. This differs from a virus in that a virus needs to trick the recipient into running it through social engineering or just plain misdirection. A worm, on the other hand, can spread without tricking a human.

It spreads by itself. NASA unplugs. Cornell unplugs.

News organizations, while simultaneously reporting on the worm are grinded to a halt. (phone rings) He receives an anonymous call. The voice on the other line says, - [Voice On Phone] "Listen, I know who did it.

It's RTM. " - [Voiceover] Now he won't say exactly who RTM is. He just wants to know how much trouble that person may or may not be in.

As soon as the call ends, this journalist knows exactly where to look. He opens up finger and searches through the database for an RTM and much to his surprise, a three worded name surfaces. - [Electronic Voice] You are watching DisrupTV.

(relaxed music) (drums playing) (man sighs) (foreign language) - Good day, friends, neighbors, and opponents. - He's a hacker, but a kind of a gray hat hacker. (foreign language) - [Woman] Sir?

- [Voiceover] The man sitting in the corner (drums playing energetically) - [Woman] Sir? - [Voiceover] is watching. - [Woman] Sir?

(heavy drums) - I would say from the get-go, I don't feel that I'm the opponent of anybody in this crowd. You may feel differently, (heavy drums continue) and I respect your right to do so. (keyboard typing) (DisrupTV jingle) (relaxed music) - [Voiceover] Across the country at Berkeley, sleep-deprived faculty and students, after 12 straight hours of work, finally crack the puzzle.

Keith Bostic, a programming architect specializing in Unix releases patches one and two. The first two patches fix sendmail so that it won't accept the debug command and compile with the worm. (computer beeps) 24 hours later comes patch three.

This changes finger so that it doesn't accept the gets call. Instead, it only accepts fgets, which the worm doesn't know how to utter. The patches work and throughout the university and surrounding networks, their ships stabilize.

But since the worm has attacked the main lines of fast communication, the storm is still raging for the rest of the world. By now, an estimated 6,000 computers are infected, which at the time makes up - [Electronic Voice] 10% - [Voiceover] of the entire internet. Another call, (phone rings) this time from the NSA.

The journalist says, - [Voice On Phone] "Hey, I think I know who did it. It's- - [Whispering Voice] Redacted. - [Voiceover] The guy on the other line says, "Yeah, that's my son.

" (electronic sounds) (orchestral music) Robert Tappan Morris, alongside his father, chief scientist of the NSA's computer security center are plastered throughout the national spotlight. At first, the 23 year old denies he is the author. He says the entire event is a very unfortunate situation, but eventually he admits to writing the bug, but with no malicious intent.

Says he only wanted to create something that can measure just how large the internet is. And his plan would have worked. His worm could have gone by unnoticed as a simple background process had it not been for one simple line in the 99 lines of code that would wreak havoc.

(computer beeps) (orchestral music continues) This is a flag. It's used to tell the worm that yes, I have already been infected. Morris could have programmed the worm to simply move on, infect the next guy.

It's not worth infecting twice, right? But if he did that, it would be far too easy for a system admin to simply put up a false flag and trick the worm into not infecting the machine. Instead, Robert programs the worm to disregard this flag 1 in 7 times.

This way, he thought the worm will still infect the machine, but not check it so much that it will overload the PC. He was wrong. Had he picked a higher number, say 1 in 700 times, the worm would still be small enough that it would do its originally intended job as an internet measuring stick, but the 1 in 7 process meant it would simply try to infect over and over, overloading a computer system, forcing it to a halt, (orchestral music phrase repeating) (engine thrumming) and consequently every machine on the internet.

(engine stops) (upbeat music) By January 22nd, he's the first person in US history to be indicted under the newly defined Computer Fraud and Abuse Act. - [Reporter] Morris's defense includes that he intended only a low grade prank. What he touched off instead was a rampant epidemic last November that infected the national defense network of computers, among others.

- [Voiceover] He receives three years of probation, a $10,000 fine and 400 hours of community service at a location far from any computer. ♪ We're breakin' rocks in the hot sun ♪ ♪ I fought the law and the law won ♪ ♪ I fought the law and the law won ♪ (guitar music continues) - Right, so when I was like in ninth grade, I was sitting with the boys, you know, in the cafeteria, and we got to a really interesting conversation topic. We were surrounded by maybe like 100 people or so in the cafeteria, and we started talking about just how little we know about them, how crazy their life stories could potentially be and just how much life story there was in that entire room.

And I thought of something pretty crazy. How much computer space would everyone's life stories on earth occupy? Think about that for a second.

Just imagine that amount of information. It's also kind of crazy to think that even the people you don't know, like those who basically act as NPC's in your life still have that massive life story in the back of their head just like you. It's pretty obvious when you think about it, but then again, you don't often think about that.

Just wanted to share this 'cause I think it's a really cool thought. (eerie music) - [Electronic Voice] I was disrupted. Boo doop boop bap be deep boop.