The first Internet worm (1988)

This case study describes the events that occured when the first Internet worm was released in 1988. Although this happened many years ago, there are still important lessons to be learned from this and the response to it by the community.

The 1988 Internet Worm was the first major worldwide computer security incident where malware (software that is malicious) propagated throughout the internet. This worm infected Unix servers, taking advantage of different types of vulnerability in installed code such as Sendmail and finger. The lessons from that incident are still valid and, surprisingly perhaps, the vulnerabilities identified that allowed the worm to cause such problems are still present in some modern software.

The perpetrator of the 1988 Internet worm (Robert Morris, a graduate student at Cornell University) meant no harm but was experimenting with what was possible. He is now a respected computer science researcher. Security authorities no longer accept such an excuse so you should not attempt any such security 'experiments'.

Use of this case study in teaching

I use this case study in conjunction with Chapter 14, which covers security engineering. It is generally useful for illustrating vulnerabilities in systems and how these can be exploited by attackers. It also illustrates an effective way to respond to such attacks.

Supporting documents

The incident was documented in a paper in Communications of the ACM, 'The Internet Worm: Crisis and Aftermath'. by Gene Spafford. (Comm ACM, 32 (6), June 1989 - accessible to ACM Digital Library members).

Overview of the Internet Worm

My Powerpoint presentation giving an overview of the security incident.

Incident analysis

This is a detailed analysis of the 1988 Internet Worm incident by researchers at MIT. It was the basis for a published paper on the incident in Communications of the ACM in July 1989.

The Internet archive of the message first reporting the incident Messages generated as system managers discussed how to handle the worm

The Code Red Worm

A more recent major security incident occurred in 2001 when the 'Code Red' worm struck a large number of Internet servers. This exploited a similar vulnerability (no array bound checking in C resulting in buffer overflow) to that exploited by the original worm. This is a link to the description of the problem in Communciations of the ACM.