The 1988 Internet Worm
Case studies
Insulin pump
Internet worm
Ariane 5
Airbus FCS
London Ambulance
SE 8 Web


The 1988 Internet Worm was the first major worldwide computer security incident where malware (software that is malicious) propagated throughout the internet. This worm infected Unix servers, taking advantage of different types of vulnerability in installed code such as Sendmail and finger. The lessons from that incident are still valid and, surprisingly perhaps, the vulnerabilities identified that allowed the worm to cause such problems are still present in some modern software.

The perpetrator of the 1988 Internet worm (Robert Morris, a graduate student at Cornell University) meant no harm but was experimenting with what was possible. He is now a respected computer science researcher. Security authorities no longer accept such an excuse so you should not attempt any such security 'experiments'.

Use in teaching

I supplement the book chapters on critical systems with discussions on other topics, including security. This case study shows how worms can propagate by taking advantage of security vulnerabilities and how availability and security are closely related topics.

Related chapters

Chapter 3: Dependability
Chapter 9: Dependable systems specification

Supporting documents

The incident was documented in a paper in Communications of the ACM, 'The Internet Worm: Crisis and Aftermath'. by Gene Spafford. (Comm ACM, 32 (6), June 1989 - accessible to ACM Digital Library members).

Overview of the Internet Worm

My Powerpoint presentation giving an overview of the security incident. Download the PDF from here.

Incident analysis

This is a detailed analysis of the 1988 Internet Worm incident by researchers at MIT. It was the basis for a published paper on the incident in Communications of the ACM in July 1989.

The Internet archive of the message first reporting the incident

Messages generated as system managers discussed how to handle the worm

A more recent major security incident occurred in 2001 when the 'Code Red' worm struck a large number of Internet servers. This exploited a similar vulnerability (no array bound checking in C resulting in buffer overflow) to that exploited by the original worm. This is a link to the description of the problem in Communciations of the ACM.

The Code Red Worm