Author of Computer 'Virus' Is Son Of N.S.A. Expert on Data Security

Author of Computer 'Virus' Is Son Of N.S.A. Expert on Data Security

By John Markoff
The New York Times

November 5, 1988

The ''virus'' program that has plagued many of the nation's computer networks since Wednesday night was created by a computer science student who is the son of one of the Government's most respected computer security experts.

The program writer, Robert T. Morris Jr., a 23-year-old graduate student at Cornell University whom friends describe as ''brilliant,'' devised the set of computer instructions as an experiment, three sources with detailed knowledge of the case have told The New York Times.

The program was intended to live innocently and undetected in the Arpanet, the Department of Defense computer network in which it was first introduced, and secretly and slowly make copies that would move from computer to computer. But a design error caused it instead to replicate madly out of control, ultimately jamming more than 6,000 computers nationwide in this country's most serious computer ''virus'' attack.

The dent's program jammed the computers of corporate research centers including the Rand Corporation and SRI International, universities like the University of California at Berkeley and the Massachusetts Institute of Technology as well as military research centers and bases all over the United States.

Meeting with the Authorities

The virus's creator could not be reached for comment yesterday. The sources said the student flew to Washington yesterday and is planning to hire a lawyer and meet with officials of the Defense Communications Agency, in charge of the Arpanet network.

Friends of the student said he did not intend to cause damage. They said he created the virus as an intellectual challenge to explore the security of computer systems.

His father, Robert T. Morris Sr., has written widely on the security of the Unix operating system, the computer master program that was the target of the son's virus program. He is now chief scientist at the National Computer Security Center in Bethesda, Md., the arm of the National Security Agency devoted to protecting computers against outside attack. He is most widely known for writing a program to decipher symbols, or ''passwords,'' that give users access to computers and their data.

'Very Well Trained'

The elder Mr. Morris, in a telephone interview yesterday, called the virus ''the work of a bored graduate student.''

Speaking in the presence of officials and lawyers of the National Security Agency, he would not discuss the case in detail. He said his son was ''for his age very well trained in computer science: he studied it in college and held various summer jobs at various places.''

The sources said the 56-year-old Mr. Morris had no prior knowledge of the virus attack.

Mr. Morris said he believed that the virus might ultimately have a positive effect. ''It has raised the public awareness to a considerable degree,'' he said. ''It is likely to make people more careful and more attentive to vulnerabilities in the future.''

Managers at hundreds of research and military facilities around the country yesterday continued efforts to cleanse their systems, while computer scientists studied the virulent program in an effort to prevent a recurrence. Several computer sites were spared from the virus because system managers had rewritten security programs in light of at least three separate security flaws in computers running the Unix operating system. Most of the loopholes have only recently been discovered.

One site that escaped infection was the American Telephone and Telegraph Company's Bell Laboratories. Computer scientists there said the program with the principal flaw was rewritten about a year ago.

Exploitation of Flaws

The student's virus, actually a group of small programs, entered systems by exploiting the flaws, said Clifford Stoll, a computer security expert at Harvard University. Once it entered a given computer it was designed to hide itself in the computer's memory then systematically search for ways to enter other computers linked through communications networks.

Computer viruses are the computer equivalent of biological viruses, replicating largely on their own and spreading from computer to computer, consuming computer processing power and storage space or potentially destroying stored information.

The virus was detected in part because a design error led it to create many copies rather than a single copy on each machine it attacked. Computer researchers said the copies were like echoes bouncing back and forth off the walls of canyons.

Computer experts who were assessing the harm yesterday said there seemed to be no damage other than the thousands of hours that computer scientists and programmers were spending removing the program from their systems.

'Classic Hack That Went Wrong'

The program eventually affected as many as 6,000 computers, or 10 percent of the systems linked through an international group of computer communications networks, the Internet.

''This sounds like a classic hack that went wrong,'' said Mark Seiden, a computer scientist who is an expert on the Unix operating system.

Computer scientists said the younger Mr. Morris has worked in recent summers at the AT&T's Bell Labs. One of his projects there included rewriting the communications security software for part of an informal network connecting most computers that run the Unix operating system, which AT&T developed.

The scientists also said that in August the student's father submitted the abstract of a paper on Unix computer security to a computer science conference to be held later that month in Portland, Ore., but withdrew the paper several days later, apparently at the request of his employer, the National Computer Security Center.

Computer scientists who are disassembling the student's virus program to better understand how it worked said they were impressed with its power and cleverness.

''We found it to be sophisticated, and he did a good job of obscuring information in the program,'' said Peter Yee, a computer researcher at the Experimental Computer Laboratory at the University of California at Berkeley. He was one of the first programmers to detect the virus, through special monitoring equipment at his laboratory. #47,000 Characters of Information Mr. Yee said he had spent two sleepless nights taking the program apart to understand it. He said it consisted of 47,000 characters of information. The virus infiltrates the computer by taking advantage of a flaw in a message-sending program to circumvent system security. It then hides in memory while it creates a program that tells the computer being attacked to import several other programs from the attacking computer. The new programs then help break into a specially encrypted password file and use the passwords to infiltrate other computers.

Computer security experts generally minimized the damage done by the virus. They said the attack would serve as a useful lesson that not enough attention was being paid to computer security. They noted, however, that with minor modifications the virus could have transformed itself from a nuisance into a deadly and destructive scourge that could have widely destroyed data.

''I've been trying to tell people that something like this could happen for five years,'' said Fred Cohen, a computer scientist at Cincinnati University. ''Maybe they're going to start to lose their sense of innocence.''

Concern on Mimicry

Many computer researchers were concerned that the virus attack might encourage more sophisticated attacks.

''Someone is likely to get ideas from this and mimic this virus,'' said Bruce Cole, a researcher in the computer science department at the University of Wisconsin. ''Everybody is paranoid about security now.''

Around the country at hundreds of sites that were struck with the virus, system managers said operations were beginning to return to normal yesterday afternoon.

When the virus first struck about 9 P.M. Wednesday, many computer sites did not at first identify the problem as a virus. Several universities said they believed they had become the target of pranksters. At Princeton and the University of Wisconsin programmers spent the night battling what they thought was an internal problem.

They could have been fooled, computer experts said, because the virus masqueraded as a legitimate user and then infected other systems by exploiting a legitimate user's mail privileges.

By Thursday morning word had begun to spread widely that the program was a virus, and system managers began to unhook their computers from the network.

At Carnegie-Mellon University in Pittsburgh 80 out of 100 computers tied to the Arpanet were affected. At the University of Wisconsin 200 of 300 were.

To rid computers of the virus, system managers first disconnected their machines from the network they were linked to, turned them off and then restarted them, making sure to delete the programs that the virus created. Then new protective programs were added to seal the loopholes the virus used to enter their machines.

'Everything Is Messed Up'

Some sites reported yesterday that they were still struggling with the virus. At the University of Illinois at Champaign-Urbana, officials said they thought Thursday night that they had closed the loophole the virus exploited but found that it exploited other security flaw and came back. The virus was still causing confusion there yesterday afternoon.

''We can't tell what it is doing,'' said David K. Raila, a researcher at the university.

''The computing community at large has been pretty casual about passing around codes sometimes with deliberate trap doors in,'' said H. Douglas McIlroy, a computer scientist at Bell Labs. ''These trap doors have been sitting there waiting to be exploited.''

GRAPHIC: photo of Col Thomas M. Herrick and Raymond S. Colladay (NYT/Michael Geissinger) (pg. 7)