Spreading a Virus: How Computer Science Was Caught Off Guard By One Young Hacker

Outbreak Spread Nationally, Caused No Lasting Harm But Much Embarrassment

Finding a Worm in the Mail

A Wall Street Journal News Roundup

November 7, 1988

The surprise attack began between 9 and 10 Wednesday night. Among the first targets were Berkeley, Calif., and Cambridge, Mass., two of the nation's premier science and research centers. At 10:34 p.m., the invader struck Princeton University.

Before midnight, it had targeted the National Aeronautics and Space Administration Ames Research Center in California's Silicon Valley, as well as the University of Pittsburgh and the Los Alamos National Laboratory in New Mexico. At 12:31 Thursday morning, it hit Johns Hopkins University in Baltimore, and at 1:15 a.m., the University of Michigan in Ann Arbor.

At 2:28 a.m., a besieged Berkeley scientist -- like a front-line soldier engulfed by the enemy -- sent a bulletin around the nation: "We are currently under attack. . . . "

Thus began one of the most harrowing days of the computer age.

The invader was a computer virus. Like some relentless, demonic automaton, it coursed through networks -- high-speed communications lines -- linking key university and government computers from coast to coast. Once inside, it multiplied, devouring the space that computers use to store information and slowing them to a halt.

At first, no one suspected -- or even imagined -- the scope of the event, thinking instead that it was a local hacker's mischief. So ingenious and complex was the virus that some computer scientists didn't immediately realize what they were up against. It initially fooled many trying to neutralize it. They would devise a solution, only to find the virus spreading again.

Scientists in their labs when the virus struck called reinforcements for help. Others, learning of the attack while using home computers hooked up to their work computers, raced to the office in the middle of the night and feverishly worked in solitude. While everything was largely under control within 24 hours, scientists still can't be sure that the virus is purged.

In the end, the virus apparently didn't cause permanent damage to the 6,000 computers it attacked. Instead of wiping out data -- which computer viruses are capable of doing -- this invader was fairly benign; it merely used up empty storage space. In computer jargon, it is now being called a "worm" because it was a self-contained program that entered via a communications network but didn't seek to destroy data.

The virus nevertheless has stunned -- and frightened -- the computer world. Almost all the business done today depends on computers. They direct telephone calls, handle bank transactions, control airline traffic, run manufacturing plants, guide the nation's defense systems. If computers can be sabotaged so easily, so swiftly, experts wonder, how vulnerable is the system to high-tech terrorists? The virus is expected to prompt a full-scale review of computer security in government, corporations and universities. A post-mortem conference already is planned in Washington this week.

The perpetrator still hasn't been officially named, but friends of his identify him as Robert T. Morris Jr., 23 years old, a Cornell University graduate student in computer science whose father, Robert Morris Sr., is a federal government expert on computer security. Mr. Morris, first identified as the hacker by the New York Times, has told friends he didn't intend to make the virus so virulent; a small mistake in the coding made it spread far faster than he had expected.

Some of the details of last week's virus outbreak have yet to be disclosed. But a look at how the virus spread -- and the anxious efforts to control it -- shows just how menacing such attacks have become.

At about 10 p.m. Wednesday, Pascal Chesnais, a researcher working late at MIT's Media Laboratory in Cambridge, noticed something odd. Computer programs he was running had slowed to a crawl. Two or three colleagues noticed the same thing.

At first, they figured a legitimate program had gone out of control because of some internal error. "We thought it was just a runaway program," he recalls. "So we killed all the processes, started over, and the problem seemed to go away." Unconcerned, they soon went out for ice cream.

Across the continent, at 10:15 EST, the experimental computing facility at the University of California at Berkeley was hit. Security software that monitors incoming electronic mail traffic -- messages dispatched via computers on high-speed communications lines -- sent alerts "that it was receiving unusual commands," recalls Peter Yee, a scientist at the center.

Because of this early warning, Berkeley was able to contain the virus faster than others did. It shut off communications to most computers, and established a "trap" to capture and study the unknown code that was causing the problem.

Researchers at Bellcore, the Livingston, N.J., joint research laboratory for the regional Bell holding companies, discovered the virus at about 10:30. They, too, were able to contain it by quickly shutting down computers. It hit about the same time at NASA's Ames Research Center in Silicon Valley. At midnight Eastern time, Ames cut off all communications with outside researchers, thus stranding 52,000 computer users.

At that point, few were aware of the multisite attack. The virus was, in fact, remarkably clever. It traveled via electronic mail on an unclassified research and defense network called Internet -- which includes smaller networks known as Arpanet, Milnet and NSFnet -- that is used by institutions to share data. The process was something like an automated chain letter. When the virus entered a computer, it used data stored within that computer to establish links with other computers in the network. Thus, it spread very quickly in many directions.

Not all computers were targeted, just those that were on the network and that used a certain version of the Unix master control software. The virus took advantage of at least two loopholes in the software to sneak in. The first was a debugging device in the program that was designed to make it easier to detect errors in the electronic mail program when installed; a flaw in the debugger opened the system to viruses.

Not really needed after installation, the debugger still wasn't deleted from most computers -- even though users had been warned that the debugger made them vulnerable to viruses. A similar loophole in another communications program gave the virus a second method of entry.

After discovering the mistake that made the virus multiply much faster than he had planned, Mr. Morris had a friend send a message to an electronic bulletin board (which carries computerized messages) explaining how to eradicate the virus. But it apparently wasn't noticed.

Unlike MIT, Berkeley and Bellcore, many computer sites weren't staffed when the virus hit. At Princeton, for example, computer records show the exact time it struck -- 10:34. But nobody noticed until midnight. Victor Dukhovni, a 25-year-old systems programmer, was getting ready to go to bed; as is his custom, he turned to his home computer and asked for a backup of files for the mathematics department, where he services computers.

He says he noticed "strange things going on." The system was slow, and it was running programs he didn't recognize. He left home and took the three-minute trip across the deserted campus to the math department. A newcomer at his job, he didn't possess home phone numbers for colleagues who could help, so he worked alone. An hour later, he discovered a worm in the mail, reproducing at a fast rate. He started trying to figure out what to do.

Officials at Los Alamos also noticed something odd around midnight EST, but they didn't suspect a major virus for several hours. The virus was running amok, and no one knew it.

Mr. Chesnais and his MIT colleagues in Cambridge returned at midnight from their ice-cream break. Their computers and others at MIT again were sluggish. "It was as if 20 or 30 people were working at the same time on the system," he adds. "Then, we knew something was amiss." Crowding around two terminals, the programmers began trying to trace the problem. By 2:30 in the morning, Mr. Chesnais says, "we definitely determined something was coming through the electronic mail. We shut ourselves off the (MIT internal) network so the virus in our system wouldn't spread."

Exhausted, they left at 3:30, knowing they had a problem but not how to fix it.

By then, Berkeley had specifically identified the virus -- but it had no antidote, either. In his 2:28 a.m. alert, Mr. Yee warned: "We are currently under attack from an Internet virus. . . . The program appears as files that start with the letter x. Removing them is not enough, as they will come back in the next wave of attacks. For now, turning off the (mail) seems to be the only help."

What made the virus all the more terrifying is that nobody knew for sure at the time that it was benign. "There's no reason why it couldn't have wiped out people's files, put subtle time bomb things in the system or sent junk mail to anyone," says Robert Logan, a computer systems manager at California Institute of Technology in Pasadena.

At Berkeley, researchers and students feverishly sought a vaccine. "There were about a dozen people working in a small room on eight computers and terminals," says Scott Silvey, a 23-year-old Berkeley senior from Cupertino, Calif. "It was crowded. The phones were ringing. People called from the Navy, the Air Force, from Florida."

Finding a fix was difficult because they had to comb through and analyze complex computer code to determine exactly what loophole the virus was attacking. Finally, they found the code in the electronic-mail software where the virus was entering, and fired off another message to computer centers on how to plug the hole.

But that wasn't enough. "The initial information we gave would stop the virus. But the virus could circumvent those measures," Mr. Silvey notes. Once the virus entered a machine, the virus had a way of learning what other machines could be reached; the first fix didn't remedy that. The Berkeley programmers continued sending messages with more comprehensive and sophisticated fixes to prevent the virus until 9 a.m. EST. Installing and running the vaccine to disinfect a computer took only 20 minutes.

As they began to understand the virus, some researchers began calling friends at their homes all over the country. Hans-Werner Braun, an engineer at the University of Michigan in Ann Arbor, was awakened at 4 a.m. by virus trackers in California. Heading for the home computer he has connected with his computer at work, Mr. Braun applied the fix within an hour.

But communications between researchers were limited by the fact that they often deal with one another by electronic mail, not by telephone. With some computers shut down to isolate the virus, electronic mail was disrupted.

Trying to reach some computer sites, the Berkeley crew found that many had no emergency phone contacts or contingency plans to deal with such an outbreak. "The sites without an emergency plan didn't do well," says Russell Brand, an artificial intelligence doctoral candidate at Berkeley and a researcher at the nearby Lawrence Livermore Laboratory, who happened to be writing a scientific paper about computer security on his home computer when he discovered the problem at Livermore.

Indeed, not everyone was as fortunate as Mr. Braun. Working alone, Mr. Dukhovni at Princeton thought at 3 a.m. that he had found how the virus was working and tried to send electronic mail directly to a program, just as the worm had done. A minute later, a mysterious message appeared on his screen: "You blew it." (It isn't clear what prompted that message.) He continued working, without success, until 7:30 a.m., then shut down the math department's system, isolated it and alerted other university officials. At about 9, the Berkeley solution arrived.

Computer researchers at many institutions didn't know about the virus until they got to work Thursday morning -- and their systems already had been infected. At New York University, the problem wasn't noticed until 9:30. By then, all 15 work stations at the school's Courant Institute of Mathematical Sciences were infected, and the virus had spread elsewhere on campus.

"We were tense, worried about losing files and work," says Gary Rosenblum, a computer systems manager. "You hear about this kind of thing, but it was hard to believe this was happening." At 2 p.m., he shut down the infected computers to clear the system.

By midday Thursday, the virus was mostly contained. Researchers were going through their systems, computer by computer, to find out which had been infected and apply the antidote.

But the battle wasn't over. Because some of the early fixes didn't close all the holes, some computers remained vulnerable. At 5 p.m. Thursday, "our system was attacked again," says Mr. Chesnais. "What makes the little beastie as nasty as it is, is that it knows more than one" way to enter Internet programs and propagate itself, says Jeffrey Schiller, MIT manager of networks. "This person (the perpetrator) was a real wizard." At some locations around the nation, the virus wasn't eradicated until Friday; and there is no way to be sure that it has been caught everywhere.

Some computers connected through Internet weren't infected -- although not for lack of trying by the virus. At the University of Maryland, for example, a computer equipped with a security system logged about 2,000 failed attempts by the persistent virus. (Others at the school without such protection were infected.) The virus attacked Argonne National Laboratory outside Chicago starting at 11:54 p.m. EST Wednesday and throughout the night. But only one of the lab's many computers was infected. Luckily, researchers a few months ago had modified the widely used code for gaining access to the system.

AT&T's Bell Laboratories in Murray Hill, N.J. -- where young Mr. Morris worked for a time -- also escaped. A year ago, Bell Labs patched its software to eliminate the loophole in its electronic mail software. When Bell tried to warn other institutions of the potential for a breach in security, Bell found that few shared "our rather paranoid view of communications software," says Douglas McIlroy, a member of the technical staff.

And, while Arpanet is used for unclassified, defense-related work, classified defense computers that use separate networks weren't affected by last week's attack. Because they employ greater security, they would be far more difficult to penetrate.

Now that the crisis is over, computer scientists are expressing both awe and anger at the virus. Although viruses have plagued computers for years, the vast majority until lately have gone after personal computers. Last week's virus reached a new level. "We've never seen (a virus) this large and as successful," says Robert J. Cosgrove, the director of computing systems at Carnegie-Mellon University in Pittsburgh, one of the schools attacked by the virus.

Though they believe the virus was dangerous, many admire the technical achievement. "He's somebody we would hire," says Rick Stevens, a computer scientist at Argonne, speaking of the perpetrator. "The right to hack is held higher than the right of someone to tell you not to. It's an inalienable right."

Little details in the virus were brilliant. Mr. Chesnais at MIT notes that researchers discovered that whenever the virus infected a computer, it would make a connection with a computer at Berkeley named Ernie. (All machines on the system have associated numbers and names.) Many believe this was a decoy to divert attention away from Mr. Morris on the East Coast.

John Crowley, a computer security expert at Information Security International Inc., a Silver Spring, Md., firm staffed by former officials from the super-secret National Security Agency, says of the virus's modus operandi: "It's almost like information jamming. Nice attack, from an artistic point of view."

But many are upset. At NASA's Ames center, the 52,000 outside researchers hooked up to Ames each has had to spend four to eight hours figuring out whether their computers were infected. "That's 142 man-years of work just because some bozo sticks a virus on the machine," a NASA spokesman says. Adds Bill Russell, manager of NYU's computer network: "I've lost three days' work. . . . If the person was trying to point out that security holes exist in large, connected computer networks, this is the wrong way to do it. It's like someone proving there's a security hole at a bank by robbing the bank."

Above all, the incident has left computer experts with an uneasy feeling. While security can be improved upon, it may never be perfected. "There will always be chinks in our armor," says James D. Bruce, the vice president for information systems at MIT.


One Mistake and 'Harmless' Mischief Brought Notoriety to Robert Morris Jr.

By David Stipp and Paul B. Carroll
The Wall Street Journal

November 7, 1988

A Cornell University graduate student who apparently unleashed the virus that infested computers across the nation last week tells friends the problems he caused resulted from a little mistake he made at the end of a long, tiring day.

They paint a picture of a brilliant young computer-science student planning a harmless experiment with an electronic-mail system and, without meaning to, creating a Frankenstein's monster.

Robert T. Morris Jr., a grad student at Cornell, had devised the virus to be a slowly replicating program that would scarcely be detectable in the electronic mail system it infested, says one of his friends. "At the last minute, he made some changes and put in a bug" -- an inadvertent error in the virus program that caused it to reproduce itself wildly through the system. At about 9 p.m. Wednesday, Mr. Morris "hit the carriage return (on his computer keyboard) and the virus went everywhere."

The friend adds that Mr. Morris may have intended to prove his mettle as a computer security expert by creating the virus. "It used to be that if you could break into a computer system, people would hire you," he says.

Mr. Morris apparently later tried without success to stop the virus's progress through the electronic mail system by posting a message in the system about how to stop the virus. But the message went unseen and unheeded by most of the infected, and soon the virus was out of control.

Mr. Morris's father, Robert T. Morris Sr., is an expert on computer security and the chief scientist at the National Computer Security Center. Mr. Morris Sr. won't say whether his son wrote the virus. But he does volunteer that the virus was created as "an intellectual test."

The younger Mr. Morris has been interested in computers since he was a teenager and has held numerous programming jobs going back at least to 1980, when he was 15, says Mr. Morris Sr. He adds that despite his youth his son took computer jobs "all over the country." Mr. Morris won't name his son's former employers but says they initially were small firms -- ones that would take a chance on a high-school kid.

Mr. Morris says his son's interest in viruses may date back to the mid-1970s when his son read a science fiction book called "Shock Wave Rider," which described the possibility of viruses. The book captivated him.

Young Mr. Morris graduated last year from Harvard with a degree in computer science. Acquaintances of his there describe him as a dedicated student known in college as a guru of Unix, a widely used master control program in computers, a version of which has flaws that last week enabled the virus to spread through the electronic mail system. "Sometimes when people had questions about Unix, it was easier to ask (Mr. Morris the answer) than to look it up in a manual," says Mark Friedell, an assistant professor of computer science at Harvard who was Mr. Morris's senior thesis adviser.

When he learned that Mr. Morris apparently had created the virus that played hob with computers all over the country, Mr. Friedell says, "I was shocked." He adds that the young man "isn't malicious, and he isn't a nerd. He is an articulate, well-balanced guy. At Harvard, he was generous with his time (in helping others solve computer problems). And while he was guilty of an extreme lapse in judgment, I think his intention was to produce an innocuous thing that wouldn't bother anybody."

John Hopcroft, the chairman of the Cornell computer science department, describes Mr. Morris as a serious student. Keshav Pingali, a Cornell assistant professor who has Mr. Morris in a small class on microprocessor design, says Mr. Morris is unusually curious: "He did seem extremely inquisitive about how things worked."

Computer scientists say they are mad that certain people newly acquainted with Mr. Morris seem to regard him as a folk hero. If what he wanted was to point out security flaws, his critics say, the way he found to do it is hard to justify. "It was one of the jerkiest things I've ever heard of," says Harvard's Mr. Friedell.

Mr. Morris Jr. hasn't been reachable lately; his father says he had plans for the weekend. The elder Mr. Morris confirms that he has spoken with the Federal Bureau of Investigation and that his son will talk to the FBI, too, sometime this week after he first talks to a lawyer.

Cornell officials say they aren't sure what disciplinary action the school might take against Mr. Morris, but they don't rule out expulsion.

 

Copyright (c) 1988, Dow Jones & Co., Inc.