Robert T. Morris Jr. '87-'88, the Cornell graduate student who authored a program which disabled thousands of mainframe computers throughout the nation, proved last week in a spectacular way that there are major security gaps in the country's computer systems.
The young computer wizard, who worked at Harvard's Aiken Computation Labs as late as this summer, also proved that current computer networks are designed so that one computer can easily be used to break through its own security.
Visiting Professor of Astrophysics Clifford Stoll, a computer security expert, estimated that Morris' program--now known as the "Cornell virus"--caused $2 million in damage, both in the time the computers were down and the manpower expended eradicating the virus.
The FBI is currently conducting a full-scale investigation of whether Morris violated federal laws about computer security by setting loose his virus onto the nation's largest computer network, the Internet, which is also used by the Pentagon.
Stoll noted that the Cornell virus was the first true virus--a program with the ability to spread itself from computer to computer completely independently--ever released. Previous viruses depended on users taking certain steps, such as running a particular file or sending electronic mail, to allow them to spread. Morris' virus was programmed to do it all on its own.
After a series of interviews with experts on computers and computer security, it appears that the virus spread itself in a three-step process, which transformed an innocent computer into one that could infect others--like a chain-letter scheme run on the most advanced circuitry.
To move from system to system, the virus took advantage of the extensive computer links in the Internet, which connects about 60,000 mainframes throughout the nation, including educational, commercial, and military systems.
An infected host computer first sent a short message through "electronic mail" over the Internet to the target computer. By using a number of tricks, Morris' program made the target machine treat the message as a command program instead of ordinary mail, which the computer places into a file to be read by users if they wish. The message--now acting like a program--told each computer which received it to ask the host computer for the rest of the virus, according to McKay Professor of Computer Science Mark Friedell.
The second stage of the virus then reserved a section of memory in the target computer as its workspace and began guessing passwords for user accounts on the target system.
Experts say that at least one in 20 passwords can be guessed quite easily because users choose as their password their name, the name of a friend, their home city, or other computer-related terms. Morris exploited this fact and programmed his virus to request information about users from the computer and use that information to try to guess their passwords. Only one password on each system needed to be discovered to break through the next level of computer security.
When the virus found a working password, it logged itself into the machine masquerading as that user, placed a copy of the entire virus in the computer's storage and ran it, fully infecting the target machine.
When the machine had been completely infected, the virus entered its third stage, taking on the task of spreading itself to other machines. The target became a new host, and began sending its own headers to other machines on the network.
Unlike almost any other virus written, the Cornell virus was not designed to destroy files, steal or change data, play pranks on the users, or even allow its creator to gain illegal access to the infected networks--its sole purpose was to spread itself to every machine it found.
Even its most-celebrated effect--crashing thousands of mainframes across the country--was apparently due to a programming error and was not Morris' intent.
Morris had accidentally instructed the computer to infect every 10th adjacent computer on the Internet instead of every 10,000th, according to Jeffrey I. Schiller, M.I.T. network manager. As a result, the virus tried to spread too quickly and multiple copies of the virus were sent to the same machines, eventually using too much memory and computer time, causing the systems to crash.
Stoll commented that although Morris may not have intentionally designed the virus to be destructive, he did take deliberate measures to make sure that the virus would be difficult to defeat--and that he would not be caught.
"Some people are calling this just a harmless experiment that went wrong. I'm not so sure," said Stoll. "If it were meant to be harmless, then why did [Morris] put in all these defenses? There are still some things that bother me about this."
The first, and most simple, of Morris' defenses, was that he released the virus at midnight, giving it a head start on the systems managers across the country who were home asleep when the virus began to spread.
When the system managers did arrive, they found that the virus program was written in a secret code so that they were not able to understand it. The process of decoding the program took hours of valuable time.
After they had finally decoded the virus and began trying to interpret the program, it became apparent that Morris had included fake instruction sequences--portions of the program which would never be executed--to lead them on wild goose chases in their attempts to understand the operation of the program.
Beginning last Thursday afternoon, system managers turned off each machine and reprogrammed it by hand to eradicate the virus. By Friday, most of the machines at Harvard and around the country had been put back on line.
THE INCUBATION OF A VIRUS
EARLY THURSDAY MORNING
12:00 A.M. VIRUS RELEASED BY ROBERT MORRIS, JR.
2:00 A.M. MORRIS CALLS HARVARD TO WARN OF INFECTION
LATE THURSDAY MORNING
PROGRAMMERS BEGIN DEBUGGING SYSTEMS AFFECTED BY VIRUS
LATE FRIDAY
MOST UNITS WORKING AGAIN, MORRIS NAMED AS VIRUS ORIGINATOR