Happy 20th birthday, internet worm!

This weekend marks the 20th anniversary of the Internet Worm, the first major worm that propagated on the Internet. Even though many years have passed and underlying media has changed, worms are still able to wreak havoc and keep system administrators up at night. Today the damage done by worms is far less visible and far less newsworthy but far more difficult to repair than in the past.

On November 2nd, 1988, Robert Tappan Morris launched an application ostensibly designed to count the number of systems on the Internet. It was designed to propagate across Unix systems by exploiting several vulnerabilities, including a conceptual flaw in how r-services (rlogin, rsh, and rexec) authenticate connections, the archaic remote debug feature in Sendmail, and a buffer overflow in the finger daemon. Due to a flaw in it’s design, the Worm attempted far more propagation attempts than were necessary, causing targeted machines to slow dramatically from resource starvation. Long story short, the then Mr. Morris was caught, found guilty, and sentenced to probation and community service.

Many years of highly visible worms followed. Who could forget such classic hits as Melissa and I Love You, viruses that attacked software that is standard on Windows PCs, as well as Code Red and SQL Slammer for their Windows Server brethren. These worms were created just for the sole fact that they could be created. Their existence served no purpose but to exist. The damage done by the load they created on networks and systems made headlines not just on technical forums but in real newspapers.

Today’s worms, however, feel no need to make themselves known, and their authors don’t want to be visible. The authors want the worms to do one thing only, and that is make money. Modern worm authors will use any underlying transport mechanism that is available, eschewing operating system and programming language religious barriers maintained by more orthodox hackers. They propagate using systems like Facebook messages for lures, redirecting users through legitimate sites such as Google until finally they reach a piece of malware that claims to be a video, with the final goal being the infection of another desktop and restarting the infection process again. Even when the messages have been cleaned up from the servers, tens of thousands of desktop systems are left compromised and transmitting keystroke logs and credit card numbers captured from the unsuspecting user.

Two decades ago, we experienced a rare contagion that left us with thousands of servers compromised and experienced system administrators burning overtime to remediate the situation in what became a historical event. Today, we see frequent contagions that leave us with millions of compromised desktops and home users who are completely unprepared to fix the situation, costing us a fortune in losses due to electronic financial fraud, and it happens so frequently that it is no longer newsworthy. As a result, the average user feels safer because the headlines have gone away without realizing they are in far worse shape from a financial risk perspective than before.

One last topic I want to mention. The criminal justice system could have thrown the book at Robert Tappan Morris 20 years ago, and it chose not to. Mr. Morris went on to become Dr. Morris, Professor at MIT and co-founder of Y-Combinator, a venture incubator that helps ignite promising startups. While not all individuals who come before the courts have the capacity to achieve that level of success, it would be wrong to think that every teenager and college student who ends up in Mr. Morris’s situation is irredeemable and should not be allowed to contribute to society. Who knows what the future may hold for both the individual and technology at large once these kids are directed a better path.

[Source: zdnet]