How the Morris Worm of 1988 Became the First Internet Disaster

On the evening of November 2, 1988, something strange started happening on the young internet. Computers at universities, military labs, and research centers across the United States began slowing down, then freezing completely. No one knew why at first. By the next morning, thousands of machines were unusable. The cause? A 99-line program written by a 23-year-old Cornell graduate student named Robert Tappan Morris. What he intended as a harmless experiment to measure the size of the internet accidentally turned into the first true internet-wide crisis. The Morris Worm infected about 10 percent of all computers connected to the internet at the time, cost millions of dollars to clean up, and changed cybersecurity forever. It was not the first virus, but it was the first disaster that proved the internet could break on a massive scale. This blog post tells the full story: what happened, how it happened, and why we still feel its effects today.

Dec 3, 2025 - 11:01

The Internet in 1988: Small but Growing Fast

In 1988, the internet was tiny compared to today. Only about 60,000 computers were connected, mostly at universities, government labs, and a few companies. There were no web pages, no Google, no social media. People used email, file transfers, and remote login. Most machines ran Unix, and security was based on trust: if you were on the internet, you were supposed to be a researcher who played nice. Passwords existed, but many were weak or shared. That trusting environment made the perfect playground for a worm.

Who Was Robert Tappan Morris?

Robert Tappan Morris was a brilliant but quiet 23-year-old first-year graduate student at Cornell University. His father, Robert Morris Sr., was a top computer scientist at Bell Labs and one of the authors of Unix. Young Robert grew up around computers and knew the internet inside out. He wanted to answer a simple question: how big is the internet? There was no easy way to count machines, so he decided to write a program that would quietly spread and report back. He never meant to cause harm.

How the Worm Actually Worked (Simple Explanation)

The worm used three main tricks to spread:

  • Weak passwords: It tried a list of common passwords (including “password”, names, and blank).
  • A bug in the Unix sendmail program: A hidden back door let it enter without a password.
  • A bug in the finger command: Another way to sneak in without credentials.
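The finger bug was a buffer overflow in the finger daemon: the request line was read into a fixed-size buffer with no length limit. The C code below is an added example, not code from the worm, from fingerd, or from the original post. It shows the unsafe pattern as a comment beside a bounded replacement that rejects over-long requests instead of overflowing. The names parse_request and REQ_MAX, the 512-byte size, and the character allow-list are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define REQ_MAX 512  /* request buffer size chosen for this example */

/* Unsafe pattern, shown as a comment only (gets() was removed in C11):
 *     char line[REQ_MAX];
 *     gets(line);   // no length limit: a longer line overwrites the stack
 */

enum { REQ_TOO_LONG = -1, REQ_INCOMPLETE = -2, REQ_BAD_CHAR = -3 };

/* Clear the output so a rejected request never leaves partial data behind. */
static int reject(char *dst, int code) { dst[0] = '\0'; return code; }

/* Copy one request line from buf[0..len) into dst (capacity dst_sz).
 * Returns the name length, or a negative REQ_* code. Over-long input is
 * rejected, never truncated, and every write is checked against dst_sz. */
int parse_request(const char *buf, size_t len, char *dst, size_t dst_sz)
{
    size_t i, n = 0;
    if (dst_sz == 0) return REQ_TOO_LONG;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (c == '\n') break;                  /* end of the request line */
        if (c == '\r') continue;               /* tolerate CRLF endings */
        /* Allow-list is an assumption of this example, not the finger spec. */
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return reject(dst, REQ_BAD_CHAR);
        if (n + 1 >= dst_sz)                   /* keep room for the NUL */
            return reject(dst, REQ_TOO_LONG);
        dst[n++] = (char)c;
    }
    if (i == len) return reject(dst, REQ_INCOMPLETE);  /* no newline seen */
    dst[n] = '\0';
    return (int)n;
}

int main(void)
{
    char name[REQ_MAX], big[600];              /* constructed sample inputs */
    memset(big, 'A', sizeof big);
    big[sizeof big - 1] = '\n';
    printf("normal:   %d\n", parse_request("alice\r\n", 7, name, sizeof name));
    printf("oversize: %d\n", parse_request(big, sizeof big, name, sizeof name));
    printf("bad char: %d\n", parse_request("a;b\n", 4, name, sizeof name));
    return 0;
}
```

The caller decides what to do with a negative result; closing the connection on REQ_TOO_LONG or REQ_BAD_CHAR and logging the peer address gives defenders a record of malformed requests.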

Once inside a machine, the worm would:

  • Hide its files so it was hard to spot.
  • Try to infect every other machine it could reach.
  • Re-infect the same machine over and over because of a coding mistake.

That last mistake was fatal. Morris added code to infect every seventh machine it found to avoid being noticed, but a small error meant machines kept getting infected hundreds of times, using all memory and CPU until they crashed.

The Night It Spread: Hour by Hour

  • 8:00 PM, Nov 2 – Morris releases the worm from a computer at MIT to hide his trail.
  • 9:00 PM – First reports of slow machines at Berkeley and UC San Diego.
  • 11:00 PM – Harvard and Princeton machines freeze.
  • 2:00 AM, Nov 3 – Hundreds of sites are infected.
  • Morning, Nov 3 – NASA, military labs, and major universities go offline to stop spread.

By daylight, about 6,000 machines (10% of the entire internet) were infected or shut down on purpose.

Damage and Cost: Millions of Dollars, Zero Data Lost

The worm did not delete files or steal secrets. It only made machines unusable by eating all resources. Cleanup cost estimates ranged from $100,000 to $10 million per site. Total cost across the U.S. was likely tens of millions in 1988 dollars. It was the most expensive computer incident in history up to that point.

The Cleanup: Programmers Working Through the Night

Researchers at Berkeley and Purdue quickly figured out how the worm worked and posted fixes by email and Usenet. Because the internet itself was broken, they used phones and fax machines to share instructions. Within 72 hours most sites were clean, but the shock remained.

The Aftermath: CERT, Laws, and New Rules

The worm caused immediate changes:

  • November 1988 – DARPA created the first Computer Emergency Response Team (CERT) at Carnegie Mellon.
  • 1989 – Morris became the first person convicted under the new Computer Fraud and Abuse Act.
  • Universities started requiring strong passwords and closing known bugs.
  • Companies realized they needed full-time security staff.

The Lasting Legacy of the Morris Worm

Today we still live with decisions made because of the Morris Worm:

  • CERTs exist in almost every country.
  • Software companies now have bug-bounty programs and quick patch cycles.
  • Every new protocol is designed with security in mind first.
  • Robert Morris himself became a respected professor at MIT and co-founded a successful startup.

Timeline of the Morris Worm Events

| Date / Time | Event | Impact |
|---|---|---|
| Nov 2, 1988 – Evening | Morris releases worm from MIT | Hides his Cornell location |
| Nov 2, 9 PM | First slowdowns reported | Berkeley & UCSD |
| Nov 3, Morning | ~6,000 machines infected | 10% of entire internet |
| Nov 3–4 | Berkeley & Purdue post fixes | Cleanup begins |
| Dec 1988 | CERT created at Carnegie Mellon | First official response team |
| 1990 | Morris convicted | First person under CFAA |

Conclusion

The Morris Worm was not created with evil intent, yet it became the first real internet disaster because it showed how fragile the young network was. One small coding mistake by one student brought thousands of computers to their knees and cost millions. The reaction was swift and permanent: CERTs, stronger laws, patched software, and a new profession called “cybersecurity specialist” were all born in the months that followed. Every time your phone or laptop downloads a security update today, you are living in the world the Morris Worm helped create. It was the moment the internet grew up and realized it needed seat belts.

Who created the Morris Worm?

Robert Tappan Morris, a 23-year-old Cornell graduate student.

Was the Morris Worm meant to cause damage?

No, it was designed only to measure internet size, but a bug made it spread uncontrollably.

How many computers were infected?

About 6,000, roughly 10% of the entire internet in 1988.

Did the worm delete data?

No, it only used memory and CPU until machines crashed.

How much did the cleanup cost?

Estimates range from $10 million to $100 million in 1988 dollars.

What bugs did the worm exploit?

Weak passwords, a sendmail back door, and a finger daemon buffer overflow.

When was CERT created?

December 1988, directly because of the worm.

What happened to Robert Morris legally?

He was convicted in 1990, fined, and sentenced to community service; he later became a respected professor.

How long did it take to stop the worm?

Most sites were clean within 3–5 days.

Was the internet shut down?

No, but many sites disconnected themselves to stop spread.

Why could the worm spread so fast?

Trust-based security and known software bugs that had never been fixed.

Did anyone go to jail immediately?

No. Morris was later the first person prosecuted under the CFAA.

Is the Morris Worm source code still available?

Yes, decompiled versions are studied in security classes.

Did the worm affect home PCs?

Almost none; only Unix research machines were vulnerable.

What lesson did companies learn?

Patch known bugs quickly and use strong passwords.

Was this the first worm ever?

No, Creeper in 1971 was earlier, but Morris was the first to cause real damage.

Why do we still talk about it?

It was the “9/11” of the early internet, the moment everyone realized the network needed protection.

Did the worm have a name inside the code?

No, it is called the Morris Worm after its author.

How big was the internet in 1988?

About 60,000 computers total.

What would the same worm cost today?

Billions, if it succeeded on today’s scale.


Ishwar Singh Sisodiya I am focused on making a positive difference and helping businesses and people grow. I believe in the power of hard work, continuous learning, and finding creative ways to solve problems. My goal is to lead projects that help others succeed, while always staying up to date with the latest trends. I am dedicated to creating opportunities for growth and helping others reach their full potential.