The Day the Internet Died

The more things change, the more they remain the same. It’s been more than 37 years since the Morris Worm took down the Internet. We’ll find that the same attacks and defenses remain in use today. It behooves us all, as modern software developers, to understand our history.

2025 marked the 37-year anniversary of the Morris Worm. It launched November 2, 1988, and internet providers took themselves down for several days. There was no internet for the better part of a week!

Only VAXen (DEC VAX computers) and newer Suns (Sun-3 computer systems) were vulnerable. The problem was, as long as they remained connected to the internet, they could get re-infected. So the internet backbone operators partitioned the internet, disconnecting from each other until everyone was worm-free.

You might wonder how they knew when it was safe to put the internet back together again, given that they couldn’t send messages to each other. They picked up the telephone and talked to each other!

If you google Morris Worm you’ll find various articles including:

YouTube also has several presentations focusing on what went wrong.

The various retrospectives tell us the Morris Worm fundamentally changed the internet, and specifically our thinking about the internet. I disagree.

I want to remind you that “the more things change, the more they remain the same.” The Morris Worm exploited several internet vulnerabilities. We’ll see details later. First, do any of these sound familiar? Similar types of vulnerabilities remain today:

  • Email server misconfiguration (sendmail had powerful debug commands enabled by default)
  • A known operating system vulnerability (buffer overflow in fingerd, a utility commonly used at the time)
  • Remote login and remote command execution via remote login
  • Successfully guessing weak passwords
  • Denial of service

Before the Morris Worm, people left the doors unlocked—almost nobody worried about internet security; we were all friends. The world changed. But, 37 years later, those same types of weaknesses remain. Humans remain human. Please remember that!

This is why in-depth security is essential. Whatever you’re working on, consider the security implications. Could input be unfiltered? Could something be misconfigured? Be sure you know the OWASP Top Ten.

What Actually Happened?

I was not involved in fighting the Morris Worm. But over the next year, I was involved in telling the story to those who had fought the worm or had been directly affected by the attack.

Robert Morris accidentally released the worm into the wild Wednesday evening, November 2, 1988. As we’ll see in the chronology below, teams of system administrators worked overnight and throughout the day Thursday figuring out what was happening. Some of their top software developers happened to be in the class I was teaching in Minnesota: Cray Research Operating System Internals.

We had no cell phones back then, and email was partly down due to the internet collapsing. Some of my students were in and out of class to consult on the disaster in progress. None of us knew—yet—how big a deal this was.

The next time I taught the operating system internals class, I had a new handout: A Tour of the Worm by Donn Seeley of the University of Utah. This was a hugely popular handout for the next few months.

We’re not going to dive into details of how the worm worked. The bottom of the Wikipedia article links to the source code, analyses, and walk-throughs for those interested.

Timeline

https://leanpub.com/unexpected-histories-01

Wednesday, 11/2

Thursday, 11/3

Friday, 11/4

Tuesday, 11/8

Friday, 11/11

Attack

Defense

Boundaries

Security Balance

Summary
