[TUHS] Happy birthday Morris worm

Paul Winalski paul.winalski at gmail.com
Mon Nov 4 03:12:20 AEST 2019


On 11/2/19, Warner Losh <imp at bsdimp.com> wrote:
>
> the notion of a self propagating thing
> was quite novel (even if it had been theoretically discussed in many places
> prior to the worm, and even though others had proven it via slower moving
> vectors of BBS).

Novel to the Internet community, perhaps, but an idea that dates back
to the 1960s in IBM mainframe circles.  Self-submitting OS/360 JCL
jobs, which eventually caused a crash by filling the queue files with
jobs, were well-known in the raised-floor world.

> In hindsight people like to point at it and what a terrible thing it was,
> but Robert just got there first.

Again, first on the Internet.  Back in 1980 I accidentally took down
DEC's internal engineering network (about 100 nodes, mostly VAX/VMS,
at the time) with a worm.  The network used DECnet Phase 2, which
didn't have built-in packet routing.  If you wanted to talk to a
machine that wasn't physically connected to yours, you had to
explicitly specify the packet route.  Network topology maps were thus
very valuable.

All of the VAXen on the network were configured with an unprivileged
default DECnet account that was used for any connection that didn't
explicitly specify a username/password.  One could copy arbitrary DCL
command procedures (VMS's equivalent of shell scripts) to a machine
and execute them there.  I wrote a script to collect the raw
information for making a network topology map.  The script did this:

[1] Display the local DECnet connections and send this information
back over the network link.
[2] For each adjacent network node:
[2a]  Copy the script to that node.
[2b]  Execute the remote copy, sending its info back over the network link.

The problem, of course, is I had forgotten that network adjacency is
commutative.  I ran the script on node A, which told me that A is
connected to B and C.  It then told me that B was connected to A, D,
and E.  Then that A is connected to B and C....  I realized what had
happened immediately, but it was already too late.  The network had to
be taken down, the nodes cleared of the scripts, and then reconnected.
We learned the hard way that although the non-privileged default
DECnet accounts couldn't damage the system, they could be exploited
for what we now call DDoS attacks.

Robert Morris worked as an intern one summer in DEC's compiler group.
The Fortran project leader told Morris about my 1980 worm incident.
So he certainly had heard of the concept before he fashioned his
UNIX/Internet-based worm a few years later.

-Paul W.


More information about the TUHS mailing list