Morris worm
The Morris Worm is a self-replicating network worm released by Robert Tappan Morris on November 2, 1988, and widely regarded as the first major Internet worm. It spread across Internet-connected university, government, military, and research systems, flooding the ARPANET/Internet and causing thousands of hosts to crash or become unusable through uncontrolled replication and resource exhaustion. Multiple sources in the content state it affected about 6,000 machines and disrupted educational institutions, military sites, medical research facilities, universities, laboratories, and research institutes.
The worm was designed to propagate autonomously and used several infection vectors directly mentioned in the content: exploitation of a bug in SENDMAIL, exploitation of a bug in the Unix finger daemon, abuse of trusted-host relationships, and password guessing. The content also specifically states that it spread in part by exploiting a stack buffer overflow in the Unix finger server. Morris attempted to make the worm spread widely while avoiding detection, including releasing it from an MIT system to obscure its Cornell origin. Its replication logic caused far more reinfection than intended, leading to severe network congestion and system failures.
The stated purpose in the content was to demonstrate or map network security weaknesses, but the worm instead caused major operational disruption. Reported impacts include computers crashing or becoming catatonic, widespread service disruption, and response costs ranging from hundreds to tens of thousands of dollars per affected installation; other cited damage estimates range from at least $200,000 to as high as $95 million. The incident led to the creation of the CERT Coordination Center in November 1988 and Robert Tappan Morris became the first person convicted under the U.S. Computer Fraud and Abuse Act for releasing it.
High-confidence identifiers and context from the content include the name Morris Worm / Morris worm / Internet Worm, release date November 2, 1988, creator Robert Tappan Morris, and targeting of Unix-connected Internet hosts via finger, sendmail, trusted relationships, and password guessing.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Resource Development
Privilege Escalation
1 technique
Privilege Escalation
Lateral Movement
1 technique
Lateral Movement
Command and Control
1 technique
Command and Control
Impact
2 techniques
Impact
Recent activity
32 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A self-propagating worm that spread across insecure networks with the objective of propagation rather than adaptive post-compromise operations.
Described as the first computer worm, created in 1988 by Robert Morris.
Named 1980s-era worm (listed as part of a historical timeline). No behavior details provided in the content.
Internet worm referenced as an example of an autonomous system exceeding intended boundaries by spreading beyond its original purpose.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.