Feeds

Melissa anniversary marks birth of email-aware malware

Supermodel of computer virus world turns 10, still spreading

Security for virtualized datacentres

Thursday (26 March) marks the 10th anniversary of the notorious Melissa virus, the first successful email-aware virus.

The Word macro virus, allegedly named after a lap dancer that creator David L. Smith met in Florida, spread via infected Word documents. Windows users who opened the Word document on unprotected systems became infected with the malware, which forwarded itself to the first 50 people in an infected user's Microsoft Outlook address book, further spreading the infection in the process.

Infected emails appeared with the subject lines such as "Here is that document you asked for... don’t show anyone else;-)". The basic social engineering tactic piqued people's interest to the extent that the malicious messages mushroomed in a matter of hours, overloading email servers across the globe in the process.

The virus was programmed to occasionally corrupt documents but had no money-making functions, unlike current generations of malware. Despite this, security firms reckon the virus ushered in the era of botnet-creating malware agents and mass-mailing worms that characterise the current internet security scene.

Since intercepting the virus in March 1999, email and web filtering firm MessageLabs, which is now part of Symantec, has stopped 108 different strains and more than 100,000 copies of the virus. Even this year, MessageLabs' services continue to intercept, on average, ten Melissa-infected emails a month.

"Melissa was the virus equivalent of the supermodels from the 90’s, known by one name and iconic within the industry," said Alex Shipp, senior director of emerging anti-malware technologies at MessageLabs services. "This was the first attack of this magnitude and I remember that when the numbers reached the hundreds within the first hour of stopping Melissa, which were significant levels in 1999, we knew the threat landscape had changed evermore."

A retrospective on Melissa by Graham Cluley, at Sophos, explains the time line of the attack and the eventual arrest and conviction of its author, David L. Smith, in some depth. The Melissa virus first appeared as infected Word document, containing supposed login details to pornographic websites, posted to the alt.sex usenet group.

This post was traced back to a compromised AOL account, skyrocket@aol.com. This hack was itself traced back to a house in New Jersey, owned by Smith's brother. A week or so later Smith, then 30 and thus old for a VXer, was arrested for malware distribution offences.

Within weeks of the FBI arresting him, Smith had turned rat and was using a fake identity to communicate with and track fellow VXers around the world, it has since emerged.

According to court papers, Smith allowed the FBI to identify the Netherlands-based author of the Anna Kournikova virus as Jan de Wit, furnishing his name, home address and email address. The Dutchman was subsequently sentenced to 150 hours community service.

In 2001, Smith reportedly assisted in the investigation that led the arrest of part-time DJ Simon Vallor, the Welsh author of three viruses. Vallor was arrested by British police in February 2002, pleaded guilty to computer hacking offences and sent to jail for two years. None of the strains of malware created by Vallor did much harm, or made much impact, so this sentence appears harsh, especially in comparison to the eventual fate of the much older Smith.

Smith's assistance is probably the reason why his prosecution was delayed. Eventually, in 2002, three years after the Melissa virus spread across the globe, Smith was sentenced to 20 months behind bars.

Cluley described the Melissa virus as the "grandmother" of email-aware malware, inspiring subsequent malware authors. "Virus writers couldn't fail to notice the impact that Melissa was having, and the virus cast a long shadow as it inspired thousands of other malware attacks such as Anna Kournikova, The Love Bug, Netsky, [and] Bagle in [subsequent] years," he writes. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
Admins! Never mind POODLE, there're NEW OpenSSL bugs to splat
Four new patches for open-source crypto libraries
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.