Melissa anniversary marks birth of email-aware malware
Supermodel of computer virus world turns 10, still spreading
Thursday (26 March) marks the 10th anniversary of the notorious Melissa virus, the first successful email-aware virus.
The Word macro virus, allegedly named after a lap dancer that creator David L. Smith met in Florida, spread via infected Word documents. Windows users who opened the Word document on unprotected systems became infected with the malware, which forwarded itself to the first 50 people in an infected user's Microsoft Outlook address book, further spreading the infection in the process.
Infected emails appeared with the subject lines such as "Here is that document you asked for... don’t show anyone else;-)". The basic social engineering tactic piqued people's interest to the extent that the malicious messages mushroomed in a matter of hours, overloading email servers across the globe in the process.
The virus was programmed to occasionally corrupt documents but had no money-making functions, unlike current generations of malware. Despite this, security firms reckon the virus ushered in the era of botnet-creating malware agents and mass-mailing worms that characterise the current internet security scene.
Since intercepting the virus in March 1999, email and web filtering firm MessageLabs, which is now part of Symantec, has stopped 108 different strains and more than 100,000 copies of the virus. Even this year, MessageLabs' services continue to intercept, on average, ten Melissa-infected emails a month.
"Melissa was the virus equivalent of the supermodels from the 90’s, known by one name and iconic within the industry," said Alex Shipp, senior director of emerging anti-malware technologies at MessageLabs services. "This was the first attack of this magnitude and I remember that when the numbers reached the hundreds within the first hour of stopping Melissa, which were significant levels in 1999, we knew the threat landscape had changed evermore."
A retrospective on Melissa by Graham Cluley, at Sophos, explains the time line of the attack and the eventual arrest and conviction of its author, David L. Smith, in some depth. The Melissa virus first appeared as infected Word document, containing supposed login details to pornographic websites, posted to the alt.sex usenet group.
This post was traced back to a compromised AOL account, firstname.lastname@example.org. This hack was itself traced back to a house in New Jersey, owned by Smith's brother. A week or so later Smith, then 30 and thus old for a VXer, was arrested for malware distribution offences.
Within weeks of the FBI arresting him, Smith had turned rat and was using a fake identity to communicate with and track fellow VXers around the world, it has since emerged.
According to court papers, Smith allowed the FBI to identify the Netherlands-based author of the Anna Kournikova virus as Jan de Wit, furnishing his name, home address and email address. The Dutchman was subsequently sentenced to 150 hours community service.
In 2001, Smith reportedly assisted in the investigation that led the arrest of part-time DJ Simon Vallor, the Welsh author of three viruses. Vallor was arrested by British police in February 2002, pleaded guilty to computer hacking offences and sent to jail for two years. None of the strains of malware created by Vallor did much harm, or made much impact, so this sentence appears harsh, especially in comparison to the eventual fate of the much older Smith.
Smith's assistance is probably the reason why his prosecution was delayed. Eventually, in 2002, three years after the Melissa virus spread across the globe, Smith was sentenced to 20 months behind bars.
Cluley described the Melissa virus as the "grandmother" of email-aware malware, inspiring subsequent malware authors. "Virus writers couldn't fail to notice the impact that Melissa was having, and the virus cast a long shadow as it inspired thousands of other malware attacks such as Anna Kournikova, The Love Bug, Netsky, [and] Bagle in [subsequent] years," he writes. ®
Sponsored: Customer Identity and Access Management