Melissa's long gone, but lessons remain

Six years ago, the virus taught companies and PC users to distrust e-mail. The outbreak still has lessons to teach us, experts say.

It's been six years since the Melissa macro virus first got loose, but security experts say network administrators and PC owners still have lessons to learn from it.

The virus started spreading on March 26, 1999, and traveled quickly across the Internet, using the macro functions in Microsoft Word to burrow into the computers of victims who opened the document. Within three days, hundreds of thousands of PCs were infected.

"Melissa was the second successful e-mail worm, but it was the one that really caught attention," said Richard Smith, an Internet security and privacy consultant who discovered clues in Melissa that pointed to the author of the code. "It showed how e-mail could be used to quickly spread a virus across the Internet."

Description:
Written in the Microsoft Word macro language, the virus travels as an attachment in e-mail messages. When opened, Melissa infects the victim's computer and then sends copies of itself to the top 50 addresses in the Outlook address book.

Time line:
Melissa started spreading on Friday, March 26.

On Sunday, March 28, the FBI's National Infrastructure Protection Center warned of reports of significant network degradation in many corporate networks.

By Monday, three days after it began, the mass-mailing computer virus had reached 100,000 computers, according to the Computer Emergency Response Team Coordination Center.

Creator:
Subsequent investigation found that an America Online account had been used by David L. Smith, a New Jersey resident, to post the Melissa virus to several USENET news groups.

Smith pleaded guilty to creating and releasing the Melissa virus, and was sentenced to 20 months in prison. He was released in December 2004.

Trivia:
When the minute of the hour matches the day of the month (say 9:26 am on April 26), the Melissa virus inserts the following message into an opened document: "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."

The quote is from "The Simpsons."

Sources: CERT/CC, CNET coverage

While macro viruses pose little threat today, and most Internet users have gained a healthy distrust of the contents of their in-boxes, mass-mailing computer viruses remain among the top Internet dangers. Moreover, the social engineering technique that convinced people to open the malicious Melissa file has been honed into a more effective tool, forming the basis of the latest e-mail-borne attacks, such as phishing and spam.

Those elements are prompting antivirus researchers to look to past viruses, including Melissa, for clues about how the latest viruses could try to evade current defenses. One in every 40 e-mail messages daily carries a mass-mailing pest, according to mail service provider MessageLabs.

Melissa used now-common techniques to spread. An infected Windows system would send out e-mail messages to the first 50 entries in the computer's Microsoft Outlook address book. Each e-mail had the subject line "Important Message From" and the name of the owner of the affected PC. Because the e-mail messages were sent to known acquaintances, recipients were more likely to open them.

Attached to the e-mail was a Word document, originally titled "list.doc," that contained the Melissa virus and a list of pornographic Web sites. Under certain circumstances, the program could grab a different file from the victim's computer and insert the virus into that instead.

The rate at which Melissa proliferated serves as a lesson for researchers on how virus writers adapt to new methods of propagation, said Jimmy Kuo, a research fellow and antivirus investigator at McAfee, a security software maker. A previous virus, Happy99, had attempted to use e-mail to spread as well, but largely failed.

"We can look to Melissa for clues as to the significance of the Cabir virus for the cell phone, for example," Kuo said. "The Melissa virus showed virus writers that it was possible to spread a virus through e-mail quickly. The Cabir virus has done the same thing for phone viruses through Bluetooth."

The first mobile-phone virus to successfully spread from one handset to another--albeit only modestly--Cabir could be a blueprint for other virus writers. Cabir's major innovation, like Melissa's, is its ability to spread using a new mechanism for viruses--the Bluetooth wireless technology.

Schooled in security
Melissa also had an impact on the learning curve at Microsoft. The use of its e-mail software as the means to spread the virus caused the Redmond, Wash.-based software giant to make major amendments to its applications in the name of security. The changes foreshadowed the more extensive Trustworthy Computing Initiative, which kicked off after the Code Red and Nimda worms ran rampant across the Internet.

"We look and try to learn from every one of these (incidents), and it is critical that we continue to do that, because it is going to be an ongoing effort," said Dan Leach, product manager in Microsoft's Office group.

In 2000, Microsoft launched an update to Outlook that limited the type of attachments that could be sent through the mail client, blocking the most common types of executable files. The list of blocked file types has grown to about 70 and includes Word documents, screensaver attachments and Active Server Pages.

Microsoft had previously introduced digitally signed macros for its Office documents, as a way to combat macro viruses. But only after the Melissa onslaught was the feature really used.

Those defensive measures and the higher efficiency of binary viruses like AnnaKournikova, which use executable programs rather than application features to reproduce, helped knock back macro viruses. In lists of top 10 infectors, the number of such viruses fell quickly from five in 1999 to two in 2001. Since 2002, macro viruses have not been a significant viral threat.

On the other side of the equation, Melissa also held a lesson for virus writers. The electronic trail left by David L. Smith, author of the malicious code, spawned a worldwide manhunt. Smith's mistakes, including dialing up from his home to a stolen America Online account to post the virus in newsgroups, eventually led authorities directly to the New Jersey resident. The Melissa writer served 19 months of a 20-month sentence and was released in December 2004.

The successful prosecution is responsible for stopping a lot of virus writing activity in the United States, security consultant Richard Smith said. "I think for Americans, it caused them to think twice about writing viruses," he said.

Yet that success is largely the exception, not the rule, for such investigations. While some high-profile cases--such as the arrest of MafiaBoy for several denial-of-service attacks and the arrest of the self-confessed author of the Sasser worm--could be held up as warnings, most cybercrimes go unpunished. Even with the creation of a bounty by Microsoft on the larger incidents, and the success of that program in drawing out a solid lead to Sasser's author, arrest rates are low.

In many ways, Melissa may represent an age of innocence for viruses, when the criminals were easy to catch and the viruses were easy to stop. As virus writers target new areas and organized crime enters the picture, the future starts to look darker and more tech noir.
