David Perry, Global Director of Education, Trend Micro, Inc.
Friday, March 26, 2009
All the email said was: Here is that document you asked for ... don't show anyone else ;-)
But that was enough. One innocuous line in an email launched the first mass-mailing email worm, which powered its way through more than a million corporate computers and set off an FBI hunt and a media circus of prime-time news hours and yards of newspaper copy.
Ten years ago this month the face of the security industry changed dramatically with an innocent-sounding virus called Melissa. Melissa was not the first computer virus (not by a decade, nor by thousands of other viruses), but it was an important one, a milestone in the history of such things. It deserves a solid footnote in the annals of computer security, and it holds a lesson that will help us in the future. But to understand this worm (the two labels overlap: Melissa replicated like a virus and spread under its own power like a worm, so malware experts apply both to it) one needs to examine a little of the history before it, and the world into which it was launched.
Life was very different just a decade ago. I was working in computer security at the time. I was on vacation in Orlando when my pager (this was back in the time of pagers) went off in the middle of a ride with a text message about a new and fast-breaking virus. I went straight back to my hotel, got online over a dial-up phone link and read the first news and analysis of the new worm, Melissa. I had to go offline again to call the media, but the story was soon well established. The age of the email worm had begun.
By the time Melissa hit and pushed the term "computer virus" into everyday vocabulary, many of us computer geeks had already studied them for years. Viruses were first seen in the wild in the mid to late 1980s, but the idea of the computer virus was already well known from science fiction. Early examples either travelled in the boot sectors of floppy disks or infected common executable files (notably COMMAND.COM). In fact I write this article on another virus milestone date: March 6 was the trigger date of the MICHELANGELO boot sector virus. As computers became more common, so did the viruses that infected them. These early viruses spread slowly, and an infected office would need to scan hundreds of floppy disks to eradicate them. Eventually, changes to the PC and its operating systems (booting from the hard disk before the floppy drive, and the decline of the floppy itself) removed most of the exposure to boot sector viruses, and many predicted that the era of computer viruses was over.
LESSON ONE: It’s Never Over!
After the death of the boot sector virus (which, incidentally, is finding new life on USB thumb drives) came the MACRO virus, which quickly proved more virulent and more destructive than anything seen up to that time. Macro viruses attacked applications rather than the operating system: they lived inside Office documents and were written in Word's own easy-to-master macro language (WordBasic, and later Visual Basic for Applications). At the end of the decade, changes to the macro security settings in Microsoft Office were ending that first wave of macro viruses, but the last big macro virus was going to be a doozy.
LESSON TWO: Never Say Never!
Email was becoming a popular medium, first inside local area networks, then through online services like CompuServe and AOL, and finally by connection to the Internet. In those days a chain letter was circulating with a warning about an alleged virus called GOOD TIMES. The chain letter warned that any email with the subject "Good Times" was actually a virus, but there was no virus, only a chain letter, and a hoax. The hoax was first seen in 1994 and continued unabated through the rest of the decade. Many virus experts insisted again and again that a computer virus could never spread by email. The chain letter hoax stayed with the world for many years, and we still see hoaxes all the time. It is a good rule of thumb that any warning arriving via a chain letter is false; at the time of this writing there have been no exceptions. The claim that there would never be an email-based virus was eventually disproved. It happened on March 26th, 1999.
LESSON THREE: The Next Wave Will Catch You by Surprise!
MELISSA: MARCH 26, 1999
Melissa first appeared in a posting to the Usenet group alt.sex, carrying an attached Word document that claimed to hold a list of passwords to pay porn sites. Whether the passwords worked is beside the point; the posting had another purpose. When the Word document was opened and its macros ran, the macro virus used the victim's own copy of Outlook to mail the infected document to the first fifty addresses in each of the user's address books. Melissa was both a virus (it made copies of itself, or replicated, infecting the Word template as it went) and a worm (it spread under its own power to other computers and email accounts). In a matter of hours Melissa was evident in many of the world's corporate networks, and in a matter of days nearly every computer user had either seen it or been infected by it.
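As an added illustration (not code from the original article or from Trend Micro): the spreading pattern just described, one user sending one attachment to many recipients within seconds, is exactly the signal a mail administrator can key on at the gateway. The Python below runs a simple fan-out detector over a constructed, hypothetical outbound mail log; the log format, the sender and recipient names, and the truncated attachment hashes are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound mail-gateway log (hypothetical format, not real traffic):
# timestamp, envelope sender, one recipient per line, a truncated hash of the
# attachment or "-" when there is none, and the subject. The fourth line is
# deliberately truncated to show that malformed records are skipped.
LEGIT = """\
1999-03-26T09:00:01 from=alice@corp.example to=bob@corp.example attach=- subj="Lunch?"
1999-03-26T09:02:10 from=alice@corp.example to=bob@corp.example attach=c0de subj="Q1 numbers"
1999-03-26T09:02:10 from=alice@corp.example to=erin@corp.example attach=c0de subj="Q1 numbers"
1999-03-26T09:03:00 from=alice@corp.example
1999-03-26T11:00:00 from=dave@corp.example to=u1@client.example attach=1a2b subj="Newsletter"
1999-03-26T11:30:00 from=dave@corp.example to=u2@client.example attach=1a2b subj="Newsletter"
1999-03-26T12:00:00 from=dave@corp.example to=u3@client.example attach=1a2b subj="Newsletter"
1999-03-26T12:30:00 from=dave@corp.example to=u4@client.example attach=1a2b subj="Newsletter"
1999-03-26T13:00:00 from=dave@corp.example to=u5@client.example attach=1a2b subj="Newsletter"
1999-03-26T13:30:00 from=dave@corp.example to=u6@client.example attach=1a2b subj="Newsletter"
"""
# Melissa-style fan-out: one sender pushes one attachment to eight distinct
# recipients within seconds. The subject is the lure quoted in the article.
BURST = "\n".join(
    f'1999-03-26T10:15:{sec:02d} from=carol@corp.example to=user{i:02d}@partner.example '
    f'attach=7e11 subj="Here is that document you asked for"'
    for i, sec in enumerate(range(20, 28), start=1)
)
SAMPLE_LOG = LEGIT + BURST

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) '
    r'attach=(?P<attach>\S+) subj="(?P<subj>[^"]*)"$'
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def find_mass_mailers(text, window=timedelta(minutes=5), threshold=5):
    """Return {(sender, attach): most distinct recipients seen inside one window}
    for every sender/attachment pair that reached `threshold` or more distinct
    recipients within `window`. Threshold 5 is for the demo; Melissa used 50."""
    sends = defaultdict(list)            # (sender, attach) -> [(ts, rcpt), ...]
    for e in parse_log(text):
        if e["attach"] == "-":
            continue                     # no attachment, nothing to carry a macro
        sends[(e["sender"], e["attach"])].append((e["ts"], e["rcpt"]))
    alerts = {}
    for key, items in sends.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            # every later send of the same attachment that falls inside the window
            rcpts = {r for ts, r in items[i:] if ts - start <= window}
            if len(rcpts) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(rcpts))
    return alerts


if __name__ == "__main__":
    for (sender, attach), n in find_mass_mailers(SAMPLE_LOG).items():
        print(f"ALERT {sender} sent attachment {attach} to {n} recipients in one window")
```

The detector keys on the attachment hash rather than the subject line because copycat worms varied their subjects while the carrier document stayed the same; dave's newsletter, six copies of one attachment spread over hours, stays below the alert because the sliding window never holds more than one recipient, while carol's eight copies in eight seconds trip it. Window and threshold would be tuned per site.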
Melissa was an Internet-borne virus (and only one company at the time offered virus blocking at the Internet email gateway), and it was visible: nobody could deny the presence of the virus when it sat in the email inbox. (Previous viruses, and most viruses since, are invisible as a rule, just like their biological namesakes.) A search involving the FBI, local law enforcement, America Online and many behind-the-scenes virus experts identified the original poster, who used the handle Kwyjibo, as the same person as another frequent Usenet regular using the name Vicodin. That created a trail that led back to David Smith of Aberdeen Township, New Jersey. The virus took its name from a Florida stripper favoured by its author. Smith was arrested within days and pleaded guilty later that year, but it took until 2002 for him to be sentenced for using the virus to damage and gain illegal access to multiple computer systems. Details of the court case can be found in this DOJ document.
Smith was sentenced to twenty months in federal prison and a fine of $5,000. His virus earned him no money; it was written for bragging rights alone. It was perhaps inevitable that somebody would invent the email worm, but the prize (such as it is) goes to David Smith.
LESSON FOUR: Each New Virus Threat is Worse than the One Before
The boot sector viruses were dominant from 1986 until 1995. At the very most there were a couple of thousand of them, mostly minor variations on existing work. The macro viruses, dominant from the summer of 1995 until 2000, were much worse, with tens of thousands of new variants each month. Email worms, first appearing with Melissa, were worse still, harnessing the Internet to reach thousands of people per second, bringing corporate email systems to a halt and infecting more than a million machines before being stopped. Each new development in malicious code is worse than the one that preceded it, without exception. Today's malware is the worst we have ever seen, in number, in execution and in the danger it presents to end users. Melissa's outbreak day was awful at the time, the worst thing we had ever seen. It would fit into ONE MINUTE of 2009, where rampant infection and cybercrime have overrun the entire world.
LESSON FIVE: Innovation brings Imitation and leads to Saturation!
Once the floodgates of email worms opened, there were tens of thousands of copycats. Some refined the technique by carrying their own SMTP engine, which freed the genre from dependence on any one email client and made it universal. Email worms developed and prospered for the next five years, alongside the rise of SPAM. Eventually the 'bad guys' discovered other ways to spread malicious code (now known under the universal moniker of MALWARE): exploiting buffer overflows in network services, copying themselves onto open network shares and, most importantly, via the World Wide Web. A virus email you find today (in 2009) most likely contains not an infected file but a link to an infected Web site. Many of these poisoned Web sites are not tied to email at all but perform 'drive-by' infections, catching unwary users who merely browse to them. Today most malware is profit-driven, international and absolutely criminal in its intent.
David Smith wanted the fame of being known as an elite hacker. Today's hackers want your credit card number, your bank password, or the illicit use of your computer for their own purposes, and they are not lone individuals but parts of organized crime networks. When Melissa was created, people were shocked that there were fifty thousand or so known viruses in the world. Today we encounter twice that many new malware samples every single day, and the catalogue of known malicious programs holds more than twenty million samples (binaries, emails, scripts and URLs). It has become necessary to detect not just the code itself but its passage through the Internet and the reputation of its source.
LESSON SIX: Don’t blame it on technology
The Internet and malware co-evolve, and every new innovation in computing brings with it new vulnerabilities, new weaknesses and new opportunities for exploitation. There were other such watersheds before Melissa, and many since that day, but on March 26th you might want to consider this: "It is a well-known fact that no other section of the population avail themselves more readily and speedily of the latest triumphs of science than the criminal class. The educated criminal skims the cream from every new invention, if he can make use of it."
Chicago police inspector John Bonfield, 1888
That quote can be found in Tom Standage's book The Victorian Internet, and it refers to frauds and other crimes committed over the TELEGRAPH. The Internet is no safer and no more dangerous than any other medium of human interaction. It does automate the process, allowing criminals and con men alike to attack thousands, perhaps millions, of victims each day. But one final lesson should be taken to heart: the problems of computer viruses are not problems of computer technology; they are problems of human behavior.