The year was 1999. The month March. There was already lots of talk about the Y2K bug, budgets being allocated to computer and software updates, bunkers being prepared for the end of the world. Meanwhile, for many, it was business as usual. You still have to go to work. Pay the bills. Buy groceries.

For David L. Smith, however, things were less routine. The American, hitherto unknown to many, was preoccupied with what would be his most, and only, infamous creation. Eventually, on or around the 26th, he let loose the Melissa virus (officially known as W97M/Melissa.A@mm).

A voracious appetite

Within hours, the macro virus had spread far and wide, infecting tens of thousands of computers throughout the world that were reliant on Microsoft Outlook for email, including those located within government agencies.

Aryeh Goretsky, distinguished researcher at ESET, who was director of support at Tribal Voice at the time, recollects “marveling” at the speed of the virus, which resulted in Tribal Voice’s email service and internet connectivity slowing down markedly.

He says: “I remember going into the macro editor in Word, looking through the human-readable code, and thinking ‘Oh, this can't be good – it really drops the level of technical literacy for writing viruses.’"

The damage was substantial, the cost significant (more than $80 million according to the FBI). It could have been a lot worse had Mr. Smith not been apprehended within a week of the virus being launched.

“The capabilities of the virus itself were more annoying than catastrophic,” explains Lysa Myers, security researcher at ESET. “Nevertheless, for the many companies that had severe losses in productivity, I’m sure it caused more than enough damage.”

Not business as usual

Ms. Myers was only a few weeks into her new role at the virus labs when, as she puts it, Melissa “reared its ugly head”. Needless to say, the following week was a long and hard one.

“A few people had contacted the labs, asking for help in panicked tones because of problems caused by a document that they’d received – and opened – that spread like wildfire through their mail systems,” she explains.

“I remember virus researchers and support asking for a sample of these docs, and then being absolutely deluged with replies from those initial few people and then from thousands of others. It was all hands on deck for the next three days straight, where we all worked around the clock to make sure that everyone who needed help was taken care of.”

Controversially, Mr. Smith said at the time of his sentencing – where he pleaded guilty – that he had no idea that the virus would have this sort of impact and inflict this kind of damage. He even said it was intended to be nothing more than a harmless joke.

He elaborated: “When I posted the virus, I expected that any financial injury would be minor and incidental. In fact, I included features designed to prevent substantial damage. I had no idea there would be such profound consequences to others.”

Mr. Smith was subsequently sentenced to 20 months behind bars, fined $5,000 and ordered, on release, to “not be involved with computer networks, the internet or internet bulletin boards unless authorized by the court”. Little is known of his whereabouts or activities today.

How Melissa reached wide and far

The mass-mailing virus, which was named after an exotic dancer, was spread via email with a Word document attachment. In order to infect computers, it needed to be actively downloaded by an individual. In other words, recipients of the email had to, in some way, be persuaded to click on the attachment. Needless to say, many did.

Mr. Smith was acutely aware of this, socially engineering Melissa to entice its victims to click on the attachment. Part of its success came from the fact that its messages were from the email account of a family member, friend or colleague.

In other words, it appeared to have been sent from someone you would normally trust (and remember, these were still the early days of the internet and viruses weren’t common knowledge outside of specialist circles). In general, the email read something like:

  • Subject line: Important Message From [name of person]
  • Body text: Here is that document you asked for...don't show anyone else ;-)

Melissa, like most VBA macro viruses, copied itself into the user's default template so as to infect documents subsequently closed. As was also common, it disabled the program's macro security settings. However, its novelty lies in its primary payload, which attempts to use Outlook to mail the infected document to up to 50 addresses in each Outlook address list it finds on the victim's system.

The last point is important, as it was instrumental in the virus’ rapid dissemination – it meant that the spill out from each download could be significant. Think about it: one infected computer had the potential to infect 50 additional computers for each address list in every address book it found. (In an organization using Microsoft Exchange, there are usually at least two: the user's personal address book and Exchange's Global Address List.) Add even one other person to the number of people whose systems are affected and already you have quite a chain reaction on your hands. In addition, many of those email addresses were actually groups of other email addresses, so it was often more than just one person being emailed... which made Melissa into a malstrøm.
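As an added illustration (not part of the original article or of any ESET tooling), the lure described above can be turned into a simple mail-gateway check: the subject prefix, the body phrase and a Word attachment together trigger quarantine, while a Word attachment on its own is held for scanning. The extension list, the verdict names and the sample messages are assumptions constructed for this example.

```python
from email import message_from_string
from email.message import EmailMessage

# Lure text as quoted in the article, lower-cased for matching.
SUBJECT_PREFIX = "important message from"
BODY_PHRASE = "here is that document you asked for"
# Assumption: extensions this filter treats as macro-capable Word files.
MACRO_CAPABLE = (".doc", ".dot", ".docm", ".dotm")

def indicators(raw: str) -> list[str]:
    """Return the lure indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower().startswith(SUBJECT_PREFIX):
        hits.append("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_CAPABLE):
            hits.append("attachment:" + name)
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            # Collapse whitespace so line wrapping cannot hide the phrase.
            if BODY_PHRASE in " ".join(text.lower().split()):
                hits.append("body")
    return hits

def verdict(raw: str) -> str:
    """Map indicators to a gateway action (action names are hypothetical)."""
    hits = indicators(raw)
    has_doc = any(h.startswith("attachment:") for h in hits)
    if has_doc and "subject" in hits and "body" in hits:
        return "quarantine"
    if has_doc:
        return "hold-for-scan"  # macro-capable file without the lure text
    return "deliver"

def sample(subject: str, body: str, filename: str = "") -> str:
    """Build a constructed test message; the attachment bytes are a placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "colleague@example.com", "you@example.com", subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="msword", filename=filename)
    return m.as_string()
```

Matching on the sender would not help here, since the article notes that the messages came from the real account of someone the recipient knew.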

For further details, see Ian Whalley's analysis for Virus Bulletin's May 1999 edition: Melissa: The Little Virus That Could... 

A new millennium, a new threat

If something is not on your radar, you’re not likely to think about it. If something is relatively niche and outside of your day-to-day activity, personally and professionally, again, chances are it has not crossed your mind.

The Melissa virus was something of a wake-up call. Organizations recognized their shortcomings and knew things had to change.

That was the assessment then. How deep that learning has been subsequently is questionable. As Ms. Myers highlights: “How many companies today filter potentially malicious attachment types? How many companies have a backup in case of emergency? How many companies have ways to update their anti-malware software in case of network outage?”

In addition to raising awareness of individual and organizational shortcomings, the Melissa virus also hinted at the speed at which viruses and malicious software can be propagated online, the techniques that cybercriminals and attackers have at their disposal – social engineering being a good example – and how vulnerable people are to this threat. It also hinted at what was to come.

“The title of an article by Esther Dyson – Melissa is a marketing tool – sums up a great deal of discussion I saw at that time,” says David Harley, senior research fellow at ESET.

“It’s probably not too fanciful to suggest that the idea of Melissa as ‘viral marketing’ influenced not only the ‘legitimate’ cultural development of the internet, but the subsequent shift in malware away from ego-gratification and seeking of peer approval to full-blown, fully-monetized criminality.”

Melissa might have appeared at the back end of the previous century, but it certainly foreshadowed much of what has been in evidence in the 21st century. Cybercrime is one of the biggest threats of the day and one of the most complex, threatening and devastating forms of crime.