The Melissa virus turns 10

By Angela Gunn | Published March 26, 2009, 10:31 AM

The computer worm that gave macros a bad name and changed the shape of malware detection was first detected ten years ago today (Thursday). Melissa was a stake in the heart of the old signature-based anti-virus model and pointed the way toward both more interesting forms of detection and more virulent malware.

Like most infants, Melissa started out as a harmless expression of love -- in this case, allegedly a hacker's love for a lap dancer (don't judge). It was, appropriately enough, first distributed via alt.sex, the Usenet group. The host Word file allegedly contained information for an assortment of adult-entertainment sites, but the payload was the Word macro, which functioned in the 97 and 2000 versions of Microsoft's word processor as well as in various versions of Excel. If a Melissa-infected file was opened in one of those programs, the poisonous macro looked into Outlook's address book and sent itself to 40-50 of the names it found there.

Sounds simple and, even compared to contemporaries such as Happy99, it was a relatively polite intruder, only vandalizing files under very particular circumstances and then only to insert a Simpsons quote ("Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here"). And it wasn't entirely new in structure, either; the first polymorphic viruses were built a full nine years earlier, and the first Word-macro virus came on the scene in 1995. (Damn teenagers.) But, as Paul Wood points out, Melissa was able to raise a special type of havoc.

Wood is an intelligence analyst with MessageLabs, a division of Symantec. He says that Melissa was a game-changer in part because it took unprecedented advantage of e-mail, where most infections had previously relied on files downloaded to a computer or transferred from an infected floppy disk. And not just advantage of any random e-mail, either, but e-mail from someone the recipients "knew," since the infected message appeared to come from a known correspondent at a familiar domain. It was, in other words, a worm wise in the basics of social engineering.

Combining e-mail's speedy dissemination vector with the ubiquity of Microsoft's Office applications made for a potent brew, one that caused severe traffic problems for mail servers around the world. And life as a macro meant that Melissa's payload didn't stay benign for long, since anyone could easily get in there and make adjustments; the ability of some variants to select from a variety of subject lines and message bodies made things worse yet. Wood says there are currently 108 known strains of Melissa, and MessageLabs has seen over 100,000 copies over the years -- including, to this day, about 10 each month. (Considering that fixes have been available for a decade, the mind simply reels at what else those infected machines might harbor.) Variants such as Madcow and Papa carried other, more vicious payloads.

Since 1999, much has changed with malware. Many of those changes can be ascribed to what we learned from Melissa, notes Wood. The era of signature-based virus detection, not to mention the era of signature updates delivered via floppy a few times each year, is "certainly showing its age," as he puts it. Our understanding of effective defense encompasses not only desktop protections but defense at the network and ISP levels and beyond. And the bad guys these days "will use whatever techniques they can apply" in combination, not just one vector such as e-mail. (The Conficker infection causing such consternation right now has, in fact, no e-mail component.) E-mail can be useful as part of a targeted attack -- getting an infection onto a specific network -- but it's rare these days for messages themselves or their attachments to be the extent of the problem.

The bad guys have gotten far more organized and disciplined, too. The Melissa worm was eventually traced back to a New Jersey programmer, David L. Smith, who was sentenced to 20 months in federal prison and fined $5,000 for his little escapade. In contrast, Microsoft is offering $250,000 for the arrest of whoever's responsible for Conficker, and it's not likely that the reward will ever be disbursed. Today, large, segmented criminal enterprises coordinate malware attacks, botnets, and the like, laundering the money and keeping all but a few participants in the dark about who's involved. And, sadly, lap dancers are no longer immortalized in the annals of computer history.

Comments


pretty cool for that dancer- bet she doesn't even know her place in history.

Score: 1


I wish I knew! My guess is that whoever she is, she does -- Smith's photo was in the news at the time, and if she was aware of the virus she would know that it shared a name (or work name anyway) with her, so maybe the pieces clicked together. Heck, maybe he even said something. After all, it was in its twisted way a sort of love offering, and what good's a love offering if you don't tell the person to whom it's offered?

Score: 0


I'm still gonna go with the idea she doesn't know. I don't know of a whole lot of dancers that keep up with the computer virus industry. (Maybe the biological variants :-) )
Also this guy was a nerd (assuming), too afraid to even talk to a girl much less a hot dancer (assuming again). You're right about the stage name thing. - I am sure Melissa was not her real name. Also could have been a lot of dancers named Melissa at this club (or clubs). - He probably visited multiple clubs, with many girls dancing named Melissa - how would the real Melissa know she was the one?

Score: 0


Is it wrong that I'm totally enjoying this conversation? (More fun to talk about lap dancers than earnings reports any day of the week, my friend.) I dunno -- I still think that he might've used this as an entree to conversation. (Now there's an opening gambit for a shy guy: "Hey, I wrote a virus in your honor!") And his picture ran in a lot of mainstream media, not just in the tech rags of the era. It could have happened, if she's good with faces and inclined to read the papers!

OTOH, you're right that a lot of customers might just be of the sit-in-back-and-stare-glumly type (protip: dancers don't like that as much as they like people who tip well and aren't creepy; they're there to make money after all, and that's how money gets made). And Melissa... yeah, ten years ago especially, that was a not-uncommon, not-unpretty name and therefore one favored by a certain number of ladies who might need a pretty-girl-next-door sort of stage name. (Now isn't that a chart you'd love to see -- stripper stage names over the decades? There's a cultural index for you...)

Score: 0

