The Melissa virus turns 10

The computer worm that gave macros a bad name and changed the shape of malware detection was first detected ten years ago today (Thursday). Melissa was a stake in the heart of the old signature-based anti-virus model and pointed the way toward both more interesting forms of detection and more virulent malware.
Like most infants, Melissa started out as a harmless expression of love -- in this case, allegedly a hacker's love for a lap dancer (don't judge). It was, appropriately enough, first distributed via alt.sex, the Usenet group. The host Word file allegedly contained passwords for an assortment of adult-entertainment sites, but the payload was the Word macro, which functioned in the 97 and 2000 versions of Microsoft's word processor as well as in various versions of Excel. If a Melissa-infected file was opened in one of those programs, the poisonous macro looked into Outlook's address book and sent itself to 40-50 of the names it found there.
Sounds simple and, even compared to contemporaries such as Happy99, it was a relatively polite intruder, only vandalizing files under very particular circumstances and then only to insert a Simpsons quote ("Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here"). And it wasn't entirely new in structure, either; the first polymorphic viruses were built a full nine years earlier, and the first Word-macro virus came on the scene in 1995. (Damn teenagers.) But, as Paul Wood points out, Melissa was able to raise a special type of havoc.
Wood is an intelligence analyst with MessageLabs, a division of Symantec. He says that Melissa was a game-changer in part because it took unprecedented advantage of e-mail, where most infections had previously relied on files downloaded to a computer or transferred from an infected floppy disk. And not just advantage of any random e-mail, either, but e-mail from someone the recipients "knew," since the infected message appeared to come from a known correspondent at a familiar domain. It was, in other words, a worm wise in the basics of social engineering.
Combining e-mail's speedy dissemination vector with the ubiquity of Microsoft's Office applications made for a potent brew, one that caused severe traffic problems for mail servers around the world. And life as a macro meant that Melissa's payload didn't stay benign for long, since anyone could easily get in there and make adjustments; the ability of some variants to select from a variety of subject lines and message bodies made things worse yet. Wood says there are currently 108 known strains of Melissa, and MessageLabs has seen over 100,000 copies over the years -- including, to this day, about 10 each month. (Considering that fixes have been available for a decade, the mind simply reels at what else those infected machines might harbor.) Variants such as Madcow and Papa carried other, more vicious payloads.
Since 1999, much has changed with malware. Many of those changes can be ascribed to what we learned from Melissa, notes Wood. The era of signature-based virus detection, not to mention the era of signature updates delivered via floppy a few times each year, is "certainly showing its age," as he puts it. Our understanding of effective defense encompasses not only desktop protections but defense at the network and ISP levels and beyond. And the bad guys these days "will use whatever techniques they can apply" in combination, not just one vector such as e-mail. (The Conficker infection causing such consternation right now has, in fact, no e-mail component.) E-mail can be useful as part of a targeted attack -- getting an infection onto a specific network -- but it's rare these days for messages themselves or their attachments to be the extent of the problem.
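The two detection models the article contrasts, side by side, as an added illustration that is not from the original piece or from MessageLabs: a byte-string signature of the kind a 1999 scanner would carry, and a gateway-side burst rule that keys on the behaviour described above (one sender, one attachment, dozens of recipients in under a minute) rather than on the macro's contents. The macro fragments, the log lines, the attachment hashes and the 40-recipient threshold are all constructed for the example; the signature string is assumed to be the Simpsons quote the article says the macro inserts.

```python
"""Signature vs. behaviour for a mass-mailing macro worm (added example).

Everything below is constructed: the two macro fragments are not the real
Melissa source, the gateway log is invented, and the threshold is a guess.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: the quote the article says Melissa inserts is present verbatim
# in the macro source, so it can serve as a content signature.
SIGNATURE = b"Twenty-two points, plus triple-word-score"

# Constructed VBA fragments: the "original" carries the quote, the "variant"
# is the same logic with the string swapped out by a copycat.
ORIGINAL_MACRO = (b'Sub Document_Open()\n'
                  b'  Selection.TypeText "Twenty-two points, plus triple-word-score, '
                  b'plus fifty points for using all my letters. Game\'s over. '
                  b'I\'m outta here"\nEnd Sub')
VARIANT_MACRO = (b'Sub Document_Open()\n'
                 b'  Selection.TypeText "Eat my shorts"\nEnd Sub')


def signature_match(macro_source):
    """Signature-era check: the known byte string is either there or not."""
    return SIGNATURE in macro_source


def constructed_log():
    """Invented gateway log, one line per message:
    '<iso-time> <sender> <recipient> <attachment-hash>'."""
    base = datetime(1999, 3, 26, 9, 0, 0)
    lines = []
    # Mass mailer: the same attachment to 50 distinct recipients in 50 seconds.
    for i in range(50):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} alice@example.com user{i}@example.net ab12")
    # Ordinary traffic: one memo to three colleagues, spread over an hour.
    for i in range(3):
        t = base + timedelta(minutes=20 * i)
        lines.append(f"{t.isoformat()} bob@example.com colleague{i}@example.com cd34")
    # A busy but legitimate sender: many messages, never the same attachment.
    for i in range(50):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} carol@example.com client{i}@example.org ef{i:02d}")
    return lines


def burst_detect(lines, window_seconds=60, threshold=40):
    """Behavioural check: flag any (sender, attachment) pair that reaches
    `threshold` distinct recipients within a sliding `window_seconds` window.
    Returns {sender: {attachment hashes}} for the flagged pairs."""
    events = []
    for line in lines:
        ts, sender, rcpt, digest = line.split()
        events.append((datetime.fromisoformat(ts), sender, rcpt, digest))
    events.sort()
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (sender, digest) -> deque of (time, recipient)
    flagged = defaultdict(set)
    for t, sender, rcpt, digest in events:
        q = recent[(sender, digest)]
        q.append((t, rcpt))
        while q and t - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if len({r for _, r in q}) >= threshold:
            flagged[sender].add(digest)
    return dict(flagged)


if __name__ == "__main__":
    # The signature catches the original and misses the variant; the burst
    # rule flags the mass mailer regardless of what the macro says.
    print("signature, original:", signature_match(ORIGINAL_MACRO))
    print("signature, variant: ", signature_match(VARIANT_MACRO))
    print("burst rule:", burst_detect(constructed_log()))
```

The burst rule is deliberately blind to the attachment's contents, which is the point: a variant with a new subject line, body or quote still has to send the same document to a lot of people quickly to spread. Its weakness is the threshold; a sender who genuinely mails 40 colleagues the same file inside a minute will trip it, so in practice the rule quarantines for review rather than bouncing outright.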
The bad guys have gotten far more organized and disciplined, too. The Melissa worm was eventually traced back to a New Jersey programmer, David L. Smith, who was sentenced to 20 months in federal prison and fined $5,000 for his little escapade. In contrast, Microsoft is offering $250,000 for the arrest of whoever's responsible for Conficker, and it's not likely that the reward will ever be disbursed. Today, large, segmented criminal enterprises coordinate malware attacks, botnets, and the like, laundering the money and keeping all but a few participants in the dark about who's involved. And, sadly, lap dancers are no longer immortalized in the annals of computer history.