Six Years After Melissa, Mass-Mailed Malware Has Peaked
Jimmy Kuo, a research fellow with McAfee, was in on the first discussions as samples of the still-not-named virus were captured and put under the forensics microscope.
Melissa, which was a Word macro virus -- a form rarely seen these days -- was most distinguished by its propagation technique, which involved grabbing the first 50 addresses from Microsoft Outlook, then sending itself to those recipients.
Kuo argued that the propagation scheme would quickly spread, and even flood mail servers with a deluge of messages, predictions that were borne out by events but at first resisted by fellow researchers.
"The first discussions were that the virus wouldn't get very far because it would end up mailing itself, over and over, to essentially the same 50 people within an organization," said Kuo. "But I made the assertion that that wasn't true, because mailing lists were typically among that first 50 due to their spelling -- like 'All' -- or other factors.
"This thing is out there and it's going to get huge," Kuo remembered telling the McAfee team.
The next day, Kuo started trolling the Usenet postings -- McAfee did then, and still does, scan every posting that includes executable code, sniffing for clues to worms and viruses -- and started tracing several that seemed suspicious. With the help of a reporter for the Seattle Times, Kuo was able to track down the AOL account used to post the Melissa-related messages to Usenet. From there, the FBI took over and located David L. Smith, who had stolen the log-in information of the Washington man who owned that AOL account and used the purloined account to post.
Smith pleaded guilty to creating Melissa -- which was named after a topless dancer he knew from Florida -- in 1999, and in 2002 was sentenced to serve 20 months in federal prison. He's now serving three years of supervision, which also forbids him from using the Internet.
"It was a very exciting time," Kuo said, of the Melissa outbreak and his search for its author.
"The good news now," he said, "is that what Melissa ushered in is finally waning. Mass-mailed worms and viruses reached their peak last year."
Not that that means we're any safer, really. Even as he called the six-year run of mass-mailed viruses past its prime, Kuo also called for dealing with the underlying problem that allows e-mail to serve as an attack vector for hackers and thieves.
"The mechanism of mass-mailing viruses relies on spoofing the From: address, and that aspect has been taken over by the phishers. This spoofing is the singular point for mass-mailing viruses and worms, for spam, for all phishing attacks.
"If we can address this issue of forged headers, and we are, we can diminish the impact of these attacks."
In particular, he pointed to the recent public debut of technology from IBM that uses currently available means to match the sender address against the IP address that actually delivered the message, one way to catch spoofers.
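The check Kuo describes, matching the claimed From: domain against the IP address the mail actually arrived from, as an added illustration that is not part of the original article and not IBM's technology: it assumes an SPF-style per-domain policy of authorized sending networks, stood in here by a constructed table instead of a DNS lookup.

```python
import ipaddress
from email.parser import Parser
from email.utils import parseaddr

# Constructed, offline stand-in for a DNS lookup of each domain's published
# sender policy (SPF-style: "these networks may send mail for this domain").
AUTHORIZED_SENDERS = {
    "example.com": ["192.0.2.0/24", "198.51.100.10"],
    "example.net": ["203.0.113.0/25"],
}


def sender_domain(raw_message: str) -> str:
    """Return the lower-cased domain of the From: header, or '' if absent."""
    msg = Parser().parsestr(raw_message, headersonly=True)
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def sender_authorized(domain: str, connecting_ip: str) -> bool:
    """True if connecting_ip lies inside a network the domain's policy lists."""
    networks = AUTHORIZED_SENDERS.get(domain, [])
    ip = ipaddress.ip_address(connecting_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def classify(raw_message: str, connecting_ip: str) -> str:
    """'pass' if the delivering IP is authorized for the From: domain,
    'fail' if the domain publishes a policy that excludes it, and
    'none' if no From: domain or no policy is available (cannot be verified)."""
    domain = sender_domain(raw_message)
    if not domain or domain not in AUTHORIZED_SENDERS:
        return "none"
    return "pass" if sender_authorized(domain, connecting_ip) else "fail"


# Constructed sample: a message claiming to come from example.com but handed
# to the receiving server from an address outside example.com's networks.
SPOOFED = (
    "From: Alice <alice@example.com>\r\n"
    "Subject: Hello\r\n"
    "\r\n"
    "Please open the attachment.\r\n"
)

if __name__ == "__main__":
    print(classify(SPOOFED, "203.0.113.5"))   # fail: forged From: domain
    print(classify(SPOOFED, "192.0.2.44"))    # pass: inside example.com's policy
```

A "fail" result is a signal for a receiving gateway to quarantine or tag the message; "none" means the domain published nothing, which is why the quote above frames the benefit as growing with adoption.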
"As more of these [sender authentication] technologies are used, the amount of spoofed mail will diminish," said Kuo. "Of course, there's now money behind attacks, so while they will diminish in the short run, criminals will turn to other ways and other mechanisms."