01:22 PM

Six Years After Melissa, Mass-Mailed Malware Has Peaked

The six-year run of mass-mailed viruses like Melissa may be past its prime, but a research fellow at McAfee says the industry still needs to deal with the underlying problem that allows e-mail to serve as an attack vector for hackers and thieves.

On March 26, 1999, Melissa, the first virus that spread by mailing copies of itself to addresses it dug out of infected machines, swept the Internet. Six years later, mass-mailed worms have reached their peak, said the researcher who led authorities to the hacker who wrote Melissa.

Jimmy Kuo, a research fellow with McAfee, was in on the first discussions as samples of the still-not-named virus were captured and put under the forensics microscope.

Melissa, which was a Word macro virus -- a form rarely seen these days -- was most distinguished by its propagation technique, which involved grabbing the first 50 addresses from Microsoft Outlook, then sending itself to those recipients.

Kuo argued that this propagation scheme would spread the virus quickly, and even flood mail servers with a deluge of messages. Those predictions were borne out by events, but fellow researchers resisted them at first.

"The first discussions were that the virus wouldn't get very far because it would end up mailing itself, over and over, to essentially the same 50 people within an organization," said Kuo. "But I made the assertion that that wasn't true, because mailing lists were typically among that first 50 due to their spelling -- like 'All' -- or other factors.

"This thing is out there and it's going to get huge," Kuo remembered telling the McAfee team.

The next day, Kuo started trolling the Usenet postings -- McAfee did then, and still does, scan every posting that includes executable code, sniffing for clues to worms and viruses -- and started tracing several that seemed suspicious. With the help of a reporter for the Seattle Times, Kuo was able to track down the AOL account used to post the Melissa-related messages to Usenet. From there, the FBI took over, and located David L. Smith, who had stolen the Washington man's log-in information to use the purloined account.

Smith pleaded guilty to creating Melissa -- which was named after a topless dancer he knew from Florida -- in 1999, and in 2002 was sentenced to serve 20 months in federal prison. He's now serving three years of supervision, which also forbids him from using the Internet.

"It was a very exciting time," Kuo said, of the Melissa outbreak and his search for its author.

"The good news now," he said, "is that what Melissa ushered in is finally waning. Mass-mailed worms and viruses reached their peak last year."

Not that that means we're any safer, really. As he called the six-year run of mass-mailed viruses past its prime, Kuo also made a call to deal with the underlying problem that allows e-mail to serve as an attack vector for hackers and thieves.

"The mechanism of mass-mailing viruses relies on spoofing the From: address, and that aspect has been taken over by the phishers. This spoofing is the singular point for mass-mailing viruses and worms, for spam, for all phishing attacks.

"If we can address this issue of forged headers, and we are, we can diminish the impact of these attacks."

In particular, he pointed to the recent public debut of technology from IBM that can use currently available means to match the sender address with its sending IP address, one way to nail spoofers.

"As more of these [sender authentication] technologies are used, the amount of spoofed mail will diminish," said Kuo. "Of course, there's now money behind attacks, so while they will diminish in the short run, criminals will turn to other ways and other mechanisms."
