Malicious Life Podcast: The Melissa Virus Transcript
Here’s a hypothetical: what’s the most embarrassing thing you could think of doing? Freezing up in the middle of a stage performance? Having the pants of your Ass rip in public? It happened to me once in 5th grade. Yeah, I still remember that one.
What about accidentally sending pornography to fifty of your closest friends and family? Yes, including your colleagues, your secret crush, even Nana. I think we can agree that would be very unpleasant to deal with. And it happened to a hundred thousand people, in May of 1999.
Malware was a budding industry in the 1990s, but most of it shared one core problem: means of distribution. There were file viruses–which infected exe file types on a local system–boot sector viruses–which transferred from one computer to another via floppy disks–macro viruses–which leveraged Microsoft Office macros to spread between documents on a computer–and more. But just as these viruses were starting to pop up, Microsoft was patching their programs to cover up security holes, and companies were designing antivirus softwares. And, really, if floppy disks are the means by which your virus spreads, you’re just not casting a wide enough net.
What black hats were really missing was an efficient means of transfer –a channel you could hitch your malignant code to, then let it work its magic from there. That way you wouldn’t just wreck one poor machine, but a huge web of thousands of connected machines. And how do computers usually transfer data between one another? Well, one way you might be familiar with is email. Some of the more innovative black hats of the 90s had their sights set on SMTP–Simple Mail Transfer Protocol, the means by which mail is sent over the internet. One person managed to break through, and set the precedent for all those to come.
The first key insight made by the Melissa virus author is one which you may have some experience with in your own life: they knew that people don’t think straight when it comes to sex. It’s the principle that fuels adultery, uncomfortable one-night stands, and all those other embarrassing things that happen on weekends.
On March 26th, 1999, a post went up on the alt.sex Usenet newsgroup forum. It was a Microsoft Word document titled ‘LIST.doc’, with password information for 80 adult film websites. Naturally, it drew some excited clicks. Once one person opened LIST.doc, Melissa was underway. The Word document contained a Macro. Macros are bits of code – scripts written in Visual Basic – embedded in a document, which can perform various tasks. Malicious code might make use of this scripting mechanism to, say, open endless windows of porn websites on your computer – which is exactly what Melissa did. With dozens of porn websites clogging your desktop, you’ll probably have deduced within the first few seconds that you’ve been hacked. But it’s already too late to fix. Once you manage to somehow return to your email window you might notice that your computer already emailed that LIST.doc to 50 of your contacts. The email reads:
From: [You]
Subject: Important Message From [You]
Message: Here is that document you asked for [dot dot dot] don’t show anyone else [winky face emoji]
You can try warning your nieces and nephews to not open their emails but, eventually, at least a few people will fall in the same trap, and so it goes from there.
In the span of just five days, Melissa infected over 100,000 computers around the world: in doing so, it quickly became the fastest-spreading virus in computer history to date. Entire corporate mail systems – such as Intel’s and Lockheed-Martin’s – shut down due to the sheer infected email traffic alone. According to postmortem analyses, the Melissa virus caused approximately 80 million dollars worth of damage in the United States, and up to 1.1 billion worldwide, reaching countries as far as Singapore, New Zealand, Sweden and Qatar. Included in the hundred-thousand or so victims were around 300 companies. The damages were attributed to loss of productivity at companies, time and effort spent in reversing its effects, and the denial of service caused by clogged email servers. Among Melissa’s most notable victims is GT Interactive, a video game publisher, which accidentally sent the virus out in a press release, causing a good deal of embarrassment. Another website reported that in a period of just 45 minutes they’d received some 32,000 Melissa-infected emails.
It’s almost cliche nowadays, but Melissa was actually the first ever virus spread via a Microsoft Word email attachment. It was quite an innovative program, with a few bells and whistles that, if all the porno wasn’t enough for you, added a certain element of character distinguishing Melissa from other macro viruses of its time. For example, the malware infects the ‘Normal.Dot’ template–default for all Word documents–allowing it to send files other than the original LIST.doc, including your personal documents with potentially sensitive personal information in them. Unbenounced to the computer’s owner, all documents opened and created once Melissa is contracted–due to its Normal.Dot infection–will also become infected by the virus. Therefore, even sending, say, a work email with a spreadsheet attachment is problematic post-Melissa, as that or any other document from the host computer will provide a host body to the virus all the same.
Who was Melissa’s author? Well, there were some clues in the code itself.
When LIST.doc is opened, the malware checks the local machine’s Microsoft Office registry key for a subdirectory titled “Melissa?”. That title gave the malware its name. The program then looks for the string “by Kwijybo”. If that string is found, Melissa will not proceed: this is how it determines whether the host has already become infected or not. If no such value is found, the prescripted email will be sent to the first 50 email addresses found in the user’s Microsoft Outlook address book.
Strangest of all, though, is a function seemingly written in for the programmer’s amusement. It’s triggered only when the LIST.doc is opened at precisely a time when the day of the month corresponds with the minute of the hour–as in, if the date is March 26th, and the document is opened at, say, 10:26 or 11:26 p.m. In such cases, a payload will be triggered and Melissa will write into the infected document the following: “Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game’s over. I’m outta here.” It’s a quote taken from Season 1, Episode 2 of the Simpsons, when Bart lays down the word “kwijybo” to win at scrabble. (You’ll remember “Kwijybo” was the moniker the Melissa hacker gave themselves in their own code.) Bart gets up to walk away from the table when Homer grabs his arm. “Wait a minute, you little cheater. You’re not going anywhere ’til you tell me what a Kwyjibo is.” Bart looks up at his father: “Kwyjibo. Uh, a big dumb, balding North American ape. With no chin.” Homer lunges at Bart. “Uh oh, Kwyjibo on the loose!”
Unfortunately, these Simpsons references turned out to be a dead end, as far as finding the mysterious hacker. There was, however, another lead.
Scott Steinmetz wasn’t a small guy: greyish-brown hair, wide build. He was 36 years-old, working as a civil engineer. His personal motto: “Be happy in all you do.”
I’m not sure what Scott was up to that Friday, March 26th. Maybe he was staying late at work, or out somewhere with his wife. Whatever it was, he didn’t yet know that he was implicated in an event occurring hundreds of miles away. The newsgroup message which contained the original List.doc was posted using his email address: “skyroket@aol.com”. His weekend was about to take a turn for the weird.
The FBI obtained a court order to seek information from America Online regarding the user behind “skyroket@aol.com”. Meanwhile, the real Scott Steinmetz’ email account–normally populated by a couple of messages per week–was now receiving traffic of 20-plus per hour. And these weren’t malicious phishing emails, either. It was hate mail from malware victims, fan mail from malware admirers. There were requests for code from other hackers, and lots of requests for interview from the press.
There was just one problem: Scott Steinmetz had no idea why any of this was happening. Only after speaking with reporters did Scott come to learn that he had become the primary suspect of a criminal investigation into a ruinous, global-reaching computer virus. Understandably, he got a little anxious. As a sign of cooperation, he called the FBI on the night of March 29th, offering himself for questioning.
“I am not the creator of the virus, nor did I have any part in the distribution of the virus,” Steinmetz told the press, adding that he’d be deleting his AOL account as a result of what he saw as its security failures. “Here I am associated with it,” he added, “and I’m barely computer-literate.”
Oh, and remember his job as a civil engineer? Just as Scott Steinmetz’ life became engulfed in chaos, he learned that the very virus he was suspected of creating actually breached his own company’s computer systems! Evidently, Scott was both the killer and the dead body.
The FBI’s investigators discovered that the the same email address was linked with a website where virus authors posted their malicious creations. “Skyroket” had been discovered to have been posting viruses to the internet even two years prior under the name VicodinES, who modestly described themself as a “noted virus researcher”.
The investigators tracked the website back to a web host located at Access Orlando, a small Florida-based internet provider. The server hosted “Source of Kaos”, a web collective for a number of shady sites crawling with malicious material. It was being leased by the company, for $150 a month, to a man named Roger Sibert.
Sibert was something of a shady fellow, himself. He told FBI agents that he didn’t know VicodinES personally, only that they’d in the past shared some email correspondence. But this wasn’t unusual for Sibert. He intentionally let people with unpopular and malicious intent publish their own websites through his server–in fact, of the 80 sites under SourceofKaos, almost all housed virus creators and collectors.
The FBI approached Access Orlando to take down Roger Sibert’s server. They proceeded to physically confiscate his machine, and search through its logs for evidence related to VicodinES. All of the half-leads up to this point lead to one more player: Monmouth Internet, located in Monmouth County, New Jersey. State police served Monmouth a communications warrant, in connection with a specific internet protocol address: 209.191.60.64. There was an issue, though. Where most people have a specific IP address that uniquely, consistently identifies their computer on the larger internet, Monmouth is one of those internet service providers that lends its customers a level of anonymity by providing them a new, randomly-assigned IP address every time they connect to their ISP. VicodinES wasn’t making this easy. The FBI obtained not just one computer, but all of the computers that would have been logged under that IP number on March 26th, when the Melissa virus was first posted. As Mark Stevens, operations manager at Monmouth, told Zdnet: “There could have been two people with the IP that day, there could have been 10.”
In parallel with the FBI investigation, several independent security researchers conducted their own private hunt after VicodinES. One of those independent researchers was a man named Richard Smith. Smith knew of a hidden feature added by Microsoft to every Office Document: a Global Unique Identifier, or GUID. A GUID is essentially an electronic fingerprint. It is to Microsoft programs what jersey numbers are to athletes–a unique number given to any given item within a program. But the GUID doesn’t just stop at software items–it also gives a unique number to, for instance, ethernet adapter addresses. That number could be used to identify the specific PC on which a document was created.
When Richard Smith heard of the Word document which started the Melissa infestation, the gears in his head started spinning. He grabbed a copy of this original .doc and extracted the GUID it contained. He then compared this GUID to GUIDs found in other documents created by VicodinES. They were identical. Also in these documents he found a name: David L. Smith. Richard contacted the FBI investigators and gave them the information he discovered – just as they themselves matched the IP they found to dial-up providers in the area, connecting it with a phone number and home address.
Agents approached the suspect’s house, but found no one inside. They went around the neighborhood to question neighbors, who tipped them off that the homeowner had a brother in the area. The FBI went to the brother’s house, and knocked on the door.
Inside the Eatontown home they found their man: 30 year-old David L. Smith. Within a week of that first fateful post on alt.sex, authorities had found their perp.
David Smith is built like a football player: tall, wide, can pull off round professor’s glasses without looking less manly. He’s got slick black hair, parted at the side, and a light complexion. Really, he looks like an agent in The Matrix.
Shortly after the arrest, Smith admitted to creating and publishing the Melissa virus from his home in Aberdeen, New Jersey, through the hacked email account ‘skyroket@aol.com’. On December 9th, 1999 he pleaded guilty in state and federal court, then was released on bail. His sentencing date was set, then delayed. Then delayed again. And again. In the end, his final court appearance was put off five separate times, and it wasn’t because he had a good lawyer.
Only a year after it began would the press come to learn that, within weeks of arrest, David Smith turned into an FBI snitch. He adopted a false identity then began working 18 hours a week helping track and initiate communication with other targets of FBI computer crimes investigations. In so doing, he would hand the FBI the name, home address and email address of Jan de Wit, the Dutch author of the Anna Kournikova virus, leading to de Wit’s arrest. As late as 2001 Smith was speaking undercover to Simon Vallor, author of three viruses. The FBI passed on their records to British authorities, and Vallor was later given a two-year jail term. At this point, Smith was working 40 hours a week for the FBI, and they even began to pay his rent, utilities and insurance bills, totaling an estimated $12,000! VicodinES was now, basically, on FBI payroll.
In court, Smith attested that he’d not intended to cause anything worse than incidental or minimal damage with his virus. He noted that, aside from its nasty spreading mechanism, Melissa wasn’t coded to do any real, measurable damage to anyone’s computers. Realistically he was right–considering its radius of effect, had Smith coded some real destructive mechanisms into Melissa, it could have done much more serious damage to lots of people. Worst case scenario, based on the charges made, Smith faced decades incarcerated and hundreds of thousands of dollars in fines. His presiding judge, however, taking into consideration his work helping the FBI, ultimately handed down a sentence of 20 months in prison, three years of supervised release, 100 hours of community service, and a $5,000 fine.
Meanwhile, Melissa had already birthed a generation of admirers and copycats. Variations on the virus popped up in small corners of the internet. The Melissa virus is remembered less so today for the damage it caused in 1999, more for its influence on later mass email spammers. There were, arguably, a few mass-email malware programs that predated Melissa, like Christmas Tree Exec and Happy99, but none had such a far reach, nor the fiery media response, that Melissa did. For that reason, you could reasonably connect the garbage in your spam folder today to David L. Smith’s work from almost two decades ago.
Oh wait, I forgot the most important fact of all! Want to know why it was called the “Melissa” virus in the first place? David Smith named it after a stripper he met in Florida.