Tom Clancy couldn’t have woven a better web of suspense and intrigue. It had everything: a villain working under a string of shadowy aliases; news hype mixed with general chaos; an FBI manhunt led by expert freelance bloodhounds.

And in the end the Feds got their guy.

Don’t look for this cyberthriller to be appearing at a theater near you anytime soon. There was hardly enough plot development to warrant a made-for-TV movie. It was over in the blink of an eye.

I’m talking about Melissa, the macro virus that managed to rocket into the top three of the most replicated viruses in just a matter of days. Its alleged creator, David Smith of New Jersey — originally known as SkyRoket, then as VicodinES — is probably the first virus writer to have his smiling mug shot plastered across the front pages of the world’s newspapers. Will he be the last? Don’t count on it.

Melissa might not go down as the work of a genius (and the jury’s still out on whether Smith was the sole creator), but it was terribly clever in its simplicity. Chilling simplicity.

Melissa was planted in one of the Net’s biggest disease-breeding grounds, the alt.sex newsgroup, and propagated itself through familiarity, triggering mass e-mailings to people culled from victims’ personal address books. (The virus utilized MS Outlook Express but could use other e-mail clients.) Smart e-mail users are suspicious of communiques from strangers, but what if it comes from a colleague or Aunt Emma? And probably most people didn’t question the harm of the attached Microsoft Word file. However, by opening the e-mail, and inadvertently activating the macro (basically a powerful script within MS Word), Netizens unwittingly created chain letters from hell.

Melissa exploited not only the technology of the e-mail client and word processor, but also human nature. It gained our trust, and turned us into spammers (hawking porn site passwords no less).

According to a report from the CERT Coordination Center at Carnegie Mellon University, Melissa was effective in choking over 300 corporate servers and infecting more than 100,000 computers worldwide. That adds up to millions in lost productivity, plus U.S. taxpayer dollars burned up in the investigation by the newly formed National Infrastructure Protection Center. But beyond that, the damage might have been more severe: If a sensitive document happened to be open when Melissa was running, it could be mass-e-mailed as well, even to mailing lists.

Compared to many viruses, Melissa was fairly tame in that it didn’t actually harm disk drives or corrupt data. Perhaps Melissa caused the biggest damage by showing black-hatted virus writers that they too could scrawl their names all over the Net. A string of copycat Melissa variants are already proving to be more malicious in nature. The ante is increasing.

Looming over this cyberthriller is Microsoft. (Smith didn’t name his virus, but Melissa is the name of guess whose wife.) Ultimately, experts say, it is the lax security of MS Office and its tight integration with other applications that allowed Melissa to replicate so easily. Microsoft promptly responded with a patch, but this was without a doubt yet another blow to the behemoth’s crumbling credibility (and a terrific boost for antivirus companies). If Smith intended to sling a stone at Goliath, this was quite a solid hit.

The twist here is that Smith’s demise can be traced to one of the company’s more controversial technologies: the Globally Unique Identifier (GUID). As discussed in last week’s Tangled Webs, Microsoft’s GUID could be considered an invasion of privacy since the collected data was being compiled on a database at Microsoft. But in this case, the GUID gave the virus sleuths the fingerprints they needed. Isn’t it ironic?

From a higher vantage point, though, we can see the Melissa virus as one that came from within ourselves, spawned from our own need for user-friendliness and convenience. Melissa exploited our vulnerability and preyed on our dependency. Conspiracy theorists are likely to call the macros, GUIDs and product integration all parts of the evil master plan, but the reality is that consumers bought it. They wanted the whole package and they got it, with all the strings attached. They like the wizards, the defaults, the invisible tech. And now they know the price.

In chat rooms and newsgroups, system administrators are calling for Smith’s head, but maybe they should be thanking him for the dress rehearsal. What happens when people with more serious agendas utilize the lessons learned from Melissa?

Ponder this example: A few weeks ago Serbian nationalists spammed the media of the world with photographs and reports from Kosovo. The list of addressees (which included The Japan Times) was enormous, well into the hundreds.

Monday another group, claiming to represent the students of Serbia and protesting the attack of “NATO fascists,” led by “the American sex maniac,” spammed what appears to be the same list, only this time the addresses were cloaked (simply by sending a blind copy via “bcc”). Angry recipients responded to the list with heated retorts and requests to be taken off the mailing list, which only resulted in more unwanted e-mail to everyone else on the list. (The BBC’s World Service politely sent several automated replies thanking the sender for its e-mail.) Many victims thought that somehow they were the source of the spam. Until everyone figures it out, the media will be spamming itself into a furor, simply by hitting the reply button. What we have here is “Dr. Strangelove” adapted for the Net.

David Smith probably wanted recognition from the virus writer underground, but got much more than that. Political groups want the world’s attention. And Smith, in his bid for virus writer fame, gave them the tools. Can you see the flag of anarchy by SkyRoket’s red glare?