Memories of Melissa

Jimmy and Melissa were very close six years ago, but have since drifted apart.

Jimmy Kuo is a research fellow at McAfee and was responsible for naming the Melissa virus, which plagued homes and enterprises in March 1999.

Melissa was spread via e-mail as an attachment called “list.doc” and contained a list of porn Web sites as well as the Melissa virus itself. It was the first instance of malware that was successfully spread as a mass e-mail by sending itself out through a user’s Outlook address book. The message appeared to originate from a friend or colleague and fooled countless people who clicked open the attachment without a second thought.

Six years later, users are more vigilant and virus solutions are more comprehensive. Viruses can still be a problem, says Kuo, but it’s the motives of their writers that are more of a concern today. “Virus writers did things for notoriety, which also enabled them to be caught,” he says, “whereas now the bad guys are just interested in money.”

Since Melissa, Kuo has turned his attention to spyware, which represents the next major pain point for many Internet users. He talked to ITBusiness.ca recently about the origins of Melissa and how it can still be used in the fight against spyware and other network nuisances in 2005.

ITBusiness.ca: Why did you decide to go with the name “Melissa”?

Jimmy Kuo: With a virus like that, when it gets sent out everywhere, there are plenty of people who would have gotten access to it all at the same time. I was the one who was credited with naming it, in the sense that (I was) the first anti-virus researcher who stepped out for giving a legitimate reason for why it ought to be named “Melissa.”

There’s a rule in the anti-virus industry where you are not supposed to name a virus by (the same name) which the author had placed on it. However, in this case, I overrode that rule for the rest of the industry by saying that this virus was so widespread that if all of the anti-virus companies are going to be receiving calls from their users, the user would be spontaneously asking about the “Melissa” virus. It behooves us to simply name it the Melissa virus and not try to change that. In that way, I was the instrumental person.

Also, there was a lot of debate early on as to whether it would be so very widespread. I was the one who convinced everyone that truly it would be very widespread. While it supposedly e-mailed the first 50 addresses in one’s Outlook address book . . . it was also the “all” mailing lists, since it started with A. It would turn out to be the whole company, everyone practically receiving 20 to 30 e-mails each. That’s what caused the huge deluge.
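The fan-out Kuo describes above, as an added illustration that is not part of the interview or of any McAfee code: it models a constructed 200-person Outlook address book (all names and lists are made up) and counts how many mailboxes the alphabetically first 50 entries actually reach once “All …” distribution lists are expanded, which is what a mail gateway would have had to absorb per infected sender.

```python
from collections import Counter

# Constructed sample data: a 200-person company whose address book holds
# three distribution lists plus one entry per employee. Not real data.
STAFF = [f"user{i:03d}@example.com" for i in range(1, 201)]
ADDRESS_BOOK = {
    "All Employees": STAFF,              # company-wide list
    "All Engineering": STAFF[:60],
    "All Sales": STAFF[60:100],
    **{addr: [addr] for addr in STAFF},  # one entry per person
}

def first_entries(book, n=50):
    """The first n display names in alphabetical order. Names starting
    with 'All' sort ahead of every personal entry, which is why the
    company-wide lists land inside the first 50."""
    return sorted(book)[:n]

def expand(book, names):
    """Expand distribution lists into the individual mailboxes they reach."""
    return [addr for name in names for addr in book[name]]

def fanout_per_sender(book, n=50):
    """Number of mailboxes one infected account actually reaches."""
    return len(expand(book, first_entries(book, n)))

def copies_per_mailbox(book, n=50):
    """How many copies each employee receives from a single infected sender."""
    return Counter(expand(book, first_entries(book, n)))

def fanout_without_lists(book, n=50):
    """Same rule on the address book with its distribution lists removed,
    for comparison: 50 entries then reach exactly 50 mailboxes."""
    people_only = {k: v for k, v in book.items() if len(v) == 1}
    return fanout_per_sender(people_only, n)

if __name__ == "__main__":
    copies = copies_per_mailbox(ADDRESS_BOOK)
    print("mailboxes reached per sender:", fanout_per_sender(ADDRESS_BOOK))
    print("same rule without lists:", fanout_without_lists(ADDRESS_BOOK))
    print("employees receiving a copy:", len(copies), "of", len(STAFF))
    print("max copies to one mailbox from one sender:", max(copies.values()))
```

Every employee is reached by the first infected sender alone, so by the second round the senders number in the hundreds rather than one, which is the deluge Kuo refers to.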

ITB: What was the old naming convention for viruses?

JK: A common way of naming the viruses was to simply reverse the spelling of the name.

ITB: Like Nimda?

JK: That’s right. There is also a family of viruses called Assilem, which is the reverse spelling of Melissa. Melissa was granted a special case to allow for this situation where it was so massively widespread. If there was a follow-up, even in the same family with the same code and everything, but it did not use mass-mailing (as a distribution tool), we threw those into a family called Assilem, just so we could reserve the name Melissa, because the rest of the computer-using public had simply associated that name with a hugely mass-mailing virus and we didn’t want to have anything else clutter that name.

ITB: How was the virus writer tracked down?

JK: We were able to determine who owned the account at AOL and the account profile gave the name and had a city: Linwood, Washington. I called around for people of that name in the Seattle area – Linwood is a suburb of Seattle. . . . While I was doing this, a reporter from the Seattle Times called me and he decided to join the venture. I told him I suspected it was a person that had an unlisted phone number. His response was: no problem. Ten minutes later, he called me back and said, “I got him, I talked to him. He’s not the one. He couldn’t have done it.”

Given that, the reporter quickly wrote a story about this person and how his account had been taken from him and used to post the virus. With that scenario, AOL has a client who is claiming to have been wronged. . . . AOL was able to work quickly with the FBI and try to find the person who supposedly took the account over. They were able to track the login, the server that was used through an ISP in New Jersey. A subpoena to that ISP was able to get the phone number that was used to dial up. That allowed the FBI to go to that location and eventually arrest David Smith, who was found to be the person responsible.

He was sentenced in 2003. In May of 2003 he got a 20-month sentence. He served 19 of those months and was released in December of 2004. Then he was re-sentenced to a four-year suspended sentence. In those four years he is subject to federal oversight and not allowed to use computers unless under supervision.

ITB: Since Melissa, how has the whole virus landscape changed? How has your role at McAfee changed?

JK: Last year was probably the peak of all that mass-mailing. This year, what we noticed was that the major problem was spyware and people taking over machines for nefarious purposes. Not so much mass-mailing. Mass-mailing was truly last year’s Q2, when we had the Netskys, the MyDooms and so on – two, three or five a week. Now we have one every couple of weeks.

Companies now do a lot of gateway filtering. Not just viruses, but spam and all the scams and so forth. Phishing is a form of spam – that is, in terms of security defence. Since last year, a lot of money has entered in terms of bad guys being paid – trying to steal credit card information or taking over machines and trying to use them for extortion and so forth. While mass-mailing viruses still pose a problem today, they certainly would have peaked last year. Now they’re just one small step in a much grander scheme by the virus writers to do a whole bunch of other things, much more tending towards making money.

Being interested in money, they hide quite well. On the other hand, money does leave a paper trail and some jurisdictions are having good luck in tracking people down. The British Home Office and Scotland Yard have been able to arrest a number of people in the last year for scams and things.

ITB: What was your role with McAfee’s Anti-virus and Vulnerability Emergency Response Team (AVERT)?

JK: I founded AVERT in September 1995. I left managing AVERT in 1998.

ITB: What did AVERT do in 1995? In many ways, the Internet was still in its infancy.

JK: Our scheme was to essentially establish a worldwide network of anti-virus researchers within our company. At the time, we were structured with agents as opposed to wholly-owned subsidiaries. We weren’t quite as big a company yet. We had agents selling our product in Europe. It was a network of anti-virus researchers associated with McAfee and, of course, McAfee’s own employees. Through that network, we were able to offer 24/7 coverage. Since then, that scheme has definitely developed and all the anti-virus product makers now have at least two, if not three, major offices spaced eight hours apart in Europe and either Japan, East Asia or Australia. It’s three zones to cover eight-hour shifts, essentially. It’s much better than one group having to cover 24 hours.

ITB: Do you still work with AVERT?

JK: Yes, but my title now is McAfee fellow. I’m now a research fellow. In fact, I’m standing outside of a Barnes & Noble right now because I’m doing some research on spyware.

ITB: That seems to be the next problem area for a lot of people. How involved are you in combating spyware?

JK: In the United States last week, there was the introduction of a bill called the Burns-Wyden Bill – those are two senators – and I was involved in a piece of that to help draft the legislation and I’m involved in all sorts of sectors to help produce a globally acceptable definition (of spyware). (Senators Conrad Burns and Ron Wyden also introduced the CAN-SPAM Act.)

Right now, there’s a huge disparity. When you say “spyware,” the consumer immediately has a terrible view of it. When you say “adware,” consumers generally have a pretty bad view of it, but the people who are doing it say, “Well, it’s just another way of doing business and we’re actually providing value by providing targeted advertising.” With all of this stuff, we need to somehow form a more globally-agreed-upon definition for this. This is definitely where our attention and energy is directed right now.

ITB: One person’s spyware is another person’s cookie?

JK: That’s where the work has to be done.

ITB: When do you think we’ll get to a point where we make the distinctions and really deal with spyware?

JK: I think six months down the line, the products that are in this arena will all do a very good job, much like the anti-virus industry has done. In the anti-virus circles, we were able to agree early on and say, “We are the good guys and the bad guys are the virus writers, therefore we must co-operate.” In the spyware world, everybody’s sort of sprung up out of nowhere and there hasn’t been much agreement as to what’s truly bad and what’s only a little bad. There hasn’t been much co-operation. In a way, the anti-virus vendors stepping into the arena carries with it a lot of pre-existing co-operation, so that ought to help. All that grey area is bad for everybody.
