10 Years With Melissa, the Worm that Changed the World

By Larry Seltzer  |  Posted 2009-03-03

Malware was in the minor leagues before Melissa showed everyone how to really harass the Internet. 10 years later we still don't have a good solution to mail worms.

It was the first of the mail viruses. Melissa hit the scene in March of 1999 and seemed a little like black magic. Open an e-mail attachment, from someone you know, no less, and suddenly other people you know are getting the same e-mail. Melissa required Microsoft Office, Word and Outlook in particular, using VBA for programming and MAPI for transport. Some modifications were needed to the model, but the mail virus was an inspiration which transformed the world of malware and went on to build the massive populations of botnets that infect and persecute the world.

Authors of mail worms pretty quickly moved on to SMTP as a transport instead of MAPI. Microsoft filled the holes that made Melissa possible, but of course even today patches are never applied quickly enough to make a difference to such things. And even today there are ISPs that are only beginning to take measures to stop SMTP mail bots. So I think of Melissa as the intellectual inspiration for most of what really troubles the world of Windows PCs these days. It didn't do a whole lot of permanent damage on its own, but it showed the way.

For a sense of what malware was like prior to the advent of Melissa I took a look at the WildList for March, 1999. The WildList is an anachronism today; so much malware comes out every day that lists of specific threats aren't useful anymore. But what's really interesting is the difference in techniques. That WildList is dominated by a combination of boot sector viruses and macro viruses. These were serious problems in their day, but compared to malware today they were a petty nuisance. There were also some genuine viruses (such as CIH/Chernobyl) which were not just nuisances and which in fact could cause great damage. But this damage was also a factor that limited their growth.

The main weakness in the pre-Melissa malware is that it had no means, or at least no good means, of spreading itself over networks, and the Internet in particular. Boot sector viruses spread through floppy disks. I once worked on a large testing project that got slowed considerably by an outbreak of the Stoned virus, the most famous of boot sector viruses. Unpleasant, but surmountable with some systematic good practice. Macro viruses such as Wazzu spread by infecting other Office documents on the same system, typically by infecting the AutoOpen macro or other such Office facilities. File viruses such as Chernobyl infected other EXEs they found on the system.

These classes of malware still exist in the world, but they were largely undone through a variety of factors: one was detection by anti-virus software. Some changes in Office itself made macro viruses harder to write successfully, and of course floppy disks became less common. But the real difference is that they were out-competed by new, much more powerful malware types that could spread through more dynamic means.

Melissa wasn't enough to induce Microsoft to change the all-too-permissive behavior of its programs. It wasn't until after the ILoveYou worm almost a year later that Microsoft released the Outlook Email Security Update which blocks the basic Outlook VBA model of mail worms. And Bill Gates's memo about security to Microsoft employees didn't come until early 2002.

No less than spam, mail worms turned SMTP, one of the most important protocols on the Internet, into an untrustworthy mess. There have been efforts through standards bodies and private initiatives to fix it, but it's basically in tatters, a victim of design errors and the likes of David L. Smith, author of Melissa.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.

Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
