Ten Years of Worms Have Left Email Security In Tattters

In 1999 the Melissa worm announced a new kind of attack. Ten years later, the security industry is still catching up, says Larry Seltzer

Melissa was the first of the mail viruses. It hit the scene in March of 1999 and seemed a little like black magic. Open an e-mail attachment, from someone you know, no less, and suddenly other people you know are getting the same e-mail.

Melissa required Microsoft Office, Word and Outlook in particular, using VBA for programming and MAPI for transport. Some modifications were needed to the model, but the mail virus was an inspiration which transformed the world of malware and went on to build the massive populations of botnets that infect and persecute the world.

Authors of mail worms pretty quickly moved on to SMTP as a transport instead of MAPI. Microsoft filled the holes that made Melissa possible, but of course even today patches are never applied quickly to make enough of a difference to such things. And even today there are ISPs that are only beginning to take measures to stop SMTP mail bots. So I think of Melissa as the intellectual inspiration for most of what really troubles the world of Windows PCs these days. It didn’t do a whole lot of permanent damage on its own, but it showed the way.

For a sense of what malware was like prior to the advent of Melissa I took a look at the WildList for March, 1999. The WildList is an anachronism today; so much malware comes out every day that lists of specific threats aren’t useful anymore. But what’s really interesting is the difference in techniques. That WildList is dominated by a combination of boot sector viruses and macro viruses. These were serious problems in their day, but compared to malware today they were a petty nuisance. There were also some genuine viruses (such as CIH/Chernobyl) which were not just nuisances and which in fact could cause great damage. But this damage was also a factor that limited their growth.

The main weakness in the pre-Melissa malware is that it had no means, or at least no effective means, of spreading itself over networks, and the Internet in particular. Boot sector viruses spread through floppy disks. I once worked on a large testing project that got slowed considerably by an outbreak of the Stoned virus, the most famous of boot sector viruses. Unpleasant, but surmountable with some systematic good practice. Macro viruses such as Wazzu spread by infecting other Office documents on the same system, typically by infecting the AutoOpen macro or other such Office facilities. File viruses such as Chernobyl infected other EXEs they found on the system.

These classes of malware still exist in the world, but they were largely undone through a variety of factors: one was detection by anti-virus software. Some changes in Office itself made macro viruses harder to write successfully, and of course floppy disks became less common. But the real difference is that they were out-competed by new, much more powerful malware types that could spread through more dynamic means.

Melissa wasn’t enough to induce Microsoft to change the all-too-permissive behaviour of its programs. It wasn’t until after the ILoveYou worm almost a year later that Microsoft released the Outlook Email Security Update which blocks the basic Outlook VBA model of mail worms. And Bill Gates’s memo about security to Microsoft employees didn’t come until early 2002.

No less than spam, mail worms turned SMTP, one of the most important protocols on the Internet, into an untrustworthy mess. There have been efforts through standards bodies and private initiatives to fix it, but it’s basically in tatters, a victim of design errors and the likes of David L. Smith, author of Melissa.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.