Attack of the killer computer virus
By DAVE GUSSOW Times Technology Editor
© St. Petersburg Times, published April 12, 1999
The Melissa computer virus fooled a lot of folks. It didn't affect as many computers as once feared. It didn't come from eastern Europe, as one expert suspected. And it wasn't created by a spammer, a junk e-mail creator, as another expert thought.
It did leave its mark, however: Melissa disrupted an undetermined number of companies, if only by costing them time and money to protect themselves against its threat. It led to the arrest of a man in New Jersey, the first case brought by a new federal law enforcement agency focusing on cybercrime. It surprised experts with the speed with which it spread, and it generated massive publicity about viruses.
Melissa is "very, very creative," said Winn Schwartau, a computer security expert in Seminole (www.infowar.com). "This is going to spawn an entire new range of (computer virus) attack."
Computer viruses are programs that can range from the benign -- sending a cartoon character or message across a computer screen at intervals -- to the destructive, wrecking data and files or making computers inoperable. Viruses normally move from file to file, while worms are viruses that replicate themselves and can move from computer to computer. A third type is known as a Trojan horse, because it can appear to be a benign program and actually be destructive.
E-mail with the heading "important message"' spread Melissa like a chain letter. It then caused affected computers to send 50 infected messages, and the volume of e-mail slowed some systems to a crawl. It affected those who use Microsoft Word and Outlook 98 e-mail software.
While Melissa was relatively harmless and software to detect and disable it was available soon after its discovery, its potential worries some.
"What Melissa did was show that you could do a massive denial-of-service attack through a distribution mechanism affecting an individual (with a desktop program) and not a server," which normally would be attacked first, said Schwartau. He had incorrectly thought it originated in eastern Europe, a hotbed for computer viruses.
Computer viruses are not new. One of the first major attacks in the United States occurred in 1988 with a virus created by a Cornell University graduate student. It jammed more than 6,000 computers across the country, shutting down some networks on what was then a much smaller national computer network.
Now, the growth of the Internet, e-mail and a flood of home computers means the potential to hit even more businesses, government agencies and individuals, many unprepared to handle viruses.
Reflecting that growth, the CERT (Computer Emergency Response Team) Coordination Center at Carnegie Mellon University in Pittsburgh, created after the 1988 virus, handled more than 4,900 incidents last year, according to spokesman Bill Pollak. In 1996, CERT had 2,387 incidents and 3,281 in 1997. It doesn't keep a breakdown of whether an incident is a virus, a computer intrusion or an attempted intrusion. And the numbers don't reflect how many computers were affected. Melissa, for example, was counted as a single incident.
"One of the single largest underlying challenges we have in the security business today is the mentality that it's going to happen to someone else," said George Lucas, senior product manager at Fortress Technologies (www.fortresstech.com), a network security company in Tampa.
"Viruses are uncommon enough to the everyday user that no one stops to consider that their network or their personal system could literally be disintegrated by a hostile strain of virus," he said.
Part of the problem, Lucas said, is that the computers and the Internet are relatively new to many people and businesses, so they don't know about all potential threats.
On the brighter side, Fortress business development manager Howard Myers said the fast industry response and the ability to shut down Melissa quickly showed a maturation in handling such incidents.
"It's high risk out there, so I do not want to put a positive spin on where we are," Myers said. "One thing that can make it safer . . . is being properly paranoid . . . so you do not get surprised."
The public also shouldn't necessarily get a sense of comfort from the fast arrest of David L. Smith of New Jersey, accused of writing Melissa. Schwartau says such investigations are difficult and time-consuming for law enforcement, and, just as authorities learned new things in their work on this case, virus writers will react and come up with new tactics.
"The FBI is not going to track down every virus," Schwartau said. "Law enforcement would like to be seen as the great cybercops out to protect America. The reality is they have limited resources, with manpower only now coming online."
Not everyone was persuaded that Melissa posed the threat to computer security that officials painted. Rob Rosenberger, Web master of the Computer Virus Myths page (www.kumite.com/myths/), sees it as another in a string of overhyped virus alerts that turned out to be much less than had been predicted -- but that helped software companies sell anti-virus protection.
"I do believe the world needs anti-virus software," Rosenberger said. "Any piece of code, if it gets in your computer, it can do anything. . . . You don't want to get infected in the first place because you don't know what it's going to do."
However, he objects to what he calls software companies' marketing, saying they amount to "immoral" scare tactics to get people to buy their products.
Rosenberger, who calls his Web efforts "a labor of anger" about such marketing, has followed viruses since 1988. His site, whose motto is Mundus vult decipi (the world wants to be deceived), has an A-Z index of viruses, and tracks some of the more famous incidents, such as the much-hyped Michelangelo virus in 1992. Despite dire predictions that March 6 would bring computer disaster, very little happened that year or any other.
Software companies, he said, foster "fear, uncertainty, doubt" about the dangers of viruses, helped by a public still learning about computing and media hype surrounding such events.
Anti-virus software, Rosenberger said, is the second line of defense for computer users. People need to practice safe computing, he said, comparing it to safe driving habits and using seat belts.
Computer users can't just install anti-virus software and forget it.
"When people get onto the computer and see that little icon that their anti-virus software is working, they feel comfortable," Rosenberger said. " "I can drive on the information superhighway, download something, and I'm protected.' "
When they find out they're not protected because they didn't update the software or check a file before they opened it, users blame everyone but themselves, Rosenberger said. Like individuals, he said, too many companies are ill-prepared to handle virus infections.
Rosenberger urges skepticism above all. On his Web site, he even encourages visitors to check his credentials before taking his word on viruses. (He incorrectly predicted a spammer created Melissa, a mistake he acknowledged in interviews and on his Web site.)
He takes the adage "beware of receiving something from someone you don't know" one step further. Be wary of receiving a file or e-mail attachment even from someone you do know. Check it before opening. That caution, he said, will help people avoid a panic reaction to something like Melissa.
"It all turns to fear real fast," he said. "This thing about viruses is really overblown."