The first computer virus the FBI cared about
In honor of National Cybersecurity Month, we decided to set our sights on the first computer virus to catch the eye of the FBI. First published on Spiceworks.
On April 2, 1999, law enforcement showed up on the doorstep of David L. Smith. Putting the 30-year-old New Jersey man in handcuffs, officials charged him with developing and unleashing a fast-spreading computer virus that had wreaked havoc on computer systems around the world.
The global search for Smith ended after FBI agents and America Online officials, in cooperation with the New Jersey Attorney General’s office, finally found the author of the Melissa computer virus, a macro virus that had been distributed as an email attachment. Once opened, the macro turns off a “number of safeguards in Word 97 or Word 2000, and, if the user has the Microsoft Outlook e-mail program, causes the virus to be resent to the first 50 people in each of the user’s address books.”
The effects were disastrous. According to Investopedia, the Melissa virus was estimated to have caused as much as $1.2 billion in damages, effectively clogging email systems around the world. Victims would receive an email that contained the message, “Here is that document you asked for … don’t show anyone else.” Once opened, the Word document would start creating an Outlook object with Visual Basic code and then spread itself throughout the victim’s address book.
“In a small percentage of cases (when the day of the month equals the minute value),” TechTarget says, “a payload of text is written at the current cursor position that says: ‘Twenty-two points, plus triple-word score, plus fifty points for using all my letters. Game’s over. I’m outta here.’” The line was a quote from Bart Simpson, hinting at the somewhat benign but misconstrued intentions of Smith, who later explained that he didn’t expect or anticipate the “amount of damage that took place.” Instead, he said, he had written the virus just to see if he could.
For a man who made his way onto the FBI’s radar, Smith’s explanation of idle curiosity is striking. It would later emerge that Smith had named the virus Melissa after a stripper he had met in Florida. He asked for no money, demanded no ransom, and got nothing out of his creation except a jail sentence.
From Melissa to ransomware
As of September, the FBI reported that ransomware had cost US businesses $1 billion in 2016 — and the year wasn’t even over. That’s a huge increase over last year, when cybercrime victims payed out some $24 million to hackers. But on the whole, ransomware represents a fundamental shift in the traditional criminal paradigm.
“Back in the 1970s and the 1980s, if a criminal wanted to rob you, they’d have to mug you with a gun or a knife or something,” says security expert Andy Malone. “With ransomware, criminals can just stick a piece of malicious code somewhere and wait for the money to role in.”
And ransomware accounts for only one part of the global and illicit cybercrime industry. In 2015 alone, experts estimated that the total cost of cybercrime was $3 trillion. That’s expected to increase to $6 trillion a year by 2021.
The halcyon days of malware
There was a time when viruses were more comical than damaging. In the 1980s, malware was often playful, a prank that computer enthusiasts would play on their friends. Some strains may have had some destructive effects, but on the whole most malware creators sought to show off their skills, tease their victims, and even play games.
Compared to the 21st century malware, the malware of yesteryear seems quaint. A quick look at the Malware Museum, an internet archival center of malware collected by Mikko Hypponnen, will show you as much.
Among the many archived viruses of the ’80s and ’90s are MARINE.COM, a virus that showed victims a sailboat next to a seemingly deserted island, and COFFSHOP.COM, a virus that promoted the legalization of marijuana. Early examples of malware such as these show the countercultural roots of early computer programmers and enthusiasts.
A turning point
But what was the first piece of malware to have a significant financial impact? When, in a sense, did the modern threat of malware as a financial burden and business risk become apparent?
Answering such questions is subjective work. Consider the Brain virus, which was first launched in 1986. Written by Basit Farooq Alvi and Amjad Farooq Alvi, two brothers from Lahore, Pakistan, the virus would replace the boot sector of floppy disks on IBM PCs with the virus and display the following message:
Welcome to the Dungeon © 1986 Basie & Amends (pvt) Ltd VIRUS_SHOE RECORD V9.0 Dedicated to the dynamic memories of millions of viruses who are no longer with us today — Thanks GOODNESS!! BEWARE OF THE er..VIRUS : this program is catching program follows after these messages….$#@%$@!!
The virus would go on to tell victims to call the Alvi brothers to help remove it, listing out three separate phone numbers. The fact that two malware authors would even think about listing their own phone numbers to their victims is unheard of in today’s world.
But the Alvi brothers didn’t intend to see their virus spread. They had written it as a safeguard for heart monitoring software they had written that was being pirated. The Alvi brother had intended to use their “virus” as a tracking program to halt the spread of illicit copies of their software.
When they began receiving large numbers of calls angry computer users in the United Kingdom and the United States, they were surprised and tried to explain that they meant no harm with their “virus.” They would later tell TIME magazine their story, explaining they had been targeting copyright infringers.
One can assume that BRAIN had some sort of financial impact. But determining just what kind of impact is tricky. There are no definitive records detailing the extent of the infections and little information about how long it took to repair the damage it caused.
The road from the Morris Worm to the Melissa virus
The first malware that caused enough damage to be assigned a financial figure was the Morris worm. It was 1988 and “the Department of Defense thought the Russians were attacking.” According to Mashable, “An MIT computer called PREP was the first to be penetrated. It was Nov. 2, 1988, and the time was approximately 8 p.m. Within hours and into the following morning, an estimated 10% of all machines connected to the Internet would crash, overloaded with several copies of a mysterious program.”
Officials would later discover that a computer worm was causing computers to crash. And unlike what the Department of Defense initially thought, the worm wasn’t the work of the Soviets. It was instead the work of a 23-year-old college student at Cornell named Robert Morris who had “made a few crucial coding errors… [and accidentally] unleashed something he could not control.”
Morris originally developed the worm with the intent to figure out how big the internet was. It would exploit vulnerabilities in Unix systems and then spread to other systems. Robert’s crucial mistake, however, was that the didn’t build in fail-safes to keep the worm from infecting computers multiple times. The result was a worm that spread around and around computers connected to the internet, shutting down servers in universities, military bases, and governmental agencies.
Estimates would later put the cost of the so-called Morris worm at between $250,000 and $96 million in damages. In 1989, Clifford Stoll, one of the experts who helped fight the worm, said, “I surveyed the network, and found that two thousand computers were infected within fifteen hours. These machines were dead in the water — useless until disinfected. And removing the virus often took two days.”
The worm itself was comprised of 99 lines of code and bears the honor of being the “first of many intrusive programs that use the internet to spread,” according to the Computer History Museum. Morris would go on to be the first defendant in a federal computer crime case and would receive a $10,050 fine and 400 hours of community service. Morris holds the honor of being the first person to be convicted under the 1986 Computer Fraud and Abuse Act. The worm would also lead DARPA to create CERT, fundamentally changing the way officials viewed internet security.
And 11 years later, when the FBI knocked on the door of David L. Smith who wrote Melissa, they would rely on CERT, the same 1986 Computer Fraud and Abuse Act, as well as the precedents set in Morris’ case to convict the author of the Melissa virus.
Aaron Winston lives in Austin, TX and has written about technology, history, e-commerce and more. Currently, he works as a Content Strategist for the flexible workspace company Hana.