Melissa virus sender helped nab hackers
David Smith was a desperate man. But he was also smart. And he knew secrets about computers that the FBI wanted.
Facing jail time, public wrath and a fortune in potential fines, the 30-year-old sender of the fast-spreading Melissa computer virus did what hundreds of criminals have done before. He agreed to go undercover.
Federal court documents unsealed at the request of The Associated Press show that for almost two years, Smith — then out on bail — worked mostly full time cruising the dark recesses of the Internet while the FBI paid his tab.
What did the FBI getâ¢ A windfall of information about malicious code senders, leading directly to two major international arrests and pre-empting other attacks, according to federal prosecutors.
What did Smith getâ¢ Just 20 months in federal prison, which was about two years less than the minimum sentencing requirement, and about 38 years less than he faced when initially charged.
“Sometimes it takes a thief to catch a thief,” said former federal prosecutor Elliot Turrini, who handled Smith’s case and agreed to the reduced sentence. “There are very few people who can walk the walk and talk the talk of a sophisticated malicious code writer. The average FBI agent with good training is not one of those people.”
About 63,000 viruses have rolled through the Internet, causing an estimated $65 billion in damage, but Smith is the only person to go to federal prison in the United States for sending one.
Investigators say virus senders are usually incredibly hard to track, operating around the world in an obscure and anonymous environment. But in 1999, the FBI, acting on tips from private computer security experts and America Online, tracked down Smith, a computer consultant from Aberdeen, N.J., just days after he unleashed Melissa.
The virus, named after a Florida stripper Smith had known, was the fastest-moving one computer security experts had ever seen. At least 100,000 personal computers were affected in the first week, according to the Computer Emergency Response Team at Carnegie Mellon University.
In the end, the virus, which spread through Microsoft Outlook e-mail, infected more than 1 million computers and caused more than $80 million in damage.
Smith, who is serving his sentence in federal prison in Fort Dix, N.J., refused interviews with the AP. His attorney did not return calls.
But Smith told the judge while pleading guilty that he did not expect the amount of damage that took place.
“When I posted the virus, I expected that any financial injury would be minor and incidental,” he said. “In fact, I included features designed to prevent substantial damage.”
According to the court records, Smith began cooperating with the FBI immediately after his arrest. Initially he was working about 18 hours a week, but at the request of the FBI he soon increased his commitment to at least 40 hours a week. In exchange, the FBI paid his rent, insurance and utilities, which totaled nearly $12,000.
His first big result came in early 2001, when Smith gave the FBI the name, home address, e-mail accounts and other Internet data for Jan DeWit, author of the so-called Anna Kournikova virus in the Netherlands. The FBI passed the information to authorities in the Netherlands. DeWit surrendered and was sentenced to probation.
Also in 2001, Smith recorded online discussions with Simon Vallor, 22, the author of the “Gokar” virus that infected Microsoft computer systems worldwide. The FBI contacted detectives in the United Kingdom, who arrested Vallor early last year. He ultimately pleaded guilty to writing three viruses and got two years in jail.
Smith helped identify a vulnerability in IBM Web server software, which the company then patched. The federal prosecutor also said Smith was working with the FBI to develop an investigative tool that could help identify an e-mail sender who was trying to mask his or her identity.
In addition to using e-mail, online mailing lists and newsgroups to communicate and learn about virus senders, Smith collected 1,745 samples of computer viruses and malicious code for the FBI, the court documents say.
Ken Dunham, a computer security expert and senior analyst at Reston, Va.-based iDefense, works undercover in the hacker world to help track virus disseminators.
“Somebody like David Smith, with his background and experience, would be able to talk to individuals and win immediate trust,” he said. “He was getting great information that the FBI wouldn’t have been able to get otherwise. They needed someone on the inside.”
But Peter Tippett, chief technologist at virus-fighter TruSecure Corp., said prosecutors may have exaggerated Smith’s contributions. Tippett said private consultants are often more resourceful and can provide much better information about tracking hackers to the FBI.
“In my book, this doesn’t add up to all that much value,” he said. “They’re giving him more credit than he deserves.”
Because so few virus senders have been convicted — Smith in the U.S., Vallor and one other in the United Kingdom, DeWit is the only one in the Netherlands — Computer Security Institute editorial director Robert Richardson said he wouldn’t be surprised if Smith is just the first of a series of virus senders who, once caught, go to work for the FBI.
“He more than sang like a canary,” Richardson said. “He was a narc.”