How They Caught Him
By Chris Taylor
Like so much in life, it began with sex. Alt.sex, to be precise, a Usenet newsgroup devoted to erotica. This is where the computer virus called Melissa was, in geek terminology, released "in the wild." Named after a topless dancer in Florida, where "her" alleged author once lived, the virus was unremarkable except for her speed. Experts had never seen anything spread so fast. People trusted Melissa; she arrived disguised as an e-mail from a friend or colleague. In a matter of days, she was replicating herself all over cyberspace--from Berlin to Beijing, from the U.S. Marine Corps to the office of Republican Congressman Jim Talent--causing shutdowns in more than 300 computer networks. Worse still, her freely available source code soon spawned copycat viruses, like Papa and Mad Cow. Suddenly, Melissa wasn't sexy, crazy or even cool anymore. She was a menace to wired society.
And so a manhunt was launched for her creator, an investigation that came to a climax with the arrest of David L. Smith, 30, in Eatontown, N.J. Smith had been tracked down in about as many hours as it took Melissa to make it around the world. The fact that a suspected virus writer got caught was unusual enough. Even stranger were the bedfellows who beat a path to his door: a Boston software entrepreneur, a Swedish student, a deputy state attorney general, the nation's largest Internet service provider, a whole passel of antivirus experts and the FBI. What these sleuths found, and where they found it, may become a blueprint for nabbing future digital delinquents.
It happened like this. Just after 7 a.m. on the last Friday of March, a file called "Passcodes 3-26-99" appeared on alt.sex. On the surface, it seemed to be nothing more than a list of passwords for porn sites. But within hours, alarm bells began to ring. An automatic virus detector spotted Melissa, noting that she entered via e-mail from skyroket@aol.com The FBI enlisted America Online techies and scrambled their cybersabotage squads. Meanwhile, patrons of alt.comp.virus a newsgroup where virus writers and hunters hang out, morphed into virtual Baker Street irregulars.
From his apartment in Brookline, Mass., Richard M. Smith (no relation), president of Phar Lap Software, explored other viruses posted from the same e-mail account. In Stockholm, computer-science grad Fredrik Bjorck suggested that Melissa's code bore a strong resemblance to the work of a virus writer called VicodinES. When he heard that, Smith says, "I jumped all over it." He went to Vicodin's website and downloaded the virus tool kits he found there. Pulling files apart, he found names embedded in the source code. One of them appeared three times: David L. Smith.
AOL soon confirmed what Richard Smith already suspected: that someone had hijacked skyroket@aol.com's account. (The real owner, Scott Steinmetz of Lynnwood, Wash., squeezed a good 15 min. of fame out of the mix-up.) The culprit, AOL discovered, had logged on from New Jersey. A high-tech FBI-police unit there narrowed the possibilities still further. "Eventually," says deputy attorney general Christopher Bubb, "we were able to trace it back to the specific telephone that was being used." It belonged to David Smith.
State police picked Smith up last Thursday night at his brother's house. It was 72 hours since they'd been contacted by AOL, five days after Richard Smith contacted the FBI and a little less than a week since Melissa was posted. David Smith was released on $100,000 bail, and is scheduled to be arraigned this week. If convicted, he is expected to face about seven years in jail.
But the forces of law and order have already made a powerful point. Time was when virus writers were able to act with impunity and bask in the glow of hacker fame. Now the same technology that allowed their work to spread so freely is being used to catch them. The irony was not lost on Spanska, creator of the Happy99 virus. "The perfect virus writer should not communicate with nobody," he wrote last week. He plans to disconnect his e-mail for a while and "think a little." The Melissa case should give him and his pals plenty of food for thought.
--With reporting by William Dowell/Trenton and Elaine Shannon/Washington
With reporting by William Dowell/Trenton and Elaine Shannon/Washington