This is for real, people. I received this alert from SANS since I am
on a network security team at my corporation. Our mail servers came
to a screeching halt as they tried to process the tons of bulk mail. The
following will tell you all you need to know and how to resolve any
problems you may have. Act accordingly and take proper precautions.
Regards,
Rene' Glover
______________________________ Forward Header __________________________________
Subject: EXTRA: SANS Flash Report on the Melissa Virus
Author: "[EMAIL PROTECTED]" [SMTP:[EMAIL PROTECTED]] at $internet
Date: 3/29/99 4:11 PM
To: Rene Glover SD113795
From: Rob Kolstad, SANS E-mail Concierge
Re: EXTRA: SANS Flash Report on the Melissa Virus
Once or twice a year, the magnitude of a security event is great enough
to merit a SANS Flash Report. It is amazing and coincidental that it
happens in the same 24 hour period that we send out the first SANS
Newsbites.
NOTE: SANS will be changing email and web servers this week. We hope
to avoid service interruptions, but some error might creep in. Problems
to <[EMAIL PROTECTED]>.
Table of Contents:
1. What Melissa teaches us
1.1 Infection Speed
1.2 Collateral Damage
1.3 Need for Defense in Depth
2. One site's experience in cleaning up after a Melissa infestation
3. Conclusion
You will already have heard of the Melissa virus, at least from the SANS
Newsbites, and probably also from newspapers and friends, as well. An
excellent description of the virus, including how to identify it and
contain it at the host level, was developed by the Computer Emergency
Response Team at Carnegie Mellon University. This document is available
at http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
The major anti-virus vendors have already released descriptions and
anti-viral signatures. URLs for NAI and Symantec are listed below:
http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp
http://www.symantec.com/avcenter/venc/data/mailissa.html
The rapid response of these organizations has been very impressive, and
your response should be equally rapid. If you have not yet taken the
steps described in the CERT advisory, follow the instructions referenced
above and get your site's virus signatures updated and the infected
machines contained and cleaned. Then read the rest of this document that
tells some of the lessons learned and also the bigger picture surrounding
the Melissa Macro virus. We discuss the implications of information
gathering viruses like Melissa, the process and impact of cleaning up
after an outbreak at a military site and finally, share a non-working
version of the code to help you understand what these viruses do.
1. What Melissa teaches us
1.1 Infection Speed
According to NAI's web site listed above, the virus was first discovered
on an "alt.sex" newsgroup and spread rapidly. On the same day the virus
was first discovered "in the wild" it caused major infections and reports
from a large number of Department of Defense and Department of Energy
sites. Many of you will probably find out today that your site has been
infected as well. This serves as a warning of how fast a virus with an
unknown signature can spread. A modified, non-operative copy of the
source code is included as an appendix to this document. If you search
the listing for the string "For y = 1 To", you can see how the virus
replicated so rapidly by going through Microsoft Outlook address books
and sending itself to the first 50 entries in each book. Sections in
the code that have been the subject of news reports are marked with
comments that begin with ***.
Useful Background Information: In the March 2nd SANS First Tuesday
Intrusion Detection Web Broadcast, archived at
http://www.sans.org/webarchives.htm, Stephen Northcutt described another MS
Word Macro Virus, M97.Marker.a. Marker is an information gathering virus
which uses FTP to send the Microsoft Office registration information of
infected systems to outside organizations. Northcutt described how this
same technique would allow a prospective attacker to develop an infection map
and by knowing who sends what to whom, to target future attacks.
1.2 Collateral Damage
The Melissa virus apparently does not create any other damage in the
sense of deleting or stealing files. However, when the smoke clears,
the cost of dealing with Melissa will be measured in the millions of
dollars. It also directly affects sites' ability to send and receive
email. One network engineer, who worked at one of the first sites to
report the problem last Friday, March 26, said "I knew something was
wrong before I knew what was wrong. I could feel the network going
slower and slower. As I looked into it, I found the exchange mail
servers were melting down." One of the lessons of Melissa is that a
macro virus can hit very fast and very hard. The engineer went on to
say, "As I composed the last email of the day, a message hit the Inbox
of my Microsoft Outlook email application. The subject line read:
"Important Message From [Jane Doe]". I viewed the message, and the body
read "Here is that document you asked for... don't show anyone else ;-)"
Attached was a Microsoft Word document titled "list1.doc".
"Although I hadn't requested any documents from [Jane Doe], I was
expecting a couple of them from other people. It wasn't inconceivable
to think that she had become involved, even though I didn't know who
she was. I double-clicked on the Word document. A pop-up window appeared,
warning me that a macro was contained in the document, and that macros
can potentially be dangerous. I knew that... :-) So, I shut down the
Word application, and checked the document with several of the virus
detection packages that I had. Everything appeared clean."
"Since this was from someone in my organization, apparently a trusted
source, I went ahead and opened the document with the macros enabled.
In less than a second, a duplicate of the message had hit my mailbox,
this time with my name attached. I hit the power-off button on my
computer, but it was late. The payload had been delivered. My name
was now attached to a file containing pornographic web sites, and an
apparent username and password for each site. Moments later, duplicate
messages from others who had made the same mistake began to appear."
"At this point I knew we, as an organization, were in trouble. This
virus (or worm) was snowballing fast, too fast. I immediately called
our information systems security manager, only to find that his phone
was already busy. I left a voicemail detailing my appraisal of the
situation, and my fear that this incident could get serious... very
quickly. What I didn't know was that I was too late, it was already
*very* serious."
1.3 Need for Defense in Depth
Though Melissa is primarily spread by e-mail, passing an infected floppy
disk works just as well to move the virus to a new system, possibly even
a new organization. If there was ever any doubt about whether we need
to take virus countermeasures seriously, that time is past. We recommend
virus scanning at the firewall, on servers, and on the desktop systems
as well as physical entry points for magnetic media for sites that want
to avoid the kind of punch Melissa exhibited.
2. One site's experience in cleaning up after a Melissa infestation
Here's a first-person description of the process one site used to clean
up after being hit by Melissa.
"As soon as we discovered the virus late Friday afternoon, we disconnected
our servers (all SMTP relays and Exchange servers at our Internet
connection) from the network until we could contain the infection. This
happened at approximately 1800 hours Friday.
"System administrators for both corporate and departmental Exchange
servers worked through Friday night and well into Saturday. Many returned
Saturday and again on Sunday to complete the isolation and cleanup. They
cleaned up the Exchange servers with updated anti-viral signatures as
soon as they were available. The corporate servers and one departmental
server were ready to come back on-line late Sunday. We left IMS (Internet
Mail Service) disabled until we could contain (filter) email at the SMTP
server.
"Our version of sendmail is one removed from the latest, and the filter
updates provided by the author would not work on our version. We resorted
to getting the word out for ALL users to update the AV signatures and
refrain from sending Word docs until any with macros had been identified
as coming from trusted sources. The administrator for the SMTP relay
host downloaded a trial version of InterScan VirusWall from TrendMicro.
For more info, see: http://www.antivirus.com/products/isvw/index.htm
"The clean-up picture would have been much bleaker if we hadn't had so many
things in our favor:
* System administrators were still at work when the problem started
(approximately 1640 on Friday).
* Most of the users were gone for the weekend (and didn't compound the
problem by manually sending additional copies of the infected document).
* All of the system administrators involved in the clean up had been trained
in incident handling based on the SANS' Incident Handling Step by Step
approach.
* The person who needed to make key decisions was trained in incident
response and had already begun carrying a cell phone.
* Base commanders recognized the expertise that was in use and supported
the Incident Handling team by not directing what needed to be done (at
least so far)."
Note: The stages of incident handling are: preparation, identification,
containment, eradication, and follow-up. The URLs at the beginning of
this document can help you with identification and eradication. Your
organization may need to consider email server down time in order to
achieve containment. You may also want to consider setting up non-email
communication channels for your organization. If you do not know how
to build a telephone call tree, look for a "soccer mom". They know how
to spread important information very efficiently. In this way, if you
do suffer an email meltdown, you can still get important information,
such as where to acquire the latest anti-virus software, to your users.
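The containment step the site describes, filtering the reported mail at the SMTP relay, as an added example in Python (not SANS' or the site's own code): the filter parses one raw message and holds it when at least two of the indicators quoted in this report (the subject line, the body phrase and the list1.doc attachment) match. The addresses and sample messages are constructed for the test.

```python
import email
import email.policy
from email.message import EmailMessage

# Indicators quoted in the report: the subject line, the body text and the
# name of the Word attachment that carried the macro (compared case-insensitively).
SUBJECT_PREFIX = "important message from"
BODY_PHRASE = "here is that document you asked for"
ATTACHMENT_NAME = "list1.doc"

def melissa_indicators(raw: bytes) -> list:
    """Parse one raw RFC 822 message and return the indicator names it matches."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    if str(msg.get("Subject", "")).lower().startswith(SUBJECT_PREFIX):
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_PHRASE in body.get_content().lower():
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT_NAME or name.endswith(".doc"):
            hits.append("attachment")
            break
    return hits

def should_quarantine(raw: bytes) -> bool:
    """Hold the message when two or more indicators match: a lone .doc attachment
    or an innocent 'Important Message' subject must not block legitimate mail."""
    return len(melissa_indicators(raw)) >= 2

def build_sample(subject: str, body: str, attachment: str) -> bytes:
    """Constructed test message; addresses and content are not real mail."""
    msg = EmailMessage()
    msg["From"] = "jane.doe@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    # A few placeholder bytes stand in for a Word file; the filter only checks the name.
    msg.add_attachment(b"\xd0\xcf\x11\xe0", maintype="application",
                       subtype="msword", filename=attachment)
    return msg.as_bytes()

# Constructed samples: one matching the report's description, one ordinary message.
SUSPECT = build_sample("Important Message From Jane Doe",
                       "Here is that document you asked for... don't show anyone else ;-)",
                       "list1.doc")
CLEAN = build_sample("Q2 budget", "Please review the attached budget.", "budget.doc")
```

Once signatures are available the AV scanner replaces this stopgap; the two-indicator rule keeps the relay from dropping every Word document in the meantime.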
3. Conclusion
Because Melissa exploits one of the most valuable benefits of the net
-- the ability to share documents -- to propagate and to multiply itself,
it will affect far more people far more quickly than earlier viruses.
The silver lining in this cloud is that a relatively benign virus like
Melissa is a low-cost way of gaining user awareness. That same mechanism
can be used by a more malicious attacker to make private information
public and to destroy large amounts of important data. It makes sense
for you to use this opportunity to establish three capabilities if you
have not already done so:
(1) user responsibility and active involvement in protecting their
systems
(2) an incident handling capability (Order Incident Handling Step-by-Step
from the SANS bookstore www.sans.org if you don't already have a roadmap)
(3) user awareness of what to look for, whom to call, and what to say
when they call about a security threat.
In addition, we at SANS want to hear your experiences and the lessons
you learned in responding to Melissa. Please send your Melissa-related
tips, tricks, techniques, experiences and lessons learned to [EMAIL PROTECTED]
with Melissa in the subject line. This type of sharing can help all
sites be in a better position to respond the next time an event like
this occurs.
Appendix: Melissa Source Code
NOTE: Several errors have been introduced into this copy of the code as
a safety measure. It will not run in this form. We hope the code we
changed will not overly impact your opportunity to understand how the
software works, but we could not be responsible for furthering the spread
of the live version of Melissa. Text comments have been inserted at
the "famous" locations, preceded by three asterisks "***".