NEWS AT SEI
This article was originally published in News at SEI on: June 1, 1999
The previous column in this series discussed the need for all organizations to be prepared to prevent and respond to computer security incidents. It pointed out that even having good security measures in place would not prevent your organization from suffering computer security incidents and explained the need for you to be proactive about detecting and responding to incidents. Soon after this column was published in the March 1999 issue of news@sei, a Microsoft Word macro virus named "Melissa" was released on the Internet.
In this issue of the column, I am joined by Katherine Fithen of the CERT® Coordination Center (CERT®/CC). We will discuss how well the Internet community was prepared to respond to the Melissa virus and how the Internet community can better prepare for similar or even more damaging events in the future.
The Melissa Word macro virus
The operation of the Melissa Word macro virus and the techniques to prevent it are well-documented. If you would like to learn more, visit our Web site and read our advisory at http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html, and the frequently asked questions (FAQ) document at http://www.cert.org/tech_tips/Melissa_FAQ.html.
What was different about the Melissa virus?
Macro viruses first came on the scene in 1995, so it’s reasonable to ask how the Melissa virus was so different from previous viruses that it merited worldwide media attention and a hearing in the U.S. House of Representatives. The creator of the Melissa virus may or may not have realized its potential impact, but three unique aspects made it especially virulent:
- its speed of propagation
- the fact that it could be received from a known or trusted source
- its potential to disclose sensitive information
Speed of propagation
Unlike a worm, which is self-replicating, the Melissa virus, like many viruses, requires human action to propagate and cause new infections. However, previous macro viruses, propagated by users who unknowingly triggered executable code, usually spread only to other files on the user’s system or to other users one at a time. So, how could the Melissa virus spread so rapidly?
If triggered, the Melissa virus spreads rapidly by attempting to mail itself to the first 50 entries in every Microsoft Outlook MAPI address book available on the user’s computer. The potential fan-out was greater than 50 to 1 for two reasons: some users have access to multiple address books, and if any of the first 50 entries in an address book was a mailing list, the virus sent itself to every recipient of that mailing list! This unique propagation strategy, coupled with the fact that Microsoft Word and Outlook are widely used by organizations on the Internet, meant that the Melissa virus had a vast base of agents already installed to support its propagation.
Many organizations have mailing list aliases named "all" that reach every staff member. One large commercial organization that uses Microsoft Outlook reported that its organization-wide mailing lists were the first listings in many of its staff members’ address books. As a result the virus spread to every individual in the organization. Another site reported 32,000 copies of mail messages containing the Melissa virus spreading through its systems within 45 minutes!
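The fan-out described above is visible from the defender's side as a burst of outbound messages from a single account to many distinct recipients within minutes. The following is an added example, not code from the column or from the CERT/CC: it scans a mail-gateway log for exactly that pattern and, where a recipient is a known mailing-list alias such as "all", estimates the real reach of the burst. The log format (`<ISO timestamp> from=<sender> to=<recipient>`), the sample lines, the list-size table and the thresholds are all constructed assumptions.

```python
"""Flag mass-mailing bursts in a mail-gateway log (added example, constructed data).

Assumed log format, one line per delivered message, in time order:
    <ISO timestamp> from=<sender> to=<recipient>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) from=(\S+) to=(\S+)$")

# Constructed: sizes of mailing-list aliases as the gateway would expand them.
LIST_SIZES = {"all@example.org": 5000}


def make_sample_log():
    """Constructed sample log: normal traffic plus one account that fires a copy
    of the same message at each of its first 50 address-book entries, the first
    of which is the organization-wide "all" alias."""
    lines = [
        "1999-03-26T14:01:05 from=alice@example.org to=bob@example.org",
        "1999-03-26T14:05:30 from=bob@example.org to=alice@example.org",
    ]
    base = datetime(1999, 3, 26, 14, 2, 0)
    for i in range(50):
        rcpt = "all@example.org" if i == 0 else f"contact{i:02d}@example.org"
        ts = (base + timedelta(seconds=i)).isoformat(timespec="seconds")
        lines.append(f"{ts} from=carol@example.org to={rcpt}")
    # alice again much later: two recipients, but far outside any short window
    lines.append("1999-03-26T14:20:00 from=alice@example.org to=dave@example.org")
    return lines


def parse_line(line):
    """Return (timestamp, sender, recipient) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2).lower(), m.group(3).lower()


def find_mass_mailers(lines, threshold=40, window=timedelta(minutes=5), list_sizes=None):
    """Return {sender: (window_start, distinct_recipients, estimated_reach)} for every
    sender whose peak number of distinct recipients inside `window` reaches `threshold`.
    estimated_reach expands known mailing-list aliases using `list_sizes`."""
    list_sizes = list_sizes or {}
    recent = defaultdict(deque)  # sender -> (timestamp, recipient), oldest first
    peak = {}                    # sender -> best (window_start, distinct, reach) seen
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sender, rcpt = parsed
        q = recent[sender]
        q.append((ts, rcpt))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct = {r for _, r in q}
        reach = sum(list_sizes.get(r, 1) for r in distinct)
        if len(distinct) > peak.get(sender, (None, 0, 0))[1]:
            peak[sender] = (q[0][0], len(distinct), reach)
    return {s: v for s, v in peak.items() if v[1] >= threshold}


if __name__ == "__main__":
    for sender, (start, distinct, reach) in find_mass_mailers(
            make_sample_log(), list_sizes=LIST_SIZES).items():
        print(f"{sender}: {distinct} distinct recipients from {start}, "
              f"estimated reach {reach} after list expansion")
```

On the constructed log only carol's account is flagged: 50 distinct recipients in under a minute, with an estimated reach of 5,049 once the "all" alias is expanded, which is the amplification the column describes. The threshold and window are tuning knobs; a gateway that can also expand list aliases itself should count the expanded recipients directly rather than estimate them.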
Received from a known or trusted source
Many Internet users are wary about opening files or executing attachments from a person they do not know. This has resulted from a growing awareness among users of the threat and impact of viruses. The proliferation of spam and of unsolicited commercial email (i.e., the electronic equivalent of "junk mail") also has made users aware of potential threats lurking in email attachments.
Many of us use electronic address books to store frequently used email addresses. Because the Melissa virus sent infected attachments from the user’s email account to recipients who likely knew and trusted the sender, the recipients were much less likely to suspect that the message attachment contained a virus. The subject line and message text of an infected email message instructed the recipient to open the attached Microsoft Word document. Many users opened the document because they recognized the sender’s name and believed that it was intentionally sent. However, neither party realized that the message contained the Melissa virus.
Potential to disclose sensitive information
The Melissa virus infects the Microsoft Word Normal.dot template. All Word documents use this template by default, so every document later created using this template will also become infected and be subsequently sent to the first 50 address book entries as described above. Needless to say, this hurt some businesses by leaking documents containing sensitive information.
What was the extent of the damage?
The aspects described above gave the Melissa virus the capacity to spread rapidly and wreak havoc. But it was not as bad as it could have been, and it did not disrupt networked computer operations on the scale anticipated. Why not? Three factors helped to limit the spread of the Melissa virus: timing, effective response, and the role of the media.
In the United States, the virus was released on the afternoon of Friday, March 26, 1999. Because of the time zones, people in many other parts of the world had already left work for the weekend. In the U.S., many people leave work early on Fridays, and many universities in the U.S. were on spring break; so a large number of students and staff were on vacation. It was also the weekend before Easter, which starts a popular vacation period for many Europeans. Therefore, for a virus that requires human intervention to support its propagation, the timing significantly limited its effective spread.
Many organizations used this timing to their advantage to combat the virus. They asked their information technology (IT) staff to work through the weekend, disconnected their computers from the network, and began to clean their systems, update their virus scanners, and implement other preventive methods.
Through coordination and cooperation, the international incident response community, the anti-virus vendors, and the media played major roles in limiting the spread and impact of the Melissa virus. The CERT/CC played a pivotal role in this response.
A brief timeline of events tells the story that unfolded and illustrates the contribution of the CERT/CC. The timeline covers the period from the Melissa virus release on Friday, March 26, through the response efforts over the following weekend.
The CERT/CC was alerted to the existence of the Melissa virus when it received its first incident report from an insurance company at 2:00 p.m. A second report came in at 3:30 p.m. from a member of FIRST (Forum of Incident Response and Security Teams; see http://www.first.org). By 5:00 p.m., the CERT/CC had received five reports and had started analyzing a copy of the virus. Another FIRST member shared a brief analysis of the virus around 6:00 p.m. and by 7:00 p.m., realizing the seriousness of the threat from the Melissa virus, the CERT/CC recalled staff to the office.
By midnight, CERT/CC staffers completed a thorough analysis of the Melissa virus and wrote the initial CERT advisory on the virus. The advisory was released at 5:30 a.m. on March 27. CERT/CC staff members were also working to reach many groups within the anti-virus community. They did this to ensure that the virus analysis was complete and that details from as many anti-virus vendors as possible could be included in the CERT advisory on the Melissa virus. The anti-virus community has a long history of collaboration and prompt response. This approach facilitates its response as it shares virus exploits and analyses to ensure that each vendor can implement its own identification and eradication techniques.
CERT advisories reach a vast number of system and network administrators on the Internet. But given the timing of the virus release and of the advisory, there was concern that many people would be enjoying their weekend and would be oblivious to the growing threat from the Melissa virus. So the CERT/CC contacted the media to further alert the world to the potential impact of the virus and to recovery strategies.
The role of the media
Many incident response and security teams are wary of working with the media as part of their incident response strategy. Internet security topics greatly interest the media, but unless the quality of the reporting of these events is high, there is always a possibility that the technical information reported could be incorrect and that the coverage might do more harm than good.
In the case of the Melissa virus, though, the media reported the story accurately and effectively. This good reporting dramatically increased the world’s awareness of the threat and the availability of appropriate countermeasures. The media coverage reached many system and network administrators responsible for IT system security, and many computer users began to understand the urgency of the situation as they learned about the virus over the weekend. Accurate news coverage provided users with the information that they needed to return to work and begin recovery and mitigation strategies. This greatly helped prevent further spread of the virus.
The effect of the widespread media coverage is evident from the CERT/CC’s Web site statistics. Within the first 7 hours of the release of the Melissa advisory, it was downloaded 30,000 times from the CERT/CC Web site. After media coverage of the Melissa virus, the advisory was downloaded an additional 188,000 times the following Monday and 160,000 times Tuesday.
Can we respond more effectively next time?
As the Internet has grown, a smaller percentage of its users remember the Internet worm incident of 1988 that resulted in much of the Internet being completely unavailable. There was no infrastructure in place to respond to the worm, and it became the impetus behind the formation of the CERT/CC. (For more information, see ftp://coast.cs.purdue.edu/pub/doc/morris_worm/FAQ). Similarly, the Melissa virus incident serves to remind the Internet community of the potential for threats and the need to be better prepared to handle them.
A lucky combination of factors helped limit the Melissa virus’s damage, and the overall response from the current response infrastructure was excellent. However, the Internet is still vulnerable to far greater threats than the Melissa virus.
Although the volume of email traffic that the Melissa virus generated resulted in a denial of service (i.e., an organization being unable to process email or access computer networks) for some, its impact could have been far worse. This would have been the case if the Melissa virus had done as much damage as a virus like the CIH virus (see http://www.cert.org/incident_notes/IN-99-03.html). Viruses of this caliber completely destroy data and can render systems inoperable. A worse situation could also be caused by a virus that takes a stealthier approach or does not require a human action to propagate it.
If the Melissa virus had been released on a Monday rather than a Friday, it would have spread much more rapidly and the response community would have been under even greater pressure to respond quickly. The scale of the Melissa virus incident as reported to the CERT/CC was more than 300 organizations and 100,000 hosts. However, this was not as widespread an incident as it might have been. The CERT/CC has received reports about automated scans of Internet hosts where tens of thousands of systems are probed.
Although the Melissa virus posed a threat to many individual organizations and users, it posed far less of a threat to the overall Internet infrastructure. Unlike the Internet worm incident in 1988, the Internet was available as a communications medium to facilitate the response to the Melissa virus incident. If in the next big security incident the Internet is not available, the response community could still cooperate with the media to share information about the threat and the appropriate response (although even the media relies greatly on the Internet). However, if the Internet is not available because of a severe security event, it would be extremely difficult to analyze the technical cause of the problem, or to make countermeasures and patches available for downloading. Much of the analysis and coordination in response to the Melissa virus relied on the Internet infrastructure as a communications channel. This included the ability to share exploits, analysis, vendor communications, and advisories.
Sites used the Internet not only as a communications medium to pull down the CERT advisory but also to download updates for their virus scanners. If the Internet had not been available, access to those virus scanner updates would have been far more problematic.
Future viruses and other security events could occur on a much greater scale and cause more damage to the Internet community than the Melissa virus. We must continue to be aware of potential threats and continue to prepare for the potential disruption. Many organizations and response teams will evaluate their response to the Melissa virus and use the lessons learned to evaluate their readiness to respond to future threats. We encourage you to review your contingency and information technology security plans to ensure that you and your organization are better prepared for the next event.
About the authors
Moira J. West-Brown is a senior member of the technical staff within the CERT® Coordination Center, based at the SEI, where she leads a group responsible for facilitating and assisting the formation of new computer security incident response teams (CSIRTs) around the globe.
Before coming to the CERT®/CC in 1991, West-Brown had extensive experience in system administration, software development and user support/liaison, gained at a variety of companies ranging from academic institutions and industrial software consultancies to government-funded research programs. She is an active figure in the international CSIRT community and has developed a variety of tutorial and workshop materials focusing mainly on operational and collaborative CSIRT issues. She was elected to the Forum of Incident Response and Security Teams Steering Committee in 1995 and is currently the Steering Committee Chair. She holds a first-class bachelor's degree in computational science from the University of Hull, UK.
Katherine Fithen is the manager for the CERT Coordination Center. She has been a member of the CERT/CC since March 1992. The CERT Coordination Center provides technical assistance to Internet sites that have computer security issues or concerns, or that have experienced a computer security compromise. Prior to joining the CERT/CC, she was a user consultant for PREPnet, the regional network service provider for the state of Pennsylvania. Fithen has earned a bachelor’s degree in retail management, a master’s degree in personnel management, and a master’s degree in information science.