e-v-mail |
|
 (home page) Hoax du Jour tips on protecting yourself against "Melissa"
Microsoft: Microsoft Knowledge Base:
Got a question? Try |
Back to The Word Macro Spam 'Bot(Cont'd.) March 31, 1999 On the Trail of a Culprit
As predicted, the news media are running away with themselves. (See the CNN Interactive "in-depth report" by John Christensen, above.) George Smith (The Crypt Newsletter) found the New York Times asserting that, though there was no evidence, there was THE POSSIBILITY that "Melissa" might launch its attacks from mail clients other than Outlook. That's about as reasonable as asserting, "I have no evidence that there is a Santa Claus, but I suspect that he's probably living right up there on the North Pole." Uh-huh. CNET reported on Monday that Network Associates Inc. (NAI) had tracked the original posting of LIST.DOC to the alt.sex newsgroup from an America Online (AOL) address:
True to form, the NAI spokesman contended that this virus writer "was very clever." Well, of course. No antivirus developer or information security consultant wants to openly ADMIT that the Internet is being severely threatened by some boob with a second-hand copy of VBA for Dummies, right?? I agree with NAI, on this one. The writer was certainly clever enough ... to change the computer's time to falsify the "creation date" to a predetermined time just before the file was "inserted" Friday morning. By Tuesday morning, WIRED NEWS had identified that the boob, er, very clever writer, was an AOL user in Washington. (Perhaps it was a mistake when Trend Micro pinpointed the "launch point" in Western Europe?)
Poor Scott. In a CNET article later Tuesday, he expressed bewilderment at how his account was openly fingered as the source ... apparently without anyone even checking with him. "'I am a little jarred about the lack of security that AOL has in place, and am now going to close my AOL account,' Scott Steinmetz said in an email. ... 'I am not the creator of the virus, nor did I have any part in the distribution of the virus,' Steinmetz said." For their part, AOL was able to comment on his account,... before refusing to comment. "'We are aggressively looking into it,' said AOL spokeswoman Wendy Goldberg. 'There are a number of variables that need to be further investigated before we can make a determination about whether it was an unwitting propagation.'" If Goldberg's name sounds familar, in reference to a disclosure of a private account, it's no coincidence. Wendy was the regular spokesperson in the debacle in January, 1998, when the online service had allegedly disclosed the identity of SCPO Timothy McVeigh to a Navy investigator, in violation of AOL's own privacy policies. AOL came out smelling bad on that one. As reported by Janet Kornblum, "To complicate matters, last night AOL canceled McVeigh's account, accusing him of writing chain letters, said his mother, Teri McVeigh." The supposed chain letters appeared to be his e-mail writing campaign to gain support for being tarred and feathered by the Navy based on information acquired illegally from AOL. Cancel his account? It's the worst thing they could do. (Ahem. Last year, SCPO Tim McVeigh. This year, Scott Steinmetz. Does anyone at AOL remember Richard Jewell?)
|
'Melissa'
mutates, becomes resistant to patch
|
It bears noting that "the patch" that Sendmail.com provides does little more than filter on the SAME SUBJECT LINE that was initially reported last Friday. Easy setup, easy obsolescence.
Rough translation: Eric and his Sendmail gang provide a patch with a guaranteed effective lifetime of maybe 2 hours [virus hackers would immediately change the e-mail characteristics to fly under the radar of the patch in no time]. Virus writers see this, and change the e-mail, not to "keep the sendmail patch from detecting," but simply to avoid detection. Later [Monday morning], infected users send out various [infected] documents in new, unique e-mail, which of course are likewise not detected by the sendmail patch.
Now, I should think that a golden rule of sensible technical journalism is NEVER, EVER refer to the software as an entity. Programs (viruses) are NOT organisms. HAL-9000 was a fictional construct. The idea of a macro virus "mutating," like the HIV virus, is absurd. (No joke: a news piece early this week compared "Melissa" to AIDS.) A macro virus can no sooner mutate than I can turn myself into a chocolate milkshake.
More likely, explained George Smith, is that anonymous twiddlers will play with the macro, or the e-mail containing the contagious Word file. Again, EASY.
There's nothing stopping 100 wanna-be's from re-sending "Melissa" in different messages. There's nothing "clever" about it, folks.
For myself, I don't doubt that once a user's NORMAL.DOT Word template has been infected, subsequent Word files are infected. The same user can e-mail an infected document, in all new messages, all day long.
Here's how our hypothetical pal "Eliza" might easily be struck by someone she trusts. Notice that NOTHING here looks like what the press have described as a likely "Melissa" message:
SUBJ: Wednesday meeting: proposalMs. Doolittle, here's the consulting spec for your meeting Wednesday. Keep it simple. Stick to business, weather and everyone's health. If you make any last minute changes, e-mail me the revision by COB Friday. Best of luck. <<Higgins Proposal.DOC>> Pickering |
(If you can't stand the suspense, jump ahead to see what Eliza might send out after reading Pickering's message.)
Stay tuned, folks. This can only get better. Rob Rosenberger (Computer Virus Myths home page) recommended making popcorn. Me, I'm ordering pizza and cola, and stocking up on extra batteries for my Skepticism Meter.
April 1, 1999
Well folks, the unthinkable occurred. I was struck by "Melissa."
At around 10:30 AM PT, as I was returning to my desk at our Northern California software development company, my alphamnemonic pager went off. Beeeeep! "Dick," an account executive in our Chicago office, had sent an "Important message." "Here is that document you asked for ... dont' show anyone else. ;-)." I thought it was a joke. (It IS April Fool's day.)
I took two steps. Beeeeep! I pulled my pager out of its holster -- Beeeeep! Beeeeep! I had 2, then 3, more messages.
Sure enough, it was a classic "Melissa" spam, which had gone out to the first fifty addresses in each of Dick's contact lists, mostly company-wide distribution lists like "!WW CEO Staff." Somehow his huge distribution list of distribution lists included "Pager David Spalding." Seconds later, our Marketing VP sent a copy, to the same global lists. Then a QA specialist in Development. ... By the time I'd walked 100' to my desktop system, I had 6-7 messages crammed into my pager.
If you understand how "Melissa" works, then you can imagine that within a minute of Dick innocently opening an infected Word document, his system had spammed most of the company, half a dozen people had opened the message, and opened his Word file expecting it to be urgent news. As I had performed all the preventative measures that I recommended on March 29, I opened the document with impunity and found that it wasn't urgent, but it sure was important. It was the infected document that a customer had mailed to Dick, an in-depth contract proposal.
I predicted that "Melissa" would change form a little bit, and this particular cycle of spam proved it. Dick's spam DIDN'T contain a document called LIST.DOC, nor any URLs to porn sites. The infected "carrier" which delivered the macro virus was a customer's document.
You can imagine the embarrassment.
If other companies are like our little firm, there are a lot of embarrassed business people around. Our IT department sent messages to EVERYONE early Monday, specifying how to upgrade both Word (with the Word 97 Template Macro security patch), and our standard antivirus software. (In this week alone, my AV software has quite admirably caught, captured, and eliminated both the Happy99.EXE Trojan (infected with the W32/Ska virus), and documents carrying "W97m/Melissa.")
Dick and others identified themselves as those who HADN'T taken the pill, and DIDN'T heed the warnings against suspect Word documents. In a way, "Melissa" serves the purpose of tagging those who are not keeping up to date on safe computing issues that are making headlines. Not exactly a "career-enhancing reputation" to earn. I can envision a corporate downsizer asking, "Where's that list from the 'Melissa' crisis in March?"
I e-mailed Dick directly to jab a pesky finger in his chest, and suggest ways in which he could GENTLY advise his "contact" of his calamity. When he called me, he was aghast, and amused. Turns out, a client with one of Dick's biggest accounts had called him up during lunch.
Meanwhile, back in Novato, David Spalding is walking past the office kitchen when his pager goes off.... Beeeeep! |
Returning again to our hypothetical pal Eliza, if she had opened the message that Pickering sent her earlier, she would almost instantly send out the following:
SUBJ: Important Message From e.doolittleHere is that document you asked for ... don't show anyone else ;-) <<Higgins Proposal.DOC>> |
And there you have it. "Melissa" is reborn in a new document which has nothing to do with adult web sites. Arguments that Melissa could be used as "viral marketing" tend to dissipate unless the marketing information were inserted directly in the e-mail message (and some enticement ensured that the Word file will be opened).
Is the week out yet? Has someone reported that "Melissa" is an "e-mail
virus" yet?
April 2, 1999
Saved by the bell. On Monday, I predicted that someone, somewhere, would confuse "Melissa" (a Word macro virus that is spread chiefly via e-mail) with "Good Times" (a hoax that purported that an e-mail message contained a virus). As someone told George Smith (The Crypt Newsletter), the story about the virus IS the virus. It's true about "Good Times," and it's true about "Melissa." When I found myself with a dozen copies of "Melissa"-infected files, I couldn't help but take precautions, and then OPEN IT (in Word Viewer). I know, I've been discouraging everybody and his kid sister from doing that, but I succumbed to "infectious curiosity," and took a peek. As I said, I was struck by "Melissa."
Researching today's news, I found the following paragraphs from Reuters that would seem to parrot the modus operandi of "Good Times." (Emphasis has been added.)
Melissa
tracked to user name 'Sky Roket'
|
I'm not sure that I want to touch the vague inaccuracy of the second paragraph, but I include it here to indicate how far afield Reuters has gone. "Melissa" uses the VBA macro language built into Microsoft Office, not Microsoft Windows, to launch an attack from Word and Outlook. "Millions of computers using Windows" don't necessarily have Office installed.
Anyway, I don't think there's any mistaking the fudge factor in the first paragraph. As we've learned together, class, the virus is contained in a Word file, and can only be unleashed by opening that file. And we have also learned that the virus uses Outlook (only) to send messages, not any "online address book." (Federal Computer Week (IDG) also promoted this ambiguity.) Many careless writers and editors have omitted this detail. I all but guarantee that someone has misinterpreted this as a result.
Do you think that Reuters has confused "Melissa" with the old "Good Times" hoax? You tell me.
In other news, the New Jersey authorities, and the FBI, oh and AOL, too, think they've caught their man. As reported by CNN, MSNBC, Wired News and others, David L. Smith was apprehended and charged with interfering with and conspiring to interfere with public communications, theft of computer services, wrongful access to computer systems, and being an all-around Bad User of the Internet. He stands to spend 40 years in prison, and pay up to $480,000 in fines.
Can you say "Computer Fraud and Abuse Act of 1988?" (Please refer to O'Reilly's COMPUTER SECURITY BASICS (left), also known as "O'Reilly's Yellow Book.")
Reportedly, the information that helped track him down was provided by a lawyer for AOL. That's not news, since it was determined earlier this week that the initial posting to an alt.sex newsgroup came from an appropriated AOL account; AOL was able to provide data that help Federal and state investigators nail the activity down to Smith's phone line.
He used his own phone line? This is a "very clever virus writer," [Sal Viveros, Network Associates] but he used his own car for the getaway??
Let's review this week's big scoops from software vendors, though. Trend Micro reported that the post initially came from Western Europe. Apparently not. Richard Smith of Phar Lap Software (no relation, I presume), who has previously answered the call as a volunteer hunter of virus writers, asserted that the Globally Unique Identifier (GUID) imbedded in the Word file pointed to virus writer VicodinES as the culprit. Apparently not. As reported in MSN, "Christopher Bubb, deputy attorney general, said investigators did not use GUIDs the unique identifiers embedded in every Word document, to track down Smith."
[Later news reports confirmed that authorities were able to compare the GUID from "Melissa" with Smith's recovered computer, with positive results.]
(Coincidentally, Smith made news less than a month ago when he discovered an intriguing security vulnerability in Office documents, Global User IDs based on each computer's unique network adapter (NIC) address. The NIC addresses were found documented in the Windows Registry, Office documents (the GUID), and may have been collected by Microsoft during online product registration. The media attention led to Microsoft offering several patches and utilities, including the "Office 97 Unique Identifier Removal Tool.")
In all, as usual, no surprise, many of the claims and contentions made by the antivirus software vendors have become clear hyperbole and salesmanship. Again. Did any of it work?
I'll give you three guesses, and the first two DON'T COUNT.
By the by, the "Melissa" virus was apparently named after a topless
dancer that Smith knew in Florida. Think she's flattered?
April 5, 1999
George Smith (The Crypt Newsletter) has been issuing some high-value reality checks on the continuing soap opera that surrounded last week's virus outbreak. In an insightful article on his site about the hunt for "Melissa's" author, he delves ever deeper into Richard Smith's (no relation) claims that the unique GUID found in the original Word file provided damning evidence of "Melissa's" parentage.
Since Smith announced to the world that Office applications were inserting GUIDs into Office documents, Microsoft released two patches, one for preventing this from happening to new documents, and another for removing the GUID from existing files. A complete discussion (with the patches) of the issue is on Microsoft's web site, signed by Yusuf Mehdi, Director of Windows Marketing.
I have to ask the obvious question. Since these patches are widely and publicly available, just how hard is it for a "very clever virus writer," like VicodinES, or David Smith (according to authorities), to remove the GUID at will? Knowing HOW the GUID is created (derived from a Registry entry), couldn't a reasonably smart virus writer create a file with a FAKE GUID? Crypt Newsletter reader Nic Brown seems to think so....
I side with The Crypt that cute little privacy hacks are no substitute for good, old-fashioned police legwork.
In other news (watching), Rob Rosenberger (Computer Virus Myths home page) found a ZDNET audio broadcast interview with a ZDNN reporter, apparently the best authority on Smith's arrest that could be found on short notice. The interview contained this quaint little quote:
Rob
Lemos, ZDNN: Melissa Arrest
|
Presuming that Mr. Lemos knows what he's talking about, I guess this confirms that if you're a "very clever virus writer," then the first thing you do after you download VicodinES' kit, is become a teenager.
August 1, 2001
It's been two years since David Smith was apprehended and convicted of writing and distributing the W97m/Melissa virus. How's he doing?
Well, not bad actually. He still has not been sentenced. As the first virus writer who was caught and convicted of laying waste to the Internet as a prank (a gross exaggeration for comedic effect, I hope you see), you'd think the Federal government would make an example of him. Nope. He's still walking around.
Justice Mysteriously delayed for 'Melissa' Author
|
His sentencing is currently scheduled for September 1, 2001. The Register reported that there appear to be no actions on Smith's attorneys to account for the delay in sentencing. The New Jersey US Attorney's office wouldn't discuss the matter. Smith's lawyer wouldn't return phone calls. Smith himself declined comment.
The Register proposed two possibilities for this seeming lack of justice, swift and fair. One, the actual amount of damage created by Smith cannot be determined. Rob Rosenberger of Vmyths.com regularly takes the antivirus software industry, and the media, to task for publishing grossly inflated "damages" figures apparently conjured up out of thin air, or stale office coffee.
Although Smith admitted responsibility to over $80 MILLION in damages, he's not bound to that, and authorities have not been able to prescribe sufficient metrics to determine how much (or how little) damage he really did in order to proceed with sentencing.
The Register's second proposed explanation is that Smith is cooperating with the authorities on other investigations (subsequent virus epidemics?). Such collaboration would be in confidence, and the sealed nature of court documents indicates that he's working with prosecutors. Smith has no known association with criminals, so it's possible that he's working with the NIPC on other virus problems. I wasn't impressed with Smith's ingenuity (he was caught pretty darn quick, wasn't he?), so I wonder just what good he's doing.
As The Register points out, Smith is the only Web-era virus writer to have been prosecuted. The fact that he's still at large, waiting for sentencing, is a joke.
(Suzy Seraphine-Kimel tipped me to this initially; thank you, ma'am.)
