The Internet Protocol Journal - Volume 2, No. 2

Was the Melissa Virus So Different?

by Barbara Y. Fraser, Lawrence R. Rogers, and Linda H. Pesante, Software Engineering Institute, Carnegie Mellon University

Was the recent electronic mail-based Melissa virus so different from similar events in our noncyberspace lives that it merits special behavior? We don't think so. But recent events raise some interesting questions about where to draw the line in our concern about the safety of our mailbox contents.

We regularly receive samples in the mail and don't give them much thought. They run the gamut from laundry detergents to shampoos to cereals to pain relievers. How often do we rip open that sample box of sugar-coated cereal and chomp down a few handfuls as a snack? Do we question whether the labeling accurately reflects the contents of the package? And what about the shampoo samples in those convenient little bottles, just the right size for tossing into our travel bag for the next trip. We use the shampoo with no thought that it might really be hair dye that would turn our hair purple or green. Then there are the sample medications and herbal remedies. Do we use the sample, assuming that it is exactly what it seems to be, without verifying it in some way?

For many of us, these examples represent common behavior today. When we open the samples we find in our mailbox, we don't question whether someone intent on harming us has sent a product that appears to be something we would use and that seems to come from a trusted source. Rarely, if ever, would we call manufacturers and ask whether they had really sent the sample.

How different is this from our approach to the contents of our electronic mailbox? We urge people never to click on an attachment before verifying its contents or at least not until they've verified that it came from the stated sender. Surely we must make these recommendations because of malicious code in electronic mail messages. But we may be asking people to behave differently in cyberspace than they typically do in their noncyberspace life.

What are we to do then? Responsible cyberspace behavior says to trust nothing and verify everything as completely as possible. In practice, this means that attachments added to an electronic mail message must be analyzed before being used. To be most effective, analyzers must be kept up-to-date with the latest information. Even then, rapidly spreading viruses like Melissa can slip under our "radar" for a while. Tools that support authentication and integrity are another building block we should use to gain trust in information that we should otherwise consider untrustworthy.

In our noncomputer lives, how do we know that the medication sample that came in the mail actually came from the attributed vendor? How do we know that the sample was not changed after it left the manufacturing point? The best we can do is to call the manufacturer and exchange some information about the sample: product numbers, packaging color, descriptions of the sample, and so on. Still, we cannot be completely sure that the product is what the packaging says it is. Similarly, how do we know that the electronic mail attachment actually came from the stated sender or that it was not changed in transit?

Here cyberspace has the edge over noncyberspace. Technologies are available that help us to verify the mail sender (authentication) and the validity of the message (integrity). Alas, none of the available technologies are multivendor, interoperable, or approved or endorsed by the Internet's standardization body. These technologies are an improvement over their noncyberspace counterparts, but they are not yet mature enough or widespread enough to be as effective as they ultimately will become. Unfortunately, we need that maturity now.

Returning to our original question: Was the Melissa virus so different? Our answer is no, it was not so different from the comparable free samples we receive in our noncyberspace lives. Unfortunately, those lives are fraught with the same kind of problems, yet we accept those risks with little concern for our well being. The real answer is that both our cyberspace and noncyberspace lives need to change to reflect the challenges of our modern world.

About Melissa

The CERT CC began receiving reports of a new virus on Friday, March 26, 1999. The macro virus is activated when a user opens an infected document in Microsoft Word 97 or Word 2000 with macros enabled. The virus then spreads quickly by sending an infected document to the first 50 addresses in the victim's Microsoft Outlook address book. It also infects the Normal.dot template file, which in turn causes other Word documents created using this template to be infected with the virus. If these newly infected documents are opened by a second user, the document, including the virus, will propagate, sending the document to 50 addresses in the second user's address book. The CERT CC handled over 300 reported incidents involving Melissa, affecting over 100,000 computers. This estimate is very conservative because it counts only those who contacted the CERT CC. It is believed that millions of host computers were infected.
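The propagation pattern described above (one sender, one Word attachment, a burst of 50 address-book recipients) is something a mail administrator can look for in delivery logs. The following Python is an added example, not code from the article or from the CERT CC; it assumes a constructed log format of `timestamp sender recipient attachment` per line and uses the article's figure of 50 recipients as the default threshold.

```python
"""Flag Melissa-style mass-mailing bursts in a mail delivery log."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Assumed log format: ISO timestamp, sender, recipient, attachment name."""
    ts, sender, rcpt, attachment = line.split()
    return datetime.fromisoformat(ts), sender.lower(), rcpt.lower(), attachment


def find_mass_mailers(lines, min_recipients=50, window=timedelta(minutes=5)):
    """Return {(sender, attachment): peak distinct recipients} for every
    sender/attachment pair that reached min_recipients distinct recipients
    within any sliding time window of length `window`."""
    events = defaultdict(list)  # (sender, attachment) -> [(timestamp, recipient)]
    for line in lines:
        if line.strip():
            ts, sender, rcpt, attachment = parse_line(line)
            events[(sender, attachment)].append((ts, rcpt))

    flagged = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start until it fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {r for _, r in evs[start:end + 1]}
            if len(distinct) >= min_recipients:
                flagged[key] = max(flagged.get(key, 0), len(distinct))
    return flagged


def build_sample_log():
    """Constructed log (not real data): one Melissa-like burst of 50 copies
    of the same .doc in a single second, plus ordinary correspondence."""
    lines = []
    burst_ts = datetime(1999, 3, 26, 9, 0, 0)
    for i in range(50):
        lines.append(f"{burst_ts.isoformat()} victim@example.org "
                     f"user{i:02d}@example.org list.doc")
    for i, rcpt in enumerate(("bob", "carol", "dave")):
        ts = datetime(1999, 3, 26, 10, 20 * i, 0)  # three mails, 20 minutes apart
        lines.append(f"{ts.isoformat()} alice@example.org {rcpt}@example.org notes.doc")
    return lines


if __name__ == "__main__":
    for (sender, attachment), n in find_mass_mailers(build_sample_log()).items():
        print(f"burst: {sender} sent {attachment} to {n} recipients")
```

A hit is a signal to pull the attachment for analysis and to check the sender's workstation, not proof of infection on its own; legitimate mailing lists will also trip the threshold unless excluded.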

BARBARA FRASER is a senior member of the technical staff at the Software Engineering Institute (SEI) located at Carnegie Mellon University. She is currently working in the Networked Systems Survivability Program of the SEI and the CERT® Coordination Center. Barbara leads the team that is currently developing an adaptive security management model for networked systems that will allow organizations to adapt to technology and organization changes while maintaining an appropriate level of security in their networked systems. Her professional interests are in developing tools and techniques for improving the survivability of technologies currently deployed in the Internet. Barbara has been involved with the CERT Coordination Center since 1990. She has developed and delivered many talks and courses on Internet security and security incident response, and has worked with many organizations to help them understand and address security issues as they relate to the Internet. Barbara is currently coteaching a graduate course, "The Economics of Information Security," for the Heinz School of Public Policy at Carnegie Mellon University. Barbara is active in the security area of the Internet Engineering Task Force (IETF) and was one of the authors of RFC 1281, "Guidelines for the Secure Operation of the Internet," and RFC 2196, "Site Security Handbook." She is currently a member of the Security Area Directorate and chairs two IETF working groups (GRIP and SSH). Prior to joining the SEI, Barbara was a senior engineer at Martin Marietta Corporation (now Lockheed Martin), where she led a team of software engineers in the development of aircraft simulator software. Barbara holds a bachelor's degree in biology and an M.S. degree in computer science. E-mail: byf@cert.org

LAWRENCE R. ROGERS is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). The CERT Coordination Center is also a part of this program. Larry's primary focus in this group is analyzing system and network vulnerabilities and helping to transition security technology into production use. His professional interests are in the areas of administering systems in a secure fashion and software tools and techniques for creating new systems being deployed in the Internet. Before joining the SEI, Larry worked for ten years at Princeton University, first in the Department of Computer Science on the Massive Memory Machine project, and later at the Department of Computing and Information Technology (CIT). While at CIT, Larry directed and managed the UNIX Systems Group that was charged with administering the UNIX computing facilities used for undergraduate education and campus-wide services. Larry coauthored the book Advanced Programmer's Guide to UNIX Systems V with Rebecca Thomas and Jean Yates. Larry received a B.S. degree in Systems Analysis from Miami University in 1976 and an M.A. degree in Computer Engineering in 1978 from Case Western Reserve University. E-mail: lrr@cert.org

LINDA HUTZ PESANTE has been a member of the technical staff of the Software Engineering Institute (SEI) since 1987. She is currently the leader of the Information Services Team for the CERT Coordination Center and SEI Networked Systems Survivability Program. She also teaches communication skills in the Master of Software Engineering Program at Carnegie Mellon University. At the University, she is a member of the Institutional Review Board for the Protection of Human Subjects in Research. She holds a B.A. in English and M.A. in professional writing from Carnegie Mellon, and an M. Ed. from the University of Pittsburgh. She has published on the topics of technical communication, network security, and teaching writing in computer science and software engineering programs. E-mail: lrr@cert.org