AuthorITies:
Internet Zone

April 26, 1999

What I Learned From Melissa

By Jason Levitt

"I knew something was wrong before I knew what was wrong. I could feel the network going slower and slower. As I looked into it, I found the [Microsoft] Exchange mail servers were melting down."
--A network engineer describing the effects of the Melissa virus at his company (source: SANS Flash report on the Melissa virus)

"...I'm calling on the virus writers of the world to wreck it all, so that we can throw it all away, back up a few decades, and start over."
--Phil Agre, associate professor of information studies at UCLA, expressing his desire for a new, secure, operating system (source: Red Rock Eater News Service).

As much as I agree that most modern operating systems are inherently insecure, I can't imagine that even the most devastating viral attack could get corporate America to demand a new, secure operating system built from the ground up. (CIH, also known as the "Chernobyl" virus and capable of causing some significant data loss, is a step in that direction, but it still isn't dangerous enough.) Yet, that's exactly what is needed. The unleashing late last month of the Melissa virus is more proof that security failures in the computing infrastructure are becoming accepted as an inevitable occurrence. I'm still expecting a security apocalypse, but I'd prefer to see a new operating-system architecture that's based on sound security principles. Meanwhile, the fallout from Melissa, or perhaps the lack of fallout, has me wondering how much infrastructure corporate IT departments are willing to put in place in an attempt to thwart online attackers, and how long it will be before someone creates an attack that moves as fast as Melissa but also does some serious and lasting damage.

Ho-Hum, Another Virus
There were several anxious moments as system administrators, the FBI, and other concerned parties tracked the origins of Melissa, found a suspect, and sifted through the E-mail mess left behind. In the end, companies updated their virus-protection software and life went on. Pretty boring, eh? Security break-ins just aren't the big-ticket item they were back when the "Morris Worm" of 1988 made headlines and was instrumental in the creation of the Computer Emergency Response Team Coordination Center.

Perhaps it was the perfunctory nature of the Melissa virus that gave it such limited shelf life in the media, despite the devastating speed with which it spread. After all, Microsoft Office macro viruses have been around ever since you could do something interesting with programmable Office macros.

Melissa, though, is perhaps more casual and scarier than previous macros. That's because Melissa uses mostly well-documented Visual Basic for Applications code and fully exploits the object models Microsoft designed to make Office a programmable suite of tools. Office macros can access other Office applications' object model, as well as some system services such as the Windows Registry. Example source code and explanations that you can use to nurture your inner virus hacker can be found online at Microsoft's Office Developer Forum, and in handy books such as O'Reilly and Associates' "Learning Word Programming," "Inside the Windows 95 Registry," and "VB and VBA In A Nutshell."

So, the Melissa author didn't use a "back door" or exploit bugs or holes in the programming infrastructure (or maybe the author knew about a few documented ones like this). In fact, the author very neatly went through the front door. Yes, Melissa is just a nice bit of programming and easy enough for a bright 13-year-old to duplicate, which is apparent from all the derivative, but uninteresting, viruses that followed ("Mad Cow," "Papa," "Marauder," "Syndicate," etc.). Furthermore, Melissa isn't an indecipherable application or a piece of code that's lurking somewhere on an Internet server. It's an interpreted script residing on your desktop and, if you were one of the lucky ones to receive a copy, you can even peruse its straightforward source code with just a few simple mouse clicks--compliments of Microsoft. (With an infected document loaded, you merely launch your Visual Basic editor, Tools->Macro->VisualBasicEditor, to see the Melissa source code. If your Tools->Macro selection is grayed out, go to Tools->Customize and add the Visual Basic floating toolbar.)

Show Me The Money
Melissa hit the Internet some time around March 25, and spent several days afterward bringing business E-mail servers to their knees. Updates to antivirus programs, combined with some software consciousness raising (don't run macros until you've looked at the document--duh!), have kept Melissa and her derivatives in check, but the official Microsoft "solution" to Melissa is to wait for Office 2000 to be released--and buy it. Microsoft's new macro-signing technology is part of Office 2000. In Office 2000, you'll be able to sign any macros you create and an IT administrator can globally set Office 2000 desktops so that only properly signed macros are executed. While smaller companies can get by with pointing their desktops at an appropriate certificate authority, such as VeriSign, many larger companies will need to implement some public key infrastructure--probably a certificate server and possibly Lightweight Directory Access Protocol servers that store and maintain certificates for their employees. There will be some serious IT money thrown at PKI in the next few years, and Microsoft appears fully committed to it. It's certainly easier, and much more profitable, than reengineering the Windows operating system from scratch. Don't get me wrong--even with a new, secure operating system, PKI would still be the preferred method of personal identification on the Internet. But layering the complexity of PKI on top of insecure operating systems is just inviting security disasters. Those disasters will, in turn, help sell more infrastructure and patches.

This Is the End
Far from calling on virus writers to launch the "killer" app, I'd rather see a concerted effort by operating-system vendors to make serious, low-level, security improvements in their products. This would almost certainly break most existing applications, but it would be worth it. A new operating system, possibly developed as an open-source project, seems like the best bet for a new platform. In the meantime, I'll keep waiting for that security apocalypse.

