http://www.kumite.com/myths

Tell friends & colleagues about virus hoaxes the easy way

• You can reprint this document at no charge. See the copyright notice & distribution policies for more info.
• Learn about the author before you start taking his advice.
• Read the most current Random Thoughts
• Read the complete 1999 archives

Melissa virus

28 Mar 99

My current working theory? Search for a spammer, not a virus author. You'll probably find a spam booster rocket floating somewhere in cyberspace...

It looks like the media will go berzerk over Melissa. From MSNBC: "experts think hundreds of thousands of PCs might have been infected" in roughly 36hrs. From ZDNet: "'Melissa' could rival the Cornell Internet Worm released in 1998."

History suggests the reporting will erupt into full-scale worldwide media hysteria. History also suggests computer security stocks will rise thanks to all the valuable worldwide publicity. Grab a box of popcorn, folks -- Melissa may turn into a blockbuster. (Movie trailers will feature the long-awaited sequel to Win95.CIH hysteria, opening on 26 April.)

30 Mar 99

Research by Richard M. Smith (Phar Lap) indicates the porn sites mentioned in the original Melissa file belong to unrelated people. Also, Smith used a privacy flaw in Word documents to track down the possible virus author. The trail apparently doesn't point to a spammer, so I need to discard my hypothesis.

Now, I'd normally just discard it and get on with my efforts -- but this time I went too far. I confidently told a Detroit radio station and a St. Louis news crew we would find a spammer behind this virus. Ouch! A skeptic must hold himself to the standards he expects others to follow. I whine about people who label their assumptions as facts, you know.

Some of my critics may use this mea culpa to berate the value of my opinions. Too bad for me: that's the price I'll pay for falling off my high horse.

4 Apr 99

Have you seen the crowd riding on the coattails of this virus? Every major computer security agency published an alert. Every major news organization wrote stories. Computer security offices sent email alerts to everyone in their company. Every virus expert got involved. Every major antivirus firm got involved. Every major email server vendor got involved. FBI NIPC Director Michael Vatis got involved. New Jersey Governor Christie Todd Whitman got involved. Deputy Secretary of Defense John Hamre received briefings about Melissa and JCS Chairman Gen. Henry Shelton probably received the same briefings.

All this involvement for a mediocre computer virus by today's standard. Do you think President Clinton will chime in if Lou Cypher^[4] pulls a "Jack Ruby" on Melissa's author?

FBI rumor-mongering may make it harder for prosecutors to argue their case. Ironic, but not unexpected. Can't these guys just stick to the facts? Oh, well: I hope Mulder & Scully pursue the 8-13 other people worldwide who created Melissa variants.

Eugene Spafford, Ira Winkler, and other computer security experts got swamped with media queries after the arrest. One reporter admits he called me because he couldn't reach anyone else -- Spafford alone had at least 15 interviewers in queue. "Thank you for calling Hackers 'R Us. Our experts will give you a sound bite in the order in which your call was received." This might explain why ZDTV interviewed a ZDNews reporter.

Does CNN know if digital vigilante Lou Cypher[5] plans to kill Melissa's author?

I set aside my vacation day when I learned of the arrest. No big deal: I enjoyed the media attention. One reporter didn't know why his colleagues told him to speak with me -- after all, Melissa isn't a hoax. "Oh, it exists" I said. "Likewise, DataCrime and Michelangelo and Hare and Remote Explorer exist too." The little bulb over his head started to light up...

NEWSWIRES SAY MELISSA "infected hundreds of thousands" of computers in its first 36hrs. A Newsbytes report says it "downed as many as 300 Fortune 500 companies." Now, I can believe it generated so many emails -- but hundreds of thousands of infections? We need to ask some philosophical questions:

1. How many Fortune 500 companies suffered a genuine email catastrophe?
2. How many Fortune 500 companies shut off their email servers strictly as a precaution?
3. How many Fortune 500 computer security offices sent an email alert to everyone in the company?
4. How many of those computer security offices sent out more email about Melissa than Melissa itself sent out?
5. How many users "disinfected" their computers just by deleting an email?
6. If an administrator deleted email from the network before it reached your computer, does it mean the administrator "disinfected" your computer?

I've not yet spoken to a legit virus expert who accepts the "hundreds of thousands" estimate at face value. "It's only an assumption," admitted a source at one antivirus firm who begged for anonymity. I also hope to find someone who will back PC Week commentator David Berlind's assessment of monetary damages. "Despite the relatively benign nature of this macro virus," he wrote, "the worldwide cost of dealing with it can easily escalate into the hundreds of millions of dollars."

Does anyone know the name of Governor Whitman's supervisor? I want to find out how much overtime pay she'll get as a direct result of Melissa...

5 Apr 99

An open letter to Michael Vatis, director of the FBI National Infrastructure Protection Center

The unprecedented "manhunt" for Melissa's author seems impressive on the surface. A link to your organization's first security alert appeared on the FBI's default home page, and one news report claims you teamed up with antivirus vendor Network Associates to offer a $50,000 reward for information leading to an arrest.

However, I notice certain oddities as I study your efforts. For example, your organization existed for more than a year before issuing its first alert, yet it looks like someone wrote it in haste with little or no procedures to guide its format. The alert also includes a quote from you which appears almost political in nature. An update (also apparently written in haste) contains rumors about the virus. If your organization planned to affiliate itself with Network Associates as reported, it would set an important precedent for lucrative "corporate sponsorships."

CERT and CIAC follow certain procedures when they issue formal alerts. To the best of my knowledge, they avoid rumors, political statements, and corporate affiliations. Frankly, it looks like your organization jumped onto Melissa's coattails in large part for its "photo-op" potential.

I hope Rep. Jerry Costello (IL-12) will invite me to testify before Congress about cyber-threats. In my prepared text, I would pose this philosophical question:

"Suppose Melissa's author waited just six more days. Would the FBI launch a nationwide manhunt for a relatively non-destructive computer virus released on April Fool's Day?"

Most Sincerely,

Rob Rosenberger, webmaster
Computer Virus Myths home page
http://www.kumite.com/myths

10 May 99

Dear Mr. Rosenberger,

Thank you for your letter dated April 6, 1999, regarding our "Alert" about the "Melissa" macro virus. Letters regarding information disseminated by the National Infrastructure Protection Center (NIPC) serve as valuable indicators that we are reaching the American public who rely on computer networks for business or personal use, and also provide useful input that helps us adjust our warnings alerts, and advisories, to better serve the needs of industry and the public.

I would, however, like to address a few misperceptions in your letter. First, your letter referred to an unidentified report which claimed the FBI had joined forces with Network Associates to offer a $50,000 reward for information leading to the arrest of the perpetrator(s) in this matter. We have learned that Network Associates apparently did offer a monetary reward, but the FBI did not participate in this offer. As you know, in fast-breaking situations such as this, press reports may not be fully informed.

Second, your letter states that our Melissa alert was the first we have issued since our creation. In fact, NIPC has issued many warnings, alerts, and advisories. Some of these have been sent to government agencies and selected industry entities based on the nature of the incident or threat, and have not been relevant to the public at large. In addition, the NIPC has sent several alerts aimed at the general public when we judged the potential impact of malicious computer acts as broad based. This was the case with the Melissa macro virus. When the general public needs to be warned, our web page and the general media can play an important role in informing the American public during these fast-moving situations. Consistent with our mission, we use all appropriate vehicles to help ensure that the public understands evolving threat situations, their potential impact on computer or network operations, and preventive or response measures they may take to minimize damage or disruption. Besides helping the public when we issue an alert, we hope the public will respond with information that will help the FBI and state and local law enforcement agencies, often working together, to investigate potentially criminal dimensions of these events.

Third, your letter states that our alert appeared to be written in haste and without any procedures to guide it. In fact, though our alert was necessarily prepared with dispatch in order to contain the spread of Melissa and resulting damage, it was not written "in haste," and it was written and disseminated in accordance with established internal procedures.

Fourth, your letter asserts that the alert appears "almost political" in nature and that we seemed to "jump into Melissa's coattails" for "photo-op potential." I must respectfully but vehemently disagree. The purpose of the warning was to alert government agencies, businesses, and the public to a fast-spreading virus that could cause denial of service to e-mail servers and networks. Our warnings, disseminated by various means early on the morning of March 27th, were among the first issued by any entity. Our statements to the press on March 28th and 29th were aimed at getting word to the general public as people returned to work on Monday and opened e-mails with the potential of creating more damage. This is a core part of our mission, and is not "political" in any sense of the word.

Finally, in the process of developing alerts and other warning products, we coordinate our activities with the excellent efforts of such professional groups as CERT, CIAC, and FedCIRC. We will usually not issue an alert unless we have some unique information, special concern, or need to reach a less computer-literate audience than that which normally relies on the computer security community.

Again, thank you for your observations regarding our latest "Alert," and for your statement of support for our charter. Our goal is to pursue the NIPC mission to protect the critical national infrastructures, including keeping government, the private sector, and the American public informed of possible malicious intrusions and viruses that could seriously damage computer network operations. I hope this reply addresses your concerns and I encourage you to write me regarding any further observations or suggestions you may have on these matters.

Sincerely,

Michael A. Vatis
Director
National Infrastructure
   Protection Center

11 Aug 99

To understand how the Air Force reacted, we need to understand the "INFOCON" system. The Secretary of Defense established it along the lines of the old "DEFCON" system and the more recent "THREATCON" system. The five basic stages of INFOCON go like this:

• NORMAL means "no significant activity" -- a theoretical optimum we cannot achieve if we accept 14yr-old hackers as a national security threat.
• ALPHA means an "increased risk of attack." This includes "regional events occurring which affect U.S. interests," e.g. Kosovo. The military starts watching more closely for ping sweeps and website vulnerability probes.
• BRAVO warns of a "specific risk of attack" against a computer, a military base, or a deployed squadron. Expected threats include a "significant level of network probes, scans or activities" for reconnaissance purposes. A website hack or denial of service attack has "no impact to DoD operations."
• CHARLIE indicates five or more 14yr-old hackers joined modems to attack millions of soldiers, sailors, airmen, and marines. These attacks achieve "limited impact to DoD operations [with] minimal success, successfully counteracted." Attackers break into only a few websites which contain little or no nuclear weapons data. The military can still perform its mission.
• DELTA signifies "general attack(s)" by the Russian mafia and/or the Melissa virus. These computer intrusions would "undermine [DoD's] ability to function effectively [and would create a] significant risk of mission failure." At this point the U.S. military must retreat from a battlefield littered with damaged PCs and smoldering mousepads. Bomb disposal units will deploy the Minesweeper game to locate unexploded Pentium chips.

I mailed FOIA requests to various Air Force units asking for (1) the INFOCON status each day from 15 March to 15 April and (2) a summary reason for any changes. A simple query, right? You'll love the responses:

• HQ U.S. Air Forces in Europe: "computer users were in INFOCON Alpha for each day between 15 Mar 99 and 15 Apr 99. There was no change in the status."
• HQ Air Intelligence Agency: refused to disclose their INFOCON status. "Unauthorized disclosure of such information could reasonably be expected to cause serious damage to national security. The document is currently classified."
• 89 Comm Squadron: the presidential support unit passed the buck to HQ Air Mobility Command...
• HQ Air Mobility Command: passed the buck to U.S. Transportation Command...
• U.S. Transportation Command: refused to disclose such sensitive data, "the release of which would allow circumvention and substantially hinder the effective performance of a significant function."
• AF Office of Special Investigations: couldn't respond due to a backlog of FOIA requests. (I half-expected this.)

I really do like the idea of an INFOCON. It makes sense to standardize the military's awareness of a threat, be it missiles or terrorists or bytes. It also makes sense to separate a computer threat from, say, a personnel threat. If a deployed Marine commander asked for the current status, an Air Force advisor might tell him "sir, we're in DEFCON Normal, THREATCON Bravo, INFOCON Alpha." It conveys useful news very quickly in a standard form.

Yet to hear HQ AIA say it, INFOCON data is at least as sensitive as THREATCON data. Conclusion: an airman's Internet connection is at least as important as an airman's life. (Dreamsheet yourselves to Ramstein, guys. ASAP.)

26 Oct 99

The first piece of advice urges readers to "install anti-virus software at the Internet gateway, on servers and on clients." Utterly obvious, everyone should take this advice, many don't, we can't stress it enough, blah blah blah. "However..."

Let's remember an important point, folks. Melissa and its variants slipped past popular gateway antivirus packages. They slipped past popular email backbone antivirus packages and popular file server antivirus packages. These generic Word macro viruses also slipped past popular desktop antivirus packages which bind directly to email clients and monitor every file opened in Microsoft Word.

Until recently, experts worldwide blamed Melissa's spread on everything except this one overwhelming vulnerability. I agree you should install antivirus software on gateways and servers and workstations -- so long as you understand the obvious impact of this vulnerability.

This leads us into ZDNN's second piece of advice: "update virus definitions daily." This helps to reduce the vulnerability. Recommendations over the years went from "quarterly" updates, to "monthly" updates, to "weekly" updates, and now "daily" updates.

Think about the average Fortune 1000 firm for a moment. Do you believe the average security guru can convince an entire company to update on a weekly basis, let alone daily? Think of the LAN bandwidth it would take to support just 5,000 PCs every day. Or even every week. Now think of the Internet bandwidth antivirus firms already need just to support customer updates.

Some people claim they need a better update capability than the average large firm can handle. Oh? These people probably base their "need" on the fact they can support the need. "I require weekly updates because I can get weekly updates. I require daily updates because I can get daily updates..."

On the other hand, corporate experts find it difficult to justify faster updates. They deal constantly with employees who declare antivirus software a "nuisance" (and the Hey Macaroni! screen saver a "necessity"). Virus fighters occasionally stumble over PCs which run safely despite running for years with no antivirus software.

Few users truly need a better update capability than Fortune 1000 firms can support. Still, people demand it. The world will need a lot more Internet & Intranet bandwidth if it wants updates on a daily basis. All this, just so the entire planet can retrieve antivirus updates more often.

Face it -- we're a bunch of addicts waiting to score our next antivirus fix. We started injecting updates into our computers on a quarterly basis. Then monthly. Then weekly. Now ZDNN wants us to score a fix every day.

What next: hourly?

Ironically, many users remained vulnerable to Melissa for up to three days no matter how often they tried to update during that period. If Melissa proved anything, it proved you can't always update fast enough after the fact.

This leads us to a philosophical question: "why must we update on a regular schedule?" Do security teams update the firewall software every Sunday afternoon? Do network administrators update WinNT server device drivers every Tuesday morning?

FACE IT -- WE'RE a bunch of addicts waiting to score our next antivirus fix. It gives us a feeling of comfort, a feeling of elation, exactly like a drug. We injected updates into our computers on a quarterly basis, then monthly, then weekly. Now ZDNN wants us to score a fix every day. What next: hourly?

We need to get over our addiction. It'll take effort. First we need to overcome our psychological urge to update antivirus software after the fact. Believe me when I say we can break this obsessive-compulsive behavior.

Call it "heuristics" or "profile-based scanning" or "generic detection" or whatever. We actually can detect viruses the instant they exist. We actually can detect viruses before the fact. Don't let the addicts convince you otherwise.

"F-PROT, for example, was able to detect W97M/Melissa.A ... in its January '99 release."
-- Bruce P. Burrell, 'Virus Busters' team leader, University of Michigan

"The fact is that Sophos started with this approach years ago before we had a virus-specific product. We had (and indeed still have) a utility called Vaccine. What we found was that customers don't like generic anti-viruses. It's actually the customers who have insisted on virus specific protection rather than the [antivirus] companies."
-- Graham Cluley, Sr. Technology Consultant, Sophos

"Our product ... in fact [could detect and remove Melissa at least] four weeks before it hit."
-- "Bryan," technical support, Leprechaun Software

This leads us to ask why we got so addicted in the first place. You'll find the answer here. We can deal with the rest of ZDNN's advice whenever we finally break our obsessive-compulsive behavior...

18 Dec 99

The moral of this story? Don't let Edward F. Borden, Jr. represent you if you get caught writing viruses.

What a complete idiot! Can you believe the FBI fears people like Smith?

Suppose Smith released Melissa just six days later. Do you really think the FBI would launch a nationwide manhunt over a no-payload virus released on April Fool's Day? I ridiculed the prosecution's case with this one simple philosophical question. Taking it a bit farther, do you think NJ governor Christie Todd Whitman would ride the coattails of an April Fool's Day prank?

In the final analysis, Smith will go to prison because he released his virus six days too soon. "Premature escalation," as I like to say. What a complete idiot.

I wrote other philosophical questions related to Melissa. Look for question marks here and here if interested.

Melissa's author didn't get the benefit of my advice, but Microsoft will. Two words, Bill: "sue him." No joke. Take Smith to small claims court for phone calls and other miscellaneous expenses.

Why small claims court? Contrary to initial press reports, Redmond's security team walked away from Melissa with scratches. They could sue for millions only by trumping up the charges. Microsoft can force the media to face this fact if they slapp Smith for a few hundred bucks.

Can you imagine if Gates showed up for the post-trial press interview? "I wanted to dock employees whose PCs got infected. I also thought about suing everyone who emailed us a Melissa attachment. Unfortunately, the world still rewards users whose PCs get infected. So I told my lawyers to go after Smith instead." Boy, I hope Judge Judy arbitrates it.

Memo to Smith: complete idiots deserve to get railroaded. Give your cellmate a kiss for me.

Smith got railroaded by photo-op hounds and he'll get a rimjob at his sentence hearing. I couldn't care less -- a complete idiot deserves everything he gets. In fact, I hope the judge bars Smith for life from government contracts.

Bon voyage, dude. Give your cellmate a kiss for me.

SMITH REMAINS FREE on bail until his sentencing date. I just might fly to New Jersey in May for a ringside seat.

Can you believe Smith landed a computer job while on bail? News sites splashed his smiling mugshot all over the Internet, yet no one ever pegged him at Rutgers University Foundation:

A spokeswoman said that when it hired him [in September], the foundation did not recognize Smith as the suspected author of the virus... He went about his work quietly and unrecognized for two months, trouble-shooting computers in offices on Rutgers' New Brunswick campus.

He quit on Dec. 3, a week before his court appearance, citing personal reasons. 'Now we know what they were,' Rutgers spokeswoman Pamela Blake said.

We might see Smith someday in an American Express commercial. "Hi, do you know me? My computer virus caused over $80 million in damages..."

Still, Smith gets something very important out of all this: notoriety. We can at least rejoice because Michelangelo's author remains anonymous to this day. (How would you like it if the whole world knew you by reputation yet nobody knew your name?) Heck, Michelangelo's author might still work at Rutger's for all we know.

Smith never realized he would earn a footnote in history, but we'll forget this. We'll also forget he accidentally exposed serious flaws in antivirus software and email infrastructure security. A complete idiot who named 105 lines of Word macro code for a strip dancer? Bah. Clueless pundits in the future will recall Smith as "a gifted mage who nearly destroyed the Internet on a whim."