Lessons to Be Learned from Melissa

Each virus that exhibits new replication or destructive capabilities teaches IT professionals and the software industry a few new lessons. The Melissa virus was no exception.

Unlike with most viruses, one of the most effective tools for controlling the proliferation of Melissa turned out to be the mass media. I happened to catch a morning NPR news segment on my way to work that mentioned the virus. Sure enough, a Melissa-generated message was waiting for me when I arrived at the office.

Our company was among the lucky: The virus didn’t successfully make it onto any of our machines. We were spared having our e-mail system disabled for who knows how long.

Those who were infected with this virus are still lucky – Melissa wasn’t designed to intentionally destroy data or cause security problems by exporting proprietary or confidential information from a system to the first 50 names in your address book. But the efforts required to eradicate Melissa still caused serious outages of service for numerous companies.

Even PC-competent companies like Microsoft and Intel were not spared. Microsoft, for example, was forced to close down its gateways to the outside world for a time due to the Melissa virus.

Some industry observers quickly blamed Microsoft, pointing to its macro technology as the core of the problem. That accusation misses the real problem. While the Office macro is a powerful application platform that has enabled a lot of macro viruses to flourish, the reality is that the next virus could well be an EXE file or rogue ActiveX control. The bottom line is that if you’re going to let something from an unknown source run on your system, you’re opening yourself to potential risk. Being able to swap executables and macros is a powerful, valuable capability -- the problem is managing them.

Here are some of the lessons to be learned from this incident:

  • The ante has been upped for macro virus propagation. Melissa has the capability to replicate at close to 50 to the nth power. At that rate, worldwide propagation can occur in a couple of days. Chances are good that the next major virus will adopt this technique or will use other techniques to dramatically increase the speed of widespread infection.
  • Anti-virus software remains a weak line of defense against unknown viruses. As long as anti-virus software can’t identify a virus before you realize you were infected, it’s always going to be patch-and-catch-up technology. Melissa proved that if a virus can proliferate fast enough, there is an opportunity to infect many machines before defensive actions can be put into place.
  • The stakes have been raised for virus authors. With the relatively fast arrest of a suspect in New Jersey, virus authors are now on alert that authorities have become more competent at tracking down guilty parties, especially those who are sloppy about covering their tracks. This, however, won’t be a deterrent if perpetrators are located in countries that have little interest in cooperating with the international community.
  • Computer literacy and education will help, but ultimately, there must be other mechanisms in place to prevent virus proliferation. Even the most PC-savvy companies in the industry had problems with Melissa, so user competence alone is simply not a good enough solution.
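
The growth rate in the first lesson, and the limits of user education in the last, can be checked with a small model. The Python sketch below is an added illustration, not part of the original article; the population size, the fraction of users who open the attachment (open_rate), and the uniformly random choice of recipients are assumptions.

```python
"""Mean-field model of a mass mailer that sends itself to 50 addresses.

Assumptions (not from the article): recipients are drawn uniformly at random
from a fixed population, and a fixed fraction of users open the attachment.
Real address books overlap heavily, which slows the spread further.
"""

FANOUT = 50  # from the article: mail goes to the first 50 address-book names


def generations(population, open_rate, fanout=FANOUT, target=0.9):
    """Cumulative expected infections per mail round, starting from one machine.

    Stops once `target` of the population is infected, or when a round is
    expected to infect less than half a machine (the outbreak fizzles).
    """
    infected = newly = 1.0
    history = [infected]
    while infected < target * population and newly >= 0.5:
        messages = newly * fanout
        # Chance that one still-clean machine receives and opens at least
        # one of this round's messages.
        p_hit = 1.0 - (1.0 - open_rate / population) ** messages
        newly = (population - infected) * p_hit
        infected += newly
        history.append(infected)
    return history


def rounds_to_saturate(population, open_rate):
    """Number of mail rounds the model needs before it stops."""
    return len(generations(population, open_rate)) - 1


def ideal_total(n, fanout=FANOUT):
    """Cumulative infections after n rounds of unconstrained 50**n growth."""
    return sum(fanout ** k for k in range(n + 1))


if __name__ == "__main__":
    for rate in (1.0, 0.5, 0.1):
        hist = generations(1_000_000, rate)
        print(f"open_rate={rate}: {len(hist) - 1} rounds, "
              f"final={hist[-1]:,.0f}, ideal={ideal_total(len(hist) - 1):,}")
```

In this model, halving the open rate adds only one mail round before a million-mailbox population is saturated, which is the quantitative form of the point that user competence alone does not buy defenders much time.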

The good news is that Microsoft is introducing the capability of digitally signing Office 2000 macros, which will provide a way to set a confidence level that a macro must deliver before a system might execute it. Other Office 2000 enhancements include a new anti-virus API to improve the integration of anti-virus products into Office 2000.

The bad news is that, like most Microsoft product enhancements, you’re going to have to upgrade your software to get these improvements. Microsoft has no plans to supply certificate technology to older products, including a widely used legacy product called Office 97.