
Thursday, 4 Aug 2005

For the purposes of this text, we define Spyware as any item of software that installs itself silently, or that you wouldn't want if someone explained what it does in detail. This of course includes General Malware, Keyloggers, Adware, Trojans and other unwanted hitchhikers on your computer. Viruses and Worms are well covered elsewhere, so we will leave those out.

Most Spyware is "semi-legitimate". It has been installed with your consent (yes, really!) and does nothing more than collect information about your browsing habits and return it to the interested party. While this undoubtedly invades your privacy, it is not something we have to panic about quite yet.

However, an increasing amount of this Malware is being used for downright criminal purposes. Typically used for gathering personal data (credit cards are the obvious choice), an installed item of Spyware can quickly gather enough information to allow the recipient to easily clone your identity and really mess your life up. Currently available information suggests that a relatively unsophisticated identity theft (and resulting credit fraud) can take a year to expunge from your credit record. During that time you will have difficulty getting credit of any kind, including contract mobile phones, mortgages, credit cards, personal loans and even some utility services among many other services that involve credit checks.

Increasingly, Malware is being used to "drop" commercially available software onto your machine. For instance, there are a number of well known trojans that drop a cut-down version of a commercial session logger. The commercial session logger is a 100% legitimate tool marketed at parents to enable them to track their children's online habits and at companies to track their employees' computer use. The author of the Malware has shanghaied the commercial software into service as a criminal tool. Using the commercial session logger a criminal will be able to view all your online banking passwords and gain access to your entire online life.

Most modern Spyware/Malware is installed over a browser session. Typically, the unsuspecting user will wish to get to a portion of a website that is unavailable unless a download is accepted. In some cases, the download is installed silently without ever notifying the user that they are at risk. Regardless, curiosity often overrides caution and the download is accepted. Many downloads actually include a long and complex license agreement that includes a clause allowing the publishers to install software on your computer without further reference to you! Once you accept the license agreement the Malware can be installed legally, and they pretty much own your computer.

A few points to note:
If the Spyware/Malware has been installed with your consent, there is no legal redress against the publisher UNLESS they use the information collected for criminal purposes. You have to be able to prove criminal intent or action.

If the Spyware has been installed with your consent then it is technically illegal (in the UK and USA) for another firm (such as an anti-Spyware software publisher) to remove it. Claria (formerly Gator) sued anti-Spyware company PC Pitstop on the grounds that their Adware/Spyware is legitimately installed software. New.net sued another anti-Spyware company Lavasoft in US Federal Court. Claria and WhenU have both allegedly threatened leading Spyware researchers with further lawsuits. (Source: ZDNet News: December 1, 2003 and May 24, 2005)

It is interesting to note that Microsoft is now in the anti-Spyware game, having bought Giant. It is likely to be impossible for the likes of Claria and WhenU to sue Microsoft and win – which may create a future precedent in US law making a raft of Spyware/Malware illegal.

AOL-owned company advertising.com has recently been responsible for tricking users into installing Adware that came packaged with a tool to block Spyware. (Source: Mediaweek August 3, 2005)

While over 90% of companies have excellent antivirus tools installed, only a tiny fraction of firms have any kind of anti-Spyware policy or protection beyond simply telling users not to download things. Remember, your anti-virus tool will not protect you from most Spyware/Malware (as of August 2005) and given the legal implications of removing Spyware/Malware it is not surprising that the anti-virus vendors have been slow to step into the breach.

It is thought that up to 30% of the computers at a given company will be infected with some sort of Spyware. This Spyware is not only collecting information about browsing habits or for identity theft, but also about your Company and its clients. It could be downloading your confidential documents to an unknown internet site whose owners are then selling them to your competitors or the press. Finally, it could be participating in co-ordinated attacks against another company, making you liable for damages.

So, once you have assimilated these unpleasant facts, go and create an anti-Spyware strategy and install some tools to find out how compromised you really are.

Monday, 8 Aug 2005

Before I write my own personal thoughts, I wanted to extend my sincerest condolences to the people, their families and friends affected by the London Tube and Bus bombings of 7th July 2005.

The first I heard of the bombings was from the support staff at MTV who normally start around 9am. They told stories of being kicked out of the tube and being forced to walk into work, arriving late and confused. Shortly afterwards there was a muffled thud, rather like a thunderclap which we now know was a Bus exploding in Tavistock Place.

Televisions all over the office were switched on and the surreal reports from Sky News were digested.

Mobile phones started misbehaving and no one could call me direct all day, instead they got diverted to voicemail and I was called back by 121 a few minutes later.

At this point (around 10:30am) no one was seriously believing it was anything other than a terrorist attack. I called National Rail at 11:30 and asked about services from the main line stations "in the light of this morning's attacks" only to be told that it "was not an attack, but a power surge and all stations were closed for the duration". Odd when every news report and website was lambasting Islamic Fundamentalists as the culprits. I found out later that "a power surge" was the standard term London Underground use for a major incident to reduce the panic.

I was impressed at how quickly the Muslim Association of Britain condemned the attacks, and I truly hope that the Muslim community in the UK will not suffer as a result of the actions of a misguided few. Their condemnation was not just about distancing themselves from the terrorists, but also a powerful show of solidarity with the victims - some of whom were Muslims themselves.

Just think how different the world would be if George Dubya hadn't gone into Afghanistan en masse, but simply surgically and anonymously removed the heads of the regime and its terrorist dependants. Everyone understands the reasons why state-sponsored assassination is a bad thing, but...

I left the MTV offices at 1pm and walked from Oxford Circus to Earls Court where I met two very helpful chaps (Kevin and Nick) who not only allowed me to share their cab heading west, but got me to Slough and then on to Bracknell where I met up with my wife and went home. It took me 4 hours to get home and I consider myself very lucky to have made it home at all that night.

One month later and there has been a second, failed attack and the security services are out in full swing. I notice that the Met has started stopping and searching Asian youths with rucksacks and while the liberal in me says it's not fair, it is nevertheless a fact that we are not in danger from white, little old ladies with shopping carts.

Tuesday, 9 Aug 2005

I am pleased (or rather depressed) to report that the Dilbert Principle is alive and well, and dysfunctioning to the detriment of all. Herewith, an example of management thinking that is positively elegant in its dumbness.

Management decide they want a SAN. They decide this without really understanding what a SAN is, but that's ok, because they have people who do and they can take their advice. Or not.

What should happen is this:

The Engineers decide that more storage is needed now, and will be needed over the next 4 years. They investigate a solution that will service current and future needs and will be compatible with the future direction of the corporate IT infrastructure. The SAN will be large, resilient, fast and easy to manage/expand. Most importantly, it will be compliant with and manageable by the company's prevalent Windows infrastructure.

What actually happened was this:

The Managers decided that more storage was needed as the Engineers were placing unfair restrictions on the amount of disk-space they were allowed to use for MP3s and their personal porn collection. They looked in an industry newspaper and picked the SAN vendor with the largest advert. The SAN vendor (unable to believe its luck) promptly invited the Managers to a golfing weekend and the sale was made.

Never mind that the Engineers declared that the proposed solution could not be supported. Never mind that the new solution took 18 months to install, is not large enough to support current requirements and will not be expanded because the cost per MB is several times what was expected. Never mind that it is only compatible with Windows 2000 and that the servers attached to it cannot be properly upgraded to Windows 2003. Never mind that it is piteously slow and unreliable and there wasn't enough money in the budget to cluster the NAS front end. Never mind that it cost several times what it should have cost and doesn't achieve any of its objectives. Never mind that it requires a vendor engineer to attend site if it ever needs rebooting and 2 working days of twiddling to return it to service after a power-down.

Genius.

The problem with purchasing a lame duck is that you are stuck with it for years. The people in charge of the decision will never admit that they bought the wrong product and the vendor doesn't care, because they have the sale AND a fat support contract. What's worse is the fact that because the original problem wasn't solved, the Engineers have to come up with ever-more creative ways of maximising the available disk space on operational systems to try and spread the load around the LAN and the Managers still have nowhere to store their MP3s and porn.

Oh, the power of the golf course decision.

A golf course decision is one made on the golf course by a manager who is enjoying the free weekend of golf provided to him by a vendor trying to sell him a bad product or rotten solution.

There is no such thing as a good golf course decision, just degrees of bad-ness. The salesmen employing such tactics are almost universally despised by engineers.

Vendors have long recognised the power of the golf course decision and have practiced losing at golf for years to make the manager feel properly superior. Some vendors are now so skilled at this tactic, that once the manager has teed off, the sale is in the bag and the rest of the day is just window-dressing.

I have a theory that when companies and governments go down the pan, their demise can be ultimately traced back to one or more golf course decisions.

Can you imagine the board of Enron sitting round a table with the accountants saying "let's book our operational expenses as capital expenditure and as a result, vastly and artificially inflate the value of the company with all those non-existent assets"?

No!

What probably happened was Bernie Ebbers was given a free golfing weekend by Anderson Consulting and the salesman sold him a great accounting scam, while quietly pointing out that nothing is illegal - so long as you aren't caught.

Of course, it works the other way too.

I once worked for a company that decided to remove Novell Netware from its IT infrastructure. Novell had been quietly working away for years, with almost no downtime and impressive performance, but it had to go. The reason for the sudden change in strategy was that the IT Manager had had a row with the Novell sales people over a £70k yearly licensing fee for the coming year. The resultant project cost £750k, took almost 2 years to complete and the £70k yearly licensing fee still had to be paid twice more while we worked out a way to migrate from Netware 6 to Windows 2003. I think the £70k yearly license fee saving was actually used in the business case to justify the project.

Time and again we see bad business and political decisions that have apparently no justification beyond the faint whiff of well-tended grass. Here are a few examples:

Maggie Thatcher introduces the Poll Tax, to vastly increased bills for everyone and riots in the streets. It is generally felt that the Poll Tax and Maggie's support for it against all practical and political common sense was the cause of her eventual downfall and the reason why we have our current government.

Tony Blair decides that WMD must exist because his spin doctors tell him so and at the behest of a Texan only lightly blessed with intelligence he commits vast resources and many lives to a disastrous war in the Middle East. The ONLY reason that he wasn't kicked out at the next election is due to our voting system that allowed Labour to stay in power with a majority government, even though the Conservatives got 60,000 more votes.

EDS wins yet another government contract, despite failing to deliver on time or budget almost every other high profile IT project for government. Pretty obvious here who's holding the clubs - do you not remember The Child Support Agency (2 years late), The Department of Work and Pensions (the biggest computer crash in IT history), The Tax Credit System (thousands of families on the breadline)? And yet, EDS still managed to pick up the MoD defence consolidation project and are strongly tipped to get the new ID Cards scheme too - in the face of legal action over £43 million of the National Air-traffic Control System and 30% of the £2 billion tax credit fiasco.

The only thing that can successfully combat golf course decisions is accountability. Accountability to the voters and to the board/shareholders. It is the exceptional arrogance in the minds of decision-makers that causes them to ignore sober advice and the only sure way of combating this is a direct threat to their jobs. It is largely the job of the non-executive and financial directors to be advisers and policemen in the boardroom and it is about time the gloves were removed...

Wednesday, 10 Aug 2005

DHCP is perhaps one of the most ubiquitous, yet misunderstood (or perhaps under-utilised) of all infrastructure components. Most companies spread over more than one site have a DHCP server per site and as a result, this can easily grow into a mass of dozens of DHCP servers, with different settings, and no way of centrally managing them in terms of configuration.

There are commercial solutions out there that will provide a highly distributed, yet centrally managed DHCP solution (QIP is an example), but these are not cheap and are not as widely used as the free service provided with the Windows operating systems.

With this scenario, the real problems come during an Active Directory upgrade/migration or during a re-ip of the internal network.

Active Directory upgrade/migration
When moving from a Windows NT4 based domain (or indeed anything other than a Windows 2000/2003 Active Directory domain) DHCP Servers must be known and authorised as soon as the domain is available. If this is not done, DHCP Servers running Windows 2000 or later will stop issuing DHCP addresses to DHCP Clients as soon as they join the domain. This feature was put in to combat the problem of rogue DHCP Servers on the domain, and while it is useful, a DHCP server does not have to be running Windows, or be on the Domain, in order to cause havoc.

When Active Directory is implemented, it is likely that the DNS Domain Name will change (DHCP Option 015), meaning that each DHCP Server must be altered and every statically assigned IP Address must also be visited and changed accordingly.

Many companies have grown by acquisition or rapid expansion and it is easy to lose track of where all the DHCP Servers reside. With this in mind, we have yet another reason why an audit of all locations is vital to the success of any Active Directory project.

Re-IP of the internal network
When the internal network is re-ip'd, several problems come to light concerning DHCP Servers:

1. The DHCP Servers themselves have to change their IP Address.
2. The DNS, WINS, DNS Domain Name and any other settings/services given out with DHCP may also change.
3. The new IP Addresses of the DHCP Servers must be Authorised on the Domain (if it is an Active Directory Domain), and the old addresses removed.
4. A number of machines (including printers, comms kit, etc) will have static IP Addresses, and will have to be visited individually to change their address.
5. The corresponding reverse lookup zones will require configuration on the internal DNS Servers.

There are other issues, but these are the ones we are interested in for the purposes of this article.

Alternative Solution?
At this point, the idea of maintaining many DHCP Servers seems a little ridiculous, as well as an increasing burden on the support teams. It is therefore a good idea to consolidate the solution into 2 centralised DHCP Servers, and an Active Directory upgrade/migration or a re-ip of the internal network are both excellent (and cost efficient) opportunities to perform the work.

The overall solution works as follows:
2 DHCP Servers are built, physically separated to mitigate building outage. Each server hosts ALL of the available IP Addresses for every Scope, but one server has the first half of the Scope excluded and the other Server the second half excluded (to ensure neither server can give out duplicate IPs). As many of the machines with static IPs as possible are changed to DHCP addresses and the IPs reserved on BOTH DHCP Servers for ALL statically assigned IPs.

This solution vastly reduces the impact of a re-ip and makes it very simple to make infrastructure changes later on. The number of statically assigned addresses that need to be changed by hand reduces significantly, while the rest can be managed centrally as MAC Address Reservations. Finally and most importantly there is a single, central database (albeit spread across 2 physical servers) of all assigned IPs that is guaranteed to be accurate and is easily maintainable.

Typically, a medium to large company has a great many subnets, and the scopes governing these subnets are configured at many DHCP Servers. I have prepared a spreadsheet that consolidates up to 1000 individual scopes onto 2 DHCP servers. The current version of this spreadsheet contains over 50,000 formulae and drives a VBScript program that configures both DHCP Servers, with all the Scopes, their Scope Options and all the reservations in a few minutes.

This solution ensures (and it has been proven in practice) that either DHCP Server can be down for AT LEAST half the lease time (default 8 days) without detriment to the environment. It is therefore assumed that a total outage of a DHCP Server can be recovered/restored in 4 days - something that even the busiest sysadmin can easily achieve.

I have published an article on the design of the solution (now deployed at 3 clients totalling 200 sites and over 330 subnets) at http://www.leafgrove.com/articles.asp?id=3 and I welcome your comments on this blog, and the article.

The only fly in the ointment is the fact that DHCP Databases cannot be replicated, so the MAC Address reservations must be configured individually on each server. The alternative to this is a clustered DHCP solution, but the technology needed to physically separate the cluster nodes is expensive and perhaps not fully mature. I would be very interested to hear from anyone who has successfully managed to get DHCP databases to replicate MAC Address reservations tables.
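As an added illustration of the split-scope design (my own example, not the author's spreadsheet or VBScript), the following Python plans one scope for the two servers, checks that their dynamic pools cannot overlap and that every reservation lies inside the subnet, and emits the equivalent netsh lines for both servers, reservations included. The scope, hosts, MAC addresses and the server names DHCP-A and DHCP-B are constructed; the netsh syntax is the Windows 2000/2003 "netsh dhcp server" form as I remember it and should be checked against your server version before use.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    network: str          # subnet in CIDR form, e.g. "10.1.1.0/24"
    name: str             # scope name shown in the DHCP console
    dns_domain: str       # DHCP option 015 (DNS Domain Name)
    dns_servers: list     # DHCP option 006 (DNS Servers)
    # mac -> (ip, hostname); written to BOTH servers, as the design requires
    reservations: dict = field(default_factory=dict)


def usable_range(scope):
    """Dynamic pool: every host address except the first, kept for the router."""
    return list(ipaddress.ip_network(scope.network).hosts())[1:]


def split_plan(scope):
    """Both servers carry the whole pool; A excludes the upper half, B the lower."""
    pool = usable_range(scope)
    mid = len(pool) // 2
    low, high = pool[:mid], pool[mid:]
    whole = (pool[0], pool[-1])
    return {
        "DHCP-A": {"pool": whole, "exclude": (high[0], high[-1]), "serves": set(low)},
        "DHCP-B": {"pool": whole, "exclude": (low[0], low[-1]), "serves": set(high)},
    }


def verify_plan(scope, plan):
    """Return a list of problems; an empty list means the plan is safe to deploy.

    The two servers must never be able to lease the same dynamic address,
    the two halves must cover the whole pool, and every reservation must
    lie inside the scope's subnet (one outside it is a typo in the table)."""
    problems = []
    a, b = plan["DHCP-A"]["serves"], plan["DHCP-B"]["serves"]
    if a & b:
        problems.append(f"{len(a & b)} address(es) leasable by both servers")
    if a | b != set(usable_range(scope)):
        problems.append("split does not cover the whole pool")
    net = ipaddress.ip_network(scope.network)
    for mac, (ip, host) in scope.reservations.items():
        if ipaddress.ip_address(ip) not in net:
            problems.append(f"reservation {host} ({mac}) {ip} outside {scope.network}")
    return problems


def netsh_commands(scope, plan):
    """netsh lines for each server; reservation lines are emitted for both,
    because the DHCP database is not replicated between the two servers."""
    net = ipaddress.ip_network(scope.network)
    sid, mask = net.network_address, net.netmask
    lines = []
    for server, view in plan.items():
        base = f"netsh dhcp server \\\\{server}"
        lines.append(f'{base} add scope {sid} {mask} "{scope.name}"')
        lines.append(f"{base} scope {sid} add iprange {view['pool'][0]} {view['pool'][1]}")
        lines.append(f"{base} scope {sid} add excluderange {view['exclude'][0]} {view['exclude'][1]}")
        lines.append(f'{base} scope {sid} set optionvalue 015 STRING "{scope.dns_domain}"')
        lines.append(f"{base} scope {sid} set optionvalue 006 IPADDRESS {' '.join(scope.dns_servers)}")
        for mac, (ip, host) in scope.reservations.items():
            lines.append(f'{base} scope {sid} add reservedip {ip} {mac} "{host}"')
    return lines


# Constructed sample scope (names, addresses and MACs are made up).
SAMPLE = Scope(
    network="10.1.1.0/24", name="HeadOffice-Floor1", dns_domain="corp.example",
    dns_servers=["10.1.0.10", "10.1.0.11"],
    reservations={"001122334455": ("10.1.1.20", "printer-f1"),
                  "00aabbccddee": ("10.1.1.200", "switch-f1")},
)

if __name__ == "__main__":
    plan = split_plan(SAMPLE)
    for problem in verify_plan(SAMPLE, plan):
        print("PROBLEM:", problem)
    print("\n".join(netsh_commands(SAMPLE, plan)))
```

Because each server only ever leases its own half, a client renewing while one server is down simply takes a fresh lease from the other half, which is why the half-lease-time outage tolerance above holds.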

Friday, 2 Apr 1999

The Melissa virus, also known as WM/Melissa or W97.Melissa, is a Microsoft Word Macro Virus. It has recently been heavily reported in the media due to one of its primary distribution methods. Melissa probably originated from an infected document placed on a public USENET server. The document purported to contain passwords to pornographic web sites and therefore was eagerly downloaded. The Virus infected these users and passed itself on via email. This is the reason it has spread so quickly.

The Virus is written in Microsoft Visual Basic for Applications, and for this reason it is extremely widespread. Most of the world's companies are using Microsoft software and this virus has hit the larger organizations the hardest. The fact is, it is not the virus's payload that is causing the problem but its major method of reproduction – I refer to it here as the mail bomb.

When Microsoft Word starts, it first opens an initial template file, by default called NORMAL.DOT. This template file resides, by default in the TEMPLATES directory of your Microsoft Office installation. The file contains your default Word settings, including any standard macros that you may use.

Melissa traps the ‘On Open’ event in Microsoft Word. This event is called every time a file is opened, including NORMAL.DOT. An unsuspecting user opens an infected document from any source and the virus swings into action.

The following happens each time an infected document is opened:
1. Melissa first switches off any error messages that may be produced
• This is done so you do not suspect anything is wrong, should the virus fail one of its actions.

2. Melissa checks the security level of Word 2000
• If the security level entry exists, i.e. if you have Word 2000 installed, then your protection is removed by setting macro virus security to its lowest level.
• The virus also disables the macro security option on your Word 2000 menus, thereby stopping you from altering your security settings from their lowest level.
• The virus disables the macro option on your Word 97 menus, thereby stopping you from deleting the virus from the current document or even verifying that you are infected.
• The virus disables the prompts that are displayed concerning file conversions, macro virus protection and saving your normal template. This is done so you do not suspect anything is wrong by receiving an odd prompt while it is propagating itself in the background.

3. Melissa instantiates an Outlook object, an email object, and a MAPI object.
• It requires each of these objects to send the email.

4. Melissa now checks for its registry key
• An infected machine contains the key HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa? with the value "... by Kwyjibo"

5. If the registry key does not exist then Melissa attempts email distribution.
• The virus tests to see if its Outlook object is Microsoft Outlook.
• If your default MAPI client is other than Outlook or you do not have Outlook installed then the virus will fail its email distribution attempt, but you will not receive an error message due to step 1.

6. Melissa logs on to your default profile
• VBA may expose your Exchange password here. In most NT/Exchange installations your Exchange password is also your NT logon password (this has not been tested).

7. Melissa then finds the first address list in your address book
• In a typical Enterprise Exchange installation there may be a number of Exchange servers dotted around the world all replicating their databases to each other; each server database could contain many address lists.

8. The virus grabs the first 50 addresses in the current address list and adds these to a recipient list for its mail bomb.
• Each entry in the address list could in its own right be a mailing list, containing more addresses.

9. The virus builds the rest of the email
• The Subject Line is: "Important Message From " followed by the username that Word was installed with, usually your or your company's name.
• The Body is: "Here is that document you asked for ... don't show anyone else ;-)"
• The email is completed with the current document as an attachment. Theoretically this document could be anything, not just the original advert for porn site passwords – this has not been tested.

10. Melissa then moves to your next address list and cycles through steps 8 and 9 until all address lists have been sampled.
• In a typical Enterprise Exchange installation there may be a considerable number of address lists, each contributing 50 addresses to the mail bomb.

11. The virus then logs off your Outlook Profile

12. Melissa then sets the registry key mentioned in step 4 so that the current victim does not send any more mail bombs.
• The rest of the virus code is concerned with the second method of propagation and the payload.

13. The virus checks for its existence in the active document and checks that the code module is called Melissa.
• Hence the name of the virus itself.
• If the code module is named other than Melissa then its name is changed.

14. The virus checks for its existence in the default template and checks that the code module is called Melissa.
• If the code module is named other than Melissa then its name is changed.
• If the active document does not contain the code module then the code is copied in line by line.
• If the default template does not contain the code module then the code is copied in line by line.
• Many macro viruses simply overwrite the default template with an infected version, thus losing the default settings and alerting the user; Melissa adds to the default template, making an infection harder to spot.

When a new document is created from the default template, the filename (unless altered in the template) defaults to “DocumentN” where N is the number of new documents created since Word was last started.
The virus is clever enough to recognise that a filename containing the word "Document" probably has not been saved. The virus will not save this document until you give it a filename. However, if the document has been saved then the virus saves the file now containing itself. The virus also sets the "Document Saved" flag to true so that if you didn't modify your document yourself you are not alerted with a "Save Changes" message when you close it.

• There are some comments in the virus containing the following text:

WORD/Melissa written by Kwyjibo
Works in both Word 2000 and Word 97
Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
Word -> Email | Word 97 <--> Word 2000 ... it's a new age!

15. The last thing the virus does is set the condition for the deployment of the payload.
• If the number of the current day is the same as the number of the current minute then the following text is inserted into the current active document:

“Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here.”

• The message is a quote from Bart Simpson from The Simpsons; it refers to a Scrabble game he was playing against Lisa Simpson.
• The attributed author's name (Kwyjibo) is the word Bart used to get the high score mentioned in the payload message.

Issues concerning infection
1. The email is sent using the current user profile. The issue of profiles is thorny for virus removal as NT Server and Workstation keep users' registry settings, Word documents, templates and other files separated for each user. Therefore any cleanup of this and indeed other Viruses will have to take into consideration the fact that a complete set of infected files could be sitting in a dormant user profile just waiting to be opened, starting the whole process off again. Not only that, but the registry entry is made and checked on the HKEY_CURRENT_USER branch. Therefore the next user who logs on to that machine could set the mail bomb off again. The mail bomb is delivered once per user NOT once per computer.
2. The virus logs on to your default Outlook profile and seems to have no problem with passwords. If the profile password is exposed, then in many cases so is the NT login password, as the two are often synchronised in an NT/Exchange installation (this has not been tested).
3. The reason the virus has spread so fast is down to its primary propagation mechanism, the mail bomb. Consider 1 infected user who has at least 50 entries in his address list. Consider that each of the fifty users he unwittingly sent infected email to also has at least 50 entries in their address list, and so on. After 2 cycles there are 2500 infections; after 3 cycles there are 125000 infections. After 10 cycles there are 97,656,250,000,000,000 possible infections.
4. By far the biggest problem caused by Melissa is the amount of email being sent. Consider again the Enterprise Exchange installation with many sites and servers in each site. The sheer volume of email with attachments was simply maxing out the bandwidth available for inter-site communications, effectively halting all inter-site communications until the email had all been passed. The costs for one medium-sized corporate have been reliably estimated at £5 million sterling for this one virus alone.
5. If the registry key exists then the virus will not mail bomb, thus if a user inserts the key correctly by hand, then the virus will not mail bomb, should the user become infected at a later date. This will not however protect the user from variants that test for a different registry key.
6. Resetting of the Word 2000 Macro Virus Protection key in the registry will at least warn a user that there is a macro in the current document, and give them the option of disabling macros. The virus does not modify the Word 97 Macro Virus Protection key in the registry.
7. It would be relatively simple to modify this virus to be polymorphic, i.e. the virus would slightly modify its code upon each infection, making detection, removal and protection far more difficult. This type of virus represents a major threat to the business community who are relying on Microsoft Word, Outlook and Exchange. More must be done to reduce the risk so that Anti-Virus companies are not constantly playing catch-up. A suggestion has been made to me that the VBA functionality could be optionally switched off in future versions of Microsoft Office Products, thus giving Systems Administrators the ability to remove the threat at a stroke from most of the users.
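As an added, defender-side example that is not part of the original article, the following Python applies two of the observations above to a constructed mail-gateway log: the fixed subject and Word attachment of steps 8 and 9 as a static signature, and the 50-recipients-per-message pattern of step 10 as a behavioural rule that still fires on a variant with a changed subject. It also carries the propagation arithmetic from point 3. The log format, addresses and subjects are made up.

```python
import re
from collections import defaultdict

# Constructed mail-gateway log (made-up addresses and subjects). One line per
# outbound message: <timestamp> from=<sender> rcpts=<count> subject="<subject>" attach=<file|->
SAMPLE_LOG = """\
1999-03-26T14:02:11 from=alice@corp.example rcpts=50 subject="Important Message From Alice" attach=list.doc
1999-03-26T14:02:13 from=alice@corp.example rcpts=50 subject="Important Message From Alice" attach=list.doc
1999-03-26T14:02:14 from=alice@corp.example rcpts=50 subject="Important Message From Alice" attach=list.doc
1999-03-26T14:05:40 from=bob@corp.example rcpts=1 subject="Re: lunch" attach=-
1999-03-26T14:06:02 from=carol@corp.example rcpts=3 subject="Important Message From Carol" attach=budget.xls
1999-03-26T14:07:55 from=dave@corp.example rcpts=50 subject="Q1 figures" attach=q1.doc
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) rcpts=(?P<rcpts>\d+) '
    r'subject="(?P<subject>[^"]*)" attach=(?P<attach>\S+)$'
)


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["rcpts"] = int(ev["rcpts"])
            events.append(ev)
    return events


def is_word_file(name):
    return name.lower().endswith((".doc", ".dot"))


def signature_hits(events):
    """Static rule from steps 8-9: subject 'Important Message From ...' carrying a Word file."""
    return [ev for ev in events
            if ev["subject"].startswith("Important Message From") and is_word_file(ev["attach"])]


def mail_bomb_senders(events, fanout=50, min_messages=2):
    """Behavioural rule, independent of the subject text: one sender emitting
    several Word-attachment messages of exactly `fanout` recipients each, which
    is what one message per address list (step 10) looks like at the gateway."""
    counts = defaultdict(int)
    for ev in events:
        if ev["rcpts"] == fanout and is_word_file(ev["attach"]):
            counts[ev["sender"]] += 1
    return {sender: n for sender, n in counts.items() if n >= min_messages}


def projected_infections(fanout=50, cycles=1):
    """Worst case from point 3 above: every recipient infects `fanout` new users per cycle."""
    return fanout ** cycles


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("signature hits:", [(e["ts"], e["sender"]) for e in signature_hits(events)])
    print("mail-bomb senders:", mail_bomb_senders(events))
    print("possible infections after 10 cycles:", projected_infections(50, 10))
```

Note that dave's single 50-recipient message is not flagged by the behavioural rule: one bulk mail is normal, a run of identical ones is the signature of a mail bomb.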
