About | Buy Stuff | News | Products | Rants | Search | Security
Home » News » Roundups

The Love Bug - A Retrospect

This week marks the fourth anniversary of the Love Bug aka the ILOVEYOU worm, a watershed in the online connected experience. It was an exciting time, but also a great opportunity for the world to learn something about security and engineering quality - an opportunity that was studiously ignored and has been ever since.

The world continues in a tailspin Copyright © Microsoft Corporation.


Fred Björck was working at his office late at night when he heard about the Love Bug. Fred was a PhD candidate at the Royal Institute in Stockholm, working out of the Elektrum think tank in Kista, Sweden's 'Silicon Valley' just north of town.

Fred was the one who'd put the hunt for Melissa on track. Well-known security talking head Richard Smith had been in the media about Melissa, but evidently had not found the dimes to drop down the slot. Fred contacted Smith, reminded him that MS Word documents had metadata, and the hunt was on. Together with Jonathan James, also a resident of Sweden, Fred and Smith put the FBI on track and eventually they got their man.

Fred worked all night long on the Love Bug case. Knowing instinctively where to search online for the trail, he found what he wanted by 7 AM the following morning. After calling home to his girlfriend and telling her he was finally calling it a night, Fred called the news media in the capital and made his announcement. With an attache laden with documented proof he began the short trek home on foot.

When he arrived at his own apartment stairwell, Fred was greeted by a horde of reporters standing outside his door. 'OK, it's like this', he told them. 'I've been at it all night long. I'm tired - exhausted actually. I need a shower. I need some breakfast. I need to kiss the girlfriend. I've got everything you want in this attache. Once I've had my breakfast, we'll lay the materials out on the kitchen table and invite you in. Just wait right here.'

They waited. Over an hour.

Fred went inside, kissed his girlfriend, took a shower, and sat down to breakfast. When he'd finished, they cleared the table, Fred spread his documents out, and he went and opened the door. 'There it is', he told them. 'You can't take any of it with you, but you can take notes.'

And he left them to it, refraining from commenting himself on what he'd found. Better to let them read it and draw their own conclusions, he said. When they'd got all they wanted, they thanked him and hurried back to town.


Rick Downes had been up all night too when the Love Bug story broke, and he was about to call it a night - right about when Fred finished his breakfast - when Anna Lindmarker came on the TV with a special bulletin. A Swede has just located the author of the Love Bug worm, she announced. More details to follow.

Rick was a programmer and trainer in Northern Europe and consultant at Radsoft.net, working in Stockholm on an Explorer replacement for Windows.

Rick immediately fired off emails to both C|net and Wired. Lynn Burke of Wired replied almost immediately. She got out a short wave radio and tried to find a Swedish news channel. 'But you can't speak Swedish!' Rick pointed out to her. 'Well no, but I might be able to pick up a word or two!' was Lynn's answer.

By early afternoon the destruction was brutal. A partial list of the companies and institutions that were knocked out was published at the following URL, along with a cursory analysis of the worm itself.

http://radsoft.net/news/roundups/luv/20000504,00.html

Within twenty four hours the first spin-off was in the wild: the Mother's Day ruse. And Richard Smith found his way back to the media, spouting such memorable truisms as 'web administrators should know better than to run VBS attachments from unknown sources' and the like.

By now it was also clear that Microsoft technology was behind the catastrophe. Initially hushed in the media, no doubt because of pressure from Microsoft offices, the word now began to spread. And by midday Microsoft had responded with what they called a 'patch' for the worm: all it did was notify the user that the message may contain malicious code; it didn't stop a thing.

And the official word from Redmond at the same time was:

'Delete email messages with the 'I Love You' subject line.'

Simultaneously the media began hitting Microsoft. Gartner's Michael Zboray was cited at C|net as being highly critical.

'Visual Basic script and the macros are proving to be a disaster. This is just happening over and over again. We have to get away from this hostile active content that is coming in through Word documents, Excel spreadsheets, and the browser.

'You can say a lot of things about how Java's not good, and you can say JavaScript has a lot of flaws, but the security posture from which they were designed was the right posture. The security posture from which ActiveX and VBScript were designed is the wrong posture.'

http://news.com.com/2100-1001-240135.html

Gary McGraw of Reliable Software Technologies put it this way:

'At Microsoft, they always go for more functionality over security. That's what the marketplace wants, because the marketplace isn't very educated about security. It's easy to sell products that aren't perfect to people who are ignorant.'

Microsoft defended their weak position much the same way AnalogX traditionally defends his Proxy - the settings are there, it's just that people don't use them - but people weren't satisfied with such an approach. And as C|net pointed out:

'One problem is Outlook's extensive dependence on Visual Basic and the ways hackers can exploit it. Another is the ease with which scripts can manipulate Outlook's address book and also affect the operating system regardless of other security measures, such as password protection.'

What they're all talking about here is that although Java and JavaScript have strict rules about obtaining access to the local machine (the latter cannot at all) Microsoft's products had no such limitations whatsoever, and it was possible with the aid of a simple script to wreak destruction for billions.

http://news.com.com/2100-1001-240184.html

An hour later, F-Secure published a 'how-to' on turning off VBScript.

http://f-secure.com/virus-info/u-vbs/uninstall-vbs.html

An hour and a half after that, Radsoft published the first run-through of the worm code itself.

http://radsoft.net/news/roundups/luv/luv_src.html

At the same time, on the late evening news, Fred Björck appeared and gave a complete low-down on the worm and its author. It was at this time the story about the worm author being a German in Australia began to circulate. Rick contacted Lynn and told her what he'd seen.

Fred claimed he'd tracked the author down by tracing IPs in email letters found on Usenet. He also stated he would be turning his findings over to the FBI.

Less than two days later, the next shock hit the world. Leigh Stivers of DP Technology published a proof of concept that was capable of wiping out hard drives without even an attachment, and without Outlook ever opening the message. The world waited breathlessly for the other shoe to drop.

http://news.com.com/2100-1001-240189.html

Fourteen hours later - we're up to 14:00 UTC 8 May now - word starts leaking out that the NBI (National Bureau of Investigation) in the Philippines have made some arrests. But the information is contradictory. One story gives the culprit the name Rommel Lamores; another story calls him Reomel Ramones. But significantly the name Irene de Guzman begins to surface. Both she and her sister Jocelyn were also supposedly arrested.

And the name Jonathan James starts to turn up again. And Trend Micro starts publishing statistics of destruction.

  • 3.1 million files worldwide
  • 2.5 million in North America
  • 325,000 in Europe
  • 129,000 in Asia
  • 25,500 in Australia and New Zealand

And Fred finally gets his picture in the paper.

http://news.bbc.co.uk/1/hi/sci/tech/740623.stm

Things start to get muddled now. Fred is sitting quietly, not doing a thing. He wouldn't even comment on his own findings that first morning in his kitchen, and would later claim the entire red herring about a German in Australia was not his idea at all, but some cockamamie concoction the reporters dreamed up.

For Fred was quite confident he had his man, and that man was nowhere near Australia. He was in Manila, or the outskirts at least, at a programming institute known as 'Amaconda' - AMACC (today AMACU).

http://www.ama.edu.ph/amacollege/

Onel de Guzman was the younger brother of Irene de Guzman. He was not arrested with the others because he could not be found: he'd gone to earth. Michael Buen was with de Guzman at Amaconda. Both had been scheduled to graduate that spring - on 5 May.

Pursuant to graduation was a requirement to write a substantial programming project first submitted to the school board for approval. Always an exemplary student, Buen had submitted his project, been given approval, and gone ahead and written it with the help of a Borland compiler. Rick studied this project of his, and he was rather impressed by the tidy way Buen did his work. Later claims this project was the basis of the Love Bug were completely unfounded. Buen received top honours for his work.

http://wired.com/news/politics/0,1283,36699,00.html

Onel de Guzman's submission was turned down. He wanted to write a trojan, claiming trojans were a good way to learn about programming, to increase one's 'knowledge'. The school board didn't take kindly to the idea. de Guzman also argued that the net should be free, and that it was anything but free in the Philippines, and therefore his trojan would swipe ISP account information so other people could get online.

Onel de Guzman never made another submission. He did not graduate. But the final version of the Barok trojan took form about this time. Rick was able to get his hands on the code, thanks to Fred.

http://radsoft.net/news/roundups/luv/barok.html

Whoever had coded Barok had learned as he'd gone along. Borland was abandoned for Microsoft, then MFC bloat was ferreted out, and at the end it was a tight program indeed. And it had to be: the quicker it can be downloaded onto a target machine, the better the chances it will go unnoticed.

The parallels between Barok and Onel de Guzman's proposed research project are too numerous to be tossed aside. Without any further evidence, everything points to one person alone: Onel de Guzman.

But why would Onel suddenly release Barok into the wild? Wasn't it already there? In a sense, yes; but Barok is only a client/server mechanism - it's not a worm that is capable of self-propagation. For that to happen, a bit of scripting was needed.

So did de Guzman suddenly decide to write that script and release the Love Bug into the wild? Was he on some sort of self-destructive bent?

Onel de Guzman finally surfaced. He really had little to fear: the Philippines had no legislation against hacking. Nevertheless, he took his sister Irene and a lawyer with him to the press conference he held.

Was he the one who'd released the Love Bug into the wild? asked the reporters.

A crushed de Guzman took his time answering the question. Not intentionally, he answered at last, but perhaps inadvertently.

And that's as far as the reporters ever got. The official case was closed in August by the NBI, as there was no proof of anything and no laws were officially broken.

http://wired.com/news/politics/0,1283,38342,00.html

Soon afterward, stories circulated that both Buen and de Guzman had been offered ripe salaries by US-based security organisations. The Philippines now passed a law against hacking, but for the Love Bug and its authors, whoever they were, it was way too late.

So who wrote it? And why? And how did it get into the wild? After all, it's fairly obvious - or nearly so - that the event was an accident of some sort.

Enter Fred Björck. Way before most of this story broke, Fred had a reporter from the Washington Post on location in Manila hunting down leads not on the author, but on the sequence of events leading to the outbreak.


There was someone called Madame Bautista at Amaconda, Fred explained. She was a teacher, and evidently a hottie. Both Michael and Onel were after her, and their rivalry threatened to ruin their friendship. The entire sequence of events cannot be known, but something happened. Suddenly we see mysterious inquiries at Usenet from a Michael in the Philippines about how one goes about breaking into Hotmail accounts. Madame Bautista very definitely had a Hotmail account. Michael Buen got jealous of Onel and Bautista, broke into her Hotmail account, configured Onel's own trojan to work against him, wrote the enclosing script, and sent the message - with the sender being Madame Bautista at Hotmail - to Onel with the subject line 'I LOVE YOU'. Onel of course opened the message, and the rest is history.


A Dutchman crafted a new variant on ILOVEYOU at the turn of the year. Once again using social engineering, his worm promised pictures of a naked Anna Kournikova. Again the target was Microsoft Outlook, and again the devastation was brutal. Soon afterward, yet another attempt was made, this time using the mutant derriere of one Jennifer Lopez as the bait.

But the Love Bug was the big one, the worst Internet attack in history, causing an estimated $5.5 billion in damages.

Amaconda is today recognised as a leading IT institute.

Michael Buen graduated from Amaconda the day after the outbreak began. Both Buen and de Guzman were on their way to the US already before the outbreak, having been courted by a prominent anti-virus firm. The link below has a number of inaccuracies regarding Buen's examination project (it was absolutely not written in assembler), but otherwise is satisfactorily accurate.

http://computeruser.com/news/01/01/05/news10.html

When last anyone cared to look, de Guzman was on his way to the UK. No one knows what Buen is doing or with whom.

Madame Bautista cannot be found at AMACC (AMACU) anymore.

Anna Lindmarker has moved from news anchor to Sweden's Katie Couric, alongside Sweden's Matt Lauer, Steffo Törnquist. She's made the show a bigger success than it's ever been.

Anna's often rumoured to be carrying on a royal affair with the king of Sweden, but of late she's supposedly shacked up with the head of the national media company and was therefore forced to dump His Royal Highness.

Lynn Burke left Wired in October 2000.

Fred Björck is still at the Royal Institute; is found quite often in the news, as keynote speaker, and on the covers of magazines; and runs his own web site and business out of Stockholm.

Rick Downes presented his Explorer killer to RISKS, the London Daily Telegraph, and the world, has since abandoned the Windows platform as hopeless, and is still ranting and raving and wondering why the world didn't learn its lesson with ILOVEYOU:

Indiscriminate use of whiz-bang technology leaving corporations wide open to simple pranks, causing billions of dollars of destruction, with networks protected only by Microsoft-authorised zero administration Tastee-Freez MCPs.

Memorable Quotes

Do you think Microsoft truly failed to realize that countless users weren't educated enough to understand the ramifications of these software features? I doubt it; 5 years ago most Windows users were just beginning to learn about the Internet, and Microsoft certainly knew that. I won't speculate about the company's motives for overpowering the software, but I think it's a ridiculous practice that costs global businesses millions, if not billions of dollars in excessive administrative and educational efforts.
 - Mark Joseph Edwards

I'm thanking Byron for sharing his computer and ideas, book and time, I'm using his computer every Saturday and Sunday just to write this program. And to all GRAMMERSoft especially LIENQ, I know what the hell of hacking we are all doing but nevertheless it is still legitimate learning.
 - Michael I Buen

I think. I speak. I love. I write. I create. I design. I take photographs. I am a Leo. I drink beer. I hang out. I smoke. I play. I wish. I live. I love. I play billiards. I do lunches and dinners. I love the theater. I watch movies. I desire Brendan Fraser. I play darts. I climb mountains. I dream. I hurt. I listen. I feel. I live. This is my world.
 - Irene de Guzman

I was a Microsoft sympathizer until just this moment. I've always opposed government action in this case, confident that the market would take care of itself. Big inefficient corporations eventually collapse under their own weight, and although it looks slow to us, natural corrections are ultimately more efficient than artificial ones. I've also been sympathetic to Microsoft because I felt Gates was getting a bum rap from elite computer users. It's not his fault the majority of buyers are idiots. The ignorance of the marketplace is the real villain here. I'm not a programmer and I don't run a server, so Microsoft products do what I need done in a reasonable manner. So I have never jumped on the bash Gates bandwagon. But this, this is beyond the pale. This is the last straw. Allowing people to run Visual Basic scripts from email is dumb enough, but now Gates is using his own shitty programming as an excuse to keep the company together! This is like a boy murdering his parents and asking for pity because he's an orphan! Shameless audacity. Disgusting. 'Features' my ass.
 - Michael Duff

Surely the BBC has responsibility to the truth, to explain fully? I have just watched your lead item on BBC News 24 and then read your headline article on the web. In neither do you take the time to explain that the danger lays with those running Microsoft Windows and Outlook. No, you use the blanket term 'computers'.
 - Gary Mitchell

Does it sound reasonable to you that I can write a script to access YOUR address book? YOUR files? Can you think of ONE legitimate application for this feature?
 - Federico Heinz

Why blame a 15yo kid when the real culprit is a multi-billion dollar software company's crappy software?
 - Mike Currie

I heard some TV news this morning describe it as 'a wakeup call'. Forgot Melissa already, eh? How many wakeup calls does it take? Methinks wakeup calls now come with a snooze control.
 - /. Reader

VBS/LoveLetter and related viruses use Windows Scripting Host (WSH) to spread. By uninstalling WSH, your machine will become immune to attacks like this. However, you will not be able to use any VBS script files after doing this. Most users do not use VBS scripts for anything.
 - F-Secure Advisory

Shouldn't they be arresting someone at Microsoft?
 - /. Reader

Love Bug Update: Sasser

The irony is thick: on this the 4th anniversary of the ultimate wake-up call for Windows users, a new worm spreads and humiliates them again.

Sasser worm hits up to 1m computers [The Guardian]
A new internet worm is putting businesses at risk as staff return from the bank holiday and switch on their computers. The worm, known as Sasser, is thought to have infected between 2,000 and 1m computers so far.

Internet virus causes chaos [NEWS.com.au]
The latest computer virus sweeping the globe - the Sasser worm - has hit the Northern Territory. The Government's computer network was thrown into chaos when the worm struck yesterday morning. Dozens of businesses were also affected. About 10 per cent of the Government's 10,000 computers were put out of action. This meant 1000 public servants could not work. The rest of the Government system was drastically slowed.

Sasser infections hit Amex, others [Infoworld]
American Express Co. joined a number of U.S. universities in reporting infections from the Sasser worm on Monday and the SANS Institute's Internet Storm Center (ISC) maintained a yellow warning Tuesday despite expectations earlier in the day that the Sasser outbreak would wind down Monday, according to interviews.

Classic worm sparks worry [Newsday]
Sasser has caused little damage, since it has no payload and is merely designed to spread. What makes professionals nervous, however, is that a new and more carefully coded version has appeared every 24 hours since it was first launched.

Sasser computer worm wriggles worldwide [New Scientist]
More than a million computers around the world have been infected by the Sasser computer worm or one of its variants, according to some estimates. The first version of worm was released on 30 April, but three modified versions have appeared since, known as Sasser.B, Sasser.C and Sasser.D. The worm causes infected machines to restart continuously when a user attempts to connect to the internet. Even when not doing this the worm impairs the computer's performance.

Computer worm strikes India [Boston Herald]
The pesky worm snarled hundreds of thousands of machines worldwide yesterday in the latest virus-like outbreak to take advantage of a known flaw with the Windows operating system.

Stop Sasser in its tracks [News 24]
The Sasser internet bug was still spreading on Tuesday, but at a slower pace than seen over the weekend and experts said the outbreak would die down as soon as PC users had protected their machines against it.

Sasser computer worm causes trouble [ABC Australia]
Originally it was regarded as a relatively harmless computer virus - poorly written, and unlikely to do any serious damage. But the sasser worm - unleashed on the web last week - has been causing trouble around the world, including here in Australia. And while the company is providing a solution to its clients, it seems hackers are becoming ever faster at using the company's own information against it, and before computer users have a chance to catch up.

Q&A: The Sasser worm [BBC News]
The Sasser worm is the latest headache for Windows users. But what is it, how dangerous is it and what can you do about it?

PC users told to get their computers patched [IOL]
Computer users should check that their computers had the free protective patch that would fend off the Sasser worm causing panic throughout the world for its ability to force computers to reboot, Microsoft South Africa said on Tuesday.

Computer worm takes business toll [Financial Times]
Sasser, the latest computer worm that can travel direct from the internet via a vulnerability in Microsoft Windows software, disrupted a number of businesses early this week as it spread worldwide. Anti-virus software manufacturer Symantec upgraded its threat rating of the Sasser worm to 4 on a scale where 5 represents very severe, as the number of reported infections increased after the weekend. The worm is considered one of theĉmost serious to be reported since the blaster wormĉattacked millions of Windows PCs in August last year.

Sasser worm rips through Internet [Reuters UK]
The rapidly evolving Sasser computer worm is tearing across the Internet disrupting corporate and home computer systems and stoking fears of more potent outbreaks to come. First detected over the weekend, the worm has already infected, by some estimates, over one million PCs and knocked out computer systems at banks, transport reservation systems and at European Commission offices. Unlike previous Internet worms, Sasser infects vulnerable PCs without any action by the user like opening attachments, allowing it to spread very quickly.

Factbox - Five major viruses on the Internet [Forbes]
The fast-spreading Sasser computer worm infected hundreds of thousands of PCs globally, on Tuesday, disrupting banking and other businesses in one of the biggest virus-like attacks on the Internet.

Sasser virus causes havoc in computers [ITV]
A computer worm has struck a million computers, taking advantage of a flaw with the Windows operating system.

About | Buy | News | Products | Rants | Search | Security
Copyright © Radsoft. All rights reserved.