Monday, May 15, 2000
Attack Of The Love Bug
By Lev Grossman
Anne Guepiere works in the Hong Kong office of a large U.S. company that would prefer to remain nameless. At about 4 o'clock last Thursday, she received an e-mail. It seemed innocuous enough. The subject line read ILOVEYOU. With it came an attached document labeled LOVE-LETTER-FOR-YOU.TXT.VBS. How nice. Just a couple of clicks, and her curiosity would be satisfied.
Too late. "I didn't even read the 'ILOVEYOU' part," recalls Guepiere, whom history would record as, if not Patient Zero, then surely one of the earliest victims in a global pandemic. "Only when I opened [the attachment] did I realize there was a problem." Indeed, it was a bigger problem than anybody, probably even its mischievous creator, could have imagined as computers everywhere tumbled like so many dominoes. Once again that scourge of the Internet age--a computer virus--had struck. Silently, lethally, without even a hint of a warning fever, it raced around the world at light speed, clogging communications and bringing both commerce and politics to a halt.
Because of its implicit, fatally attractive message--Oh, just give me a glance, I bear friendly tidings from a loving admirer!--headline writers immediately (and irresistibly) nicknamed it the Love Bug. But there was nothing lovable about it. Before it spent itself--in its first incarnation, it was truly a 24-hour virus--it would affect tens of millions of computers, eventually ring up a toll as high as $10 billion in lost work hours and reopen troubling questions about the safety and security of our vital electronic lifelines. By almost any measure, it was the most damaging virus ever, with at least three times the byte--as more than one punster put it--of Melissa, last year's electronic femme fatale. This was not so much because of its ingenuity, says Finnish computer-virus hunter Mikko Hypponen, whose team was among the first to capture the bug's digital DNA, but because of its blinding speed, spreading around the world in a hypersonic two hours (vs. six for Melissa).
Suspicion fell quickly on a possible culprit in the Philippines, in part because the virus' eight pages of computer code contained a tantalizing word: Barok. A search of virus registries quickly revealed that it was the name of a so-called Trojan horse, a stealthy software program that filches passwords, written by a Filipino hacker last year. Still, the transparency of this clue suggested that the word might have been inserted as a deliberate smoke screen to fool the computer sleuths. By week's end, the work of investigators was further complicated by the appearance of a number of copycat viruses, created either by others or by the Love Bug's author.
Like a real Asian influenza, the virus first emerged in Hong Kong. From there it sped westward with the sun, lying silently in wait in corporate e-mail accounts until unsuspecting office denizens punched in, logged on and double-clicked on the file. Shufiyan Shukur, managing editor of an online news service in Malaysia, was infected when he got an e-mail from a friend in Hong Kong. He knew this guy liked practical jokes but clicked it open anyway. Too late. Twenty minutes later, he laments, "our internal-security people sent out a warning about this virus."
But worse was yet to come. On the other side of the world, in the offices of the German newspaper Abendblatt in Hamburg, system administrators watched in horror as the virus gobbled up 2,000 digital photographs in their picture archive. In Belgium ATMs were disabled, leaving citizens cashless. In Paris cosmetics maker L'Oreal shut down its e-mail servers, as did businesses throughout the Continent. As much as 70% of the computers in Germany, the Netherlands and Sweden were laid low. The companies affected made up a Who's Who of industry and finance, including Ford, Siemens, Silicon Graphics and Fidelity Investments. Even Microsoft, whose software was the Love Bug's special target, got so badly battered that it finally severed outside e-mail links at its Redmond, Wash., headquarters.
Governments, too, felt the pain. In London, Parliament shut down its servers before the Love Bug's assault. "This affectionate greeting," intoned Commons leader Margaret Beckett, "contains a virus which has immobilized the House's internal communication system."
The Yanks didn't do any better. On Capitol Hill, crippled e-mail systems forced an atypical silence in the halls of Congress, as well as some unusual scrambling. Arriving early on a day dominated by the death of John Cardinal O'Connor, New York Congressman Joseph Crowley's press secretary, Josh Straka, logged on to his computer only to unleash the bug. He spent the rest of the day manually faxing press releases. "My stress level was through the roof," he says.
The bug infected 80% of all federal agencies, including both the Defense and State departments, leaving them temporarily out of e-mail contact with their far-flung outposts. Though Pentagon spokesman Ken Bacon insisted there were other lines of secure communications available, the virus corrupted no fewer than four classified, internal Defense Department e-mail systems.
At the White House, which only a few days earlier had wrangled with Republicans over whether it intentionally destroyed e-mail messages, spokesman Joe Lockhart claimed it had escaped unscathed. President Clinton, in any case, wouldn't have noticed anything. Unlike his cybernaut Vice President, Al Gore, whose campaign was largely unaffected, Clinton rarely reads his e-mail. Still, before rushing off to a retreat in Pennsylvania with Senate Democrats, he vowed to reporters to keep working to protect the nation's growing dependence on electronic interconnectivity from "disruptive forces." George Bush was less fortunate. At his Dallas headquarters, external e-mail servers were shut down for more than a day, forcing aides to work the phones and fax machines.
In New York City's financial district, the bug hit early risers especially hard. "If I had been here a few minutes later, nothing would have happened," says Vincent Cecolini, an editor for the RIA Group, a publisher of financial books. By the time his company's computer technicians arrived, they found 2,000 corrupted messages in his Out box and spent the rest of the day wrestling with the damage. "I was terrorized," says Cecolini. "My stomach was in knots." Old Westbury, N.Y., businessman Kamal Dandona's experience was even more nightmarish. Organizer of a major Bombay film industry-awards show to be held this month in Uniondale, N.Y., Dandona lost posters, press releases and digital photos of every major Hindi film star--all gobbled up by the virus.
Fiendishly created, the Love Bug strikes with a one-two punch. Once you've clicked open that fatal attachment and activated its deadly code, the virus either erases or moves a wide range of data files. It singles out in particular so-called JPGs and MP3s--digital pictures and music--and, like a natural virus, replaces them with identical copies of itself. Then, if it finds the Microsoft Outlook Express e-mail program on your computer, it raids the program's address book and sends copies of itself to everyone on that list. (The more innocent Melissa grabbed only the first 50 names.) Technically, this two-pronged approach makes the Love Bug both a virus and a worm; it's a virus because it breeds on a host computer's hard drive and a worm because it also reproduces over a network.
As these replicated messages spread, they created monumental jams, slowing Internet traffic to a crawl. And they quickly attracted the attention of virus hunters. At the F-Secure headquarters just outside Helsinki, Hypponen's team first got word of the virus at 9:41 a.m. local time, seven hours ahead of the Eastern U.S. That was when Bulgarian-born Katrin Tocheva, one of the few women in the tight-knit antiviral community, opened an e-mail containing a sample of the ILOVEYOU attachment and a warning from their Norwegian field office; a U.S. client's European network had been hit and needed help. She alerted the rest of the staff, who went immediately into emergency mode.
At ICSA.net, a Pennsylvania computer-security company, chief scientist Peter Tippett was also getting warnings from his European offices. By 4 a.m., he began rounding up his 15-person antivirus SWAT team. Because of the stiff competition among antivirus-software makers, others were mobilizing too. "Our Leyden team in Holland was up and awake and began the initial research," says Ron Moritz, chief technology officer of Symantec, one of the antiviral Big Three (the other two are McAfee and Computer Associates).
Their first challenge: nailing the bug's digital fingerprint. "Every virus, every attack has a unique pattern, a unique set of bits," says Moritz. "Once you know what that is, you can then identify it each and every time it comes in." The second challenge: identifying the perpetrator. Clues weren't hard to find. Embedded in the virus' code--or blueprint--were the alias "spyder," an e-mail address and the words "Manila,Philippines." The code also yielded a short sentence in broken English that provided at least the shadow of a motive: "i hate go to school." Was the world facing a cyber-Columbine? By 4:30 a.m. Eastern time, the virus fighters had linked the Love Bug to a website hosted by Sky Internet, an Internet service provider based in Quezon, the Philippines. They persuaded the ISP to close down the site, but the Love Bug kept on spreading.
The feds were moving as well. By 11 a.m., the National Infrastructure Protection Center, an FBI-based group created to defend against cyberattacks on crucial public and private networks, posted a virus alert on its Web page. Meanwhile, NIPC was assessing the extent of the damage at home, and the FBI launched a massive criminal investigation. Under the Computer Fraud and Abuse Act of 1986, the Love Bug's author could face a penalty of as much as five years behind bars and a $250,000 fine.
The major antivirus firms quickly posted antidotes--software to neutralize the bug--on their websites, but they were too late to prevent widespread chaos. Desperate for a cure, victims deluged the sites, making them all but inaccessible. McAfee received requests for help from 10,000 affected companies on the first day of the outbreak alone.
Alerted by their overseas offices, most multinationals escaped the Love Bug's full embrace. Tipped off by colleagues in England and Germany, computer-security personnel at AT&T's operations hub in New Jersey reported for duty by 6 a.m. to block the virus. Within hours, some 100 desktop machines were already infected, and technicians had to ditch more than 2 million infected e-mail messages. By contrast, colleges and universities, strongholds of Linux and Macintosh computer systems rather than the targeted Microsoft Windows, got off comparatively lightly.
The consensus among computer-security experts is that the Love Bug is the biggest virus outbreak in history--"by at least threefold," says ICSA.net's Tippett. Agrees McAfee president and CEO Gene Hodges: "It's clear at this point that this is the most damaging and the most widespread virus outbreak ever." Symantec's Moritz is more cautious, conceding that it is No. 1 in numbers and rate of spread, but for sheer destructiveness he prefers last year's Explore.Zip, an especially vindictive virus designed to destroy Microsoft Word, Excel and PowerPoint files.
The extraordinary efficacy of the Love Bug was caused partly by its timing, striking as it did on a busy weekday morning, but also by its seductiveness. It was a minor masterpiece of what hackers like to call "social engineering"--in other words, manipulating the rubes. Few of the lonely hearts among cubicle dwellers could resist its siren song. (This reporter couldn't--and paid the price in lost files.)
From a technical standpoint, the Love Bug is not radically new. Hijacking your e-mail address, for example, has been done--most notably by Melissa. The difference this time was a mix of shrewdness and ruthlessness. While Melissa sent out its tainted e-mails one by one, sometimes overloading the very server that was supposed to distribute them, the Love Bug spewed them as a single batch--and it didn't stop at the first 50 names.
And if you happened to enter a computer chat room--looking for kindred spirits in cyberland--it passed copies of itself as well to everybody out there. (Imagine how receptive patrons of a singles chat room would be to a poisoned "love letter.") Nor would you have been protected if your computer was part of a so-called local area network, or LAN. The Love Bug would leap that barrier like some hyperactive flea. And there's more. If you were surfing with Internet Explorer, it would reset your home page to a website in the Philippines, from which it would download a second virus--this one designed to round up all those treasured passwords on your hard drive and ship them off to an e-mail address, also in the Philippines. Fortunately, that contaminated site was shut down early Thursday morning once virus hunters spotted it.
The drama wasn't over yet. By Thursday night, more than a day after its first appearance, the Love Bug began to mutate. Either the creator or, more likely, other members of the virus-writing clan started editing the virus and reintroducing it to the Internet with some new, tilted spins. One version had the subject line "FWD: Joke." Another was written in Lithuanian. One, more devious, bore the subject header "Mother's Day Order Confirmation"--posing as an e-mail receipt for a credit-card transaction for flowers or a gift for Mom. Perhaps most diabolical of all was the version titled "Dangerous Virus Warning," with an attached file that cleansed the system of the Love Bug but substituted an equally dangerous one of its own.
As the initial outbreak cooled down by midday Friday, the search for its author heated up. Filipino virus hunters, working in cooperation with the FBI and local authorities, determined that the virus had originally been released from two e-mail addresses, spyder@super.net.ph and mailme@super.net.ph, both belonging to Supernet, an ISP based in Manila. The identity behind the two accounts proved difficult to trace--the perpetrator had used a series of faked and stolen e-mail addresses and anonymous, prepaid Internet-access cards.
By late Saturday, authorities had targeted two suspects: a 23-year-old Filipino student attending Amable Mendoza Aguiluz Computer College and living in the Pandacan district of Manila; and a twentysomething German exchange student living in Australia, known variously on the Internet as Michael and Mikael.
It is tempting to romanticize virus makers as brilliant, rogue hackers in the cyberpunk tradition of William Gibson's science fiction. Experts agree, though, that the Love Bug is at best the work of a resourceful plagiarist. "It isn't like you have to be a genius," says Tippett. "This is just a guy who's been connected to the virus community for a while. He took pieces from three or four viruses that came out this year and glommed them together."
Even if the authorities catch up with "spyder," and administrators succeed in mopping up the Love Bug and all its evil progeny, what kind of future is there for an Internet so fragile that a cobbled-together program can bring it to its knees? It is painfully obvious that the present network lacks any built-in immune system to defend it against malicious infections. Emmanuel Goldstein, founder of the legendary hacker journal 2600, stresses that better technology is the answer--not passing more laws or throwing more hackers in prison. "Melissa should have protected us from this," he said at a 2600 gathering Friday night. "Catching the guy doesn't prevent hackers. All the legislation in the world will not stop a 12-year-old in Thailand from doing this."
Clearly, the Internet is still not ready for prime time. "Without architectural improvements," warns Jeff Carpenter of the CERT Coordination Center, a federally funded computer-security group affiliated with Carnegie Mellon University, "we will see this again." The next time could be worse. Imagine what a well-designed Love Bug could do when we have become even more dependent on computer networks and those networks are wireless. An Internet outage could keep us not only from sending e-mail but also from gassing up the car or depositing our paychecks. Warns Symantec vice president Steve Cullen: "We're only fractionally connected right now. The possibility for virus attacks will become exponentially greater in the wireless future."
The medium may be new, but human nature hasn't changed: whatever firewalls and antidotes the virus hunters come up with, virus writers will always find a way around them. As veteran hacker Goldstein puts it, "If your system can be knocked out, assume it will be."
What last week's attack teaches us is that if we want to become a connected society, it is not enough to defend our own backyard (i.e., our own PC). We have to clean up the streets and build an Internet in which it is safe for us to stay as intimately linked as we clearly want to be.
--Reported by Maryanne Murray Buechner/Helsinki, Massimo Calabresi, Elaine Shannon and Mark Thompson/Washington, David Jackson/Los Angeles, Eric Roston, Wilson Rothman and Jyoti Thottam/New York, Nelly Sindayen/Manila, Ursula Sautter/Bonn and Wendy Kan/Hong Kong