Category Archives: VBS/Loveletter

Breaking up is never easy…LoveBug, the day after.

The LoveBug/Loveletter/Iloveyou worm (much more geekishly called VBS/Loveletter.a@mm by, well, AV geeks) has become one of those legendary events in malware history. The fact that 10 years on we’re still writing about it. Not only that, but many of us will remember exactly where we were and what we were doing when we first heard about it – in fact many more might remember it than were actually there :).

Still, I remember exactly where I was – I was in Reading, at Microsoft headquarters attending a security seminar and my Blackberry (one of the very early ones, with a greyscale LCD screen), started to go off regularly. I grabbed the next train back to Dorset, got into work, and spent the next ten hours ensuring that nothing bad was going to happen on our network. Many other people have written about their memories of the day – 10 years ago yesterday – including Graham Cluley and Mikko Hypponen, and indeed our own David Harley, and I’ve nothing to add to that. You see – we were using Lotus Notes (~shudder~) and not one single system got infected – although we did get a tremendous amount of email, which very quickly got blocked once we knew the attachment name. No, I remember the Loveletter for what happened 10 years ago TODAY, the 5th of May. And, it is a tale I felt worth sharing, about how even good information about one situation is not necessarily applicable across the board.

Although they were not directly under my responsibility, my team had involvement with the IT systems of all the schools across Dorset, and while none of the systems we were responsible for were affected by Loveletter, this was not true of other systems within the schools, which were under supervision of the school’s own IT personnel. On the morning of the 5th of May, I sent out a message to everyone on our network to the effect that “Our network was not affected by the VBS/Loveletter worm, and no damage resulted from any mails that were opened within our network, but we request that you remain vigilant and avoid opening attachments that are not work related. We also suggest that you install an Anti-virus product at home, and ensure that any mails with the subject “ILOVEYOU” are deleted without being opened” This was the very last time I ever sent out such a message, not because it was incorrect, but because the information ended up being spread outside of our organisation – particularly in schools, where I’m sure people felt they were being helpful by forwarding my email – at which point I got several very angry phonecalls and emails abusing me for my lack of intelligence. The reason? The information was only true of our organisation, and those whose networks DID end up getting affected (Loveletter also deleted .jpg/jpeg images) were angry that I so downplayed the risks of the worm while they were watching it eat through all the images on their servers and workstations. In fact, many of the schools were running Microsoft Exchange and Outlook, and once their systems were infected, many pupils lost work.

This highlights the fact that information is often specific, it isn’t necessarily relevant to all situations. Think of it like fire extinguishers; they have specific uses on specific types of fires – don’t go spraying a water extinguisher onto an electrical or fat fire, you will get burned.

User education is often very difficult, and one of the reasons it is so is that there are so many variables, so many different ways that things can go wrong. In a way the Loveletter worm was one of the first Phishing attacks – it combined clever social engineering with malicious code to steal passwords. David Harley and I have written fairly extensively on Phishing, including examining whether the sort of ‘anti-phishing’ quizzes we’ve seen on some security sites are actually of any use. As far as I’m concerned, the jury is still out – there’s far too little common sense, too much irrelevant information, and it takes (literally) a lifetime to become a security expert; you can’t expect people to learn in five minutes.

As David mentioned yesterday, AVIEN was formed out of the need for non-vendors working in the AV industry to get fast and accurate information about spreading threats – I was glad to find that the instances where such information got so wildly misconstrued as in my Loveletter incident were few and far between. AVIEN also has its 10th birthday this year – more of that later in the year.

As an aside, I later applied for a job at one of the schools that had been affected, imagine how my heart sank when my interviewer turned out to be one of the people who had written me an angry email…no, I didn’t get the job! Anyway, it’s all water under the bridge, and since it is the 5th of May, my greetings to all my Mexican/Southern Californian friends, who will no doubt be regretting their today’s activities tomorrow morning.

Andrew Lee CISSP
AVIEN CEO / CTO K7 Computing

The Real Lovebug

I don’t think I’ve ever seen “Kramer versus Kramer”, but I did actually read the novel by Avery Corman, a long, long time ago. And I have a vague recollection of Ted Kramer saying something to his wife Joanna about the birth of their son, and of her responding that she doesn’t remember Ted having been there. Hold that thought…

Suddenly, there’s a whole rash of anti-malware vendors reminiscing about VBS/Loveletter, which is, in epidemiological terms anyway, ten years old today. There’s a massive amount of information about what it actually did, of course, complete with copious screenshots, so I won’t waste time reproducing that information – I doubt if you’ll be faced with a Lovebug infection at this stage in the game.  There is even a certain amount of discussion about which company “discovered” it.

As someone who works for an anti-malware vendor, I have nothing to say about that: I was certainly very active in the anti-virus field by that time, but I didn’t work for a vendor. In fact, I was working in security systems administration for a medical research charity, so I didn’t get a vendor’s eye view of the drama, but very much the customer view.

I do know how I became introduced to the Love Bug, because I included a note about it in the case study Rob Slade and I included in a book we wrote in 2001 called “Viruses Revealed”. One of our end users reported receiving an attachment containing gibberish – Outlook wasn’t in common use on that site, and other clients couldn’t interpret the code. The Helpdesk analyst who picked up the call realized that “gibberish” might well denote program code, and passed it on to me. And, in fact, the most cursory inspection of the code indicated that it was clearly meant to be infective, so I passed a copy straight to the vendor from whom my company was licensing AV at the time.

No, I’m not claiming to be patient zero: by that time, I was starting to see mail from other corporate AV specialists – that is, people specializing in malware management but not working in the anti-virus industry – seeing the same malcode. What I wasn’t seeing at that time was information from the industry.

That was a little before the birth of AVIEN (the result of a meeting at the 2000 Virus Bulletin conference later that year), but I remember talking to several of the same people who later exchanged information on other malware outbreaks on AVIEN lists. These less formal exchanges of information and opinions during the first phase of the Loveletter epidemic were immensely valuable as we all evolved strategies suited to our particular environments for dealing with the threat (and the waves of copycat malware that quickly followed), while we waited for signatures from our vendors of choice. Unfortunately, I don’t have access to those emails anymore, but I used an AVIEN mailing list to ask some of those who were there at the time what they remembered.

Some remember risking life, limb and speeding tickets trying to get to the office  in order to take hands-on remediative action. Ken Bechtel remembers getting 12 messages on his pager and three phone calls before he’d even left home, and subsequently, he says, “I remember 36 out of 48 hours of work blocking vbs at the PMDF, and creating a custom SMS script to create a special named DIRECTORY to prevent a file from being dropped.”

Mike Blanchard was due at a training session that morning, but was similarly pounded by pager messages and phone calls and had to turn around en route and get to the office. (He actually received a ticket for turning around in someone’s driveway, but successfully fought the case because of the nature of the emergency.)

Thankfully, I was already at work, so there was no risk of my being charged with running too fast on a London Underground station…

So to all those industry professionals I’m now immensely proud to call colleagues, I’d like to say thank you for all your help over the years, and not least for the excellent job you did ten years ago in producing updates for Lovebug and the wave of semi-clones that followed.

But as far as Lovebug is concerned, I don’t remember you being at the birth. 🙂

David Harley FBCS CITP CISSP
AVIEN Chief Operations Officer