Originally: http://www.sunworld.com/sunworldonline/swol-06-2000/swol-06-lovebug_p.html
Originally: http://www.idg.net/go.cgi?id=275049


Social aspects of the Love Bug virus

Email clients and operating systems must better protect the end user

Summary
The latest and not-so-greatest computer virus -- the Love Bug -- was no isolated event, and because of the widespread damage it caused and the media coverage it generated, it serves as an excellent example to illustrate several points. Here, noted securit y specialist Brian Martin dishes the dirt on antivirus companies, the government's preventive measures, cyber detectives, and the guesswork involved in estimating billion-dollar damages. (3,500 words)
By Brian Martin


Sometime on May 4, 2000, several antivirus companies, security professionals, and unwitting email users discovered what has now been labeled the Love Bug virus. Within hours, it had spread to just about every continent and had wormed its way into tens of thousands of companies. Hours later every antivirus company in existence scrambled to claim credit for discovering the virus and for being the first to provide a cure. Most I nternet users believe those companies were on top of events and deserved credit. But from security veterans of past virus incidents, a deep collective sigh could be heard.

The Love Bug's ability to automatically mail itself to everyone in an infected user's Microsoft Outlook address book made it particularly nasty. Those who save every email message they receive, or who have business contacts at a wide number of companies, provided the virus with a perfect opportunity to spread like wildfire. The effectiveness of this replication method lies in who knows whom. Doug Thompson, who writes a column called "The Rant" for Capital Hill Blue, came out with a great piece that threw blame at a familiar face and also outlined the fundamental problem.

Former Congressman Fred Grandy was one of those idiots. Grandy now runs Goodwill Industries. He walked into his office on Thursday, pulled up his e-mail and clicked on the "I Love You" e-mail attachment, even though his in-box also contained a warning fro m his computer folks.

Zap. The virus went out to more than a hundred of the nation's top CEOs, courtesy of the man whose greatest claim to fame is playing a character named "Gopher" on TV's old "Love Boat" series.

More victims than the common cold
The rate at which the virus replicated is nothing short of amazing. It takes the work of thousands of computer users to help such a virus propagate, as can be seen in the battle fought by a New Zealand company:

New Zealand's largest telecommunications operator Telecom said on Saturday it had deleted more than 17,000 messages carrying the "Love Bug" computer virus from its Internet service and was searching for new variations. --Reuters

... and in the preventive measures taken by the US Department of Education:

Bradshaw said that chief information officer Craig Luigart found 10,000 incoming ILOVEYOU emails queued up for recipients whose last names began with "A" or "B." Luigart estimates that throughout the entire department, the system prevented another 100,000 to 200,000 infected emails from being sent out. All of the viruses have been rendered harmless, Bradshaw said. --Federal Computer Week

The Love Bug initially claimed an estimated 1 million computers as victims. One day later, Computer Economics, a research firm in Carlsbad, Calif., was putting the victim count closer to 45 million worldwide.

While such a virus can spread fast, it's difficult to believe that in 24 hours the Love Bug could jump from 1 to 45 million machines, especially given the amount of press it received. The fixes that the antivirus companies provided should have slowed the virus as well.

Disparate estimates
Only two companies -- ICSA.net and Computer Economics -- provided damage estimates to the media. Their numbers were remarkably in sync with each other. During the first day of the virus's rampage, they estimated damages to be between $1 billion and $ 2.61 billion.

Regardless of a company's expertise, guesswork is a wild card inherent in such statistics. Considering the hundreds of millions of computers that make up the Internet, who is in a position to monitor how many machines were affected, and how much damage th at really equated to? How could two companies, or even a hundred companies, really prove that 45 million computers were infected?

According to Wired News, the virus had already infected 1 million computers by 9 a.m., with ICSA.net saying that damages would reach more than $1 billion.

If 1 million computers cause $1 billion in damage, the overall damage should have been close to $45 billion, yet final estimates of the damage ranged between $7 billion and $10 billion, far short of the pattern seen in the first t wo days after the virus erupted. Shortly after initial figures were released, Computer Economics came up with a new prediction: damages would grow $1 billion to $1.5 billion a day until the vi rus was eradicated.

As a side note, plugging numbers in to a simple calculation -- $10 billion total damage divided by 45 million infected computers -- we see that each infected computer caused an estimated $222 in damages.

Where does that kind of damage really factor in, though? One CNN article quoted an employee of a Norwegian photo agency, ScanPix, which lost some 4,500 photos. Had the Love Bug viru s struck three days earlier, photos from the Norwegian war archives would have been lost.

"Between 6,000 and 6,500 photos were deleted by the virus, and we only managed to rescue 1,500 of them. The rest seem to be lost," ScanPix managing editor Tore Sannum told CNN Norway.

I don't mean to be insensitive, but you won't find me crying a river over this loss. A company that deals with such rare and valuable digital photographs shouldn't be working on production machines connected to the rest of the networked world. To do so is to openly beg for the next disaster to smite it down and cast all its hard work aside. Companies like this further plague the rest of us because the damages caused by their sloppy practices are mixed in with more legitimate losses. The subhead to the par agraphs quoted above should twist knots in your stomach: "History Nearly Lost," it reads. The implication is that because of this virus a small portion of our world's history was nearly destroyed. If leaving that history unnecessarily vulnerable isn't cri minal negligence, it certainly should be.

Self-fufilling prophecy
I'm a believer in the idea that once a person starts thinking something will occur, that event is more likely to happen. People tend to act subconsciously in ways that will help effect what they predict. This notion seems to be demonstrated rather well by the damage tags surrounding the Love Bug virus. Of particular interest was the rapid growth of those figures, which were presented with no verifiable explanation. Near the end, estimates jumped from $6.7 billion to $10 billion, the original fi gure of some 20 days prior.

May 4 --CNN reports that by 9 a.m. that day, more than $100 million in damage has been done and that by Monday the damage will climb as high as $1 bill ion, according to ICSA.net.

May 5 -- Analysts with Computer Economics say that by Wednesday (May 10), the total damage may reach $10 billion and climb $1 billion a day.

May 9 -- Computer Economics analysts say that damage caused by the virus has reached the $5 billion mark and could total $10 billion.

May 10 -- Computer Economics says that the Love Bug and its copycats have caused $6.7 billion in damages.

At this point Computer Economics' own figures don't always agree with each other. On May 5 they say that by May 10 the damage could reach $10 billion, yet they're quoted on May 10 as giving a substantially lower tag. Their theory of the damage increa sing $1 billion a day is considerably off. But later down the road the $10 billion estimate creeps back into articles, as it did in one from the Associated Press, o ften with no attribution:

May 27 -- "Earlier this month, the 'Love Bug' virus, and a later variation, reached millions of computers purportedly bearing a love letter. Estimates of the damage ranged up to $10 billion, mostly in lost work time."

Who felt the love?
According to Federal Computer Week, the following government agencies reported being affected by the virus:

The Pentagon, National Security Agency (NSA), Britain's House of Commons, and dozens more suffered incidents involving the Love Bug. It is almost unbelievable that those agencies continually deal with security breaches of all kinds. Common sense would sug gest that workers who protect vital parts of our government systems (some of which contain your sensitive and private information) would be better trained. Some experts also say that those agencies shouldn't be running software that assists destr uctive viruses. Perhaps most alarming is the number of reports of classified systems being struck by the Love Bug. Aren't those supposed to be secure machines with little or no outside network access?

Making a quick buck
The more you read about this case, the more you have to wonder about the various roles people play. Companies like ICSA.net and Computer Economics are obviously spending time pushing their statistics on every media outlet willing to lend an ear. Oftentime s antivirus companies race to come up with a solution. Who wins and who loses is sometimes measured in hours, not days, and never mind that their products often don't implement basic heuristic analysis of email attachments.

When new vulnerabilities are discovered in various products or operating systems, computer security firms typically benefit in one way or another. Just as security firms stay in business because of network vulnerabilities, antivirus companies stay in busi ness because of viruses. Antivirus firms help create media attention surrounding viruses, so it should come as no surprise that after news of the fast-spreading Love Bug virus broke May 4, shares of Computer Associates, McAfee, and Network Computers rose drastically.

Often overlooked is a group of people who profit in their own way, possibly more than the antivirus companies. For example, outlets like Wired News wrote no fewer than 14 pieces on the virus; larger companies wrote even more. One has to wonder if there ar en't too many articles about the virus, especially after reading each and every one only to find the same information and quotes from days before.

The past 12 months have seen two major viruses devastate the Internet. The first was the Melissa macro virus, which swept through corporate America and ultimately caused an estimated $80 million in damage. Millions of Internet users are collectively slapping their foreheads wondering why they didn't learn their lesson the first time, while others are noticing a connection between Melissa and the Love Bug.

A journalist friend recently emailed a startling revelation. "I was looking for some deeper meaning in the last two major virus assaults," he wrote. "Each one has seven letters and three vowels, and if you rearrange the letters, MELISSA and LOVE BUG spell : BIG VOLUME SALES."

My friend was joking, but his message is disturbingly ironic. While Melissa and the Love Bug caused $80 million and $10 billion in damage, respectively, antivirus and security companies no doubt raked in the big dough.

Who wrote the virus?
When the price tag for a virus attack rolls in at anywhere over a buck seventy-five we have to find someone accountable for the damage in order to sleep at night. Within a few days of an outbreak, computer crime investigators, many of whom aren't employed by law enforcement, begin tracking down leads that might point to the virus's creator. As each clue is discovered a new article comes out that keeps the masses up-to-date with the investigation.

B.K. Delong was the first to point out the errata streaming forth from the media regarding different suspects and their possible involvement in the creation of the Love Bug. While some critics say that Delong's argument consists of nothing more than nitpicky details, he makes a valid point about the state of reporting breaking news. If respected news agencies like the Associated Press, CNN, and Reuters can't get the names, ages, and re lation of suspects correct, what else is incorrect?

We are the Men in Black
As with most events involving computer crime, a shower of criticism poured down on federal agencies and their response to the virus. But along with the usual security professionals and antigovernment types, a group of unlikely critics joined in the bashin g.

According to a Yahoo Finance article, the General Accounting Office (GAO), Congress's investigative and auditing arm, believes that the US government was poorly organized for a response. "Our audits con tinue to find that most [federal] agencies continue to lack the basic management framework to effectively detect, protect against, and recover from these attacks," said Keith Rhodes, technical director for the chief GAO scientist."

Before lambasting the government for being a few steps behind, you must qualify who "the feds" are, exactly. In this context, I think it fair to divide them into law enforcement, response teams, and other agencies. One exception to this division would be a group like the FBI's NIPC, which both performs criminal investigations and attempts to be a response team. I covered some of the government agencies above, so here I'll focus on response and law enforcement.

The well-known Carnegie Mellon-based Computer Emergency Response Team (CERT) provided an advisory to the public on May 4, the day the virus first appeared. FedCIRC followed up shortly afterward by distributing a reprinted CERT advisory. While FedCIRC apparently couldn't offer more information, it was at least able to distribute the notice to more Internet users. The FBI's National Infrastructure Protection Center (NIPC) was able to draft one paragraph on the day the virus began. The paragraph suggested deleting mail with the subject "ILOVEYOU" and concluded by saying that antivirus companies were working to solve the problem.

While we can't expect those response teams to know everything about every breaking incident, the NIPC was sorely lacking in its response. Common sense should have told its staff that the virus would quickly mutate beyond the subject of ILOVEYOU. Generic r ecommendations of filtering rules or other precautions should have been the least of what they offered to struggling system administrators. Twelve hours and 10 million computers later they finally came through.

Law enforcement agents still haven't convicted anyone of authoring and releasing the virus. As of May 19, investigators with the Philippine NBI are still compiling evidence against Reonel Ramones, who has been preliminarily charged with the crime. Ramones denies the charges and insists his is a case of mistaken identity. Also implicated is Ramones's classmate and quasi-coworker Michael Buen, who claims that some 40 people were involved in writing the virus.

Placing the blame
If a single virus can bring the networked world to its knees for a few days, we have deeper seated and more fundamental problems than finding and convicting the perpetrators of an offense. Because of the simplicity with which they could be infected (by me rely clicking on an email attachment), many computer users pointed a finger at Microsoft. The virus was effective because it targeted Microsoft's Outlook email client, which has possibly the largest installed base in the world. Microsoft quickly denied th e allegations of software weakness.

According to Scott Culp, the program manager for Microsoft's Security Response Center, "There isn't a security vulnerability in Outlook involved in this at all." He added, "The issue here isn't scripting; it's the social phenomenon of virus writing."

Social phenomenon or not, Microsoft Outlook certainly assisted users in infecting themselves with this virus and its subsequent mutations. An article in the Industry Standard refuted Culp's claims and explained why Microsoft should share in the blame:

The Love Bug took advantage of a feature in Windows called Windows Scripting Host, which allows users to automate routine tasks. The virus' author created a Visual Basic script that was directed to send itself to all recipients in a user's Microsoft Outlo ok address book and then delete image files and hide audio files.

The Scripting Host is not the only Windows feature that invites hackers. Other flaws include Outlook's automation feature, which allows external programs to command the application remotely. Security experts say such features should be disabled by default .

"The bottom line is that very few people need [the Scripting Host], and yet it's turned on by default," says Richard M. Smith, a security expert and Internet consultant based in Brookline, Mass. "Windows Scripting Host [is] almost like the Virus Scripting Host."

Such well-founded comments led Microsoft to change its stance on the role of its products in the spread of viruses. Rather than blame it on a "social phenomenon," one Microsoft manager stepped into the spotlight to let everyone know the company was addres sing customer concerns.

"Given the fact that Love Bug was a global economic event, we need to do our part and take pretty decisive steps here, and we think this will eradicate this class of viruses," Tom Bailey, Microsoft's group product manager for Office, said in an interview.

"We always try to strike a balance between the openness of the product and security," Bailey said.

"We've tried to be reactive to this thing, like antivirus software writers are. What we are trying to do going forward is to take a more proactive response to this," he said. --Wired News

Like the antivirus companies, Microsoft apparently didn't learn its lesson from the Melissa incident. Rather than use the less damaging but highly publicized virus as a gentle nudge to implement more antivirus features in its software, Microsoft stayed in the ring to take a few more blows. Now, it throws the towel in.

One method of determining Microsoft's culpability might be to examine several virus incidents. When viruses are created, which products or operating platforms give them a ride into the wild? The answer is clear, says Will Rodger of USA Today:

More than 45,000 viruses infect PCs running the Windows operating system worldwide.... Hundreds more viruses appear each year, requiring armies of antivirus programmers to isolate and kill the offending bugs.

By contrast, perhaps 35 viruses have been written for the Macintosh and four or five for the Unix-based computers that run most Web sites, says Eugene Spafford, director of the Computer Operations, Audit and Security Technology lab at Purdue University.

Put simply, the last two big viruses were not Internet viruses. They, like virtually every virus that has made headlines in the last 10 years, were Windows viruses.

While many of us are neither users nor supporters of Microsoft, it would be unfair to place all the blame on that company. Yes, Microsoft helped create a faster and more efficient vehicle for viruses, but in the end the blame still lies with each person w ho opted to test-drive the vehicle. Together, they made a great team and share responsibility.

The best excuse yet
Just as you thought the Department of Justice v. Microsoft battle had crawled into the shadows, out pops Bill Gates with a truly magnificent piece of drivel. In the los ing battle against the DOJ, Gates now claims that breaking apart the monopoly would harm the computer industry because it would strip them of their power to protect customers against viruses such as the Love Bug.

According to Gates:

The DOJ scheme also effectively imposes a ban of up to 10 years on the addition of any significant new end-user features to Windows. New features must be provided on an a la carte basis and priced separately to computer manufacturers. Provisions like thes e would kill innovation in the OS -- and impair the livelihoods of the tens of thousands of independent software developers who depend on constant innovation in the OS to make their products more attractive. Updates to Windows and Office technologies that could, for example, protect against attacks such as the Love Bug virus would also be much harder for computer users to obtain.

As pointed out earlier, Microsoft failed to react to the Melissa virus. Unknown to most people is that the company also failed to react to dozens of other worms and thousands of other viruses. Each and every time a virus comes down the wire Microsoft has a chance to implement new features or methods of protection. In every case before the Love Bug, Microsoft has failed to take appropriate action. Despite this, Gates now claims that a Microsoft breakup would hinder it from reacting in the future.

Lessons learned
I would like to be able to say with confidence that we've all learned a number of lessons and that the next virus will be barely a blip on the computer security radar. It would be nice to see more email clients and operating systems come up with more prot ection for the end user. Despite Melissa and the Love Bug tearing through the Internet and showing us twice that we have some lessons to learn, we're still vulnerable in the two areas that the Love Bug used to propagate itself: shoddy, insecure software a nd human nature.




Brian Martin has been involved in computers since the early 1980s. His experience spans from first-generation home computers to large-scale servers powering the most current business applications today. Work ing in the computer security industry for the past five years, he has provided security audit and penetration assessment for foreign banks, Fortune 500 companies, and the Department of Defense, among others. He has provided training and consultation for t he Federal Bureau of Investigation, Defense Criminal Investigative Services, and the National Security Agency. In recent months, Brian's articles focusing on security issues have been widely circulated on the Internet, corporate newsletters, and print mag azines.