Cast your mind back to the year 2000 – we were in a new world post Y2K, internet was available in homes and Whitney Houston, Faith Hill and Savage Garden were in the charts singing about love.
For me, I had just graduated and was trying to get my first job in journalism, some eight years before getting into cybersecurity. However, one thing cybersecurity-related that did grab my attention in that year was on May 4 when the world was hit by its first major cyber-attack. It was on that date that the ILOVEYOU worm hit users across the globe, and became better known as ‘Love Bug’ or ‘Love Letter.’ You could argue that the Windows email worm was not really a cyber-attack at all, but for a few days, there was a lot more love in the room.
It’s hard to believe now, but we’re close to 20 years since the impact of that worm, and for me it has stood the test of time as a great example of a media frenzy around a cybersecurity incident. It also set a benchmark for how cybersecurity issues would go on to grip the first 20 years of this century.
Love Bug was one of the changing points that shaped current security professionals and procedures. Gavin Millard, now VP of intelligence at Tenable, said that the 1990s involved lots of large virus attacks, but now you see them less, and he put this down to having better inbound defenses on email. “Look at your inbox today, you hopefully don’t get spam,” he said. “Love Bug was a visual basic script that was emailed to you, and I was an admin when it hit. I knew something was brewing as I saw systems being knocked off in Asia.
“I sent an email to the whole company that said ‘If you get an email that says ILOVEYOU delete it as it is a virus’ but by about 10am, people were clicking on it and it hit.” He later regretted this action, as he said that he could have just put an email filter on to block it.
Mark Sumner was CTO of MessageLabs in 2000. He admitted that at the time, he had seen more complex viruses, but this “sent a lightning bolt” through him as it was pivotal in the fortunes of MessageLabs. Some eight years after the incident, MessageLabs was acquired by Symantec, and Sumner admitted that back in 2000, the company was tiny whilst “externally, we were portraying ourselves as bigger than we were.” The company had moved from desktop anti-virus to a cloud-hosted solution, and as this type of virus propagated fast, “the desktop scanner was only as good as the signature.” While a small portion of users applied the update, there was a window of six to 10 hours in which people could be hit.
Like Millard, Sumner said that he could see something happening as mail queues were building, and the company would run out of capacity in a few hours unless it used more RAID data storage to deal with the growing problem.
The Love Bug – Sumner admitted that on a press call an engineer named it that, whilst others called it Love Letter, hence the multiple names – spread through all addresses in a person’s contact list, with the body of the message saying “check attached love letter coming from me.” As the file had a long name, the “.exe” was dropped, so the recipient presumed they were looking at a text file.
Its actions were to send the same file to a user’s address book, which meant it was successful in spreading. The primary damage came from the impact on mailing systems, and the time and effort spent getting rid of the infection and recovering files from backups. One report claimed that the recovery costs were between $5.5bn and $8.7bn.
So 20 years on, what have we learned from Love Bug? Sumner said that, due to the similar but less impactful Melissa virus, which hit in 1999, some companies were reasonably prepared for something like Love Bug even back in 2000. Since then, the change from Windows to Outlook as the dominant ecosystem means we will not see this type of widespread attack again.
Lotem Finkelstein, threat intelligence group manager for Check Point, said that the success of ILOVEYOU, as one of the very first mass distribution malspam campaigns, paved the way for other threat actors to reach broad audiences. “Since then, hackers improved their techniques and tactics to reach our mailboxes, evading spam filters, and convincing victims to pull the trigger of different infection chains,” as well as carefully phrasing messages that look tailored to their recipients and investing in efforts to evade spam filters.
While we may never see something so widespread, and by today’s standards so harmless again, Love Bug was a major benchmark for security. It affected businesses around the world, established a need for better preparation and immediate disaster recovery, and hit the media around the world too. Will we see it’s like again? Some may say that 2017’s WannaCry ransomware had a similar impact, so perhaps it’s best to learn from history!