Onel de Guzman has been accused of causing between $8-10 billion
worth of damage worldwide. As the alleged brains behind the Love
Bug virus, how did this failed graduate beat the world’s finest
anti-virus software vendors?
Love's outbreak
After the last major virus outbreak (Melissa), anti-virus companies were keen to stress how quickly they had reacted to the problem. Patches were issued, the loophole that Melissa exploited had been plugged and all was well with the world. Virus writers kept producing programs that were caught by system software defences, and the issue of a major, business-crippling virus faded from the newspaper columns.

On the morning of 4 May, servers within Philippine businesses started reporting spurious email traffic. Virus detection software had not, at this point, detected any unusual activity and so allowed thousands of emails to be generated by each infected user. With the global time delay, most of Europe and the US were finished for the day. The virus propagated each time a user opened an infected email. As in the Melissa outbreak, every person in the address book received a copy of the virus, with the "I Love You" enticement.

As business came online, message servers full of love letters containing the virus triggered a European wave. When the first alert went out in the morning, many managers decided to suspend email services. The more cautious also pulled web access, because workers with Hotmail accounts were infecting the network.

This was a wise course of action, as the payload of the virus, which was thought simply to delete JPEG and MP3 files, was in fact much more serious. A few users reported that after email services had been blocked, some systems were still generating messages containing the users' hostnames, IP addresses, and remote access and cache passwords. These emails were being directed to an email address in the Philippines belonging to an individual named Bartok.

The virus, when activated, changes several key Windows system files and deletes or renames image and audio files. Spreading in a corporate environment, it caused mail servers to seize up as each user mailed every other user, who in turn passed it on again. With the prospect of a Trojan horse on the system, potentially passing passwords and login details to hackers, many businesses simply pulled the plug on the network and called in teams to scan and repair infected machines. The cost of the virus has been estimated at as much as $10 billion worldwide, a figure reached by accounting for lost working time, the cost of overtime for IT staff and damage to data systems.
Love taking hold

The Love Bug came out of the blue for many. The virus used the Visual Basic (VB) language, which, with the shipping of Internet Explorer 5.0, embedded the VB scripting engine inside Windows. With this in place, the virus effectively bypassed virus-scanning software. The notion that this outbreak came as a surprise is a slight untruth. In fact, many of the most respected anti-virus experts had discussed the possibility of such an attack at conventions such as EICAR and ComSpec.

Friðrik Skúlason has been at the forefront of anti-virus research. His F-Prot anti-virus software is one of the most widely used in the world and was the only recorded package to detect and block the Melissa virus before it was identified.

Late last year, in an exclusive interview with ITNETWORK.COM, Skúlason warned of the possibility of another such attack. "Mobile code (Java, ActiveX, Visual Basic Script [VBS]) offers an interesting challenge to virus writers. There are several loopholes that writers can exploit. In Java, Sun is closing loopholes while Microsoft seems to be doing everything possible to help these writers."

Considering that the Love Bug virus was enabled via the embedded VBS runtime library installed with IE5, Skúlason is critical of the operating system manufacturer. "They don't care or seem to realise about the security implications," he continues. "In fact, they have never been very concerned - look at the vulnerabilities within Outlook and IIS."

Skúlason also has the distinction of being the inventor of heuristic detection, but even F-Prot was unable to detect the Love Bug. Major anti-virus manufacturer Symantec fared as well as any other vendor, but still failed to block the initial infection. Eric Chien, chief researcher at Symantec's Anti-Virus Research Centre, explains. "With viruses, we can look at files and look at their characteristics. If they do things like opening other files, copying themselves to other files or attempting to format your drive, for example, then we can identify them as viruses. This is called a heuristic. However, no anti-virus product had heuristics created for VBScript. There are literally hundreds of platforms/languages that viruses can be written in, and to create a heuristic for each is time consuming and the return on investment in detection rate is low. Thus, we create heuristics for the greatest threats. For example, we have heuristics for macro viruses, which still account for 70 per cent of the viruses in the world."

"Return on investment" is the key phrase here. Creating heuristic tools for every conceivable virus threat would be incredibly expensive and time-consuming, probably beyond the scope of any single anti-virus company. In the ultra-competitive world of anti-virus software, adding an extra £100 per user, per year could be unacceptable to vendor and customer alike.
Love causes problems

The most important question is: what could the diligent IT manager have done to protect his computer systems? The good news for those taking the flak is: not a lot. Given the speedy propagation of the Love Bug and the lack of software able to diagnose its activities through heuristics, only the ultra-paranoid would have been able to screen for a threat coming in via VBS. Users of products such as Lotus Notes, and of the DOS, Unix and Mac operating systems, avoided the virus' effects, but only because those mail clients were not targeted by the virus writer. Thin client systems also reported very few ill-effects from the Love Bug virus, due to the lack of local email applications or VBS runtime libraries.

Protecting against the next, inevitable virus wave is the key. Technical manager Ian McManus of Panda Software, a new but innovative player in the anti-virus market, offers sound advice. "If an infection is detected, it is important to isolate your network and shut down your mail server as quickly as possible. As well as anti-virus software, a strict anti-virus policy should be in place, which includes firm instruction to all employees that they must not open unsolicited email attachments. Protection is a combination of a good anti-virus software product, user education, patches and fixes." McManus agrees that creating heuristic scanning for every possible threat "...would be impractical and cause an unacceptable level of false alerts."

As for the next round of virus attacks, the security hole exploited by VBS has not been satisfactorily solved. Simply blocking VBS attachments sets a dangerous precedent - that of reducing the pace of Internet innovation. Considering that ActiveX, Java, CorelSCRIPT, XML and several emerging scripting languages can all theoretically carry viruses, a solution needs to be found that protects rather than merely blocking the benefits of mobile code and smart emails. The cost of anti-virus software may have to increase to fund the heuristic tools needed to protect against the new wave of threats. Security infrastructures like PKI may offer a closed loop that prevents viruses from entering systems. PKI uses a system of certificates and authentication tools to guarantee that the sender of a message is a trusted source and that the message was sent intentionally rather than as the consequence of a virus. Specialist mobile code software producers, like Finjan and Security7, are pushing their wares heavily on the back of the Love Bug. As specialists in protecting against mobile code, they add extra protection. However, neither PKI nor specialist mobile code software is a complete solution, and both can be very expensive to implement on top of existing anti-virus software.
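Chien's description of heuristics and McManus's advice on attachment policy together suggest what a mail gateway could have done with VBScript in May 2000. The following Python screen is an added example, not code from the article, Symantec or Panda: it applies a script-attachment policy with a double-extension check and a small VBScript heuristic score in the spirit of the "opens other files / copies itself" rules Chien describes; the rule patterns, weights, threshold and the constructed sample message are all assumptions.

```python
# Added example (author's own, not the article's or any vendor's): a mail gateway
# attachment policy plus a VBScript heuristic score; rules and sample are assumed.
import re
from email import message_from_string

SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}
VBS_RULES = [  # (regex over script text, weight, description)
    (r'CreateObject\(\s*"Scripting\.FileSystemObject"', 2, "file system access"),
    (r'CreateObject\(\s*"Outlook\.Application"', 3, "drives the mail client"),
    (r'\.AddressLists\b|\.AddressEntries\b', 3, "enumerates address books"),
    (r'WScript\.ScriptFullName', 2, "reads its own path (self-copy pattern)"),
]

def score_vbscript(text):
    """Sum the weights of every rule that matches the script body."""
    score, hits = 0, []
    for pattern, weight, desc in VBS_RULES:
        if re.search(pattern, text, re.IGNORECASE):
            score, hits = score + weight, hits + [desc]
    return score, hits

def screen_attachments(raw_mail, threshold=5):
    """Return {filename: (verdict, score, hits)} for each attachment."""
    verdicts = {}
    for part in message_from_string(raw_mail).walk():
        name = part.get_filename()
        if not name:
            continue                       # body text or multipart container
        stem, dot, ext = name.lower().rpartition(".")
        if dot + ext not in SCRIPT_EXTS:
            verdicts[name] = ("allow", 0, [])
            continue
        body = part.get_payload(decode=True).decode("latin-1", "replace")
        score, hits = score_vbscript(body)
        if "." in stem:                    # note.txt.vbs: disguised script
            score, hits = score + 3, hits + ["double extension"]
        verdicts[name] = ("quarantine" if score >= threshold else "allow", score, hits)
    return verdicts

# Constructed sample: the script only instantiates two objects, no working payload.
SAMPLE_MAIL = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="love-letter.txt.vbs"

Set fso = CreateObject("Scripting.FileSystemObject")
Set app = CreateObject("Outlook.Application")
--b1--
"""
```

A real gateway would add a sandbox verdict and tune the weights against false alerts, which is exactly the cost McManus warns about.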
Don't take candy from strangers

The likelihood is that protecting against viruses is going to become increasingly complex as the Internet becomes ever more feature-rich and operating systems begin to automate many of the functions that currently require human interaction. Even devices previously thought to be immune from viruses are now potential targets. At the time of writing, the first mobile phone viruses have been reported, and with WAP, Bluetooth and broadband about to saturate the market, the next virus outbreak may affect more than just desktop computer users.

A last word from Symantec's Eric Chien: "The weak link will always be the human. The [Love Bug] virus spread not because of a technological advancement in virus writing, but more because of social engineering. Who doesn't like to get a love letter? We need to again use the same common sense we do on the street when we are online. It is about just following our mother's advice of not taking candy from strangers."
Will Garside
09/06/00 18:08