Lessons of the Love Bug

Onel de Guzman has been accused of causing between $8-10 billion worth of damage worldwide. As the alleged brains behind the Love...

Onel de Guzman has been accused of causing between $8-10 billion worth of damage worldwide. As the alleged brains behind the Love Bug virus, how did this failed graduate beat the world’s finest anti-virus software vendors?

Love's outbreak

After the last major virus outbreak (Melissa), anti-virus companies were keen to stress how quick they were to react to the problem. Patches were issued, the loophole that Melissa exploited had been plugged and all was well with the world. Virus writers kept producing programs that were caught by system software defences and the issue of a major, business-crippling virus faded from the newspaper columns.

On the morning of 4 May, servers within Philippine businesses started reporting spurious email traffic. Virus detection software, at this point, had not detected any unusual activity and, as such, allowed thousands of emails to be generated by each infected user. With the global time delay, most of Europe and the US were finished for the day. The virus propagated each time a user opened an infected email. Like the Melissa outbreak, every person in the address book received a copy of the virus, with the "I Love You" enticement.

As business came online, message servers full of love letters containing the virus triggered a European wave. When the first alert went out in the morning, many managers decided to suspend email services. The more cautious decided to pull web access due to workers with Hotmail accounts infecting the network.

This was a wise course of action, as the payload of the virus that was thought to be simply deleting JPEG and MP3 files was, in fact, much more serious. A few users reported that after email services had been blocked, messages were being generated by some systems containing the users' hostnames, IP addresses, and remote access and cache passwords. These emails were being directed to an email address in the Philippines belonging to an individual named Bartok.

The virus, when activated, changes several key Windows system files and deletes or renames image and audio files. The virus spreading in a corporate environment caused mail servers to seize up as each user, mailed every other user, who, in turn, passed it on again. With the prospect of a Trojan horse on the system, potentially passing on passwords and login details to hackers, many businesses simply pulled the plug on the network and called in teams to scan and repair infected machines.

The cost of the virus has been estimated at as much as $10 billion worldwide, a figure reached by accounting for lost working time, cost of overtime for IT staff and damage to data systems.

Love taking hold

The Love bug came out of the blue for many. The virus used the Visual Basic (VB) language, which, with the shipping of Internet Explorer 5.0, embedded the VB scripting engine inside Windows. With this in place, the virus effectively bypassed virus-scanning software. The notion that this outbreak came as a surprise is a slight untruth. In fact, many of the most respected anti-virus experts had discussed the possibility of such an attack at conventions such as EICAR and ComSpec.

Friðrik Skúlason has been at the forefront of anti-virus research. His F-Prot anti-virus software is one of the most widely used in the world and was the only recorded package to detect and block the Melissa virus before it was identified.

Late last year, in an exclusive interview with ITNETWORK.COM, Skúlason warned of the possibilities of another such attack. "Mobile code (Java, Activex, Visual Basic Script [VBS]) offers a interesting challenge to virus writers. There are several loopholes that writers can exploit. In Java, Sun is closing loopholes while Microsoft seems to be doing everything possible to help these writers."

Considering that the Love Bug virus was enabled via the embedded VBS runtime library installed with IE5, Skúlason is critical of the operating system manufacturer. "They don't care or seem to realise about the security implications,"he continues."In fact, they have never been very concerned - look at the vulnerabilities within Outlook and IIS."

Skúlason also has the distinction of being the inventor of heuristic detection, but even F-Prot was unable to detect the Love Bug. Major anti-virus manufacturer, Symantec, faired as well as any other vendor, but still failed to block the initial infection. Eric Chien, chief researcher at Symantec's Anti-Virus Research Centre, explains.

"With viruses, we can look at files and look at their characteristics. If they do things like opening other files, copying themselves to other files or attempting to format your drive, for example, then we can identify them as viruses. This is called a heuristic. However, no anti-virus product had heuristics created for VBScript. There are literally hundreds of platforms/languages that viruses can be written in, and to create a heuristic for each is time consuming and the return on investment in detection rate is low. Thus, we create heuristics for the greatest threats. For example, we have heuristics for macro viruses which still account for 70 per cent of the viruses in the world."

"Return on investment" is the key phrase here. Creating heuristic tools for every conceivable virus threat would be incredibly expensive and time-consuming, probably beyond the scope of any single anti-virus company. In the ultra-competitive world of anti-virus software, placing an extra £100 per user, per year could be unacceptable to both vendor and customer alike.

Love causes problems

The most important question is: what could the diligent IT manager have done to protect his computer systems? The good news for those taking the flak is: not a lot. Due to the speedy propagation of the Love Bug and the lack of software able to diagnose its activities through heuristics, only the ultra-paranoid would have been able to screen for a threat coming in via VBS. Users of products such as Lotus Notes, DOS, Unix and Mac operating systems avoided the virus' effects, but this was only because those mail clients were not targeted by the virus writer. Thin client systems also reported very few ill-effects from the love-bug virus, due to the lack of local email applications or VBS runtime libraries.

Protecting against the next inevitable virus wave is the key. Technical manager Ian McManus, from Panda Software, a new but innovative player in the anti-virus market, offers sound advice. "If an infection is detected, it is important to isolate your network and shut down your mail server as quickly as possible. As well as anti-virus software, a strict anti-virus policy should be in place, which includes firm instruction to all employees that they must not open unsolicited email attachments. Protection is a combination of a good anti-virus software product, user education, patches and fixes." McManus agrees that creating heuristic scanning for every possible threat "...would be impractical and cause a unacceptable level of false alerts."

As for the next round of virus attacks, the security hole exploited by VBS has not been satisfactorily solved. Simply blocking out VBS attachments leads to a dangerous precedent - that of reducing the pace of Internet innovation. Considering that Activex, Java, CorelSCRIPT, XML and several emerging scripting languages can all theoretically carry viruses means that a solution needs to be found that protects as opposed to merely blocking the benefits of mobile code and smart emails. The cost of anti-virus software may have to increase to provide the funding to create heuristic tools to protect against the new wave of threats.

Security infrastructures, like PKI, may offer a closed loop preventing viruses from entering systems. PKI uses a system of certificates and authentication tools to guarantee that the sender of a message is a trusted source and that the message has been sent intentionally as opposed to the consequence of a virus. Specialist mobile code software producers, like Finjan and Security7, are pushing their wares heavily on the back of the Love Bug. As specialists in protecting against mobile code, they add extra protection. However, both PKI and specialist mobile code software is not a complete solution and can be very expensive to implement in addition to the current anti-virus software.

Don't take candy from strangers

The likelihood is that protecting against viruses is going to become increasingly more complex as the Internet becomes increasingly more feature-rich and operating systems begin to automate many of the functions which currently require human interaction. Even devices previously thought to be immune from viruses are now potential targets. At the time of writing, the first mobile phone viruses have been reported and with WAP, Bluetooth and broadband about to saturate the market, the next virus outbreak may affect more than just desktop computer users.

A last word from Symantec's Eric Chien, "The weak link will always be the human. The [Love Bug] virus spread not because of a technological advancement in virus writing, but more because of social engineering. Who doesn't like to get a love letter? We need to again use the same common sense we do on the street when we are online. It is about just following our mother's advice of not taking candy from strangers."

Will Garside

lovevirussol Will garside 09/06/00 18:08

Read more on Antivirus, firewall and IDS products