Social aspects of the Love Bug virus

[This was originally published on SunWorld and IDG, and mirrored on]

Email clients and operating systems must better protect the end user

The latest and not-so-greatest computer virus — the Love Bug — was no isolated event, and because of the widespread damage it caused and the media coverage it generated, it serves as an excellent example to illustrate several points. Here, noted security specialist Brian Martin dishes the dirt on antivirus companies, the government’s preventive measures, cyber detectives, and the guesswork involved in estimating billion-dollar damages. (3,500 words)

Sometime on May 4, 2000, several antivirus companies, security professionals, and unwitting email users discovered what has now been labeled the Love Bug virus. Within hours, it had spread to just about every continent and had wormed its way into tens of thousands of companies. Hours later every antivirus company in existence scrambled to claim credit for discovering the virus and for being the first to provide a cure. Most Internet users believe those companies were on top of events and deserved credit. But from security veterans of past virus incidents, a deep collective sigh could be heard.

The Love Bug’s ability to automatically mail itself to everyone in an infected user’s Microsoft Outlook address book made it particularly nasty. Those who save every email message they receive, or who have business contacts at a wide number of companies, provided the virus with a perfect opportunity to spread like wildfire. The effectiveness of this replication method lies in who knows whom. Doug Thompson, who writes a column called “The Rant” for Capital Hill Blue, came out with a great piece that threw blame at a familiar face and also outlined the fundamental problem.

Former Congressman Fred Grandy was one of those idiots. Grandy now runs Goodwill Industries. He walked into his office on Thursday, pulled up his e-mail and clicked on the “I Love You” e-mail attachment, even though his in-box also contained a warning from his computer folks.

Zap. The virus went out to more than a hundred of the nation’s top CEOs, courtesy of the man whose greatest claim to fame is playing a character named “Gopher” on TV’s old “Love Boat” series.

More victims than the common cold
The rate at which the virus replicated is nothing short of amazing. It takes the work of thousands of computer users to help such a virus propagate, as can be seen in the battle fought by a New Zealand company:

New Zealand’s largest telecommunications operator Telecom said on Saturday it had deleted more than 17,000 messages carrying the “Love Bug” computer virus from its Internet service and was searching for new variations. –Reuters

… and in the preventive measures taken by the US Department of Education:

Bradshaw said that chief information officer Craig Luigart found 10,000 incoming ILOVEYOU emails queued up for recipients whose last names began with “A” or “B.” Luigart estimates that throughout the entire department, the system prevented another 100,000 to 200,000 infected emails from being sent out. All of the viruses have been rendered harmless, Bradshaw said. –Federal Computer Week

The Love Bug initially claimed an estimated 1 million computers as victims. One day later, Computer Economics, a research firm in Carlsbad, Calif., was putting the victim count closer to 45 million worldwide.

While such a virus can spread fast, it’s difficult to believe that in 24 hours the Love Bug could jump from 1 to 45 million machines, especially given the amount of press it received. The fixes that the antivirus companies provided should have slowed the virus as well.

Disparate estimates
Only two companies — and Computer Economics — provided damage estimates to the media. Their numbers were remarkably in sync with each other. During the first day of the virus’s rampage, they estimated damages to be between $1 billion and $2.61 billion.

Regardless of a company’s expertise, guesswork is a wild card inherent in such statistics. Considering the hundreds of millions of computers that make up the Internet, who is in a position to monitor how many machines were affected, and how much damage that really equated to? How could two companies, or even a hundred companies, really prove that 45 million computers were infected?

According to Wired News, the virus had already infected 1 million computers by 9 a.m., with saying that damages would reach more than $1 billion.

If 1 million computers cause $1 billion in damage, the overall damage should have been close to $45 billion, yet final estimates of the damage ranged between $7 billion and $10 billion, far short of the pattern seen in the first two days after the virus erupted. Shortly after initial figures were released, Computer Economics came up with a new prediction: damages would grow $1 billion to $1.5 billion a day until the virus was eradicated.

As a side note, plugging numbers in to a simple calculation — $10 billion total damage divided by 45 million infected computers — we see that each infected computer caused an estimated $222 in damages.

Where does that kind of damage really factor in, though? One CNN article quoted an employee of a Norwegian photo agency, ScanPix, which lost some 4,500 photos. Had the Love Bug virus struck three days earlier, photos from the Norwegian war archives would have been lost.

“Between 6,000 and 6,500 photos were deleted by the virus, and we only managed to rescue 1,500 of them. The rest seem to be lost,” ScanPix managing editor Tore Sannum told CNN Norway.

I don’t mean to be insensitive, but you won’t find me crying a river over this loss. A company that deals with such rare and valuable digital photographs shouldn’t be working on production machines connected to the rest of the networked world. To do so is to openly beg for the next disaster to smite it down and cast all its hard work aside. Companies like this further plague the rest of us because the damages caused by their sloppy practices are mixed in with more legitimate losses. The subhead to the paragraphs quoted above should twist knots in your stomach: “History Nearly Lost,” it reads. The implication is that because of this virus a small portion of our world’s history was nearly destroyed. If leaving that history unnecessarily vulnerable isn’t criminal negligence, it certainly should be.

Self-fulfilling prophecy
I’m a believer in the idea that once a person starts thinking something will occur, that event is more likely to happen. People tend to act subconsciously in ways that will help effect what they predict. This notion seems to be demonstrated rather well by the damage tags surrounding the Love Bug virus. Of particular interest was the rapid growth of those figures, which were presented with no verifiable explanation. Near the end, estimates jumped from $6.7 billion to $10 billion, the original figure of some 20 days prior.

May 4 — CNN reports that by 9 a.m. that day, more than $100 million in damage has been done and that by Monday the damage will climb as high as $1 billion, according to

May 5 — Analysts with Computer Economics say that by Wednesday (May 10), the total damage may reach $10 billion and climb $1 billion a day.

May 9 — Computer Economics analysts say that damage caused by the virus has reached the $5 billion mark and could total $10 billion.

May 10 — Computer Economics says that the Love Bug and its copycats have caused $6.7 billion in damages.

At this point Computer Economics’ own figures don’t always agree with each other. On May 5 they say that by May 10 the damage could reach $10 billion, yet they’re quoted on May 10 as giving a substantially lower tag. Their theory of the damage increasing $1 billion a day is considerably off. But later down the road the $10 billion estimate creeps back into articles, as it did in one from the Associated Press, often with no attribution:

May 27 — “Earlier this month, the ‘Love Bug’ virus, and a later variation, reached millions of computers purportedly bearing a love letter. Estimates of the damage ranged up to $10 billion, mostly in lost work time.”

Who felt the love?
According to Federal Computer Week, the following government agencies reported being affected by the virus:

  • The army divisions Aviation-Missile Command, Redstone Arsenal, Tank-Automotive Command — Experienced “major email disruptions.”
  • Central Intelligence Agency (CIA) — Reported a “handful of isolated attacks.”
  • Department of Energy (DOE) — Experienced some trouble despite each employee’s being greeted with a warning not to open unknown email.
  • House of Representatives — Told FCW that the “virus bloomed in abundance.”
  • Senate — Shut down its email system for a short time.

The Pentagon, National Security Agency (NSA), Britain’s House of Commons, and dozens more suffered incidents involving the Love Bug. It is almost unbelievable that those agencies continually deal with security breaches of all kinds. Common sense would suggest that workers who protect vital parts of our government systems (some of which contain your sensitive and private information) would be better trained. Some experts also say that those agencies shouldn’t be running software that assists destructive viruses. Perhaps most alarming is the number of reports of classified systems being struck by the Love Bug. Aren’t those supposed to be secure machines with little or no outside network access?

Making a quick buck
The more you read about this case, the more you have to wonder about the various roles people play. Companies like and Computer Economics are obviously spending time pushing their statistics on every media outlet willing to lend an ear. Oftentimes antivirus companies race to come up with a solution. Who wins and who loses is sometimes measured in hours, not days, and never mind that their products often don’t implement basic heuristic analysis of email attachments.

When new vulnerabilities are discovered in various products or operating systems, computer security firms typically benefit in one way or another. Just as security firms stay in business because of network vulnerabilities, antivirus companies stay in business because of viruses. Antivirus firms help create media attention surrounding viruses, so it should come as no surprise that after news of the fast-spreading Love Bug virus broke May 4, shares of Computer Associates, McAfee, and Network Computers rose drastically.

Often overlooked is a group of people who profit in their own way, possibly more than the antivirus companies. For example, outlets like Wired News wrote no fewer than 14 pieces on the virus; larger companies wrote even more. One has to wonder if there aren’t too many articles about the virus, especially after reading each and every one only to find the same information and quotes from days before.

The past 12 months have seen two major viruses devastate the Internet. The first was the Melissa macro virus, which swept through corporate America and ultimately caused an estimated $80 million in damage. Millions of Internet users are collectively slapping their foreheads wondering why they didn’t learn their lesson the first time, while others are noticing a connection between Melissa and the Love Bug.

A journalist friend recently emailed a startling revelation. “I was looking for some deeper meaning in the last two major virus assaults,” he wrote. “Each one has seven letters and three vowels, and if you rearrange the letters, MELISSA and LOVE BUG spell: BIG VOLUME SALES.”

My friend was joking, but his message is disturbingly ironic. While Melissa and the Love Bug caused $80 million and $10 billion in damage, respectively, antivirus and security companies no doubt raked in the big dough.

Who wrote the virus?
When the price tag for a virus attack rolls in at anywhere over a buck seventy-five we have to find someone accountable for the damage in order to sleep at night. Within a few days of an outbreak, computer crime investigators, many of whom aren’t employed by law enforcement, begin tracking down leads that might point to the virus’s creator. As each clue is discovered a new article comes out that keeps the masses up-to-date with the investigation.

B.K. Delong was the first to point out the errata streaming forth from the media regarding different suspects and their possible involvement in the creation of the Love Bug. While some critics say that Delong’s argument consists of nothing more than nitpicky details, he makes a valid point about the state of reporting breaking news. If respected news agencies like the Associated Press, CNN, and Reuters can’t get the names, ages, and relation of suspects correct, what else is incorrect?

We are the Men in Black
As with most events involving computer crime, a shower of criticism poured down on federal agencies and their response to the virus. But along with the usual security professionals and antigovernment types, a group of unlikely critics joined in the bashing.

According to a Yahoo Finance article, the General Accounting Office (GAO), Congress’s investigative and auditing arm, believes that the US government was poorly organized for a response. “Our audits continue to find that most [federal] agencies continue to lack the basic management framework to effectively detect, protect against, and recover from these attacks,” said Keith Rhodes, technical director for the chief GAO scientist.

Before lambasting the government for being a few steps behind, you must qualify who “the feds” are, exactly. In this context, I think it fair to divide them into law enforcement, response teams, and other agencies. One exception to this division would be a group like the FBI’s NIPC, which both performs criminal investigations and attempts to be a response team. I covered some of the government agencies above, so here I’ll focus on response and law enforcement.

The well-known Carnegie Mellon-based Computer Emergency Response Team (CERT) provided an advisory to the public on May 4, the day the virus first appeared. FedCIRC followed up shortly afterward by distributing a reprinted CERT advisory. While FedCIRC apparently couldn’t offer more information, it was at least able to distribute the notice to more Internet users. The FBI’s National Infrastructure Protection Center (NIPC) was able to draft one paragraph on the day the virus began. The paragraph suggested deleting mail with the subject “ILOVEYOU” and concluded by saying that antivirus companies were working to solve the problem.

While we can’t expect those response teams to know everything about every breaking incident, the NIPC was sorely lacking in its response. Common sense should have told its staff that the virus would quickly mutate beyond the subject of ILOVEYOU. Generic recommendations of filtering rules or other precautions should have been the least of what they offered to struggling system administrators. Twelve hours and 10 million computers later they finally came through.

Law enforcement agents still haven’t convicted anyone of authoring and releasing the virus. As of May 19, investigators with the Philippine NBI are still compiling evidence against Reonel Ramones, who has been preliminarily charged with the crime. Ramones denies the charges and insists his is a case of mistaken identity. Also implicated is Ramones’s classmate and quasi-coworker Michael Buen, who claims that some 40 people were involved in writing the virus.

Placing the blame
If a single virus can bring the networked world to its knees for a few days, we have deeper seated and more fundamental problems than finding and convicting the perpetrators of an offense. Because of the simplicity with which they could be infected (by merely clicking on an email attachment), many computer users pointed a finger at Microsoft. The virus was effective because it targeted Microsoft’s Outlook email client, which has possibly the largest installed base in the world. Microsoft quickly denied the allegations of software weakness.

According to Scott Culp, the program manager for Microsoft’s Security Response Center, “There isn’t a security vulnerability in Outlook involved in this at all.” He added, “The issue here isn’t scripting; it’s the social phenomenon of virus writing.”

Social phenomenon or not, Microsoft Outlook certainly assisted users in infecting themselves with this virus and its subsequent mutations. An article in the Industry Standard refuted Culp’s claims and explained why Microsoft should share in the blame:

The Love Bug took advantage of a feature in Windows called Windows Scripting Host, which allows users to automate routine tasks. The virus’ author created a Visual Basic script that was directed to send itself to all recipients in a user’s Microsoft Outlook address book and then delete image files and hide audio files.

The Scripting Host is not the only Windows feature that invites hackers. Other flaws include Outlook’s automation feature, which allows external programs to command the application remotely. Security experts say such features should be disabled by default.

“The bottom line is that very few people need [the Scripting Host], and yet it’s turned on by default,” says Richard M. Smith, a security expert and Internet consultant based in Brookline, Mass. “Windows Scripting Host [is] almost like the Virus Scripting Host.”
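The two passages above make a pair of practical points for anyone running a mail gateway: the NIPC’s subject-line advice (“delete mail with the subject ILOVEYOU”) stops working the moment a variant changes its subject, while the Industry Standard piece identifies the real vehicle, a Windows Scripting Host script delivered as an attachment. The following is an added example, not code from the article or from any vendor it mentions, of a filter that decides on the attachment type instead of the subject. The extension list, the addresses and the three sample messages are constructed for the demonstration; the attachment bodies are placeholder text, not any script.

```python
"""Attachment-type mail filter (added example, not from the article).

Quarantines messages carrying a Windows Scripting Host script as an
attachment, whatever the Subject line says.  All sample data below is
constructed for this demonstration.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Extensions that Windows Scripting Host runs when the file is opened.
# This list is an assumption for the example, not an exhaustive policy.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}


def attachment_names(raw: bytes) -> List[str]:
    """Return the filenames of every attachment in an RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def is_script_attachment(filename: str) -> bool:
    """True if the LAST extension is a script type.

    Lower-casing catches 'invoice.VBS'; checking only the final suffix
    catches double extensions such as 'greeting.txt.vbs', which Explorer
    shows as 'greeting.txt' when known extensions are hidden.
    """
    name = filename.strip().lower()
    if "." not in name:
        return False
    return "." + name.rsplit(".", 1)[1] in SCRIPT_EXTENSIONS


def classify(raw: bytes) -> Tuple[str, List[str]]:
    """Return ('quarantine', [offending filenames]) or ('deliver', [])."""
    bad = [n for n in attachment_names(raw) if is_script_attachment(n)]
    return ("quarantine", bad) if bad else ("deliver", [])


def build_message(subject: str, filename: str, body: bytes) -> bytes:
    """Construct a one-attachment message (test data only, addresses made up)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = subject
    msg.set_content("kindly check the attached file")
    msg.add_attachment(body, maintype="application",
                       subtype="octet-stream", filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    # Constructed samples: a script hidden under a double extension, the
    # same kind of script with an unrelated subject, and a harmless text
    # file carrying the famous subject.  A subject-only rule misjudges the
    # last two; the attachment-type rule gets all three right.
    samples = [
        build_message("ILOVEYOU", "greeting.txt.vbs", b"placeholder text\n"),
        build_message("Invoice overdue", "invoice.VBS", b"placeholder text\n"),
        build_message("ILOVEYOU", "poem.txt", b"roses are red\n"),
    ]
    for raw in samples:
        print(classify(raw))
```

The gateway decision is made on what the client would execute, not on what the sender wrote in the header, which is why the rule survives the mutations the article says the NIPC should have anticipated.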

Such well-founded comments led Microsoft to change its stance on the role of its products in the spread of viruses. Rather than blame it on a “social phenomenon,” one Microsoft manager stepped into the spotlight to let everyone know the company was addressing customer concerns.

“Given the fact that Love Bug was a global economic event, we need to do our part and take pretty decisive steps here, and we think this will eradicate this class of viruses,” Tom Bailey, Microsoft’s group product manager for Office, said in an interview.

“We always try to strike a balance between the openness of the product and security,” Bailey said.

“We’ve tried to be reactive to this thing, like antivirus software writers are. What we are trying to do going forward is to take a more proactive response to this,” he said. –Wired News

Like the antivirus companies, Microsoft apparently didn’t learn its lesson from the Melissa incident. Rather than use the less damaging but highly publicized virus as a gentle nudge to implement more antivirus features in its software, Microsoft stayed in the ring to take a few more blows. Now, it throws the towel in.

One method of determining Microsoft’s culpability might be to examine several virus incidents. When viruses are created, which products or operating platforms give them a ride into the wild? The answer is clear, says Will Rodger of USA Today:

More than 45,000 viruses infect PCs running the Windows operating system worldwide…. Hundreds more viruses appear each year, requiring armies of antivirus programmers to isolate and kill the offending bugs.

By contrast, perhaps 35 viruses have been written for the Macintosh and four or five for the Unix-based computers that run most Web sites, says Eugene Spafford, director of the Computer Operations, Audit and Security Technology lab at Purdue University.

Put simply, the last two big viruses were not Internet viruses. They, like virtually every virus that has made headlines in the last 10 years, were Windows viruses.

While many of us are neither users nor supporters of Microsoft, it would be unfair to place all the blame on that company. Yes, Microsoft helped create a faster and more efficient vehicle for viruses, but in the end the blame still lies with each person who opted to test-drive the vehicle. Together, they made a great team and share responsibility.

The best excuse yet
Just as you thought the Department of Justice v. Microsoft battle had crawled into the shadows, out pops Bill Gates with a truly magnificent piece of drivel. In the losing battle against the DOJ, Gates now claims that breaking apart the monopoly would harm the computer industry because it would strip them of their power to protect customers against viruses such as the Love Bug.

According to Gates:

The DOJ scheme also effectively imposes a ban of up to 10 years on the addition of any significant new end-user features to Windows. New features must be provided on an a la carte basis and priced separately to computer manufacturers. Provisions like these would kill innovation in the OS — and impair the livelihoods of the tens of thousands of independent software developers who depend on constant innovation in the OS to make their products more attractive. Updates to Windows and Office technologies that could, for example, protect against attacks such as the Love Bug virus would also be much harder for computer users to obtain.

As pointed out earlier, Microsoft failed to react to the Melissa virus. Unknown to most people is that the company also failed to react to dozens of other worms and thousands of other viruses. Each and every time a virus comes down the wire Microsoft has a chance to implement new features or methods of protection. In every case before the Love Bug, Microsoft has failed to take appropriate action. Despite this, Gates now claims that a Microsoft breakup would hinder it from reacting in the future.

Lessons learned
I would like to be able to say with confidence that we’ve all learned a number of lessons and that the next virus will be barely a blip on the computer security radar. It would be nice to see more email clients and operating systems come up with more protection for the end user. Despite Melissa and the Love Bug tearing through the Internet and showing us twice that we have some lessons to learn, we’re still vulnerable in the two areas that the Love Bug used to propagate itself: shoddy, insecure software and human nature.

Securing your network; Your startup’s survival depends on it

[This was originally published on IBM Developer Works and is mirrored on]

Collecting customer demographics is good, and collecting payments online is good. But it isn’t good if this information is stolen from your company’s computers. Brian Martin examines how — and how often — this really happens, and what you can do to prevent it.

In the last twelve months, over one million consumers have been the victims of personal information theft. These ordinary Web surfers have found that their credit card numbers and personal information were surreptitiously stolen from e-commerce Web sites where they conducted business. Each incident has seen anywhere from a few hundred to a few hundred thousand cards leaked out to unauthorized persons. In some cases, the once-private information found its way onto public Web pages for anyone to see. Here are a few sites that experienced credit card theft in recent months:

Table 1. Sites from which credit card numbers have been stolen recently

Site                   Cards stolen
Promobility/Ltamedia   26,000
CD Universe            300,000
7 Retailers            25,000
RealNames              10,000+
Thai E-Shop            5,000

(See Resources for sources for these figures.)

Other shops inadvertently expose consumer information above and beyond credit card numbers: revealed its customers’ billing and e-mail addresses, FAO Schwarz leaked consumer e-mail addresses and telephone numbers, and Northwest Airlines leaked both credit card and other personal information over the Web. (See Resources.)

In some cases the culprits were teenagers with a message that e-commerce is not safe, as with the recent Curador case (see Resources). Along with their rant about the evils of business on the Web came pilfered credit card numbers, hung out on public Web pages for everyone to see.

Having this information pilfered would have been bad enough: the adverse media publicity turned it into a public relations nightmare — with a company just like yours at the center of it.

For the average net user who just had their credit card number dumped into the lap of a fifteen year old known on the Internet as “0wn j00”, this is a hassle that typically takes ten minutes to resolve on the phone. This assumes that the customer is aware of the intrusion and theft of information. (Most cases of credit card information theft are not reported to the customers, even if the information is known to be compromised.)

I recently became aware that my own credit card had fallen into the hands of computer intruders, leading me to call Mastercard. Hitting the option to “report a stolen credit card,” I was shocked when the friendly operator asked me if the theft occurred via the Internet. The fact that they ask this question first, as if they assume that is where the theft occurred, startled me. Ten minutes later I had a new card number issued and I was ready to Web surf for more music and DVDs.

With fraud protection on all major credit cards, the end user’s liability for fraudulent purchases is capped at $50. A ten-minute phone call will get your card number re-issued and your account flagged to watch for suspicious activity, relieving you of future fraudulent purchases. With that in mind, it is easy to determine who really suffers over these information theft incidents.

Everyone must cough up some dough
The costs for reacting to and managing information theft incidents fall to the company with lax security as well as to the credit card companies. And the major credit card companies do not let this slide. Major credit card companies already categorize online retailers as “high-risk,” and, in recent months, Mastercard and Visa have announced measures that are not favorable to smaller online retailers (see Resources).

Given the nature of Americans and the frequency of lawsuits, it is probably only a matter of time before some angry net users file suit against insecure companies responsible for leaking out their private information. When a purchase is made on a business Web site, it is assumed that the transaction is secure. If a corner store were to hang all of their credit card receipts in the window, you can imagine the outcry and lawsuits that would result. This is effectively what some Web sites do with client information. Rather than voluntarily hang it in the window, they leave it in places that are almost as easy to find.

Don’t think you won’t be targeted
Being a nobody on the Internet is not going to save you. A new breed of attackers don’t even know your company name until after they break in. Utilizing intrusion programs that scan thousands of machines in minutes, they seek out a vulnerable server. To them, the machine may have a designation of “” and be completely meaningless — until they break into the machine. Once compromised, these attackers will then see who it belongs to and act accordingly. A large percentage of public Web defacements are committed against arbitrary companies regardless of who they are, or how big their network is. (See Resources for a link to the Attrition mirror, which chronicles Web defacements.)

Simply having an Internet presence puts you in the line of fire. Because of this, you must not think of being attacked as a “what if” scenario. It is more appropriate to think of it as a “when it happens” event. When your corporate network is attacked, will it be able to repel the miscreants? If they manage to compromise your systems, what information is there to be pillaged and shared with the world? How will your customers react if their personal information and credit cards are shared with millions of people? A single incident involving information theft can devastate a company’s reputation and integrity. By planning ahead and incorporating good security from the start, companies have the power to avoid these incidents.

But fixing now is expensive!
No matter how large (or small) your company may be, regardless of what financial resources may be available, paying large amounts of money to implement a secure Internet presence can be difficult to justify. The powers that be don’t understand the need to spend money on a project with no tangible results: no product in hand, no new service or abilities; just the notion that the corporate network is now “secure,” whatever that means. Ironically these same money managers don’t blink when spending a million dollars on a secure corporate building. Large fences, extra lighting, biometric access devices, controlled access vaults and safes are a given. No one in their right mind would think of building a corporate headquarters without these security mechanisms. Yet when it comes to computer network security, administrators find themselves fighting to install a $1000 firewall.

A clear pattern exists in the last five years of public computer intrusion incidents. Once a company has been virtually molested and has had articles written about it, there tends to be a followup to the original breaking news that tells how the company is throwing unbelievable amounts of effort and money at prevention. It seems that it takes an embarrassing incident and a company being raked over the coals of public opinion for the notion of computer security to be considered seriously.

Preventive network security is cheap at any price: as with an old car, a twenty dollar oil change today can save you a three thousand dollar engine rebuild tomorrow.

The consequences if you don’t
If your company reported a $1.5 million loss over the intrusion and theft of your entire client database, would you be happy? As you laugh at my absurd question, consider that it is not uncommon to see such high damage tags on computer intrusions.

Table 2. Recent damage reports

Case            Reported damage ($)
Kevin Mitnick   299 Million
PhoneMasters    1.85 Million
Citibank        10 Million+

While I am often a critic of such high figures, these are the numbers you see in the headlines after an attack. Whether the damage was really worth one million or one thousand, millions of your potential clients will often see the more dramatic figure splashed across the news.

Besides: can you afford any needless damages, to your bottom line or to your reputation, from computer intrusions? Can you afford to lose the demographic information you’ve painstakingly collected, or your trade secrets, or the credit card numbers (and the trust) of your customers?

A bit of free advice
The fact that you will be broken into or at least targeted shouldn’t discourage you in the least. It is rather easy to arm yourself with the tools and techniques needed to prevent it from happening to you.

First and foremost, show due diligence by securing your networks now, before an incident occurs. Develop a security plan that will protect both you and your customers and implement it as fast as possible. If your network already enjoys some security, this is the time to give it a thorough review and consider additional defenses. Proactive security is the single most beneficial action one can take with any corporate resource, especially computer networks.

If your company operates a Web page that takes in customer information such as name, address, and credit card, develop a system that pushes that information to a secure machine until it can be moved offline. Once a transaction occurs, there is absolutely no need to keep this sensitive information online. At that point the information serves a single negative purpose: it’s a target for computer intruders. While it is convenient for customers to revisit a Web site and not have to type in that long sixteen-digit credit card number, is it really that much of a hassle compared to the threat of the information being publicly disseminated?
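The advice above, that nothing sensitive should remain on the Web-facing machine once a transaction has cleared, can be made concrete with two small routines: one that splits an order into the record the Web tier keeps (name, amount, last four digits, an opaque reference) and the record that is handed to the secure machine, and one that scans any text the Web tier stores or logs for a full card number that slipped through. The following is an added example, not code from the article or from any of the companies it mentions. The field names, the order record and the card number (the well-known 4111 1111 1111 1111 test number) are constructed for the demonstration, and the Luhn check is the standard checksum that all major card numbers satisfy.

```python
"""Keep full card numbers off the Web tier (added example, not from the article).

split_order() separates what the Web server may keep from what goes to the
secure machine; contains_pan() is the check a defender runs over Web-tier
records and logs to confirm no full card number was left behind.
"""
import json
import re
import secrets
from typing import Dict, Tuple

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded
# in a longer digit run.  Candidate runs are then confirmed with Luhn.
PAN_RUN = re.compile(r"(?<!\d)(\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum: double every second digit from the right,
    subtract 9 from any result over 9, and require the sum to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """True if the text holds a digit run that looks like a valid card number."""
    for m in PAN_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            return True
    return False


def split_order(order: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (web_record, vault_record).

    web_record stays on the Web tier and carries only the last four digits
    plus a random reference; vault_record carries the full number and is
    pushed to the secure machine (field names are assumptions for the example).
    """
    pan = re.sub(r"[ -]", "", order["card_number"])
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("card number fails basic validation")
    ref = secrets.token_urlsafe(12)  # opaque link between the two records
    web_record = {
        "order_id": order["order_id"],
        "name": order["name"],
        "amount": order["amount"],
        "card_last4": pan[-4:],
        "payment_ref": ref,
    }
    vault_record = {
        "payment_ref": ref,
        "card_number": pan,
        "expiry": order["expiry"],
    }
    return web_record, vault_record


if __name__ == "__main__":
    # Constructed order using the standard Visa test number.
    order = {
        "order_id": "A-1042",
        "name": "J. Customer",
        "amount": "19.99",
        "card_number": "4111 1111 1111 1111",
        "expiry": "12/02",
    }
    web, vault = split_order(order)
    print("web tier keeps:", json.dumps(web))
    print("web tier clean:", not contains_pan(json.dumps(web)))
    print("vault receives:", json.dumps(vault))
```

The same `contains_pan` scan belongs in the review of Web-server logs and backups, since those are the places the article says information is left “almost as easy to find” as hanging it in the window.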

Keep your customers informed. Develop a privacy policy that is prominently displayed on your corporate Web page. Let visitors know that you consider security an important aspect of business and describe the measures you have taken to ensure that their information stays private. List a point of contact should customers have questions about security. Do not promise them miracles or guarantee their information will never get out, but assure them you have taken every step to help ensure their security.

It’s that easy?
Building and maintaining a secure network is not always an easy task. With any such goal, careful planning and devoting the correct resources to the security plan make all the difference in the world. There are sure to be potholes along the way, but with proper planning from day one, you can make sure that your computers are not the victims of credit card or personal information theft. And your customers will thank you for it.

News sources for sites from which credit card numbers have been stolen recently (Table 1):

News sources for sites from which personal information has been stolen recently:

News sources for damage reports (Table 2):

Other resources mentioned in this article:

Related reading: