When the LoveBug worm hit 10 years ago, it was a different time when people believed admirers were really reaching out to say “I love you”, personal firewalls were turned off by default and executable attachments weren’t blocked at e-mail gateways.
Those circumstances allowed the Love Letter worm — the first Visual Basic script worm — to infect more than 50 million computers worldwide within a week, causing estimated US$5 billion to $8 billion in damages, bringing down networks by maxing out their ability to fire off e-mails and causing painstaking disinfection of affected machines.
At the time, unleashing the worm wasn’t even a crime in the Philippines, where Reomel Ramones and Onel de Guzman created and then sent it off.
ILOVEYOU wasn’t the first mass-mailing worm, but it was unique in that it knew no limits, says Roger Thompson, chief research officer for security vendor AVG. Melissa, the first such malicious attachment, sent copies of itself to just the first 50 entries in e-mail address books. ILOVEYOU sent it to all of them and kept on sending. “It didn’t know when to shut up,” Thompson says.
The attack was a wildly successful case of social engineering, sending people a malicious attachment via the hijacked e-mail address of someone the victims knew. The worm arrived as an e-mail attachment, subject line: ILOVEYOU. Because it was from someone known and trusted, people opened the attachment.
Opening it triggered a script that invaded e-mail address books and forwarded the same infected e-mail to every address in them, thereby propagating the worm. In its early hours the worm also connected to four Web sites that downloaded further malware that allowed attackers to steal passwords. Those sites were rapidly shut down. Today, with dispersed and shifting command-and-control servers used by attackers, that shutdown would be more difficult.
The motive of Ramones and de Guzman was just to see their creation work, not to profit and not to compromise data. Had that been their intent, the malware they so successfully launched could have been used to assemble a botnet that could generate a steady income.
One lesson that could have been learned from Lovebug worm was that there’s pretty much no good reason to allow an executable-file attachment through an e-mail server, Thompson says, but it took a year or more before that became an industry practice of corporate e-mail executives and ISPs.
Another lesson is that the most effective means for attacking a network is through social engineering of its human users. “There’s no patch for foolishness,” Thompson says.