A decade on from the ILOVEYOU bug

By Mark Ward
Technology correspondent, BBC News


For Paul Fletcher, manager of Star Labs security, 4 May 2000 started like any other day. By the end of the day nothing would ever be the same again.

He got to work around 0830GMT and, as he did every day, checked how many viruses Star Labs' e-mail filtering service had snagged overnight.

The count was updated hourly and, on a busy night, the service stopped 40 or 50 pieces of malware.

"That day it was showing more than 100 and I thought that was kind of interesting," said Mr Fletcher.

At 0900GMT he watched as the counter flipped over to 450: more than Star Labs usually caught in a day.

He changed the counter to update every 10 minutes and watched as the total started to climb. By the end of the day it had caught more than 13,000.

Millions hit

All around the world, security researchers were waking up to the scale of the problem confronting them.

It all started in the Philippines many hours earlier when 24-year-old Onel De Guzman released a virus that he had proposed creating as part of his undergraduate thesis.

The key part of the virus was not any technical trick but the wording of the subject line - ILOVEYOU - and its attachment LOVE-LETTER-FOR-YOU.

Few could resist opening the attachment, which kicked off the attack code that then plundered their e-mail address list and sent itself to every name it found.

In 2000, many people did not have any security software and even those that did only updated the signatures of known viruses once a month.

Simon Heron, manager of security firm Network Box, remembers he was at a meeting on the day to discuss security with a client.

He said: "We were in a room with four programmers and a guy burst in shouting 'Don't open any e-mail from me!'"

"That was their alerting system," he said.

With defences so scant, pretty much everyone that opened up the attachment was infected. In all about 45 million Windows PCs were thought to have been hit on 4-5 May.

Despite being traced via an alias he left in the virus, Mr De Guzman was never charged with a crime. At the time he released the malware, the Philippines had no laws criminalising malicious use of computers.

Mikko Hypponen, head of research at F-Secure, remembers the day well.

"I remember working on the case all day from 09:41, when it started, until midnight, then going to bed only to be woken up at 3am by calls from the USA," he said.

Mr Hypponen remembers coming off a conference call with other security firms and the various national Computer Emergency Response Teams to see that lots of other people had called.

"When I hung up my phone and looked at the screen, it showed that I had received and missed 40+ phone calls during that 30-minute conference call," he said. "All those calls were coming in from partners, vendors and media.

"Everybody wanted to know what was happening and how to fight the outbreak," he told the BBC.

Crime wave

Unfortunately, combating the LoveBug was hard.

Big companies were hit the hardest. The virus kicked off a tsunami of e-mail within and between companies so their mail servers crashed under the load.

The anti-virus companies released a fix around 1000GMT but few could get hold of it because so many people were trying to download it at the same time.

"It was very difficult to clean up," said Mr Fletcher. "It took a lot more effort to clean up and people were not very used to that then, no-one was really used to doing back-ups."

The LoveBug did more than just cause a problem in early May, ten years ago.

Prior to its release, viruses were written by teenagers for kicks. Similarly, spam senders were few and far between because they had to pay for their bandwidth and hosting.

The LoveBug showed how to get spam to send itself and how, with a cleverly designed virus that preyed on human psychology and technical failings, malware could rack up enormous numbers of victims.

The end result is that now 90% of all e-mail sent is spam. Star Labs, which became MessageLabs soon after, now stops more than one million viruses every day. Cyber crime is big business and is done for financial gain rather than kicks or bragging rights.

"The LoveBug showed the shape of things to come," said Mr Fletcher.
