Smashing Security podcast #019: The Love Bug virus

Hi there, and before we begin the show today, I wanted to big up Recorded Future, the threat intelligence experts who are sponsoring this episode. If you want to know what is happening in the world of computer security threats and cybersecurity generally, one of the things that you really need is to know what's coming round the corner, what people are beginning to talk about, what threats are beginning to emerge, and that is where Recorded Future can help you. And one of the ways you can find out more about Recorded Future in their intelligence is by signing up for their daily newsletter. It's called the Cyber Daily, and all you have to do is go to recordedfuture.com/intel to sign up for it. recordedfuture.com/intel.

And thank you very much, Recorded Future, for sponsoring the show. Smashing Security, Episode 19: The Love Bug Virus with Carole Theriault and Graham Cluley. Hello, hello, and welcome to another episode of Smashing Security, episode 19 for the 4th of May, 2017. And as always, I am joined by my buddy Carole Theriault. Hello, Carole.

Hello, Graham.

And we're joined once again by our special guest, John Hawes from AMTSO. How are things, John?

Pretty good. How are you guys?

Good.

Not so bad. Thanks very much for asking.

He's almost a regular, Graham. This is your second time, right, John?

It is.

Second time. Do you think we should give people different kinds of badges or different t-shirts depending on how often they've been on the show?

Yes, let's put that in the nice to do list.

Maybe hats.

A hat. Yeah. So normally we talk about different topics on this show, right? A hat is a great idea.

Yes, because you sent something a bit cryptic saying, let's not prepare, I have an idea. So we're all here kind of— Yeah, I got nothing. Yeah, what's the plan, Graham? What's the plan?

Everyone loves a hat.

I thought, as it's May the 4th—

Star Wars?

No. Hey guys, what are three little words known all around the world? What are the three most magical words in the universe?

Empire Strikes Back?

No, no, no, Something else.

I hate you? Is it I Love You? Okay.

It is.

May the 4th. Oh, is this Love Bug?

The Love Bug.

Is it Love Bug?

no, no, no. Something else.

It's an anniversary.

It's not a particularly special anniversary.

Come on. What is more special than the 17th anniversary?

Okay, so we're doing a special for the 17th anniversary of the Love Bug virus.

Of the Love Bug, also known as I Love You, also known as the Love Letter virus.

Graham, this is a good idea. I think this is a great idea, 'cause it's a fascinating story. And I know you know it really in depth as well. So this is really gonna make you look good. So I'll ask lots of questions. I remember it, but I haven't thought about it in about 15 years. Three words?

It's pretty old.

Well, exactly. And you know what? I am of a certain vintage, and Carole, you're of a certain—

Excusez-moi?

John isn't quite of the same vintage, but he's still fairly grizzled.

I have a white beard.

That's right. And there may be listeners out there who actually weren't around on May 4th, 2000.

So what, people that are not 17?

Child listeners?

No, no, don't be silly. Oh, so close. I'm not talking about people who were— No, you can be 17, but not have had an email inbox growl in May 4th, 2000.

Oh yes, true, true.

Toddlers don't have in— Didn't have email. Even today they don't have email. They're all Snapchat and each other.

I suspect even those without email heard about this via the press. It was that big of a story.

That's right.

Even babies.

I can imagine a 6-month-old baby reading the Financial Times about the latest cybercrime. What kind of world do you live in?

I was certainly reading the FT at that age.

Did you have a monocle?

Yeah, I had two monocles.

Right, guys, calm the frack down, okay? Because I want to take you back in time. It's May 4th, 2000, and the biggest virus ever has spread around the world, arriving in people's inboxes with the subject line, I love you, and the message text saying, kindly read the attached love letter coming from me.

Kindly read the attached love letter. I don't, I didn't remember it said that.

Very romantic.

Yeah, that in itself seems a bit odd. I thought, I thought, I thought I remembered it just having an attachment.

No, no, no. There was a message as well. And the attachment was called love letter you.txt. Or if you had changed the defaults on Windows, it might actually have said loveletterforyou.txt.vbs because Windows by default hides the final extension of any file. And that's really critical.

Surely it doesn't do that anymore though.

Still, it still does.

No.

Yes.

It still does it because what they're trying to do is make Windows all friendly and fluffy. And actually in fairness, I think Apple Macs do it as well by default. They hide the real extension file because they think, why would the great unwashed public be bothered about file extensions?

Yeah.

Do Macs actually look at extensions though? I thought only Windows did that.

Pass from me.

I'm sure they must have a smarter way of telling what kind of file it is you're about to try and open.

I don't know the answer to that question, but if I did, I would tell you.

Oh.

I don't know the answer to that question.

If I knew, I would tell you.

Oh guys, this is a first on the show that Graham admits that.

If only we could Google it or something.

Duck Duck Go it, you mean.

Oh, sorry, yes.

So, right, come on, back to the message.

Right, so there's a message. It says kindly check this out or kindly open this little love letter. And then there was an attachment said love letters.

And there's an attachment and it is arriving in millions of inboxes all around the world. May the 4th, 2000. And when people open the attachment, believing it to be an ASCII text file rather than a Visual Basic script, the script runs on your computer and goes through—

Okay, well, I think we should slow down. So the reason this was going around everywhere was because it was a virus. So that's something that we don't see very often anymore. So that basically was replicating and then what, sending itself to everyone within the inbox and then it would do it again and it would just multiply exponentially.

Well, not just everyone in your inbox, but every address in your inbox, which would include mailing lists as well. So potentially it could go to tens of thousands of people.

Right.

From even if you didn't have that many contacts.

And I guess this is a reason why we don't see that many viruses anymore, because you can't control it. Once you've let it loose, it's gone and it'll just do what it will do.

Fundamentally, the reason why people create malware today is for a different reason than what they were creating it for then.

Yeah.

Back then, it was mostly about showing off. It wasn't about making money. But with the Love Bug, as we will find out, there were interesting ulterior motives. But today, most of the malware we see doesn't want to draw attention to itself. So it won't blast itself off to millions of people. It won't forward itself typically to everybody in your address book because it's sort of going, "Yoo-hoo, you know, I'm here." I remember this.

I had hundreds, lots and lots and lots of emails like this coming in to my personal mail.

You're a very popular lady.

No, it's 'cause I'm on a lot of lists 'cause I worked in communications.

So to recap, this worm is appearing in inboxes around the world. People are going bonkers. It's headline news around the world on television. Organizations are getting hit. There's reports that UK Parliament been infected, Ford Motor Company, the CIA.

And I guess servers are going down everywhere, like mail servers.

Right. Email inboxes are getting so flooded that people can't do their regular work. And everyone can't resist clicking on a love letter which has been sent to them. And that in some ways was the genius of this virus, was that it used those three words, 'I love you,' in the subject line. Three words which are understood all around the world, regardless of whether you can speak English or not.

That's true, right? Because a lot of viruses depend on language, on knowing a specific language. If you got one with Chinese characters, for instance, you may not be interested in even knowing what it was. You would just throw it away. Yeah, because you can't read it, and therefore—

You'd instantly be suspicious. So similarly, if you received a fake, these FedEx emails you get claiming to be a delivery designed to come to your address. And if those notifications arrived at you and they were written in Spanish, they wouldn't work for you, right? The social engineering wouldn't work because unless you read Spanish or you think, why FedEx, it could take to me in Spanish rather than English. But with I love you, you would open it. And in fact, you would open it even if you didn't believe it was a real love letter, because if it was sent to you by your boss and your boss wasn't someone who you could ever imagine getting romantically entangled with, then you might think, oh, it's a joke that they're forwarding me.

Oh, but that's, of course, that's it, right? It would spoof the sender address to be from someone from an address book that you were in.

Yes, indeed.

Of course. Indeed. So it would be like John sending you a love letter, for instance.

And actually, it isn't really spoofing the address. It really is coming from John's email account to my account or to your account, Carole, saying, I love you. So someone who maybe you regularly contact or you're in communication with, someone you trust. If you were to check the email headers, you'd see, yes, it really was sent by John's computer.

And you'd be shocked, of course, because you'd be like, I always thought something was going on with Dave.

Finally, I think, finally, something's happened. All these years I've wondered. And now this is the moment. And of course, you can't resist. Your mouse fingers are all twitchy.

Yes, right.

You see, I have to click, have to click, have to click.

Yeah, yeah.

So the worm is spreading all around the world. People are going crazy, ape bonkers over this. And the one question that everyone wants to know, who is behind it and what's its purpose?

Right, because they want to try and stop it. Are people thinking at the time, if we can contact him, there may be a way of stopping this? Or did everyone at the time think no? Well— You know, they knew there was no way.

It wasn't actually that hard for antivirus software to detect because the malicious code itself was written in Visual Basic script. It was static. It wasn't a polymorphic virus. There were some complications insofar as everyone who received the virus also received the source code in the form of the script. So they could write brand new versions of it themselves if they wanted to.

And lots of people did.

Oh, did they, Johnny?

Well, there were lots of different variants. I remember anybody with a copy of Notepad could open it up and tweak the text so you could just change the text and send it on again with a different strapline or—

So you could change it to, "I tickle you," or, you know.

Yeah, I think there were lots in different languages. And I think there was quite a lot of them saying, "Oh, watch out, there's this big virus going around. Here is the fix for it, or here is the update for your antivirus software." Loads of those.

They're crafty little buggers, aren't they, these virus writers?

And there was even, there was one that the subject line was insert subject here.

I don't think though, if for people that didn't live through this or weren't involved in the industry, I mean, it was everywhere. It was on the cover of every big paper and everyone was talking about it. It was huge.

Oh yeah, it was breaking news, national media. This is the top story. A virus has gone round and everyone was receiving it. And of course, the fact that people began to give it these cool names like the Love Bug. You know, it's perfect for headlines, isn't it? And the I love you angle, you know, there was something really easy for people to get a handle on and to use it.

Yeah, so it was very journal-friendly. Yeah.

Absolutely.

Yeah.

So everyone wanted to know who'd written it.

Right.

And inside the code, there was a reference to basically a hacking group or a computer group called Grammersoft. And it referred— Yeah, Grammersoft. And it referred to this computer college called AMA. And this was a computer college in the city of Manila in the Philippines. And so all fingers pointed in their direction, understandably, because it's there was this little remark inside the virus, not displayed on the screen, but contained inside the source code.

I can imagine they must have gone in with, you know, the authorities, 20 strong, bursting into the computer science department.

And they did, and they did arrest someone within about a day or two. They arrested someone. But they found in his house a floppy disk, because those were the days of floppy disks, containing source code which was very similar to the Love Bug. And they thought initially that this guy must have written it. However, he didn't have a computer. But what he did have was a girlfriend. Now, there are two clues there, first of all, that he can't have been the virus writer. First of all, he didn't have— What are you tutting about?

Nothing. Just this— I'm groaning. Go ahead.

So he can't have been the virus writer. But his girlfriend Irene was the sister of a geezer called O'Neill de Guzman, who went to this computer college.

And it was, oh, and he wrote it and he'd given it to his girlfriend as a sister to give it to her boyfriend to stash it.

Well, I don't know quite why the source code ended up on that floppy disk at their house. But what we do know is that de Guzman had The previous year in 1999, he had gone to his computer college and he was supposed to be doing an end-of-year project and he had to put the proposal together as to what his project was. And his project basically was, you know, the internet's fantastic, but it's expensive because these were the days of dial-up modems, right? People didn't have broadband, certainly didn't have broadband in Manila in the year 2000. And so what he said to his professor was, look, I'm going to find a way to give people cheaper access to the internet. And the professor said, that's a fantastic idea. How are you going to do it? And to Guzman, and you can read his actual thesis online, he says, what I'm going to do is I'm going to write a computer virus which steals people's internet dial-up usernames and passwords. And then anyone will be able to use those and they get cheaper internet.

And please tell me the professor went, no, no, no.

Yeah. In fact, you can see his scrawling over the paper. This is burglary. This is theft. You cannot do this. You know, in the outraged way that only professors can. And you would like to think that that would be the end of the story, but de Guzman actually went ahead and wrote this thing. So what the Lovebug was doing, and what most people have forgotten, was it wasn't just spreading around, sending love letters to people, and clogging up email systems. It was also stealing your dial-up username and password, the one which you used to get onto the internet.

And the idea was expose them all so that anyone can use them. You can't track them, therefore it has to be free. Because you're—

Oh no, he wasn't exposing them all. What he was doing was he was simply grabbing them. So they were being uploaded and sent back to him.

Now, just as described in his premise.

Yeah, exactly. So now if you think about it, that's a rather silly idea in itself because his virus has become phenomenally successful, much, much more successful than he ever could have imagined. And so he's now getting millions and millions of usernames and passwords sent to him. And remember, he's just on some dodgy—

Of course. So his own server's probably collapsing under this ginormous weight of traffic.

Yeah.

I mean, it must have been, you know, it must have been national. They must have just seen this kind of huge pipe, you know, clogged back for, you know— Well, de Guzman was probably connecting to the internet via a couple of yogurt pots and a taut piece of string. You know, it would have been fairly low fidelity, his connection. Of course.

There's more? There is. John, you know how to tell a story, don't you? Yes, there is more. Because unfortunately, there weren't sufficient computer crime laws in the Philippines.

I remember this. Yeah. And therefore, yeah, so they weren't able, even though they wanted to arrest him, they couldn't because there were no laws to support his arrest.

Right. So they only introduced computer crime legislation in the Philippines one month after this. And obviously it was—

Can you imagine the political pressure the Filipino government must have been under from international, you know, counterparts calling them up saying, you know, our country's lost millions and millions because of your you know, one of your guys.

Well, that's right.

You just write a law really fast.

Because you could, as you can imagine, if de Guzman had set foot in America at the time, they weren't going to be too impressed. You know, if he'd brought down government agencies, for instance, he can expect a bit of a spell in the choker, can't he?

But didn't he get lots of praise for putting the Philippines on the map? Wasn't there something about that?

Yes.

He was like

He was like Robin Hood or something like that. Exactly. So the president of the Philippines, he went on television and he said, "Isn't it fantastic? This is what the youth of the Philippines are like today." Wow.

a celebrity locally or something.

Wasn't an American who wrote the Love Bug. It was one of us instead. The Philippine Star newspaper, they said, "Here is a Filipino genius who's put the Philippines on the world map, proven that the Filipino has the creativity and ingenuity to turn the world upside down."

They knew they were already on maps, right?

Do you know what's interesting though? Okay, this is a bit controversial, but okay, so Philippines kind of got something out of him doing this. The security industry certainly did because I'm sure there was a huge uptick in people actually installing antivirus after this because everyone talked about it, right? I mean, it was huge. So it was good for the industry in terms of generating awareness and therefore cash. And yeah, and I'm sure the school, I'm sure where he went to school, I'm sure they had a big uptick in people wanting to learn how to, learning the skills from the master.

I bet the professor wasn't happy. Bet the professor wasn't happy though. That's a fast track to tenure if you're able to bring in a lot of students just by the mere mention of your name.

Well, I wasn't too impressed, but maybe, I don't know, it's probably because I'm inside the industry. I mean, I suppose many people may think, well, what was the long-term harm of this?

Well, I don't think people believed it before this. I mean, there were only a few handful of mass mailers before this, but this was a biggie, right? This was a biggie.

You know, emails would have been lost, communications would have been thwarted, people— the economic damage by people's email systems. I mean, literally, email servers falling over, right?

It's a big, big one. I mean, there's one big lesson though. This is not just a memory lane trip actually, because the one thing that Lovebug did was it used social engineering tactics with the "I love you" concept.

Kaput. So you couldn't communicate with the outside world because it couldn't cope.

And we still see those today and they're still huge. And they're often quoted to be at least something like 75 to 80% of all successful targeted attacks make use of social engineering tactics. So users are still not educated enough in my book.

This was much worse than just a barrage of spam coming in. And I think companies back then were much less able to deal with this kind of threat and deluge than they are today. I think you're right, Carole. I think in the aftermath of the Lovebug, every company realized we need to have some kind of protection at our email gateway. We need some method of blocking those emails before they reach the users because we cannot trust the users to make sensible decisions sometimes around this stuff. So anything we can filter out there is great. But what can't be upgraded and what can't be improved is of course the human mind. And I suspect 17 years on, we are just as susceptible and there is still the potential for another love bug.

You think?

Oh, do you think, John? Do you think you don't think it's possible?

I probably not on quite such a bigger scale. I think there's a lot of very basic things that people have done to block this kind of thing. Any business above tiny, tiny size that has any control over their email gateway, they block binaries and executables and anything with multiple extensions especially.

I'd agree. I don't think it would happen on the same scale, but what I would say is that I think with the right social engineering people can be duped into opening these attachments. And that's the kind of attack which we see all the time with ransomware, for instance. So it may not be viral as such. It may not be self-replicating or may not have worm-like characteristics, but it can be spammed out to people and people are being duped into opening those attachments and then getting infected.

I also think that we also can work better together. So when there is a mass mailer affecting lots of companies across huge networks, I think there's better equipped to being able to deal with that and get notification monitoring those and knowing what to do.

Yeah, I mean, I think you're right. I think we are working better as a community. We're sharing information better. The technology is working better to prevent all of these attacks happening. So it's not all bad news. You know, we have moved on in 17 years in many ways, but—

But just the human factor has not changed much.

It is, and I don't think it ever will change, really.

Well, no, that's not true. It will change if companies took teaching cybersecurity seriously and at least just gave every user, here is the basic security steps you need to know about, both for yourself at home and in the office, I think word would get around.

It'll get around, but you have to do that sort of training on a regular basis. You have to refresh people. You can't just when they first are introduced to a company, you've got to keep at it. And of course you have to make it relevant to people because, you know, it's all very well for us if we're working in IT and technology, but people who may use computers sparingly, for instance, it can be harder for them to remember all of these rules, just as it would be impossible for me, for instance, to take apart a car engine.

Buen rings a bell.

And especially when it's such a simple thing as well. If it's a more complicated idea, like, you know, oh, this is your sysadmin, please apply this patch, you can kind of teach people to look out for that.

That name rings a bell.

But if it's just, this is kind of interesting, that's much more difficult to look out for. I mean, you can look for, you know, so does Dave usually start his subject line with kindly open this?

Why do I remember that name? I mean, we've had ones with lots of celebrities as well, you know, like pretending that particular celebrity is dead, for instance, and then, you know, read the report.

Yeah, I think some of the later love letter variants did that

Yeah.

kind of thing as well. They basically all the different social engineering

Well, good topic, Graham.

Well, you know what? I just want to tell you a couple more things about the Love Bug before we go.

Oh, carry on.

tactics that people use today, people did with the love letter.

And that is, Onel de Guzman had a buddy. Remember I mentioned Grammersoft, the little club? They were a group of hackers who were selling people homework and doing some things online. They were obviously into computers and stuff. And one of de Guzman's buddies was a guy called Michael Buen, and he wins my award for the dumbest virus writer of all time. Wrote a Word macro virus, which we imaginatively called at Sophos WM97/Michael-B for Michael Buen. And what that virus did was at the end of the month, it would take over your printer and it would print out a message saying, if I don't get a job by the end of the month, I'm going to release a computer virus which will wipe your hard drive. And having posted that message, having printed out, imagine it on your dot matrix printer, he then printed out his CV, his resume, with his name, address, contact details, so that you could give him a job. So if you were really impressed by his virus, you know, there's an example of what you might think is a dumb thing to do. But actually, of course, there weren't computer crime laws in the Philippines. And so he got away with it. And the other little tidbit, the other little tidbit which comes from the Love Bug, this virus was so big there was actually a movie made about it. And not just any old movie.

Star Wars?

A rom-com.

No.

Yes.

The best kind.

Subject, I Love You, about a Filipino boy who falls in love with an American girl.

Is there a trailer? Is there a trailer?

There is a trailer.

Is this a Filipino movie?

Let's play it. Let's play some of it.

It arrived as a love note, but it was— It is the worst computer virus attack yet. It zipped through the global communications net at digital speed. Lovebug virus has— Virus is on the loose. The Cupid who cooked it up and committed the crime is a hacker in the Philippines. The Love Note is the most damaging and widespread computer virus ever. And tonight, the FBI believes it has a suspect. There's this picture that suddenly just comes into focus. I want to say something to you. Yeah, I think I do too. It's a story about how saying I love you almost ruined the world. If he comes after me, then I'll know. Isn't it worth it? There you go, guys. You really love her.

It looks schlocky.

It's your typical romantic story of Filipino boy falls for American girl, loses contact with her, and so writes a virus to spread around the world to get back in touch with her.

And presumably this— is this backstory completely made up? Is there any iota of truth in that?

Well, I've never actually seen the full movie. I really wish it were on Netflix. Wouldn't that be fantastic? To download it and check it out. If anyone has seen it, please contact the show. We would love to hear more from you if you've seen Subject I Love You.

Is it worth watching? That's all I need to know.

That's what we need to know.

It's not Subject Kindly Check the Attached. That wouldn't be quite as romantic, would it?

Well, thank you guys. It's been a fun little trip down memory lane. It is May the 4th.

And I'm glad we could offer you an audience.

Yes, I don't feel like we actually contributed a great deal there.

No, no, but

No, no.

Hey, and it was informative. And I'm sure the audience will love it. it was fun. Just tell them you do, guys. And a big shout out to Recorded Future, our sponsors this week. You can sign up to their Cyber Daily newsletter and get their latest insights at recordedfuture.com. I'm glad you enjoyed it.

Bitdefender.com/intel.

Well, that just about wraps it up for us this week. If you enjoyed the show, please consider subscribing to us on iTunes and leave a review. We're on iTunes, Google Play Music, Stitcher, TuneIn, Overcast, and everywhere where you can get podcasts, you will find us there. And if you want to leave us a comment, go to www.smashingsecurity.com where you find our email contact form and a link to our Twitter page as well.

We've made it really easy. Or you could just tweet us.

Thanks for tuning in. Until next week, John, thank you very much for joining us. Carole, lovely having you here. And we'll be back next week. Until then, toodaloo.

Bye-bye. Bye.