The LoveBug/Loveletter/Iloveyou worm (much more geekishly called VBS/Loveletter.a@mm by, well, AV geeks) has become one of those legendary events in malware history. The fact that 10 years on we’re still writing about it. Not only that, but many of us will remember exactly where we were and what we were doing when we first heard about it – in fact many more might remember it than were actually there :).
Still, I remember exactly where I was – I was in Reading, at Microsoft headquarters attending a security seminar and my Blackberry (one of the very early ones, with a greyscale LCD screen), started to go off regularly. I grabbed the next train back to Dorset, got into work, and spent the next ten hours ensuring that nothing bad was going to happen on our network. Many other people have written about their memories of the day – 10 years ago yesterday – including Graham Cluley and Mikko Hypponen, and indeed our own David Harley, and I’ve nothing to add to that. You see – we were using Lotus Notes (~shudder~) and not one single system got infected – although we did get a tremendous amount of email, which very quickly got blocked once we knew the attachment name. No, I remember the Loveletter for what happened 10 years ago TODAY, the 5th of May. And, it is a tale I felt worth sharing, about how even good information about one situation is not necessarily applicable across the board.
Although they were not directly under my responsibility, my team had involvement with the IT systems of all the schools across Dorset, and while none of the systems we were responsible for were affected by Loveletter, this was not true of other systems within the schools, which were under supervision of the school’s own IT personnel. On the morning of the 5th of May, I sent out a message to everyone on our network to the effect that “Our network was not affected by the VBS/Loveletter worm, and no damage resulted from any mails that were opened within our network, but we request that you remain vigilant and avoid opening attachments that are not work related. We also suggest that you install an Anti-virus product at home, and ensure that any mails with the subject “ILOVEYOU” are deleted without being opened” This was the very last time I ever sent out such a message, not because it was incorrect, but because the information ended up being spread outside of our organisation – particularly in schools, where I’m sure people felt they were being helpful by forwarding my email – at which point I got several very angry phonecalls and emails abusing me for my lack of intelligence. The reason? The information was only true of our organisation, and those whose networks DID end up getting affected (Loveletter also deleted .jpg/jpeg images) were angry that I so downplayed the risks of the worm while they were watching it eat through all the images on their servers and workstations. In fact, many of the schools were running Microsoft Exchange and Outlook, and once their systems were infected, many pupils lost work.
This highlights the fact that information is often specific, it isn’t necessarily relevant to all situations. Think of it like fire extinguishers; they have specific uses on specific types of fires – don’t go spraying a water extinguisher onto an electrical or fat fire, you will get burned.
User education is often very difficult, and one of the reasons it is so is that there are so many variables, so many different ways that things can go wrong. In a way the Loveletter worm was one of the first Phishing attacks – it combined clever social engineering with malicious code to steal passwords. David Harley and I have written fairly extensively on Phishing, including examining whether the sort of ‘anti-phishing’ quizzes we’ve seen on some security sites are actually of any use. As far as I’m concerned, the jury is still out – there’s far too little common sense, too much irrelevant information, and it takes (literally) a lifetime to become a security expert; you can’t expect people to learn in five minutes.
As David mentioned yesterday, AVIEN was formed out of the need for non-vendors working in the AV industry to get fast and accurate information about spreading threats – I was glad to find that the instances where such information got so wildly misconstrued as in my Loveletter incident were few and far between. AVIEN also has its 10th birthday this year – more of that later in the year.
As an aside, I later applied for a job at one of the schools that had been affected, imagine how my heart sank when my interviewer turned out to be one of the people who had written me an angry email…no, I didn’t get the job! Anyway, it’s all water under the bridge, and since it is the 5th of May, my greetings to all my Mexican/Southern Californian friends, who will no doubt be regretting their today’s activities tomorrow morning.
Andrew Lee CISSP
AVIEN CEO / CTO K7 Computing