Let's try something. Imagine this. You just got an email notification. You check it, and the subject line reads, I. Love. You. All caps, no spaces. You'd probably be a bit suspicious, right?
But back on May 4th, 2000, people didn't react that way.
And this was just a few months after the Y2K scare.
I still remember it clearly, sitting on the floor of my parents' living room
on that deep ocean blue shag carpet, surrounded by wood-paneled walls just waiting for midnight.
There was this fear that computers wouldn't be able to handle the change to the new millennium
and everything might crash, power outages, computer failures, you name it.
But as we know, none of that happened.
Then, just as we were settling down, this worm appeared and caught everyone off guard.
My name is Josh, and welcome to In The Shell.
Does this pose a national security matter?
Are being used without the operator's knowledge?
And if it sounds malicious, it's because it is.
Many attacks just this year on educational organizations.
And now to the massive cyber attack targeting hotels and casinos in Las Vegas.
To a possible cyber attack at one of the nation's busiest airports?
A cyber security firm, CrowdStrike, has caused this outage.
That it takes you longer to do something by putting it into a computer and calling it up again
than if you just kept simple records yourself in the house.
Every other week, I'll be bringing you a new story from the archives
about hackers, malware, and the people who've shaped the tech world as we know it.
But for now, let's dive back into this week's episode.
Today we are discussing the I Love You worm, also known as Love Bug or Love Letter.
Some refer to it as a Trojan, but I think a worm is the more accurate term.
A worm is a type of malware that replicates itself to spread to other computers.
But before we get into the details of what it was and what it did, let's start with the
person behind it.
Onel de Guzman was a 24-year-old computer science student from the Philippines.
He ended up dropping out of college after his professor rejected his undergraduate thesis.
His thesis?
The idea of using malware to steal internet passwords from nearby neighborhoods.
Back then, accessing the internet required a password, so if you had someone else's, you
could use the internet as if you were them.
He was ahead of his time in some ways, believing that everyone should have access to the internet
as a basic human right.
Now that we know the who behind it, let's get into what happened.
Even after dropping out, de Guzman wasn't ready to let go of his idea of using the script
he had created to steal internet passwords from people in his neighborhood.
But, like anyone would be, he was curious.
So, one night, he decided to remove the restrictions on how far the script could spread, making it
no longer limited to just nearby neighborhoods.
After making those changes, he sent it to someone in Singapore he had met in the chat room.
Then, he went out for some drinks with friends.
When he got back, international news outlets were already buzzing about a global manhunt for
the hacker who had just crippled global infrastructure.
For the last 36 hours, the I love you virus has been creating havoc around the world, certainly
here in North America.
In just 24 hours, Lovebug had infected nearly 45 million Windows computers, which was around
10% of the world's internet-connected computers at the time.
Governments and corporations had to temporarily shut down their email systems to stop the spread.
That included companies like AT&T, Microsoft, Time Warner, Merrill Lynch, Ford,
and government organizations like the Pentagon, the CIA, NASA, and even the British House of Commons.
Now back then, there were far fewer protections for users on computers,
and the internet was still new to many people, so there was a general innocence about email.
The code behind Lovebug was written in VBScript, a scripting language commonly used to automate tasks on Windows computers.
These files can execute commands and perform actions, much like a mini-program.
The script was attached to the email as a file named
LOVE-LETTER-FOR-YOU.TXT.vbs. At the time, Windows would hide most known file
extensions, so when someone looked at the attachment, they would only see .TXT
and likely assume it was a harmless text file. The email subject was ILOVEYOU, all caps, no spaces,
which is where the worm got its name, and the body simply said, "kindly check the attached LOVELETTER
coming from me." From a social engineering and phishing standpoint, this content was almost
perfect. Email was still somewhat novel at this time. It wasn't something that constantly flooded
your inbox. That novelty, combined with curiosity, helped
fuel the worm's spread. It's considered one of the first examples of malware using social
engineering to persuade victims to open an attachment. Once someone opened the attachment,
the worm copied itself to specific directories so it would run when the computer was rebooted.
It made three copies in total. One of the copies kept the original name of the attachment,
while the other two disguised themselves as Windows Library Files. After copying itself
onto the victim's machine, the worm attempted to download a file called WIN-BUGSFIX.exe,
which was a Trojan. A Trojan is any malware that deceives the user about its true purpose
to accomplish something else. The name comes from the ancient Greek story of the giant wooden
horse that hid soldiers inside. To download the Trojan, the worm set the victim's Internet Explorer
homepage to a URL that would automatically download the file when they opened their browser.
If the download was successful, WIN-BUGSFIX.exe was set to run upon reboot, and the Internet
Explorer homepage was changed to a blank page. This Trojan fulfilled de Guzman's primary goal
of stealing Internet passwords from users. But that's not all it did. The worm also carried
out some pretty destructive actions on the victim's machine. Files with certain extensions
like .jpg, .jpeg, .css, and .doc, among others, were replaced with copies of the worm.
For files with the .mp2 and .mp3 extensions, the worm created copies of itself but hid the original files instead of removing them.
You can imagine the chaos this caused when all your Microsoft Word documents and Napster downloads were suddenly overwritten with the worm.
You know, when they hear the word Metallica, just like we're sitting here talking 15 minutes in, the Napster thing comes up.
Now let's talk about how it spread.
The worm sent an exact copy of the email I mentioned earlier, including the malicious attachment, to every contact in the victim's address book.
To prevent multiple emails from being sent to one person each time the worm was run, since it ran any time the user rebooted or clicked one of those overwritten files, it created
a registry key for each address book entry once the email was sent.
A registry key is a small piece of data stored in the Windows registry, which stores settings
and options for the operating system and software.
Because this email was sent to everyone in the victim's address book, the next person
to receive it would get it from someone they knew, which made them more likely to trust
and open the attachment.
It was simple, yet brilliant, and a highly effective method for spreading.
I came across some figures that estimated Lovebug caused between 10 and 15 billion in damage,
mainly due to the effort required to remove the worm and recover files from backups.
The worm was quickly traced back to de Guzman, who tried to cover his tracks by removing his computer from his
apartment, though he overlooked some floppy disks lying around that contained the worm.
He was arrested and placed under investigation by the Department of Justice. There's been some
speculation about de Guzman's true intentions. Was he just a misguided individual with altruistic
ideas, or did he knowingly unleash a global disaster? But despite the extensive damage
caused, all charges against de Guzman were eventually dropped and he was released. At the
time, there were no laws in the Philippines against writing malware. However, in July 2000,
just two months after the outbreak, the Philippine Congress enacted Republic Act No. 8792,
also known as the e-commerce law, which made the creation and distribution of malware
illegal in the Philippines. This incident was one of the key events that brought public awareness
to cybersecurity threats, especially in how we handle email attachments and open unknown files.
Since then, de Guzman has kept a low profile and stayed out of the spotlight.
I personally find this story fascinating because it was the first of its kind.
While it might seem simple, and like something you wouldn't fall for today,
the timing and the way it exploited human nature were what made it so effective.
So, could something like this work today? I don't think so, at least not at the same scale.
There are far more
protections in place now, both at the email provider level and within modern operating systems,
to prevent something like this from happening again. Email filters are smarter, and more people
than back then, at least I hope so, are more cautious about clicking on suspicious attachments.
While threats like this still exist, they've evolved. Today's attacks are more focused,
like spear phishing, which targets specific individuals or organizations rather than
trying to target the globe. We've learned a lot since 2000, and the way we approach cybersecurity
has changed significantly. Until next time, I'll leave you with a clip of the song "E-mail"
by Pet Shop Boys, which was inspired by the Love Bug.
Communication's never been as easy as today
And it would make me happy when you've gone so far away
Send me an email that says I love you
Send me an email that says I love you
Send me an email that says I love you