Security News

Remembering the ILOVEYOU virus twenty years later

Malea Lamb-Hall, 5 May 2020

Lessons learned on security from the ILOVEYOU virus and what it means for the future of viruses

For those who are new to security, it may be a surprise that the one of the farthest reaching and devastating computer viruses, ILOVEYOU virus, first appeared 20 years ago this week. The virus originated in the Philippines and arrived in the form of an email from a known sender with the header “ILOVEYOU” and the instruction to read the attached document.

Recipients, curious to see what was in the document, opened the supposed love letter. In addition to overwriting files on the host computer, the virus propagated the same email and sent itself to the people in the victim’s contact list. Who could resist opening a letter professing love? It was a masterful example of early social engineering. In the span of days, it had hit upwards of 50 million computers around the globe causing much personal embarrassment. The FBI later estimated that the virus and its variants caused $8 to $10 billion in total damages worldwide.  

For the 20th anniversary of this virus, I sat down with Avast’s own Luis Corrons, security evangelist and Martin Hron, senior security researcher, to discuss what their thoughts on the ILOVEYOU virus and what is to come in the future. 

Do you remember May 5, 2000?

Luis Corrons, Security Evangelist at Avast: At that time I was working in the tech support team at another security company. I remember very well what happened that day. I was scheduled to work the night shift from 10pm to 8 am, so I was home when the news hit Europe- I couldn’t believe a malware attack was making the news every hour, as that never happened before. I went to work early that day at 6pm and ended up working till 10 am. I remember sending faxes, because email systems and companies' internet was down, preparing disks with a virus definition update that we had to send out via courier.

Martin Hron, Senior Security Researcher at Avast: The account of the company I was working for at that time received the email and unfortunately, the accountant opened the attachment. I was forced to code my first antivirus, which was more like a remover/cleaner. I actually recently found the program while cleaning up my old files, and it’s still functional, even today. I called the program the “I hate you” antivirus.

Do you think something similar could happen again, like WannaCry or the ILOVEYOU virus? 

Luis Corrons: I think we are more likely to see an attack similar to WannaCry in the future, but I don’t think we will see an attack like the ILOVEYOU virus.

Malware today can propagate at a rapid pace, much faster than the ILOVEYOU virus did 20 years ago, but things have changed since then. 

Twenty years ago,  nobody had seen a .vbs (visual basic script) file used for malicious purposes, which caused many people to click on the file. From an infrastructure point of view, the capacity of the networks affected, which included networks belonging to governments and companies, was nothing compared to today, and so everything collapsed when a network became infected. Additionally, email was the only digital communications tool used by companies twenty years ago, there were no chat applications like Slack, so they were completely isolated. Antivirus companies had to fax instructions to desperate customers as they could not receive any emails and the amount of traffic generated by the virus sending itself out  forced companies to disconnect. 

A few years after the ILOVEYOU virus made its rounds, we saw worms that spread much faster without user interaction, affecting millions of people around the world, however,networks stood still strong during attacks like Blaster.

Martin Hron: I agree, I think we are going to see more attacks carried out by botnets and more “automated” WannaCry like attacks, but over time threats have become complex beasts, carrying out attacks in multiple stages. Even today, an attack can be triggered by a user simply opening a phishing email or clicking on a phishing link. We’ve seen cases where opening a malicious link by a user led to the networks’ router being compromised. That could open more backdoors to the user's system or ultimately redirect the user’s browsing sessions to malicious websites that can carry more threats ranging from ransomware to password stealers, and scanning the internet for more potential victims. 

The motivation behind attacks has significantly changed over the last two decades. The first virus I came across was Michelangelo back in 1991, which overwrote the first hundred sectors of a hard drive making the machine unable to boot up. While back then viruses were more like proof of concept and a source of pride for their authors, nowadays the threat landscape is a  well-oiled money-making machine, spreading ransomware to companies, bankers designed to steal money, and fake news to support propaganda and state-sponsored cyber wars.

What would be abused to enable a virus to spread so widely and rapidly? 

Luis Corrons: Today, there are billions of devices connected to the internet. In order for a malicious worm to spread widely and rapidly, malware would need to exploit a vulnerability that allows it to infect and spread without user interaction, similar to how Wannacry behaved. A worm taking advantage of multiple IoT vulnerabilities could cause a global attack, targeting homes and businesses alike. 

Martin Hron: I think IoT devices have added a large attack surface, ready to be misused. If you think about it, we are now connected 24/7 so leaving these devices readily available for an attack at all times. This combined with the number of vulnerable devices with weak security out there makes a mass scale attack inevitable. As Luis said, global mayhem always starts with one widely present flaw. What we have seen in the last few years is a massive explosion of attacks carried out on the firmware level of IoT devices or computers without user interaction, like VPNFilter, LoJack, or various attacks against versions of Intel’s Management engine firmware. The reason for this trend is that these attacks usually remain below the radar and are hard to discover by non-tech savvy users.

What should be done to prevent it? 

Luis: The key to preventing any attack is security. Windows was very vulnerable in the past, but it is now much safer. Nevertheless, bad actors are and will continue to discover vulnerabilities and risks in the Windows operating system and attempt to abuse them.

When it comes to IoT devices, most devices are in a Windows 95 stage in terms of security. Security is rarely considered when IoT devices are designed, making everything from IoT software, how data is transmitted, and port security vulnerable.

Martin: I would also add that the user awareness of prevalent threats, what these look like and how to handle them, as well as users keeping up-to-date with security issues, and using security solutions, is also key to preventing attacks. The security industry, of course, is responsible for protecting people by improving detection mechanisms in security products, providing various solutions and educating users. However,  it’s ultimately up to them to learn about security and make the right decisions to secure themselves, but also especially important they make the right decision when confronted with a social engineering scam that can lead to malware installation or them giving up sensitive information.