Security Manifest

Benjamin Johnstone-Anderson, Microsoft MVP - Windows Security

The Love Bug Turns Four: A Look Back

Commentary: Four Years Later, a Look at What Has Changed, and What Hasn't

I remember the day VBS/Loveletter appeared quite clearly. Although it technically debuted overnight on May 3rd, 2000 (depending on time zones), the morning of Tuesday, May 4th, 2000 will always be remembered as the day that changed computer viruses forever.

I was ten years old at the time. I awoke at 8 A.M. that day and turned on the radio to NPR (National Public Radio). They were just finishing with a broadcast about an Internet worm. They concluded with something along the lines of “security experts do not consider it a high risk.” It was hard to tell. At that time, I read most of the write-ups posted for the various new threats on a collection of web sites, but was not extremely involved in the Internet security community. I tried to get online to various vendor web sites - McAfee, Symantec, and Trend Micro - but was out of luck. All of their servers were busy. In fact, the only page I could get was the front page of Trend Micro's site, which warned that they had declared a high risk alert for VBS_LOVELET.A.

When I got to school, I tried to go to the vendors' sites, yet they were still down. At lunchtime, the school tech guy made an announcement that no computers were to be used because of the outbreak. This was funny, considering all computers in the school were iMacs or PowerMacs and could not be affected. During this time, the worm stormed through the world, and it has gone down in history as probably the most high-profile worm incident in the history of computing.

Today is May 4th, 2004. It has been four years since the initial outbreak, and we are still dealing with worms similar to VBS/Loveletter. Now, a quick look at what's changed, what hasn't, and what the virus climate will look like four years from now if we continue along this path.

Predictions: The Good, the Bad, and the Wrong
In the days following the VBS/Loveletter outbreak, many things were said that probably shouldn't have been, even considering the knowledge of that time. Many predictions were made on a factless basis. Hysteria was the public diet with respect to worms. Experts whom no one had ever heard of before suddenly appeared to make doomsday predictions, and then they vanished into the woodwork as quickly as they had appeared. Here's a look at some of the predictions made four years ago and how true they are today.

Prediction: VBScript worms will remain a major risk for most of computing.
Outcome: False
The Truth:
In April of 2003, seven VBScript-based viruses were on the WildList. Three of those viruses were on the main list. Of those three, only one - VBS/Freelinks - had more than one line of reports. By December 2000, 33 VBScript viruses were on the list, fifteen of which were on the main list, and four with more than one line of reports. This number fluctuated only slightly for the next two years. By mid 2001, the VBS/VBSWG family of kit-based worms added a number of its family members to the WildList ranks. After this, the number of VBScript-based worms began to decline as .vbs became an infamous extension. Today, 25 VBScript viruses are on the list, of which 11 are on the main list, and two have multiple lines of reports. No new major VBScript virus has been discovered since VBS/Redlof in October 2002. The last even semi-major VBScript mass-mailer was VBS/VBSWG.AQ-mm in July 2002. VBScript worms are no longer considered a very significant threat in the field.

Prediction: Mass-mailing worms will remain a major risk for most of computing.
Outcome: True
The Truth:
VBS/Loveletter was the second time a mass-mailing worm had grabbed the public's attention, the first being W97M/Melissa. And, ever since, the number one type of worm has more or less reliably been the mass-mailer. Of the 56 worms that currently have two or more lines of WildList reports (14 or more reports), 45 have some sort of mailing ability, and all but two of those are mass-mailers.

Prediction: VBS/Loveletter will always be the most successful worm of all time.
Outcome: (Arguably) False
The Truth:
In terms of spread, it is hard to debate that VBS/Loveletter is NOT the most successful worm of all time. Any number of other worms - Blaster, MyDoom, Sobig.F - have easily trumped VBS/Loveletter in this category. Damage is another question. Fiscally, VBS/Loveletter definitely does not hold the world record. MyDoom does ($43.9 billion), followed by Sobig.F ($14.62 billion), Klez.H ($13.94 billion), and then Loveletter ($8.75 billion). Another worm which would probably eclipse it, Blaster, has no statistics available, while the current Sasser outbreak will probably also break Loveletter's position. Damage cannot necessarily be calculated in billions, but of any of the worms on this list, VBS/Loveletter was certainly the most destructive. Still, it is unlikely that it caused the most damage.

Prediction: The end of the world as we know it, or at least computing as we know it, is near.
Outcome: False
The Truth:
Although a difficult and dynamic foe, computer security threats are NOT the end of the world - even the computing world. Developing technologies will continue to appear to protect against threats that seem to develop equally quickly. The average user will never become a victim of a security problem if they practice excellent security methods and keep up-to-date software and patches.

Did Loveletter Actually Mean Anything?
The question still remains after these four years: Did Loveletter actually mean anything to the security world or the public at large? This question is open to debate, but it is hard to disagree that there are a few things Loveletter changed forever, and a few that it did not.

What Loveletter Did Change
The Public Perception of Viruses
Before VBS/Loveletter, the average person had little more knowledge of computer viruses than that they were bad, and in some cases that there was one named Melissa that did something a while ago that was also bad. After Loveletter, viruses became a common point of discussion, and fear - whether sensible or otherwise.

Public Awareness of Viruses
Although this is similar to the last entry, it is different enough to deserve its own category. Before Loveletter, many computer users would just click on anything they were sent, even if it had the subject “THERE IS A VIRUS ATTACHED DON'T OPEN IT.” In fact, many still do. However, this number is significantly smaller thanks to media coverage of worms like Loveletter, which brings us to...

Media Coverage of Viruses
The media had, before Loveletter, a superficial knowledge of worms much like the general public. Loveletter prompted them to at least bring in some experts, although much of it was still hype. This was somewhat negated by the sudden urge to report on every single worm that involved a celebrity or clever piece of social engineering. Reports continued, though, to use colorful terms such as “Killer Internet Trojan horse worm virus.”

Outbreak Response and Management
Both antivirus companies and system administrators alike were faced with the problem of responding more promptly to sudden outbreaks of new viruses. No longer could detection files just be posted weekly; after Loveletter, it was down to the hour in a crucial attempt to squash the virus before it had spread so far that a detection release could help little.

What Loveletter Didn't Change
The Technological Aspect of Viruses
VBS/Loveletter was not a very interesting worm as much as it was a lucky worm. The code and methods were old hat even at that point. The clever social engineering wasn't all that clever even for the day. Making a detection file was more or less a piece of cake (although a few companies still managed to mess it up, such as the one that detected any instance of the filename “LOVE-LETTER-FOR-YOU.TXT.vbs” as the worm itself).

The World
Loveletter was a significant outbreak, but not a technologically based one. It showed how a simplistic email worm could spread globally, how fast, and how much damage it could do, but all of this would have surfaced eventually. It was just a matter of time and luck.

The Uncertain Future
Even four years later, we still deal with mass-mailing worms, and probably will still be doing so for a few years to come. What is the next wave of worms? It is futile to predict. New-age automatic worms like Blaster and Sasser have displayed some muscle, but their long-term spread is hindered by how easy they are to prevent. Spyware continues to develop as a threat, and the line between malicious software and intrusive software is blurring at an increasingly rapid rate. The one thing that hasn't changed, though, since Loveletter's day and age is a good security strategy: an updated firewall, an updated antivirus program, a good configuration, and current Windows Update patches (maybe a spyware killer these days, too). And, of course, something that will be invaluable for computer security as long as it exists: common sense.

Posted: May 04 2004, 02:41 PM by trafton | with 4 comment(s)