Editor 11-May-00

The ILOVEYOU Worm

What the press is trying very hard not to tell you.

The ILOVEYOU worm spread through company e-mail systems more rapidly than any other virus or worm because it chose to re-mail itself more aggressively. No anti-virus program stopped it because it was new and did not contain any known "signature" patterns. It was not stopped by any firewall because it could not be told apart from legitimate e-mail.

Total cost to stop this bug is going to be very high because it hit so many companies so hard. Some had to take their e-mail servers off line for more than a day, resulting in severe interruption of business. Of course the lightly disguised "me too" follow-ons caught some too (at least one major company e-mailed an apology for sending ILOVEYOU that was infected with a "me too").

Especially severe damage was suffered by all those collections of porno pictures that somehow mysteriously gather on desktop PCs even though no one has ever downloaded anything of that sort. Porn is mostly in .jpg format and the worm deleted .jpg files and MP3 (music) files.

Press reports, especially those in the computer press, have carefully avoided several important points. If they made any mention at all of Microsoft it was a couple of lines buried deep down in the article. This points out the inordinate influence Microsoft still holds over editors and columnists - the truth is out there, just not in the press.

  • Only systems making extensive use of Microsoft products were hit hard. The primary victims used a combination of Outlook, Outlook Express, Word, and Exchange Server (all running on Windows).
  • Systems using software that emphasises compatibility with Microsoft products (Lotus Notes, etc.) were also hit, but not nearly as hard.
  • Outlook in particular is regarded by the technically savvy as "a massive security hole that is also an email client".
  • Systems not compatible with Microsoft products (Unix, Linux, OS/2, etc.) could not be and were not affected in any way (except for being unable to communicate with Microsoft based e-mail systems that were turned off).
  • The worm was not written by a skilled "hacker". It was very sloppily done and could have been written by anyone with a few weeks training in Microsoft products.
  • The spread of this bug was specifically enabled by the tight integration among Microsoft products, and the fact that what security features there are have all been turned off by default to make the products more "user friendly". Turning any security on requires knowledge and initiative, and produces inconvenience, because the products really want security turned back off.
  • Microsoft has denied all responsibility and specifically stated it will make no changes in its products due to this worm problem.

Microsoft, as always, takes the position that "A site adhering to good security practices has nothing to fear". I suppose that's why Microsoft has to shut down their own e-mail system every time something like this happens.

Microsoft will, as they have clearly stated, make no security improvements, because the tight integration that makes worms like this possible specifically locks out competitors. Also, even well designed security causes some inconvenience, and that goes against Microsoft's "user friendly" marketing goals.

Apologists for Microsoft harp on two points:

  • It's all the fault of dumb users who should know better.
  • It's not a Microsoft problem. If any other system was so popular it would be subjected to similar attacks.

The first point is obviously just stupid. Microsoft aims their software specifically at "dumb users who don't know better" and discourages them from learning much about computers. As such, its "dumb user" software should at least attempt to protect the user. It does not.

The second point is just as stupid but less obvious to most people. No other system can be attacked this way because no other system has the tight integration and total lack of security. No other system would allow an email attachment to be run, and especially not run in privileged mode, able to affect system files and system directories. Only Microsoft products allow this.

Will attacks like this happen again? Yes, and more and more often. As defenses get a bit better, the attacks will be better written. As I have pointed out, ILOVEYOU was noteworthy for poor quality and lack of sophistication. Future versions could be far more destructive and far more difficult to stop.

For more on viruses, worms and trojans, see our article Virus & Other Invaders.

Andrew Grygus

©Andrew Grygus - Automation Access - www.aaxnet.com - aax@aaxnet.com