Yesterday a piece of malware called ILOVEYOU — sometimes also called Loveletter — appeared in the wild and propagated globally in hours. By this morning it has hit major corporations on every continent. Damage estimates from the cleanup vary wildly, but the rough order is billions of pounds in lost productivity and remediation.
This is bigger than Melissa. It uses a different mechanism. The implications are larger.
This is the first-night-of-a-busy-week note, written before the dust settles, with the things I am confident enough to commit to in writing. The longer analysis will follow.
What ILOVEYOU does
The vector: an email with the subject ILOVEYOU and an attached file LOVE-LETTER-FOR-YOU.TXT.vbs. The body of the email reads, in roughly the wording I have seen: "kindly check the attached LOVELETTER coming from me."
The attachment is a VBScript file. Windows, by default, hides the .vbs extension and shows it as LOVE-LETTER-FOR-YOU.TXT, so users see what looks like a text file. They double-click it. The VBScript runs.
What the script does, in roughly the order it does it:
- Propagates by email. It uses Outlook's MAPI interface to send a copy of itself to every entry in the user's address book. Unlike Melissa, which stopped after 50 entries, ILOVEYOU sends to every contact, often hundreds.
- Propagates over IRC. It looks for a mIRC configuration on the host and, if found, modifies the IRC client's startup script so that anyone who joins a channel the user is in gets sent a copy of the worm via DCC. This is the second propagation vector; it has been less reported but is operationally significant.
- Overwrites files. The script searches for files with the extensions .jpg, .jpeg, .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .mp2 and .mp3 and overwrites them with copies of the worm code. The original content is destroyed; the file's name is preserved (with the extension changed to .vbs); the worm gains new replication vectors.
- Steals credentials. A separate small payload attempts to download an executable from a remote site that, if it runs, harvests cached passwords and emails them to a fixed address.
The combination is a worm that propagates aggressively, destroys local data, and exfiltrates credentials. Worse than Melissa on every dimension.
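For the clean-up side of the overwrite behaviour just described, here is an added triage scan of my own (not code from the original post). It assumes the damaged files show up either under a double-extension name such as holiday.jpg.vbs or as a bare .vbs whose body is identical to many other .vbs files in the tree; the demo directory, its file names and the placeholder contents are all constructed for the example.

```python
"""Post-infection triage scan (added example, not from the original post).
Walks a directory tree looking for the damage pattern described above: a
media or script file whose name survives but whose real extension is now
.vbs, with the worm as its body.  Hits are grouped by content hash, because
mass-overwritten files all carry identical bodies.

Assumptions (not from the post): damaged files appear either with a double
extension such as holiday.jpg.vbs, or as a bare .vbs whose body is identical
to many other .vbs files in the tree.  The demo tree is constructed here."""
import hashlib
import os
import tempfile

# Extensions the post says the worm overwrites.
OVERWRITTEN_TYPES = {".jpg", ".jpeg", ".vbs", ".vbe", ".js", ".jse", ".css",
                     ".wsh", ".sct", ".hta", ".mp2", ".mp3"}


def has_double_extension(name):
    """True for names like holiday.jpg.vbs: the inner extension is one the
    worm targets and the final (real) extension is .vbs."""
    lower = name.lower()
    if not lower.endswith(".vbs"):
        return False
    stem = lower[:-len(".vbs")]
    if "." not in stem:
        return False
    inner = "." + stem.rsplit(".", 1)[-1]
    return inner in OVERWRITTEN_TYPES


def sha256_of(path):
    """Hash a file in chunks so large media trees do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, min_cluster=3):
    """Return two views of the tree:
    'double_extension'   - sorted paths like holiday.jpg.vbs,
    'identical_clusters' - {sha256: [paths]} for .vbs bodies occurring at
                           least min_cluster times (a mass-overwrite signature)."""
    by_hash = {}
    double_ext = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".vbs"):
                continue
            path = os.path.join(dirpath, name)
            by_hash.setdefault(sha256_of(path), []).append(path)
            if has_double_extension(name):
                double_ext.append(path)
    clusters = {d: sorted(p) for d, p in by_hash.items() if len(p) >= min_cluster}
    return {"double_extension": sorted(double_ext), "identical_clusters": clusters}


def build_demo_tree():
    """Create a constructed directory mimicking a hit user profile.  The
    'worm body' is a harmless placeholder string, not the real script."""
    root = tempfile.mkdtemp(prefix="loveletter-demo-")
    body = b"REM constructed placeholder standing in for the worm body\r\n"
    os.makedirs(os.path.join(root, "pictures"))
    os.makedirs(os.path.join(root, "music"))
    for rel in ("pictures/holiday.jpg.vbs", "music/song.mp3.vbs", "login.vbs"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)  # three identical overwritten files
    with open(os.path.join(root, "backup.vbs"), "wb") as fh:
        fh.write(b"' a genuine admin script with unique content\r\n")
    with open(os.path.join(root, "pictures", "notes.txt"), "wb") as fh:
        fh.write(b"not a script\r\n")
    return root


if __name__ == "__main__":
    report = scan_tree(build_demo_tree())
    for path in report["double_extension"]:
        print("double extension:", path)
    for digest, paths in report["identical_clusters"].items():
        print("%d identical .vbs bodies (%s...):" % (len(paths), digest[:12]))
        for path in paths:
            print("   ", path)
```

The hash clustering is the part that matters in practice: a legitimate .vbs file is unique, whereas the overwritten ones are byte-identical across the whole tree, so a cluster of dozens of identical .vbs bodies is a reliable list of what was destroyed and needs restoring from backup.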
Why it propagated faster than Melissa
A few specific properties matter.
No attachment-stripping by default. Most mail systems strip .exe attachments by default after the post-Melissa hardening. They do not strip .vbs. The category was not on most operators' filter lists.
Windows hides the extension. Even users who had been trained "do not open executables" did not recognise a .vbs as executable, especially when the visible filename ended in .TXT. The deception is at the operating-system level, not the user level.
The mail comes from someone you know. Like Melissa, the propagation uses the recipient's contacts. The mail arrives from people you correspond with. Even users alert to suspicious attachments often opened it because the source was familiar.
The address-book propagation is unbounded. Melissa stopped at 50. ILOVEYOU does not. A single infected machine in a large company can send to hundreds of contacts; each contact is a potential further infection.
Multiple propagation vectors. Email plus IRC means a single infection can reach two distinct populations of further victims. The growth rate is correspondingly higher.
What is currently happening operationally
From the half-dozen operators I have spoken to today, the picture is similar everywhere:
- Mail volume has spiked to many times normal, almost all of it ILOVEYOU traffic.
- Mail servers are queueing or refusing connections under load.
- Anti-virus vendors have updated signatures; most are now detecting and stripping the worm at gateway, but the gateway only catches what passes through it.
- Internal network spread has happened in many organisations through the IRC vector and through file-sharing of the overwritten .jpg and .mp3 files.
- Several major news organisations have lost media archives — .jpg files overwritten by the worm.
The cleanup will take days. The reputational damage will take longer.
What I have done in the last 18 hours
For my own infrastructure (Linux mail relay, no Outlook anywhere): nothing dramatic. The relay does not interpret VBScript. The worm has been arriving in volume — about 200 attempts in the past 12 hours — and being passed through to friends, who have all reported they recognised it and did not open it.
For friends' infrastructure where Outlook is present: I have spent the day adding gateway-level filtering for .vbs, .vbe, .js, .jse, .wsh, and .hta attachments. None of these are legitimately sent as email attachments in the normal course of business; stripping them at the gateway has zero false-positive cost.
The specific procmail recipe for the most paranoid relay:
:0 fw
* H ?? ^Content-Type:.*multipart
| /usr/local/bin/strip-attachments.sh
Where strip-attachments.sh is a small script that walks the MIME parts and replaces any with extensions in the danger list with a notice. The notice tells the recipient that an attachment was stripped and what its filename was, so legitimate cases can be re-sent through a different mechanism.
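The script that recipe pipes through, as an added example of my own rather than the strip-attachments.sh described above: a Python stand-in that reads one message on stdin, replaces each dangerous part with a notice, and writes the rewritten message to stdout. It assumes Python is available on the relay; the sample message, its addresses and the placeholder attachment body are constructed for the example.

```python
"""Gateway attachment stripper (added example, a Python stand-in for the
strip-attachments.sh in the post, not the author's script).  Reads one
message on stdin, replaces every MIME part whose real (final) extension is
on the danger list with a plain-text notice naming the stripped file, and
writes the rewritten message to stdout, so it can sit on the '|' line of a
procmail ':0 fw' recipe.  The sample message below is constructed, with a
harmless placeholder where the worm body would be."""
import sys
from email import policy
from email.parser import BytesParser

# The extensions the post strips at the gateway.
DANGEROUS_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".hta"}


def final_extension(filename):
    """Lower-cased last extension, i.e. the one Windows hides:
    'LOVE-LETTER-FOR-YOU.TXT.vbs' -> '.vbs'."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[-1].lower()


def is_dangerous(filename):
    """Judge by the real extension only, so a .TXT.vbs deception fails."""
    return final_extension(filename) in DANGEROUS_EXTENSIONS


def strip_attachments(raw):
    """Rewrite raw message bytes.  Returns (new_bytes, stripped_filenames)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    # Collect targets first, then modify, so the tree walk is not disturbed.
    targets = [p for p in msg.walk()
               if p.get_filename() and is_dangerous(p.get_filename())]
    stripped = []
    for part in targets:
        filename = part.get_filename()
        stripped.append(filename)
        # set_content() discards the old Content-* headers and body and turns
        # the part into text/plain, so the recipient sees only the notice.
        part.set_content(
            "[Attachment stripped at the mail gateway: %s\n"
            " If it was legitimate, ask the sender to re-send it by another "
            "mechanism.]\n" % filename)
    return msg.as_bytes(), stripped


# Constructed sample: the worm's shape, with a placeholder body.
SAMPLE_MESSAGE = b"""From: colleague@example.invalid
To: you@example.invalid
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

kindly check the attached LOVELETTER coming from me.
--XYZ
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Transfer-Encoding: 7bit

REM constructed placeholder, not the worm
--XYZ
Content-Type: text/plain; name="agenda.txt"
Content-Disposition: attachment; filename="agenda.txt"

Monday 10:00 - incident review
--XYZ--
"""

if __name__ == "__main__":
    out, stripped = strip_attachments(sys.stdin.buffer.read())
    sys.stdout.buffer.write(out)
    for name in stripped:
        print("stripped:", name, file=sys.stderr)
```

Run as `python3 strip-attachments.py < message.eml` to see the rewritten message; under procmail the ':0 fw' recipe feeds the message on stdin and takes stdout as the replacement, and the stderr line gives the relay log a record of what was removed and for whom.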
This is more aggressive filtering than I would have committed to a week ago. The trade-off has shifted again.
Three lessons for the rest of the year
The Outlook security model is structurally broken. Allowing VBScript attachments to execute with the user's full privileges, with hidden extensions making them look like data files, is an architecture that will keep producing worms until it changes. The fix is at Microsoft's end. Operators can mitigate but cannot solve.
Attachment stripping is now mandatory. Anyone running a mail relay that does not strip executable attachments is, on present evidence, taking on substantial liability. The list of stripped extensions is finite and short. There is no longer a defensible reason not to do it.
The propagation tooling is mature. Melissa proved the mass-mailing-worm category was viable. ILOVEYOU proves the category is now an established operational reality. The next worm of this shape will appear within months. The defenders' baseline has to assume it.
More on this as the week develops. The longer analysis will be next week's post; this is the immediate reaction. The week is going to be busy and tonight is going to be short of sleep.