Twenty years ago, millions of people fell victim to the Love Bug worm. Prof. Steven Furnell FBCS looks back at the incident and considers how things have changed since.

If you were using your email on 4 May 2000, you’d probably have never felt so loved. You were very likely receiving emails simply titled ‘ILOVEYOU’ (and who cared about the lack of spaces? They love you!). And it wasn’t just one or two of them, but a whole set - probably from unexpected sources.

The scale of the outpouring was truly humbling but, of course, it proved to be fake news. No one actually loved you! Variously referred to as the Love Letter, Love Bug, or ILOVEYOU Worm (and often incorrectly referred to as a virus), this was instead a malware incident the like of which we’d never seen - not so much in terms of what it did, but in terms of how it spread.

What was it?

If you’re not familiar with it, the message arrived with the title ILOVEYOU, which was enough to get many people to pay attention. The message content was simply ‘kindly check the attached LOVELETTER coming from me.’ and the attachment (LOVE-LETTER-FOR-YOU.TXT.vbs) was a VBScript file (and so not the natural language of love for the vast majority of people, though many recipients didn’t know or notice the file type).

Alongside its engaging title and inviting message, the other notable thing was that you probably knew the sender. So, what did this mean? Did they love you? Were they just having a laugh? The potential excitement or curiosity was enough to encourage many people to open the attachment and see what it said.

Unfortunately, the answer was nothing… there was no love letter. Opening the attachment instead ran the malware and caused a number of things to happen:

  • a copy of the ILOVEYOU message was sent to every contact in your Outlook address book;
  • various files - including scripts, images and music - were overwritten or replaced with copies of the worm;
  • the worm attempted to spread via internet Relay Chat via the mIRC client;
  • a password-stealing Trojan (Barok) was downloaded, which could then email stolen passwords from the victim’s PC.

So, ultimately, there wasn’t much to love! However, as it turned out, the notion of receiving a love letter proved to be a powerful lure and the malware spread quickly - with estimates suggesting that tens of millions of people opened it and around 90% of systems having received it.

Resulting damage and disruption was estimated in the region of $7bn. The creator of the worm was quickly traced to the Philippines. However, at the time, the country had no cybercrime laws with which to charge him and so a criminal case was not pursued.

Why did it matter?

When we talk about the Love Bug, the first thing that we tend to recognise is that it was a headline example of malware. However, even then, this wasn’t a new problem. Malware had been the most prominent cyber threat for over a decade by the time it came along, but our adoption of the internet had seen it become a significant channel for malware dissemination.

But this was all two decades ago and so you may be wondering why it matters now. Aside from still being the only love letter messages that some of us have ever received, there are a several reasons why it was important:

  • it was a timely example of how our increased connectivity could represent a threat as well as a benefit. It was far from being the first widespread malware incident on the internet - that dubious honour had already gone the Morris Worm over a decade earlier - but it was the biggest incident to occur since the internet had found its way into homes and businesses, rather than just universities and other early users;
  • it reached the end-user directly and provided a clear illustration of how they could be targeted and play a significant part in spreading things further;
  • it showed how an appropriate combination of technology and human persuasion could help to ensure a wider reach than previous incidents. In short, it was a very good sign of things that were to come in terms of online threats and exploitation.

How have things changed?

The Love Bug was a product of simpler times - it was not motivated by financial gain, didn’t hook the system into a botnet, didn’t try to hold your system to ransom and it didn’t disguise itself - once you knew to look out for the message title and attachment, its cover was blown.

Unfortunately, the passing years have not been kind to us with malware. We thought we were badly off back then, but we have since seen malware appearing across all manner of platforms and with far more insidious effects. Moreover, it has moved from the personal motivation behind the Love Bug to something that is now routinely underpinned by organised criminal activity.

Equally, we can argue that our protection practices have, to some extent, kept pace with the threat. Back then, there were still many systems - at home and at work - that still lacked effective malware protection. Our position today is still not perfect, but malware protection is a generally recognised necessity on certain platforms and devices (in broad strokes: Windows was the main target then and it remains so now - although Android malware is also notable in the mobile space).

A challenge is that we have an increased range of devices that require protection and various types of non-PC device that we are not used to protecting.

In terms of laws and legislation, the intervening years have seen a more widespread international recognition of cyber offences, as well as international collaboration in terms of policing across geographic boundaries. In the specific case of the Philippines, related legislation was introduced just a couple of months later. Overall, we are far better placed in terms of recognising the criminal threat and taking it seriously.

Perhaps the biggest unlearned lesson from the Love Bug is how it sought to exploit us. At its core it was a social engineering attack - and we have certainly seen no shortage of these in the intervening years, with the arrival and subsequent dominance of phishing as the key example. However, while we are now better prepared in terms of malware protection technologies and surrounding legislation, we are arguably far less evolved in terms of ensuring that people are able to identify and avoid the problems.

Without rattling off the old trope about people being the weakest link, in a way that implies that it’s their fault, we do need to recognise that cybersecurity literacy and threat awareness amongst the general users are still not where we need them to be. It doesn’t take much looking around to find evidence that many businesses still fail to address security awareness and then find some of their biggest incidents arising from unaware employees. And in the wider public arena it is not too different - there are some great resources available, but relatively few people using and learning from them.

Of course, no amount of awareness-raising and prior warning would have prevented some users from rushing to open the prized love letter, but it may have given others pause for thought! As it stands, the concern is that if love were to come knocking, it’s likely that many would be smitten all over again.

About the author

Steven Furnell is a professor of information security and leads the Centre for Security, Communications & Network Research at the University of Plymouth. He is also an Adjunct Professor with Edith Cowan University in Western Australia and an Honorary Professor with Nelson Mandela University in South Africa.

His research interests include usability of security and privacy, security management and culture, and technologies for user authentication and intrusion detection. He has authored over 320 papers in refereed international journals and conference proceedings, as well as books including Cybercrime: Vandalizing the Information Society and Computer Insecurity: Risking the System. 

Prof. Furnell is the current Chair of Technical Committee 11 (security and privacy) within the International Federation for Information Processing, and a member of related working groups on security management, security education, and human aspects of security. He is also a board member of the Chartered Institute of Information Security and chairs the academic partnership committee and southwest branch.

Other articles by Prof. Furnell: