LoveBug: A decade of virus detection

May 4, 2000 was a game-changing day for anti-virus security.

A virulent worm was about to catch security experts by surprise and cause chaos to an estimated 45 million email users that day. With virus levels surging overnight from one in every 1,000 emails to one in 28, the mass-mailing virus, LoveBug, was on the cusp of causing billions of dollars of damage.

From the moment I logged in to the MessageLabs system that morning, it became apparent that a massive security event was unfolding. Launched from the Philippines, the attack grew in scale as more countries around the world started their working day and emails with the subject line 'ILOVEYOU' were opened. Exploiting the power of social engineering, the email attachment looked like a text document, but once the recipient opened it, the worm sent itself to every email address in the recipient's address book.

At that time, we'd never seen a mass-mailer spread so fast. Ten years ago, the entire threat landscape was very different. MessageLabs, now part of Symantec, was barely 6 months old. There were only two of us in the anti-virus department, and the most infected emails we had ever stopped in a single day was 700. That day we stopped 10,000. Now we routinely stop millions.

To cope with the sheer scale of the attack, we commandeered all available members of the support team. We suddenly had 20 people working on the problem, and others buying more hard drives because we could see that, at the rate the quarantine was filling up, we would shortly run out of storage capacity. It was incredibly exciting. We were also putting out warnings to other anti-virus companies and onto the security newsgroups that were in use at the time.

One of the team members answered the phone to a technology journalist and called the worm the LoveBug. The name stuck. We had caught the worm that everyone else had missed.

For the rest of what was to be a long day, the entire support team was fielding calls from terrified customers asking if they were covered. We were able to say yes.

In the ensuing days, we saw a slew of copycat programs and even kits to generate scripting malware, but we were able to stop these variants too. Our heuristic detection engine looks at what a program does, the behavior it causes, and flags it up if that behavior is suspicious.

We also asked ourselves: What if LoveBug were written in a different scripting language, such as JavaScript? How would it behave? That paid off, because a month later we saw similar worms using different scripting languages.