The Tenth Most Devastating Cyberattack in History
It was a calm Thursday night in May of 2000. Woodland Hills, CA, a sleepy bedroom community north of Los Angeles, CA, rarely had any sort of excitement.
Braun, an information technology contractor specializing in Linux and Microsoft mail servers, had just finished his dinner and was getting ready to turn in for the night, not knowing that the next several days were going to test his abilities like never before.
Around 2am, Braun received a frantic call from a recruiting agency in Newark, NJ asking if he could help a large corporation with a mail server. The frantic voice on the other end said, in a desperate tone, that the whole network was being destroyed by the minute.
As Braun was trying to gather his thoughts after only a few hours of sleep, the phone rang again. This time it was a client, a lawyer who was preparing documents for trial court that day. The frantic voice on that call sounded a lot like the one on the call he had just received, only this time he was told that the computer was eating all of his documents.
Now Braun knew there was a problem, one that would throw him into a spiraling tug-of-war between his clients and the first call he had received. In the back of his mind, he knew he was going to be awake for the next several days. This was not the kind of call that any contractor wanted to get, and as he washed his face to prepare for what was going to be a very big challenge, more than likely the biggest of his time as an independent contractor, he began to imagine the thousands of panicked phone calls that must have been taking place.
On the other side of the world, in Pandacan, Philippines, a small oil depot suburb of Manila and a place that Braun knew nothing about, two college kids were finishing their college studies. One had just finished his thesis at the AMA Computer College. As in a lot of small towns in the Philippines in the 2000s, people there were not able to afford this readily available thing we called the internet, which seemed like a normal everyday part of our life.
Around 3am, while Braun was driving on the freeway, hundreds of thousands of thoughts kept racing through his mind about what it could be. He thought back on the phone call from his lawyer client: what could be eating his documents? It had to be something with the computer. There had to be a hardware malfunction, thought Braun, all the while telling himself in the back of his mind that it couldn’t be happening to a major corporation and one of his clients at the same time.
As he was driving up to the gates of this major corporation, whose address he had just been given during the frantic call from the recruiter in NJ, his stomach began to twist into knots. This corporation was not just any corporation, it was Universal Studios. A place where high dollar people worked, where movies were made, where movie stars roamed the streets and where the expectation of immediate gratification was the norm. This was not a normal call, and he now knew he needed to call his lawyer client in a hurry to tell him to turn his computer off and not turn it back on until he could get to his office another 30 miles away in downtown Los Angeles, CA.
Braun’s worst fears were coming to light like a dizzying wormhole that was out of control.
No sooner had he hung up the phone from calling his lawyer client than the phone began ringing again, this time from another high profile client of the past. They too, in a frantic voice, explained that their Novell server was eating all of the files needed to run a very prominent radio station serving the entire Los Angeles and Orange counties area, a stretch of land that encompassed over 100 square miles.
For the next several hours into the morning business day as the cities surrounding Woodland Hills awoke to begin their day from home by checking their email, the phone continued to relentlessly ring, one-by-one all telling him that they couldn’t get their email and that their computers were crashing and documents and other files were missing. Those that had made it into their offices were calling with what now seemed like a familiar message, their computers and servers were eating files at an uncontrollable rate.
After Braun had been given his security clearance to enter Universal Studios, he met the information technology manager, Bill, a very big, buff ex-drill sergeant from the Army. Bill too had the look of “what the hell is happening!” in his eyes, and you could see that he too had been yanked out of bed at an unholy hour. With him was a first year college student who looked like he had just been pulled out of the bar down the street and was not in much condition to process the severity of what was to come.
As Braun and the IT manager Bill began poring through the countless hundreds-of-thousands of entries in log files from several servers – from the ones that were still running – in a server room the size of a small city, one thing kept standing out. Email. There was what seemed like an abnormal amount of email being sent by the vice president and his assistants at an hour when a city of almost 12 million people would be sleeping.
This just didn’t make sense to either of them: why would the vice president of Universal Studios be sending thousands of emails between 1 and 3am? Braun had asked if Bill could call one of the vice president’s assistants or the vice president himself in an attempt to find out, but soon remembered that he was at a place that 10,000 high dollar people called home, and that they would soon be lined up, pounding on the door, demanding to know why they couldn’t get their email and why their files were missing.
This was much bigger than what Braun was used to working with, as most of his clients were doctors and lawyers where 25-100 people would work the normal 9-5 day.
It’s now 4:45am. There are now millions of people making their way through an almost never ending stand-still of traffic that stretches as far as the eye can see on any given day. Braun knew that in the moments to come, there was not going to be a single phone in either Los Angeles or Orange county that would not be ringing off the hook, asking “where’s my emails and why are my documents gone!?”.
No sooner had those thoughts crossed his mind than Bill received a phone call from AT&T at One Wilshire, a multi-story behemoth building that housed thousands of servers on almost every floor, serving most of the phone and data services for Los Angeles’s downtown skyscraper district.
Twenty-five of their engineers had been woken up in the early hours to be told that the world was crashing around them. They had called to find out if the DS1 digital phone lines that ran between Universal Studios and the Natural History Museum in Los Angeles were working, something that neither Braun nor Bill would have thought to check. As it turned out, they were not working either, causing a firestorm of very early morning phone calls to the engineers at AT&T.
During that phone call, it would be discovered that not only were the two DS1 phone lines that ran between Universal Studios and the Natural History Museum not working, but that the vast majority of the phone lines in downtown Los Angeles were not working either.
At a time in history when millions of people around the world relied on dial-up internet services from AOL, AT&T, Earthlink and a handful of other smaller dial-up service providers, it seemed incomprehensible that a high dollar DS1 or T1 subscriber line would not be working. If you were fortunate enough to have such a service, you would have all but forgotten what it was like to not be consistently connected.
As Braun and Bill continued to answer the absolute barrage of phone calls while attempting to find the cause of all of these email and file servers disintegrating before their eyes, Braun, against the wishes of Bill, unplugged the network cables from several of the servers, but the rapid destruction was not slowing down. Bill would later discover that disconnecting those servers saved several hundred million dollar contracts that were stored in emails.
It was also discovered that almost everyone in any kind of management position at Universal Studios was storing their most precious high value contract documents in emails and not on the file servers. That policy would later be changed and enforced, as the backup tapes did not contain any of the documents that needed to be recovered in a big hurry. When asked why they were doing this, the reply most heard was “we were afraid we wouldn’t remember where the documents were”.
Because Braun had rushed to unplug the network cables from the cluster of mail servers, he was able to retrieve a single hive file where a copy of all the tens of thousands of emails was stored.
Getting a desktop computer from Bill, Braun installed a copy of the Microsoft operating system they were using along with a copy of the mail server software that was being used while making dozens of phone calls to all of his clients telling them to turn off and unplug their mail servers completely.
The process of digging into a hive file and subsequently rebuilding the index inside of the hive was a task that was almost unheard of, a taboo word that represented a catastrophe of epic proportion, a word that meant the mail server was going to be down for at least one day.
At a time when email had come of age along with AOL’s instant messenger, the two were very heavily relied on for communications. Unfortunately for most of the southern California area, most of AOL’s content was offline and its messenger service was not functioning at all, adding to the building hysteria of an already apocalyptic-feeling population of Los Angeles.
As the hours ticked on, a single desktop computer sat in the corner of the server room, making almost non-existent progress, churning away at rebuilding a hive file that was already within a couple hundred megabytes of the 1.5 gigabyte maximum that a hive file could be at the time. Braun and Bill were both in a panic about this desktop, which didn’t have anywhere near enough processing power or memory to handle a task that was only meant to be done on a large multiprocessor server.
It was now 2:30 in the afternoon, and it was apparent that the counties of Los Angeles and Orange would be at a stand-still, with millions of people sitting at their desks with thousand-mile stares in their eyes, completely lost, not knowing what to do or how to do it. A few million would be sent home at noon, while the other few million, comprised of all the network and software engineers, would be spending the next several days sleeping on server room floors or wherever they could find a spot to get two or three hours of sleep before continuing on to the next phase of clean up. As for Braun, he would find himself waking up on the floor of a sportscaster’s sound room at the radio station that had called early in the morning, which was located a few blocks away.
The traffic was heavy that day: not only were all of the people who had been sent home trying to make their way home, but an army of off-site tape backup storage company vans, the size of which had never been seen, was also in a panic trying to make its way around the cities with tens of thousands of backup tapes in each vehicle.
While the single desktop sitting in the corner of the server room at Universal Studios was grunting its way through the rebuilding of the single hive that had been recovered, and Bill, who now had a mob of people standing at his door, was repeating himself over and over about what was being done to recover from what seemed like a forever time warp of endless hours of no email or documents, Braun made his way to the radio station, which too was collapsing, looking as if one of many nuclear bombs had been dropped within the area.
A lone network engineer sat in a small makeshift server room fumbling with wires and a mountain of books. Not having been trained in computer sciences, only given the title of network engineer and stuffed into a closet, he was at a complete loss as to what to do. There sat the three servers that ran the entire radio station.
Because the direction given during the phone call early that morning, to unplug the network cables and shut down the servers, had not been heeded, almost all of the documents on the file server were destroyed, and the mail server was not in much better condition. The only saving grace for the radio station was a single network appliance that had missed the memo about needing to be infected.
As with Universal, Braun had discovered that the same kind of worm that had caused so much devastation at Universal Studios was also to blame for the devastation at the radio station. As with Universal, a rebuild of the mail server hive was needed, but unlike Universal, this hive was very damaged and there wasn’t a spare desktop computer lying around. One had to be ordered, which in itself turned out to be a major challenge, as almost all of the computer stores in the area were completely sold out of pre-built computers, hard drives and associated parts.
It was now 3am. Braun had gotten the email hive from the radio station in good enough condition to be put on the desktop computer that was found, bought and delivered to the radio station.
As he sat there, he wondered “what next?” and whether this was going to happen again right after all of these mail servers were fixed, all 7,000+ desktops at Universal were rebuilt, the 100+ desktops at the radio station were rebuilt, and the countless other mail servers and desktops that he still needed to fix or rebuild completely were done. It was 3am; delivered Chinese food and sleep were all that Braun could think about any further.
At 6am, Braun was awoken by the general manager of the radio station asking if everything had been fixed and whether he was able to get his email. The general manager was a very large human being with an incredibly large shoe size. As Braun looked up at the general manager, he reminded himself that even on only three hours of sleep, he was still in the land of high dollar, instant gratification and that these people could not understand how much work it took to save their entire existence.
Still, he felt like he was being stared at by none other than Godzilla, who was expecting an answer that he did not get, and was certain that at any minute he was going to get roasted by the large ball of fire that was going to come out of this man’s mouth.
After managing to find the coffee room on the eighth floor of the building that the radio station lay claim to, Braun checked on the hive file that he had started rebuilding only hours before. He knew the answer but did not want to share the news with the station manager just yet: it was going to take the better part of the entire day, if not all of that day and night, before that hive file would be rebuilt.
It was now 7am. Braun called Bill, who had also spent the night on the floor of his office over at Universal Studios, hoping that there would be some glimmer of hope that the hive file over there, started earlier on the previous day, might be finished. In a scruffy voice that reminded Braun that he too had just been woken up, Bill said that it was still in the process of rebuilding when he had gone to his office at 6:30am.
After informing the radio station manager that the mail server would not be working till the next day and having left instructions for the network engineer for document recovery, Braun made his way into downtown Los Angeles on a Saturday morning, expecting light traffic along the way, only to discover the army of off-site tape storage companies were still in overdrive attempting to drop off backup tapes to the thousands of offices in the multitude of 30-50 story buildings that lined the skyline.
As with Universal and the radio station, the lawyer’s office had suffered the same fate: a worm had infected all of their servers and, again, an email hive file had to be recovered and rebuilt.
During this process, Bill from Universal called to inform Braun that the hive file that was being rebuilt was now done and the executives were chomping at the bit to get the mail server up and running again. Bill also informed Braun that one of the vice president’s assistants couldn’t sleep on Thursday night. When she checked her email, there was an email there from her boyfriend with the subject line “I Love You”, containing a text file that was named the same.
For the first time in all of this apocalyptic frenzy, it was now making sense. The attachment was a worm virus that had quickly and silently infected a home computer and was now running rampant among millions of servers and desktops.
Braun informed his lawyer client that he had to go back to Universal. Much to the dismay of the lawyer, who had waited a day for Braun to show up, and amid discussion about finding another contractor, Braun left. The answer that Braun so desperately needed had been found and he needed to get to it before it disappeared. Every answer that he needed was in that worm file. While he suspected that he would see that file again several more times before all of this was over, he needed to dissect it to find out what made it tick, in hopes of keeping this worm from re-appearing and damaging all that had been done to recover from it.
After arriving back at Universal Studios, what Braun discovered was the “I Love You” virus. The I Love You virus, sometimes referred to as Love Bug or Love pak, was a computer worm that attacked tens of millions of Windows personal computers on that fateful day in May.
Starting on May 5, 2000 in the Philippines, it spread as an email message with the subject line “ILOVEYOU” and the attachment “LOVE-LETTER-FOR-YOU.txt.vbs”. The latter file extension, ‘vbs’, a type of interpreted file, was most often hidden by default on Windows computers of the time because it is an extension for a file type known to Windows, leading unwitting users to think the attachment was a normal text file.
Opening the attachment activated the Visual Basic script contained in the file. The worm then inflicted damage on the local machine, overwriting random types of files, including Office files, image files and audio files. However, after overwriting MP3 files the virus hid the file. It would then send a copy of itself to all addresses in the Windows Address Book used by Microsoft Outlook, which made it spread much faster than any previous email worm.
On the machine system level, ILOVEYOU relied on the scripting engine system setting (which runs scripting-language files such as .vbs files) being enabled, and took advantage of a feature in Windows that hid file extensions by default, which malware authors would use as an exploit. Windows would parse file names from right to left, stopping at the first period character and showing only those elements to the left of it.
The attachment, which had two periods, could thus display the inner fake “txt” file extension. Text files are considered to be innocuous, as they are normally incapable of running executable code. The worm used social engineering to entice users to open the attachment – out of actual desire to connect or simple curiosity – to ensure continued propagation. Systemic weaknesses in the design of Microsoft Outlook and Microsoft Windows were exploited, allowing malicious code complete access to the operating system, secondary storage, and system and user data simply by unwitting users clicking on an icon.
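The hidden-extension behaviour described above can be turned into a mail-gateway check. The following Python sketch is an added example, not code from the original article: it reproduces the right-to-left display rule and flags attachments whose real extension is a script type while the displayed name ends in a harmless-looking one. The function names, the decoy list and the sample file names are assumptions constructed for illustration; the script extensions are taken from the list of affected extensions given on this page.

```python
"""Added example: flag attachments whose displayed name hides a script extension."""
import os

# Script types from this page's extension list that Windows script hosts execute.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta"}
# Assumption: extensions a recipient is likely to treat as harmless content.
DECOY_EXTS = {".txt", ".doc", ".jpg", ".jpeg", ".mp3", ".css"}


def displayed_name(filename):
    """Name shown when known extensions are hidden: scan from the right,
    stop at the first period, and keep only what is to its left."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify(filename):
    """Return 'block', 'quarantine' or 'allow' for one attachment name.

    block      - real extension is a script, displayed name looks like a document
    quarantine - real extension is a script, no decoy extension in front of it
    allow      - this check has nothing to say about the file
    """
    # Accept names that arrive with either Windows or POSIX path separators.
    name = os.path.basename(filename.replace("\\", "/"))
    real_ext = os.path.splitext(name)[1].lower()
    if real_ext not in SCRIPT_EXTS:
        return "allow"
    inner_ext = os.path.splitext(displayed_name(name))[1].lower()
    return "block" if inner_ext in DECOY_EXTS else "quarantine"


def scan(attachments):
    """Return (real name, displayed name, verdict) for each attachment."""
    return [(a, displayed_name(a), classify(a)) for a in attachments]


# Constructed sample input; only the first name appears in the article.
SAMPLES = [
    "LOVE-LETTER-FOR-YOU.txt.vbs",
    "quarterly-report.doc",
    "cleanup.vbs",
    "Holiday.JPG.HTA",
    "README",
]

if __name__ == "__main__":
    for real, shown, verdict in scan(SAMPLES):
        print(f"{verdict:<10} real={real!r} shown={shown!r}")
```

The same check can be run over file names on disk, since the worm left overwritten files with an additional VBS extension appended.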
Messages generated in the Philippines began to spread westwards through corporate email systems. Because the worm used mailing lists as its source of targets, the messages often appeared to come from acquaintances and were therefore often regarded as “safe” by their victims, providing further incentive to open them. Only a few users at each site had to access the attachment to generate millions more messages that crippled mail systems and overwrote millions of files on computers in each successive network.
The malware originated in the Pandacan neighborhood of Manila in the Philippines on May 5, 2000, thereafter following daybreak westward across the world as employees began their workday that Friday morning, moving first to Hong Kong, then to Europe, and finally the United States.
The outbreak was later estimated to have caused US$5.5–8.7 billion in damages worldwide, and removing the worm was estimated to cost US$15 billion. Within ten days, over fifty million infections had been reported, and it is estimated that 10% of internet-connected computers in the world had been affected. Damage cited was mostly the time and effort spent getting rid of the infection and recovering files from backups. To protect themselves, the Pentagon, the CIA, the British Parliament and most large corporations decided to completely shut down their mail systems. The ILOVEYOU virus infected computers all over the world. At the time it was one of the world’s most destructive computer-related disasters ever.
The ILOVEYOU script, the attachment, was written in Microsoft Visual Basic Scripting, which runs in Microsoft Outlook and was enabled by default. The script added Windows Registry data for automatic startup on system boot.
The worm then searched connected drives and replaced files with extensions JPG, JPEG, VBS, VBE, JS, JSE, CSS, WSH, SCT, DOC, HTA, MP2, and MP3 with copies of itself, while appending the additional file extension VBS, making the user’s computer unbootable. However, MP3s and other sound related files were hidden rather than overwritten.
The worm propagated itself by sending out one copy of the payload to each entry in the Microsoft Outlook address book. It also downloaded the Barok trojan renamed for the occasion as “WIN-BUGSFIX.EXE”.
The fact that the virus was written in VBS provided users a way to modify the virus. A user could easily modify the virus to replace important files in the system, and destroy it. This allowed more than twenty-five variations of ILOVEYOU to spread across the internet, each one doing different kinds of damage.
Most of the variations had to do with what file extensions were affected by the virus. Others simply modified the email subject in order to make it targeted towards a specific audience, like variant “Cartolina” in Italian, or variant “BabyPic” for adults. Some others only modified the credits to the author, which were originally included in the standard version of the virus, removing them completely or referencing false authors.
On May 5, 2000, two young Filipino programmers named Reonel Ramones and Onel de Guzman became targets of a criminal investigation by agents of the Philippines’ National Bureau of Investigation. Local Internet service provider Sky Internet had reported receiving numerous complaints from European computer users alleging that malware in the form of the “ILOVEYOU” worm had been sent via the ISP’s servers.
After surveillance and investigation by Darwin Bawasanta of Sky Internet, the NBI traced a frequently appearing telephone number to Ramones’ apartment in Manila. His residence was searched and Ramones was arrested and placed under investigation by the Department of Justice. Onel de Guzman was also charged in absentia.
At that point, the NBI were unsure what felony or crime would apply. It was suggested they be charged with violating Republic Act 8484 (the Access Device Regulation Act), a law designed mainly to penalize credit card fraud, since both used prepaid, if not stolen, internet cards to purchase access to ISPs. Another idea was that they be charged with malicious mischief, a felony (under the Philippines Revised Penal Code of 1932) involving damage to property.
The drawback here was that one of its elements, aside from damage to property, was intent to damage, and de Guzman had claimed during custodial investigations that he may have unwittingly released the worm.
To show intent, the NBI investigated AMA Computer College, where de Guzman had dropped out at the very end of his final year. They found that, for his undergraduate thesis, de Guzman had proposed the implementation of a trojan to steal Internet login passwords. This way, he proposed, users would finally be able to afford an internet connection. The proposal was rejected by the College of Computer Studies board, prompting de Guzman to cancel his studies the day before graduation.
Since there were no laws in the Philippines against writing malware at the time, both Ramones and de Guzman were released with all charges dropped by state prosecutors. To address this legislative deficiency, the Philippine Congress enacted Republic Act No. 8792, otherwise known as the E-Commerce Law, in July 2000, just two months after the worm outbreak. As of 2012, the ILOVEYOU virus was regarded as the tenth-most virulent computer virus.
The events inspired the song “E-mail” on the Pet Shop Boys’ UK top-ten album of 2002, Release, the lyrics of which play thematically on the human desires which enabled the mass destruction of this computer infection.