The 4th of May 2000 was a game-changing day for antivirus security. A virulent worm was about to catch security experts by surprise and cause chaos to an estimated 45 million email users that day.
With virus levels surging overnight from 1 in every 1000 emails to 1 in 28, the mass-mailing virus, LoveBug, was on the cusp of causing billions of dollars of damage. It was also the day which proved the superiority of heuristic ‘in-the-cloud’ detection over traditional antivirus tools.
- Paul Fletcher
That morning, it became apparent that a massive security event was unfolding. Launched from the Philippines, the extent of the attack increased as more countries globally started their working day and emails with the subject line ‘ILOVEYOU’ were opened.
Exploiting the power of social engineering, the email attachment looked like a text document, but once the recipient opened it, the worm sent itself to every email address in the recipient’s address book.
At that time, we’d never seen a mass-mailer spread so fast. Ten years ago the entire threat landscape was very different; Symantec Hosted Services, then MessageLabs, was barely six months old. There were only two of us in the antivirus department and the most infected emails we had previously stopped in one day was 700. That day we stopped 10,000. Now we routinely stop millions.
To cope with the sheer scale of the attack, we commandeered all available members of the support team and we suddenly had 20 people working on the problem. One of the team answered the phone to speak with a technology journalist and called the worm the LoveBug. The name stuck. We had caught the worm that everyone else had missed. We were also putting out warnings to other antivirus companies and onto the security newsgroups which were used then.
For the rest of what was to be a long day, the entire support team was fielding calls from terrified customers asking if they were covered. Unlike other antivirus companies, who took more than 10 hours to release a signature, we were able to say yes.
In the ensuing days we saw a slew of copycat programs and even kits to generate scripting malware, but we were able to stop these variants too. Unlike conventional signature-scanners which look for specific lines of malicious code, our heuristic detection engine Skeptic™ looks at what a program does, the behaviour it causes, and flags it up if the behaviour is suspicious.
We also asked ourselves: what if LoveBug was written in a different scripting language such as JavaScript? How would it behave? That paid off, because a month later we saw similar worms using different scripting languages.
Ten years on, the threat landscape is very different and typically sees us focus on more malicious, highly targeted attacks. We learned some valuable lessons that day regarding the scalability and speed of malware and the infrastructure needed to ensure organizations still receive clean email even if another huge outbreak occurs.
Paul Fletcher is Chief Software Architect at Symantec Hosted Services
