Sneaky bug is king of the one-liner

PUBLISHED : Saturday, 06 May, 2000, 12:00am
UPDATED : Saturday, 06 May, 2000, 12:00am

CURIOSITY, VANITY, NAIVETE, gullibility were the friends of a sneaky computer bug called 'ILOVEYOU' which swept the world on Thursday. Let's be honest - without any forewarning, how many people would be so unintrigued as to leave unopened in their inbox an e-mail marked with such a flattering message? It seems that the Internet is at the mercy of mischief makers. Yet, say computer technologists in Hong Kong, things can be learned from such attacks - and improvements are on the way.

At least a million people worldwide are thought to have opened the file attached to the e-mail. That released what computer nerds call a 'worm', which burrowed into its guests' address books and copied itself to everyone they knew. The result was a spread so rapid that a Scandinavian computer security company reported calls from computer users in 20 countries within two hours.

Worse, this particular bug, or rather the person who devised it, clearly disliked pictures and sound - it slithered through the hosts' computer disks, erasing or hiding graphics and popular music files in MP3 format. If the computer user was part of a network - as many office users are - or linked to a chat room, the worm could reach everyone else linked through those connections. The result was millions of computers infected, e-mail systems prevented from working due to overload and others closed down deliberately by companies to prevent further attack.

The computer savvy scoffed that users should have guessed something was up when they received screen-loads of messages with the same subject, but that does not account for the people who opened the first one before others landed. One US information technology analyst said such a strange message was 'almost a keyword for viruses'. But Professor Samuel Chanson, director of the Cyberspace Centre at the Hong Kong University of Science and Technology, said that, while such a subject line might seem 'fairly stupid', it could also be considered as 'very clever because it could come from a friend'.

He said the virus was worse than a similar one sent out last year. Called 'Melissa', it also copied itself to a host's contacts, but only to the first 50 in the address book, and it did not corrupt any files. Yet 'Melissa's' subject line - 'important message from' and then the sender's name - was far more subtle than the 'ILOVEYOU' tag, and just opening the mail released the bug.

Imagine the devastation if the subtleties of 'Melissa' were combined with the more malicious aspects of the 'ILOVEYOU' bug, or if the bug erased more files. David Chess, staff member of IBM's T J Watson Research Centre, told Web magazine ZDNet News that it had been written by an amateur - it was a glorified 'Melissa' with a sprinkling of known aspects of other viruses. 'It's certainly not a tour-de-force of programming,' he said.

These viruses, annoying and expensive as they are, are a warning of the potential downside of a worldwide easy communications system used by rapidly increasing numbers of people uninterested in how the system works.

Hackers who write such virus programmes take delight in keeping a step ahead of the technology. Yet, said Professor Chanson, more could be done to keep abreast of them, both by companies and by governments.

About 100 countries, led by the United States in 1988, have set up a network of Computer Emergency Response Teams (Certs), which monitor the latest virus developments, handle distress calls from those infected, collect data and send out warnings to member organisations. His group had received such a warning of the 'ILOVEYOU' virus in time to prepare for it, he said.

Yet an application by his university and the Hong Kong Productivity Council (HKPC) for funding to set up an SAR version had been turned down by the Industry Department two years ago, said Roy Ko Wai-tak, principal information technology consultant at the HKPC. The group has re-submitted a request for 'several million dollars' and is expected to receive its first cash by the end of the year. 'Hong Kong is behind in joining this [network],' he said. 'It would allow more knowledge to be disseminated. It could promote awareness of security issues; help people evaluate their security.' Increased awareness is required. There are 40,000 known viruses which continually infect inadequately protected systems, yet 'a lot of people install a virus scanner and then never use it or update it,' said Professor Chanson. Local companies, panicking that they are late in setting up Web pages or even e-commerce activities, could do much more to protect themselves, according to Mr Ko.

He said many of the small firms he dealt with - which have up to 50 or 100 employees - were in such a hurry to set up their Net presence that they did not consider the security issues, or the back office operations they would need. Plans were not comprehensive: 'There are a lot of missing pieces [when you move] your business on to the Net,' he said. Security protection was a double-edged sword: 'It's always a sacrifice of performance and flexibility.' For instance, the 'ILOVEYOU' virus contained a piece of computer code which could be spotted as it arrived at the receiver's e-mail and filtered out, but some companies might want to send genuine e-mails containing that code, which would mean sending and receiving by a special route.

Other methods of checking the origin of arriving mail could improve security, said City University associate professor of computer science Lee Chan-hee. The Hong Kong Post Office is pioneering the use of digital signatures attached to e-mail - a method by which the receiver can check the source of the mail before opening it. But Dr Lee said better protection would soon be available that could remove much of the headache for small firms, by passing on the responsibility of looking after their security to other agents.

He was talking about application service providers (ASPs), which were starting to take business from the more usual Internet service providers (ISPs). Whereas the ISP simply offers a connection to the Net but takes no responsibility for what travels to your computer, an ASP could offer more interaction, taking care of your Web site if required, maintaining it and offering security advice, as well as handling any viruses that creep through.

But with only a handful operating in Hong Kong so far, Professor Chanson said good could come from the 'ILOVEYOU' virus in the form of greater awareness. 'A few of these things and everybody knows about not opening attachments,' he said. 'A little bit of common sense is the best protection.'