The power of Love
By Alan C. Robles
Hot Manila [May 2000]
The bomb was crudely made. The artistry was in the way it was gift-wrapped.
Whereas previous computer viruses transmitted through the Internet exhorted their intended victims with tags like "URGENT: OPEN AT ONCE" or "READ THIS IMMEDIATELY", the ILOVEYOU worm used a brilliant piece of "social engineering". It came disguised as a love note, with the following enticement: "kindly check the attached LOVELETTER coming from me." The irresistible come-on probably contributed to the rapid proliferation of the worm.
In hackerspeak, social engineering has nothing to do with computer programming - it is jargon for conmanship: duping people into doing something they wouldn't normally do, such as revealing passwords or codes.
One website exhibiting viruses credits authorship of ILOVEYOU to someone named Spyder. Actually the program was very likely written by at least two young Filipino computer students belonging to an informal barkada called the GRAMMERSoft Group. Most, if not all, its members are or were students of AMA Computer College in Makati, Metro Manila. Many are now lying low, one might have left the country.
They developed the worm - which is supposed to have inflicted billions of dollars worth of damage -- from a password-stealing virus called Barok, which is the very first word on the first line of the ILOVEYOU code. Hot Manila managed to visit a site where Barok is posted. It site identifies the virus' author as Spyder. An AMACC student named Onel de Guzman submitted a 10-page thesis proposal for a program that steals passwords - just like Barok. In fact the ILOVEYOU code contains the words "Barok", "Spyder" and "GRAMMERSoft."
According to one source reached by Hot Manila, members of the group were bragging about their project two months ago in chat discussions. What the GRAMMERSoft members did was to modify Barok to produce a deadly payload. Apart from filching passwords, ILOVEYOU implants itself within the operating system, seizes control of the browser in order to download another program, deletes files and replaces them with copies of itself, and emails itself out to all the people listed on an address book. The worm only affects Windows PCs, taking advantage of weaknesses long recognized in that operating system.
The source speculates: "The code may have been written by one person but it is very possible that somebody suggested things to the coder. -- `why don't you put this? Or do that?' -- egging each other on."
He says ILOVEYOU patched Barok together with at least two other virus programs. "It's a local blend of what's been done before, Babylonia and Melissa." Babylonia downloads plug-ins from the virus author's account. Melissa emails itself to names on an address book.
On May 5 a computer virus expert in Stockholm said that ILOVEYOU was written by a young German living in the Philippines named Michael. There is a Michael involved and he lives in the Philippines but he's a Filipino.
His full name is Michael Buen , a graduate of AMACC . Buen also calls himself myckl and myckl12_4.
Someone using the name Mycklangelo "The Skulltor" Buenarotti posted a sample Word 97 macro virus on a site which is now down. The virus is triggered by a specific date, at which time the victim loses control of the keyboard and finds the screen showing the message "Michael Learns To Hack." The virus then replaces the victim's Word document with a resume of Mycklangelo.
In it he identifies himself as Michael Buen, born November 5 1976, a student at AMACC (which he and other virus writers calls AMACCONDA). "I 'm not a virus programmer per se, I'm just a dedicated programmer and a serious learner," the writer claims.
After listing his mastery of a formidable list of computer languages, Mycklangelo jokingly describes himself as "hardworking, softworking cute, down to earth (ALIEN?!), boy next window" then goes on to issue a threat: "if I don't get a stable job by the end of the month I will release a third virus that will remove all folders in the Primary Hard Disk, or layman's term (sic) para ko na ring fi-normat ang Hard Disk Mo ."
Mycklangelo also maintains a site called Michael Learns to Hack, which contains nothing but text files of quotes like "Hacking is not an activity, it is an attitude", and "programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far the universe is winning."
For a virus writer to post his biodata within a computer program seems so preposterous that it's probably a red herring. However, a source tells Hot Manila if you've written a virus "you usually leave a sign that its yours, because you want to take credit or just plain boast - it's like telling people, `hey I did this, can you?'"
Having made their lethal program, ILOVEYOU's creators decided to launch it last week. To set the groundwork, they took over four accounts at SkyInternet - an Internet Service Provider that isn't exactly 100 per cent efficient (up to now it continues to send bills for an account deactivated three years ago). Once it had taken over a victim's browser, the virus was supposed to access these hijacked accounts for further instructions.
While they might have been smart programmers, the creators of ILOVEYOU turned out not to have too much Internet savvy. They didn't realize how fast the virus would spread. Nor did they think that the unusual activity in the sites they had commandeered would attract attention. "They became overconfident," says the virus expert.. "They thought, because they were using hacked accounts they couldn't be traced."
GRAMMERSoft's virus writers have gone into hiding and in fact most of the virus sites in the Philippines have been taken down.
If they're caught, the writers of ILOVEYOU might say that they were conducting an experiment which had broken loose and gone out of control. This isn't the opinion of Hot Manila's source.
"The virus was meant to be released. If you go to all that trouble to setup and release the virus, then your intention is there. Anyone who wants to code a fast replication process and test it should do it somewhere where you can control things. Experiment with a virus like that in the wild it's just like testing a nuclear bomb in New York City. "
Hot Manila has emailed both myckl and spyder, asking them to explain their side. They haven't replied. The void from where the hateful power of love lashed out is silent.