

Meet the Lovebug Hacker

by Jeff Elliott

The best example yet of why the Microsoft monopoly must end
With damage from the "Lovebug" virus estimated at $2 billion and climbing, authorities are hungry to catch the person responsible. I can tell the FBI exactly where to find the culprit: He lives outside of Seattle, Washington. His name is Bill Gates.

There was nothing fundamentally new about Lovebug. It's just a simple variation of the "Melissa" worm, which first surfaced in March 1999 and has reappeared since in many incarnations. But where most of the other versions just made pesky copies of themselves to mail to others in your address book, Lovebug is malicious. Besides mailing clones of itself to everyone you know, it destroys some of your files and steals your passwords. Can't get any meaner than that.

That family of viruses spread in the old-fashioned way -- you had to run an attached file that was infected. Unfortunately, that's pretty easy to do with Microsoft e-mail products (Outlook / Outlook Express / Internet Explorer). Windows usually comes configured with these programs set to open attachments automatically. In the case of the Lovebug attachment, this meant that it ran the program for you.

Running an unknown program is dangerous, like sticking your hand in a bee hive without first checking to see if anyone's home. But to prevent their mail program from doing that, most users have to tweak out-of-the-way settings. (Move the security setting in the Windows Internet control panel from "moderate" to "high." Outlook users should choose OPTIONS under the Tools menu and set Attachments to "high.") Why aren't these the default settings for all versions of Windows and Microsoft e-mail? Good question -- ask Bill.

Besides these security settings, a cautious Windows user also has the latest versions of their Microsoft mail programs and virus protection software installed -- although neither of these would have stopped Lovebug from initially spreading. Programmers at Microsoft and the anti-virus companies raced to create a "patch" for their programs that would squash Lovebug, but by then most of the damage was done.

Yet future Windows users may soon look back on Lovebug with a kind of morbid nostalgia; at least it could be easily avoided if you took reasonable precautions. The newer generation of viruses don't need attachments at all. The virus is embedded in the e-mail itself -- or rather, in Microsoft's codes that are normally used to display a message with specific fonts, colors, and other enhancements.

A current high risk is "Wscript.KaKWorm," which uses the signature part of the message to embed a virus. Open the message with Outlook Express and your computer is infected. Even more worrisome is a completely different worm called "BubbleBoy," which can invisibly place itself anywhere inside the message. Fortunately, the latter virus has not been used maliciously -- yet. Once that happens, the damage will certainly be magnitudes worse than experienced last week.

So what can be done? Some users are disabling parts of Windows itself -- an exercise not for the squeamish. (See: http://www.F-Secure.com/virus-info/u-vbs/ for more information on this.) The only other antidote to these kinds of viruses is relying upon Microsoft to offer patches (revisions) that fix the bugs in its products that made such destruction possible.

Patching released software is business as usual for Microsoft, where almost every month sees a handful of such revisions available, always after a virus or worm has wreaked its havoc. Even with effort, they're falling behind -- more than 50 new Windows viruses have circulated already this year. Some take Microsoft months to even acknowledge.

Microsoft continues to insist that their corporation is not culpable for any of these problems. Yet the hackers are only exploiting bugs and "design features" in Microsoft products. The author of Lovebug didn't modify Outlook to steal your passwords; that was a flaw in Windows itself -- a significant vulnerability that should have been found in early testing.

If you can't depend on Microsoft to block these viruses, the only defense left is having a good anti-virus program installed. But as happened with Lovebug, this only helps after the virus has been unleashed; these programs have only limited ability to detect viruses they aren't specifically designed to stop. Nor should these programs be expected to fix problems with Windows itself. After all, if your car explodes in flames when a bumper is tapped at 5 MPH, the solution is not to build a stronger additional bumper around the old one -- the answer is to figure out why the damn car blows up so easily.

Last week Gates wrote in a Time magazine guest editorial that Lovebug was an argument for not breaking up Microsoft. The truth is just the opposite; the billions lost from Lovebug are perhaps the best example yet of why the Microsoft monopoly must end. It demonstrates that the corporation has no interest in correcting serious flaws in its products until forced to. And even then, any fixes are made in piecemeal fashion that depends upon millions of computer users to download weekly fixes. This is not a solution -- it's another problem itself.

Lovebug and the other viruses also demonstrate the high risk of integrating programs like Outlook so closely with the operating system. Another virus currently circulating takes the contents of your clipboard (what's captured when control-c is pressed) and mails it off to a hacker's address. Why in the world should an e-mail program even have access to a computer's basic functionality like this? Good question -- ask Bill.

The tech support desk at monitor.net strongly encourages our customers to use programs that will not damage their computers -- or the computers of others. Only Microsoft e-mail products can spread these viruses or have them accidentally triggered; Eudora, Pegasus, Netscape, and Lotus Notes don't have these problems. Yes, Outlook and its variants may have a few extra features; you can, for example, write e-mail to your Aunt Hattie using that Helvetica font you like so much. But in the last week, we have helped several customers reinstall Windows after Lovebug damaged their computers beyond repair. One customer told us about irreplaceable files lost: Financial records, pictures sent from distant family members. Is that kind of risk a good tradeoff for the ability to use a pretty font? Good question -- ask Bill.




Albion Monitor May 15, 2000 (http://www.monitor.net/monitor)

All Rights Reserved.

Contact rights@monitor.net for permission to use in any format.