Love Bug legacy shows users still fall for false promises

Five years ago today the world was in the grip of one of the worst ever computer viruses - the Love Bug worm.

It was a self-propagating mass mailer like so many we've seen since but the real interest was the simplicity with which it exploited the power of social engineering as the primary tool in the virus writer's arsenal.

Overnight on 4 May emails began arriving with the subject line 'I love you' - from contacts who had already been infected and whose mailboxes had surrendered their addresses to the worm. The temptation to click on the unsolicited attachment was too much for many.

Mark Sunner, CTO of MessageLabs, remembers the day well and claims the curious honour of being credited with naming the virus - which during its first few hours was known variously by names such as 'loveletter' and the 'I love you' worm.

However, the truth is a little more convoluted. It was a junior colleague of Sunner's who actually took a call from CNN asking what the virus was called.

Under pressure and unable to find a senior colleague - "we were all rushing around buying up extra capacity because we were intercepting so many emails," says Sunner - he used a name which the company had been using internally - 'Love Bug' - and the name stuck.

Love Bug was the first unquestioned triumph for social engineering, with a ploy so simple its success seems almost implausible with hindsight. The promise of love and subsequent heartbreak even catapulted a computer virus onto the front page of national newspapers and into prime time TV bulletins.

"It was social engineering to a whole new level," said Sunner. "It arrived in inboxes, from somebody the recipient knew, claiming 'I love you'. People clicked on it immediately because humans are curious beings and also because they had never seen anything like it."

But this was far from an exercise in ascertaining gullibility. "It had a properly malicious payload," added Sunner. The worm looked for media files such as .jpeg and .mp3 and over-wrote them, hitting some companies very hard as they lost image banks and music libraries.

Five years on little has changed for the better in terms of the adoption or the awareness of social engineering - a good angle is still a guarantee of some joy, even for crudely coded malware.

This week saw the release of the latest Sober variant which exploited the clamour for World Cup tickets to entice users to click on the attachment. And over the years naked pictures of celebrities and topical angles that have exploited war and natural disasters have all encouraged users to launch .exe files.

David Perry, global director of education at Trend Micro, told silicon.com: "I heard of an employee at one company who complained to his IT department that he'd clicked on an attachment - even though he knew he'd be launching a virus - and yet still hadn't been able to see the naked pictures of Anna Kournikova.*"

It's a tale which shows the extent to which the most obvious social engineering can baffle an apparently semi-savvy end user. (*And there may even have been some reading this who were disappointed to see the above click simply navigated through to a story about the Kournikova worm, rather than some pics - you know who you are).

Sunner said: "The problem is this technique will never go away now."

The simplicity of the underlying tactic is still lost on many users and there will always be the latest celebrity or topical hook to exploit.

"People are always going to click on things. The human element is the real crux of the issue and you can't patch people," added Sunner.

As a curious footnote, in the past 30 days MessageLabs has intercepted five Love Bug emails.