‘Love Bug’ Probe Focuses on Suspect in Philippines

TIMES STAFF WRITER

As law enforcement officials struggled Friday to find the perpetrator of the global “Love Bug” computer virus, which may become the most damaging in history, security experts warned that similar widespread attacks may soon follow.

That’s because computer viruses spread rapaciously and easily mutate, and they can take weeks to control because of the open nature of the Internet.

Since late Thursday, at least eight copycat strains of the Love Bug, such as two transmitted in e-mails titled “Mothers Day Confirmation Order” and “Joke,” have emerged, complicating efforts to limit the contagion and expanding the scope of the police probe.

“The FBI has narrowed it down to one specific individual in the Philippines,” and the agency’s legal attache in the Philippines is working directly with local law enforcement, said Amit Yoran, a security consultant who formerly headed computer security for the Defense Department.

Investigators found the suspect, who is a teenager or young man, because he inserted his Internet moniker, “spyder,” into the computer code that defines the virus.

“The guy put his calling card within the source code,” Yoran said. “He wanted the code to be attributed to him. The hacking world is about gaining recognition.” The code also contained a reference to Supernet, a Manila-based Internet service provider that may have served unwittingly as a launch pad for the attack.

But the ability to cause massive damage despite such sloppiness is also a worrisome sign, experts cautioned.

“It shows some inherent vulnerabilities in the system,” said John Vranesevich, founder of AntiOnline, a Web company that tracks computer crime and hacking episodes. “Some of the viruses--I hate to use the word brilliant in regard to destruction--but they are brilliant,” he said. “What would a terrorist group be able to do, if we’re talking about a couple of teenagers here, as I suspect we are.”

The Defense Department said Friday that at least two classified military computer systems were infected with the virus, but the problems were fixed before they caused lasting damage.

The pernicious virus, initially spread via e-mail messages titled “ILoveYou,” brought the mail systems of thousands of companies and government agencies to their knees while destroying files on an estimated tens of millions of computers.

Estimates of the overall scope of Love Bug damages vary widely, but because the virus destroys or hides files--including common graphics and music files using the popular MP3 format--some say that eventual losses could rise into the billions of dollars.

Some companies hit hard by the infection said their actual financial losses would be hard to quantify but relatively small.

Ford Motor Co. shut down its e-mail system for all 125,000 employees for more than 24 hours but resumed it Friday. Ford’s moves eclipsed measures it took last year to combat the Melissa virus, a less-destructive e-mail scourge that swept across the Internet and caused about $300 million in damage worldwide.

But even in this virus case, Ford lost no essential documents, said spokeswoman Kathleen Vokes.

“It was literally a minor inconvenience, but for a large number of people,” Vokes said. “There is some debate about the lost-productivity issue. I myself got more done without having to read e-mail yesterday.”

The rate of infection by the Love Bug is already declining sharply as users deploy anti-virus tools, said Carey Nachenberg, chief virus researcher for Cupertino, Calif.-based Symantec, a vendor of such products. But pockets of the infection will continue for a couple of weeks, he said.

Even if officials apprehend the person who launched the virus attack, experts expect even more serious viruses to be launched as the Internet expands.

“All of the features that make the Internet exciting, fast, dynamic and open go against security,” said Bruce Schneier, a noted cryptographer and chief technical officer of Counterpane Internet Security in San Jose. “Complexity is the enemy of security. The Internet is the most complex machine ever designed by human beings, and it’s getting more complex every day.”

Though commonly called a virus, the Love Bug is technically a “worm,” a self-contained, destructive software program. A virus is a set of computer instructions that attaches to a program or computer file.

The increasing availability of tools for hacking into computer systems and creating viruses and worms--all available free on the Internet--has vastly expanded the population of potential network vandals.

Once the province of macho programmers bent more on demonstrating technical prowess than on causing actual damage, hacking tools are now easily available to careless youths who fail to grasp the power of the tools. Such youths are often called “script kiddies.”

“It’s like a kid playing with a gun. They have no idea how damaging it can be until it misfires,” said Jeffrey Bedser, a consultant with the Internet Crimes Group in Princeton, N.J.

For example, a Montreal teenager calling himself “Mafiaboy” was recently charged with bringing down the CNN Web site during a spate of attacks in February that caused service outages on leading Web destinations. But the CNN episode is considered a copycat of an earlier attack on Yahoo, whose perpetrator has so far effectively disguised his online identity and has not been caught.

Given the ease with which such disguises can be used, experts cautioned that the clues left by the Love Bug attacker may be a ruse to distract investigators. “Each computer crime, whether it’s a virus crime or an intrusion crime or a hacking crime, raises its own challenges and complexities,” said Chris Painter, deputy chief of the Justice Department’s computer crimes section. He said the FBI is working closely with state agencies and foreign police forces on what is a global problem.

He acknowledged that the task is daunting, however.

“With the explosive growth of the Internet . . . we will unfortunately increasingly see the dark side. People are going to disrupt commerce and communication,” Painter said.

And experts agree that technology favors offense over defense in the virus wars. “The security industry has become stagnant,” Vranesevich said, “while the hackers and virus writers are being very innovative.”

Symantec’s Nachenberg said his company is hoping to come up with a system that automatically detects suspicious e-mail messages or software programs, instead of dealing with a virus that normally has a several-hour head start before eradication efforts begin.
