Wearing a striped shirt and Matrix-style dark glasses, Onel de Guzman stared at the floor as he made his way through a crowd of photographers into a hastily arranged press conference in Quezon City, a suburb of the Philippines capital Manila.
Skinny, with a mop of black hair falling to his eyebrows, he appeared to barely register the journalists’ shouted questions, his only movement the occasional dabbing of sweat from his face with a white towel. Seated to his right, de Guzman’s lawyer Rolando Quimbo had to lean in close to hear the 23-year-old’s mumbled response, which he then repeated in English for the waiting press.
“He is not really aware that the acts imputed to him were indeed done by him,” the lawyer said. “So if you ask me whether or not he was aware of the consequences I would say that he is not aware.”
It was May 11, 2000, and if de Guzman was feeling shell-shocked, he had good reason to be. He was accused of authoring and releasing the first truly global computer virus that had disrupted the operations of businesses and government agencies the world over, from Ford (F) and Merrill Lynch to the Pentagon and the British Parliament, and was on track to cause a estimated $10 billion in damages — all in the name of love.
Twenty years on, the ILOVEYOU virus remains one of the farthest reaching ever. Tens of millions of computers around the world were affected. The fight to contain the malware and track down its author was front page news globally, waking up a largely complacent public to the dangers posed by malicious cyber actors. It also exposed vulnerabilities which we are still dealing with to this day, despite two decades of advances in computer security and technology.
This account of the virus is based on interviews with law enforcement and investigators involved in the original case, contemporaneous CNN reporting and reports by the FBI, Philippines police and the Pentagon.
Multiple attempts to reach Onel de Guzman for this article, including through his family and former lawyer, were unsuccessful. De Guzman had not commented publicly since around 2000, until this week when author Geoff White tracked him down to the phone repair shop he now runs in Manila, where he admitted to authoring the virus.
On the afternoon of May 4, 2000, Michael Gazeley was in his office at Star Computer City, a warren of IT companies and shops selling electronics and gadgets overlooking Hong Kong’s Victoria Harbor.
A few months earlier, Gazeley and his longtime business partner, Mark Webb-Johnson, founded their own information security firm, Network Box, which specialized in protecting customers from online threats. Both men had decades of experience in the industry, and had just finished the grueling (though occasionally lucrative) work of preparing for the new millennium by staving off the Y2K bug that threatened to cause widespread damage to systems worldwide.
Though largely remembered today, much to the chagrin of those involved, as an overreaction — or worse, a hoax — the Y2K bug was real, and the potential costs massive. They were avoided thanks to the diligent efforts of programmers around the world working together. It was a sign of the new connectivity that the internet, still in its relative infancy, was fostering.
That connectivity cut both ways, however, as Gazeley was reminded of that afternoon.
All the phones in his office started ringing at once. First were his clients, then came non-customers, all calling frantically in the hope that Network Box could help stop a virus that was screaming through their systems, destroying and corrupting data as it went.
They all told the same story: Someone in the office had received an email with the subject “ILOVEYOU” and the message, “kindly check the attached LOVELETTER coming from me.” When they opened what appeared to be a text file — actually an executable program masquerading as one — the virus quickly took control, sending copies of itself to everyone in their email address book. Those recipients, thinking the email was either some weird joke or a serious declaration of love, opened the attachment in turn, spreading it even further.
Office email servers were soon clogged as thousands of love letters went back and forth, disseminating the virus to more people. It turned out to be much worse than just a self-propelling chain letter. At the same time as it was replicating itself, the ILOVEYOU virus destroyed much of the victim’s hard drive, renaming and deleting thousands of files.
Many of the increasingly panicked callers Gazeley was fielding inquiries from did not have backups, and he had the awkward job of explaining to them that many of their files — everything from spreadsheets and financial records to photos and mp3s — were likely lost for good.
“This wasn’t something that people were used to as a concept, they didn’t realize that email could be so dangerous,” said Gazeley, recounting the first calls.
The entire concept of the internet was still relatively new in 2000. According to statistics from the International Telecommunications Union (ITU), a United Nations body, just 28% of Hong Kongers had access to the internet at that time, along with 27% of the United Kingdom, and 15% of France. Even in the United States, where the technology was invented, only some 43% of Americans were getting online.
Two years earlier, Hollywood star Meg Ryan asked “is it infidelity if you’re involved with somebody on email?” as the movie “You’ve Got Mail” introduced people to the idea of cyber-romance — and that email could be used for something other than boring office work.
From Hong Kong, where the virus crippled the communications and ravaged file systems of investment banks, public relations firms and the Dow Jones newswire, the love bug spread westward as the May 4 workday started.
Graham Cluley was on stage at a security conference in Stockholm, Sweden, when the virus hit Europe. He had just finished describing an unrelated virus which targeted a now-defunct operating system, hijacking users’ accounts to broadcast messages to their coworkers, including “Friday I’m in LOVE.” This, Cluley cracked, was likely to cause severe embarrassment for most people, but could potentially lead to some office romance.
As the conference broke for coffee, attendees’ mobile phones and pagers began going off wildly. Several guests approached Cluley, asking if the virus he’d described was spread via email. He assured them it wasn’t — and, anyway, it was limited to a niche system that most people didn’t use.
“They said, Well, that’s weird because we’re suddenly getting loads of emails with the subject line ‘I love you,’” Cluley said in an interview from his home in the United Kingdom.
When Cluley turned on his own phone, he was bombarded with notifications of missed calls, voice mails and text messages. Back home, Cluley’s employer, the anti-virus firm Sophos, had been getting “absolutely hammered” with phone calls from clients begging for help and journalists trying to understand what the hell was going on.
Cluley raced to the airport to catch a flight to London, and even traded phone batteries with a generous taxi driver as the constant stream of messages drained his Nokia cellphone of power. When he landed in the United Kingdom, a car was waiting to whisk him to a TV studio to discuss what had by now become one of the biggest tech stories in the world.
Soon after starting business on May 4, the United Kingdom’s House of Commons had to take its overloaded email servers offline, as did the Ford Motor Company and even Microsoft, whose Outlook software was the primary means of spreading the virus.
At the time, Windows controlled more than 95% of the personal computer market, and Outlook came bundled with Microsoft Office, then all-but-required for doing business on a computer. For most people, Outlook was email.
Unlike today, when many email services are run via centralized servers — think Outlook.com or Gmail — companies in 2000 were running email off the same servers on which they hosted their website. This could be janky, slow and startling insecure.
Back then, Cluley said, “many companies didn’t have in place filters their email gateways to try and stop spam, let alone viruses.”
Even though the United States had advance warning, the virus spread just as quickly there — as almost everyone seemed apparently unable to resist opening the “love letter.” Within the Pentagon, there was consternation as the virus hit the United States Army Forces Command (FORSCOM) mailing list, with 50,000 subscribers.
From there, almost every major military base in the country — barring a handful that didn’t use Outlook — watched as their email services were crippled and forced offline for hours as the problem was fixed.
Searching for the culprit
Across the Potomac River, at the FBI’s Washington, DC, headquarters, Michael Vatis was scrambling to get a handle on the crisis.
As director of the National Infrastructure Protection Center (NIPC), a relatively new intergovernmental agency tasked with tackling cyber threats, Vatis was awoken early May 4 with news of the ILOVEYOU virus hitting the United States. The NIPC soon sent out an alert warning of a “new, in-the-wild worm virus identified as LoveLetter or LoveBug [that] is being propagated globally via e-mail,” but it came too late to prevent much of the US government and military, as well as dozens of private companies, from being affected.