MAY 19, 2000 VOL. 27 NO. 19
When Love Hurts
The world's biggest virus attack is traced to the Philippines
By STUART WHITMORE
Also: Catching the Culprits: The head of Interpol on Internet crime
The affair started sweetly enough, with an e-mail message titled ILOVEYOU.
The note landed in inboxes on May 4, carrying an attachment purporting
to be a love letter. It turned out to be tough love - and tough luck for
those who opened it. Double-clicking on the file uncorked a virus that
within hours had infected hundreds of thousands of computers around the
world, causing as much as $10-billion worth of damage and bringing corporate
networks to their knees with a deluge of e-mail.
Anti-Virus 101
INOCULATE Keep your PC's anti-virus software bang up to date
SCAN Never open an attachment without first scanning it for viruses
QUESTION Don't open suspicious-looking files, even if they appear to come from a friend
SAVE Back up your files onto discs regularly. An infected PC can be treated; deleted files are lost forever
The virus launched a three-pronged attack on its victims. It began with a
search and destroy mission, scouring the PC's hard drive for MP3 music
files and pictures carrying the .jpg suffix then replacing each one with
a copy of itself. Next it hijacked Microsoft's Internet Explorer browser,
redirecting surfers to one of four predetermined websites. There another
program began probing the victim's PC for log-in names and passwords.
Most devastatingly, if the computer ran Microsoft's Outlook e-mail program,
the virus sent a copy of itself to every name in the user's address book.
The message: ILOVEYOU.
Within two hours the so-called Love Bug had spread its contagion across
the globe. Almost as quickly, the origin of the malicious code was traced
back to the Philippines. The author left plenty of clues for digital sleuths
to follow. Most obviously the words "Manila, Philippines" appeared within
the virus code, while the websites used for the password grab were hosted
by an ISP in Quezon. The footprints were so blatant they were almost dismissed
as a red herring. But once the word barok and the hacker alias "spyder"
were spotted, virus hunters zeroed in on Manila.
Barok is the name of a caveman-like character that appears in Filipino
movies whose broken speech gives rise to the term barok Tagalog (the equivalent
of speaking pidgin English). It is also the name of a popular hacker tool
authored by spyder. That program contained a reference to Amable Mendoza
Aguiluz (AMA) computer college with 150,000 students nationwide, including
some at a branch in Manila's Makati business district. Could the culprit
be a current or former pupil?
The route the virus took was traced back to Manila service provider Supernet.
The ISP ran a simple caller-ID check and turned up a flat in Pandacan
district from where the first ILOVEYOU e-mail was sent. Game Over, it
would seem. But then the whodunnit descended into farce. The National
Bureau of Investigation (NBI) staked out the flat, but couldn't enter
until they had a search warrant. And they couldn't get a warrant because
they couldn't find a judge to sign one on a Sunday. By the time the NBI
went in on Monday afternoon, the PC allegedly used to send out the virus
was nowhere to be found. The police carted away floppy disks and whatever
else they could find in the flat - including its occupant, Rionel Ramones.
Ramones had the computer-savvy credentials to be behind the attack, being
employed in the tech-support department of a local bank. But without the
smoking PC, a judge ruled that the police had insufficient evidence to
detain the 27-year-old. Ramones was freed the next day and the authorities
given 10 days to unearth proof. Ramones claims he is innocent, a victim
of "mistaken identity." He has also disappeared, promptly vanishing after
his release, along with his girlfriend, Irene de Guzman, who voluntarily
appeared before the NBI following Ramones's arrest.
Attention has turned to who else may have had access to their Pandacan
flat - and the missing computer. That list includes de Guzman's brother,
Onel, who happens to be a student at AMA. Onel de Guzman is described
by AMA executive vice-president Manuel Abad as an average student, but
one "quite brilliant in computer subjects."
However, de Guzman failed to graduate on schedule last March due to a
"thesis deficiency." Professors took objection to his proposal. "It had
a feature we considered illegal and immoral," says an aghast Abad, who
now recognizes de Guzman's proposed project as being "very similar to
the [ILOVEYOU] virus."
The school is cooperating closely with the NBI, which is looking into
the possibility that de Guzman and a loose grouping of past and present
AMA students, calling itself GRAMMERsoft, are behind the Love Bug. Other
theories on the origin of the virus are as numerous as the copycats that
flooded the Net in ILOVEYOU's wake. Another suspect is a mysterious Michael,
who has been identified variously as a German exchange student living
in Australia and a Manila-based member of the hacker group the Acolytes.
Yet even as the net tightens and the FBI in Washington dusts off its extradition
papers, many question whether the perpetrators can even be charged with
a crime. "The NBI had no business doing what they did because no Philippine
law had been violated," says Joker Arroyo, a human rights lawyer who represents
Makati City in Congress. "There is no law yet on computer hacking." The
NBI obtained a warrant to search Ramones's flat by citing the Access Devices
Act of 1998. "That act does not apply," insists Arroyo. "It is for credit
cards."
Indeed, when the NBI filed its case against Ramones it charged him not
with violating the Access Devices Act, but with "malicious mischief,"
an act of deliberately damaging property which is punishable by no more
than six months in prison. Justice Secretary Artemio Tuquero declined
to be interviewed by Asiaweek, saying he did not want to prejudge the
case. But what is clear is that in the Philippines, as in so many countries
in the region, catching those who commit a cyber-crime is hard enough.
Bringing them to justice is even tougher.
With reporting by RAISSA ESPINOSA-ROBLES Manila
Catching the Culprits
The head of Interpol on Internet crime
Kanemoto Toshinori, 54, wears many hats. He heads the International Affairs
Department of Japan's National Police Agency, chairs a G-8 forum on transnational
organized crime and, since 1996, has served as president of the international
police body, Interpol. Last year Kanemoto publicly echoed U.S. Attorney
General Janet Reno's warning that the Internet could become a "Wild West"
without proper policing. He recently discussed high-tech crime with Senior
Correspondent Alejandro Reyes in his Tokyo office.
What is the extent of Net crime?
Nobody has an exact picture but cyber-crime is on the rise. In Japan in
1998, there were more than 800 illegal access cases. And not all are reported.
Are people getting arrested?
Sure.
Do you expect Asia to be a high-tech crime spot?
Yes. High-tech crime is closely linked to economic development. As Asia
grows it will become a much more significant issue that not only law enforcement
but also the criminal justice system will have to address.
How do you punish somebody who launches a virus from a PC in Japan
that affects computers elsewhere?
We have to identify criminals in real time, not afterward. In that respect,
we can't work alone. If the crime is conducted internationally, we have
to secure cooperation from our [police] counterparts in real time.
Do we need a new supranational law?
This is still a world of sovereign states. You can't impose an international
penal code tomorrow. We work with what we have now. In the real world,
we are more concerned with how we cooperate in tracing criminals and identifying
and collecting evidence.
How do you equip police to deal with such a problem?
High-tech crime takes place 24 hours a day so law enforcement should be
ready to intervene at any time. We need well trained and well equipped
personnel and a legal framework in which high-tech crimes are punished.
Must police forces patrol the Internet to sniff out potential problems
such as the anti-WTO violence seen in Seattle, or terrorist plans?
Detecting the signs of disturbance can be done through many ways, including
patrolling the Net. We do it [in Japan]. Last year, there were several
cases of pharmaceutical substances being sold for those who wanted to
commit suicide. Messages were exchanged on the Net.
Was there any evidence that such people took advantage of Y2K?
There was no evidence that terrorists abused Y2K. Nothing serious happened.
Are you finding that police have enough technologically capable people?
There is a shortage of talent everywhere, we have to have [more] trained
people. We also have to narrow [the technology divide between different
nations] by giving training and assistance. This is one of the things
I have tried to do.
Write to Asiaweek at mail@web.asiaweek.com