Malicious Mobile Code: Virus Protection for Windows (OReilly Computer Security)

Any warning not coming from a reliable news source should be suspected as a hoax. My natural philosophy is to not believe any warning until I independently verify it with a second source I trust. That source could be an antivirus site, a computer magazine's site, or an Internet security site. If you see any of the following themes in a warning message, immediately suspect it as a hoax message.

13.3.1 Read Message Looking for Telltale Signs

There are several common themes that run through most hoax messages:

"This is not a joke!"

Every email I've ever received that began with, "This is not a joke!" has been a hoax. Legitimate sources don't need to claim otherwise .

All the scary parts are capitalized

Hoax warnings are full of entire phrases or sentences with every letter capitalized and lots of exclamation points. The authors use capitalization for panic effect. Typically, you'll see the scariest parts of the message in all capitals. Three exclamation points at the end of a sentence are supposed to indicate that the authors are really serious.

This VIRUS is VERY, VERY SERIOUS! THERE IS NO REMEDY!!!!!!!!!! If you see the email DELETE IT!!!!!!!!! DON'T READ!!!!! Please pass this on to everyone you know! PASS IT ON QUICKLY and TO AS MANY PEOPLE AS POSSIBLE!!!

Reality check: the hoax authors want to really, really embarrass you by increasing the number of apologies you will have to send out later. Everyone knows that capitalizing everything is the same as screaming. Antivirus companies and security experts always want to appear calm, even if they aren't so sure what the bug they've just been sent does. And antivirus experts seem to feel reasonably assured that you will pass along their warnings to the appropriate people without guidance. I've yet to see a true antivirus warning encourage people to tell other people about it. They assume you will.

"If you open your email or download the file, it will infect your system"

Hoax messages almost always say that the virus or malicious program can attack your system if you open your email. "DELETE THE MESSAGE IF YOU SEE THE SUBJECT..." is a common theme to see. This example is taken from the Penpal Greeting hoax:

If you receive an email titled...JOIN THE CREW/for PENPALS, DO NOT open it! It will erase EVERYTHING on your hard dive!

This example is taken from the Bug's Life hoax:

Someone is sending out a very desirable screen saver, a Bug's Life-BUGGLST.ZIP. If you download it, you will lose everything!!! Your hard drive will crash and someone from the internet will get your screen name and password! DO NOT DOWNLOAD THIS UNDER ANY CIRCUMSTANCES!!!

While these claims are not entirely false, they are rare and usually require a specific set of circumstances.

"There is nothing you can do" or "no remedy"

Hoax warnings typically tell you there is nothing you can do to prevent the spread of the malicious code. This example wording was taken from the Wobbler hoax:

This information was announced yesterday morning by IBM. The report says that this is a very dangerous virus, much worse than Melissa and there is NO remedy for it at this time. There is nothing you can do, but not use your computer until further notice.

Reality check: There is always something you can do. Warnings from reliable sites always tell you the adequate steps you can take and how their product can detect, or will soon, detect and remove the latest bug. Remember, antivirus sites want to sell you software. In the very few cases of recorded malicious code history where antivirus software could not immediately reliably detect a particular bug, the warnings said a remedy would be available as soon as possible.

"This virus is the most devastating!" or "Destroys hardware"

A hoax message wouldn't be complete without saying over and over again how devastating the bug is. It can fry your hardware, kill your hard drive, and is already spread to every computer on the planet. This is the worst virus yet! It is worse than every other virus!

Reality check: To date, malicious mobile code has only been able to corrupt the firmware of CMOS chips. Besides that instance (and really the virus is just corrupting software in that case as well), malicious mobile code has not been able to physically damage hardware. Of course, if it destroys your FAT table and formats your data partition, it's done enough damage without physically damaging your hardware. Years ago, hoaxes reported that viruses could make monitors catch fire or rip the read-write heads off of hard drives . None of it was true. Messages with nothing but doom and gloom are always hoax messages.

"No one knows yet, so tell everyone"

Supposedly we are to believe that although this bug is binary nuclear disaster and destroying millions of computers, no one has heard of it yet. Popular press has decided not to mention it and anyone who knew about it tried to cover it up. And our only hope is you passing the message along. How patriotic?

This example comes from the Get More Money hoax virus:

PLEASE PASS THIS ALONG TO YOUR FRIENDS AND COLLEAGUES! MICROSOFT VIRUS ALERT...PLEASE PASS THIS INFORMATION ON AS QUICKLY AS POSSIBLE!!!

Reality check: The press can't wait to get a hold of a story about millions of PCs being killed . They do it all the time on real bugs even when the experts say that the malicious code probably won't be much of a threat. You can bet that any partially true story will end up on all the newswires, and national television within a few hours. You are never the only one who knows...unless you wrote it. Before you pass along a malicious code alert, verify its validity.

Official organization referred to is wrong or nonexistent or isn't linked

Nothing makes a hoax warning more official than official-sounding security organizations and testimonies from official-sounding people with official-sounding titles. This example was taken from the Baby New Year virus hoax:

The latest run of the Center for InterNet Security's most advanced virus detection software has revealed a new security threat, Baby New Years Virus, which, by CIS estimates, has already infected up to 42 million computers worldwide."

Here's another from the Good Times hoax virus:

The FCC released a warning last Wednesday concerning the matter of major importance to any regular user of the InterNet.

Reality check: There is no such thing as the Center for InterNet Security, but it makes a great acronym. The FCC doesn't regulate Internet security. A real alert message will usually place a web link next to the official organization's name so that users can click and be taken to the source of the alert. I've seen a few hoaxes that even bother to list links to official sites, but they are always generic and never point to a web page that mentions the supposed bug. For example, if an alert mentions CERT and a link, make sure it doesn't point to just http://www.cert.org . An official CERT link would look something this: http://www.cert.org/advisories/CA-1996-07.html .

Funny or suspicious email addresses

If you see a warning with many obviously strange or humorous company names or email addresses, chances are it's a hoax message. The Pluperfect virus hoax has these examples:

The CEO of LoseItAll.com, an Internet startup, said the virus rendered him helpless" and "A broker at Begg, Barow, and Steel said he couldn't...

They call everything a virus

Hoaxers seem to think that the word, "Virus", causes more panic than worm or Trojan. No matter how well they describe the Trojan-like affects of their rogue program, they keep on insisting it's a virus. Unfortunately, this is really a fine point, and is done by many well-meaning, non-hoax emails as well. This example is taken from the Buddylst.zip hoax:

Yesterday a friend of mine called and told me something that happened to him. He opened his Email and this BUDDYLST.ZIP was there. When he opened it his computer crashed and when he tried to reboot he had lost everything! It was a VIRUS that was being passed around.......BEWARE!

Reality check: Viruses that destroy everything immediately after executing aren't going to spread far. First, they kill any chance to move and replicate to another PC, because they kill their host. Secondly, rogue programs this malicious are noticed pretty quickly and don't accidentally get sent to many friends. Lastly, this mechanism of action would be caused by a Trojan, and not a virus. A real warning from a legitimate source would not incorrectly identify the type.

13.3.2 Search for Information on Hoax

Go to one of the links listed in this chapter and search for a hoax topic that might be similar to the email you received. Do a keyword search on the name of the "virus" they refer to. If you don't find it under one of hoax sites, connect to a reputable antivirus vendor's web site and see if the virus is real.

Usually, a fast-breaking news story about a new nasty bug will land on the web site's main home page. When Melissa went off, you could find the appropriate links within the alert messages pointing back to one or more antivirus sites; and every site made the Melissa virus a front-page topic. If you are not sure, you can usually send the alert to an antivirus company's email address for inspection.

13.3.2.1 Web sites about hoaxes

There are literally hundreds of links you can go to read up on hoax messages and viruses. Every antivirus vendor has a hoax virus page list. Here are a few you may be interested in:

• Computer Incident Advisory Capability's (CIAC) site at http://hoaxbusters.ciac.org. This is an excellent site for validating real and hoax rogue program alerts.

• Carnegie Mellon's Computer Emergency Response Team's (CERT) web site at http://www.cert.org/other_sources/viruses.html.

• The Computer Virus Myths's home page can be found at http://www.vmyths.com. It is contains personal opinions that are viciously tough on antivirus companies and the media for inciting public panic. It's a good site to explore when looking for hoax information and it balances out the hype from legitimate threats as well.

• The Electronic Freedom Foundation at http://www.eff.org/pub/Net_culture/Folklore/Hoaxes is another reliable site for reading up on hoaxes. Its hoax list isn't as inclusive as the others, but it mentions hoaxes the other sites don't.

• A whole site dedicated to the Good Times virus hoax? Yes, at http://www.public.usit.net/lesjones/goodtimes.html. It is called the Good Times FAQ, but contains information on other major hoaxes, as well.

• Hoax Kill, at http://www.hoaxkill.com has an interesting turn on the whole issue. You can forward any hoax emails you have to them and they will exact the email addresses of every recipient listed within the email and send out an enlightening antihoax email. It also has a great list of virus hoaxes, chain letters , urban legends, jokes, etc.

• An Urban Legend web site at http://www.urbanlegends.com talks about hoaxes and myths, and occasionally dispels them with anecdotal evidence. A fun site to browse.

• The National Fraud Information Center is more interested in commercial fraud, but carries related links at http://www.fraud.org.

• The Federal Trade Commission's (http://www.ftc.gov) Bureau of Consumer Protection has a web site and special Internet lab dedicated to monitoring Internet fraud. Like the listing above, the FTC's site is interested primarily in commercial fraud, but it contains warnings on all types of suspicious Internet email and web activity. Even better, the FTC is developing "search bots" that will scour the Web and web advertisements looking for fraudulent activity such as pyramid schemes and Trojan software.

13.3.2.2 Commercial vendor web sites

• Symantec's AntiVirus Research Center has a dedicated virus hoax page located at http://www. symantec .com/avcenter/hoax.hmtl. It's one of the better sites as far as content, listings, and readability.

• Data Fellows at http://www.datafellows.com/news/hoax.htm.

• Network Associates at http://vil.nai.com/VIL/hoaxes.asp.

• Sophos at http://www. sophos .com/virusinfo/scares.

• Command Software at http://www.commandcom.com/virus/virus-hoaxes.html.

To summarize, first look for words or phrases that scream hoax. Then do some quick research on the Web, first looking at sites specializing in hoax warnings. Lastly, failing the first two steps, look to validate the claim on legitimate antivirus web sites. If you cannot validate the claim as a legitimate threat, do not post it. As strange as it may seem, hoaxes are so prevalent that it pays to err on the side of not reporting the information.