Dealing with Internet Hoaxes/Alerts

David Harley
Copyright March 30th 1997

[May be freely distributed (without modification) and (accurately) quoted provided due credit is given. This paper may not be sold, reprinted or distributed electronically or otherwise for commercial gain without the permission of the author, David Harley.]

On many sites, more resources are consumed in dealing with viruses which don't and can't exist than in handling 'real' viruses. Alerts of this sort are not computer viruses in the same sense as boot sector viruses, file viruses, macro viruses etc., but rather examples of social engineering. Social engineering is often associated with gaining unauthorised access to systems, but can also be applied to exploiting the victim's good intentions and lack of in-depth technical knowledge in order to inspire fear and confusion. Typically, this amounts to a denial-of-service attack: the user is unable to make full use of the resources available to him/her because of fear of the imaginary attack, while the administrator is besieged by panicking users and has to expend time and resources on reassuring them, validating reports, user education, keeping support staff informed, and so on.

The best-known examples of this genre are the Good Times hoax virus and its variants: out-and-out fictions relying in many cases on the gullibility and lack of technical expertise of the victims, but more importantly (and unpleasantly) on their altruistic urge to warn as many people as possible about what they believe to be a genuine danger. A number of closely related hoaxes (Good Times, Irina, PenPal Greetings, Deeyenda) publicise viruses which use a very similar array of "special effects": in general, these are described as spreading over the Internet and having some destructive effect when E-mail or newsgroup postings are read.
There are, however, a variety of subspecies: erroneous alerts such as the GHOSTS screensaver alert; alerts with a grain of truth which has been overlaid, deliberately or otherwise, with a patina of mythology, such as the PKZ300 'Trojan Virus'; and humorous alerts such as the CDA meme virus.

Many of the mechanisms which are described in hoax alerts may ring a little false even to the technically unsophisticated, and once a user has been alerted to the fact that a given alert is technically impossible, there may be a temptation to dismiss all future alerts. While it may be true that even most genuine virus alerts are rarely useful to the average user, it is inappropriate and unsafe to ignore every potential danger.

The following is a list of possible indicators of a hoax virus, but a message could be without most or all of these and still be a hoax. Indeed, hoax virus alerts are only one currently conspicuous aspect of a type of nuisance attack which may have nothing to do with viruses, real or otherwise - the Jessica Mydek cancer chain letter, for example.

* Much or all of the text is in capitals.
* Over-liberal use of exclamation marks.
* Consistently poor spelling and grammar.
* The alert acquires 'credibility by association' by quoting an impressive-sounding authority (which may or may not exist). Claiming to quote the FCC is a particular giveaway when it comes to virus alerts - the FCC are not in that particular line of business. Nevertheless, Good Times and some of its variants continue to claim to be quoting it. Claiming to quote a known anti-virus vendor is another common indicator. It is not unknown for anti-virus companies to 'hype up' a virus in press releases or on their website, but they don't broadcast alerts to every mailing list on the Internet.
* Virus described in terms of confusing technobabble such as the Good Times "nth-complexity infinite binary loop", or with the use of inappropriate terminology such as "a Trojan virus".
* Virus described as being unrealistically destructive.
* Reader is urged to pass the alert on to as many people as possible.
* Alert claims to originate from an authoritative source such as CIAC, but can't be verified by digital signature or other means.

Some hoaxes (like so many real viruses) are so derivative as to be easily recognisable, but it's not possible to present a nutshell summary of everything a user needs to know to evaluate all present and future alerts with reasonable accuracy. In the last analysis, this requires knowledge and experience. The regrettable fact is that very few people have enough detailed knowledge of virus technology to assess some of the "better" hoaxes: some surprising people have passed on the Good Times alert...

It's probably a good idea to incorporate anti-hoax measures into an Acceptable Use Policy for E-mail and Usenet.

* Appoint a competent individual to verify potential hoaxes as required, by checking PGP signatures, personal contact with trusted individuals, and checking quoted sources and URLs.
* Discourage individuals from passing on virus alerts, chain letters etc., and absolutely forbid them to do so without having them verified.
* Be as general as possible in your definitions: you don't want people who would recognise a Good Times clone easily to fall victim nevertheless to a chain letter hoax, so discourage unverified mass mailouts rather than just discouraging the passing on of virus alerts.
* Consider passing a standard response form to individuals who've passed on a hoax, and asking them to pass it on to anyone they've alerted. Reading the headers of their mail and CC-ing the response to everyone who seems to have received it is probably not worth the bandwidth problems, redundancy and general annoyance it's likely to create.
These strictures could be integrated with other recommendations for good practice:

* considering other parties' privacy
* respecting their intellectual property rights
* not transmitting unacceptable material (threats, pornography, defamation etc.)
* discouragement of wasting of network resources
* discouragement of unacceptable commercial usage
* encouragement of good disk/file hygiene/protection

With the remorseless rise of the macro virus and the global spread of E-mail, it's as well to present some of the real threats to which network/Internet users are vulnerable when they use dedicated mailreaders or web-browsers (most current web-browsers include mail management).

Some mailreaders allow the automatic execution of programs received as mail attachments; Cc:mail is a particularly notorious example. Some web-browsers may allow this and may also allow automatic execution of downloaded files. It makes sense to disable either or both of these facilities, if present, and scan all program files with a reputable, up-to-date virus scanner before running them.

Documents which are vulnerable to macro virus infection, especially Word and Excel documents (on any platform), should also be scanned with a suitable scanner before being opened, whether received as mail attachments or as file downloads via HTTP or FTP. Eudora Pro has automatic opening of attachments. Most quality Windows-hosted resident (VxD) scanners are suitable for such scanning on a file-by-file basis, if properly configured and updated. If you use a dedicated mailreader or web-browser/mailreader which allows you to open an attached or downloaded document automatically, make sure it doesn't use Microsoft Word to do this. Use Microsoft's free Word viewer, or another editor (like Win95 WordPad, which reads Word documents) or word processor instead.

Further information/resources
-----------------------------

http://webworlds.co.uk/dharley/
My website.
Will shortly include the first draft of the "Not-Altogether-In-The-Wild" list, which includes a comprehensive list of hoaxes and similar nuisances as well as discussion of the topic. Also includes my alt.comp.virus and "Viruses and the Macintosh" FAQs, among others.

ftp://usit.net/pub/lesjones/good-times-virus-hoax-faq.txt
Les Jones' Good Times FAQ - useful general material, as well as detail on the Good Times hoax.

http://ciac.llnl.gov/ciac/
Includes a hoaxes page. (Now has a page on chain letters, too.)

http://www.soci.niu.edu/~crypt/
(Crypt newsletter - worth reading for its anti-hype content generally)

http://www.csmil.umich.edu/~chymes/newusers/Think.html

http://www.av.ibm.com/current/FrontPage/
"Anti-Virus Online": includes hype alerts and a good article by Joe Wells (though I'd quibble with some of the detail).

http://www.urbanlegends.com/

http://www.kumite.com/myths/

http://www.drsolomon.com/
Includes an excellent article on hoaxes by Graham Cluley.

Most of the useful vendor sites now include hoax information, including:

http://www.datafellows.com/
http://www.symantec.com/

Thanks to Bruce Burrell (as ever) for constructive nitpicking, referring me to the Burrell Barometer of Bogosity, and bringing to my attention Padgett Peterson's suggested heuristics for detecting a hoax. Thanks to Padgett for allowing me to quote it below.

------------------------- begin quote -------------------------

"First you must separate the actual warning from the mass of forwarding that usually accompanies them. Then look for these:

1) No date on warning (to keep it alive)
2) No identifiable originator
3) No identification of affected platform, just "E-Mail".
4) Immediate catastrophic damage on opening - typically affects "entire disk"
5) No means of recovery
6) No reporting agency
7) Advises to "forward to everyone you know"

Occasionally will contain agency (CERT/CIAC/FCC) heading but no internal point of contact or preparer will be identified.
If four of the seven heuristic signs are there, you probably have a hoax."

---------------------- end quote ----------------------
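As an added example (not part of the paper, and not code by Harley or Peterson), the following Python scorer turns the paper's own list of hoax indicators and Peterson's seven-sign heuristic, with its four-of-seven rule, into a triage aid for the person an Acceptable Use Policy appoints to verify alerts. It expects the warning text with the forwarding headers already stripped, as the quote requires. The phrase lists, regular expressions, thresholds and the two sample messages are constructed assumptions for illustration; nothing here is a canonical signature set.

```python
"""Heuristic hoax-alert scorer: an added illustration, not the paper's code."""
import re
from dataclasses import dataclass, field

# Phrase lists are constructed assumptions for this example; tune to your mail.
AUTHORITIES = ("CERT", "CIAC", "FCC", "IBM", "Microsoft")
FORWARD_PHRASES = ("forward this", "pass this on", "everyone you know",
                   "as many people as possible", "send this to everyone")
CATASTROPHE_PHRASES = ("entire disk", "entire hard drive", "erase your hard",
                       "destroy your", "wipe out")
RECOVERY_PHRASES = ("remove", "removal", "recover", "clean", "cleaned",
                    "disinfect", "update your scanner")
REPORT_PHRASES = ("report", "send samples", "contact us")
PLATFORM_WORDS = ("windows", "macintosh", "mac os", "unix", "linux", "dos",
                  "word", "excel", "outlook", "eudora")
TECHNOBABBLE = ("nth-complexity", "infinite binary loop", "trojan virus")

MONTHS = ("january|february|march|april|may|june|july|august|september|"
          "october|november|december")
DATE_RE = re.compile(
    r"\b\d{4}-\d{2}-\d{2}\b"                          # 1997-03-30
    r"|\b\d{1,2}/\d{1,2}/\d{2,4}\b"                  # 30/3/97
    rf"|\b\d{{1,2}}\s+(?:{MONTHS})\s+\d{{4}}\b"      # 30 March 1997
    rf"|\b(?:{MONTHS})\s+\d{{1,2}},?\s+\d{{4}}\b",   # March 30, 1997
    re.I)
ORIGINATOR_RE = re.compile(r"^(?:from|contact|prepared by|author)\s*:\s*\S",
                           re.I | re.M)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def _has_any(text: str, phrases) -> bool:
    """Whole-word, case-insensitive search for any phrase in the list."""
    return any(re.search(r"\b" + re.escape(p) + r"\b", text, re.I)
               for p in phrases)


@dataclass
class Assessment:
    padgett_signs: list = field(default_factory=list)  # which of the 7 fired
    style_flags: list = field(default_factory=list)    # Harley's giveaways

    @property
    def likely_hoax(self) -> bool:
        # Peterson's rule as quoted in the paper: four of the seven signs.
        return len(self.padgett_signs) >= 4


def assess(warning: str) -> Assessment:
    """Score the separated warning text (forwarding headers already stripped)."""
    a = Assessment()
    signs = a.padgett_signs
    has_originator = bool(ORIGINATOR_RE.search(warning) or EMAIL_RE.search(warning))

    if not DATE_RE.search(warning):
        signs.append("1 no date")
    if not has_originator:
        signs.append("2 no identifiable originator")
    if not _has_any(warning, PLATFORM_WORDS):
        signs.append("3 no affected platform beyond e-mail")
    if _has_any(warning, CATASTROPHE_PHRASES):
        signs.append("4 immediate catastrophic damage")
    if not _has_any(warning, RECOVERY_PHRASES):
        signs.append("5 no means of recovery")
    if not _has_any(warning, REPORT_PHRASES):
        signs.append("6 no reporting agency")
    if _has_any(warning, FORWARD_PHRASES):
        signs.append("7 forward to everyone you know")

    # Stylistic indicators from the paper's own list: supporting evidence only.
    letters = [c for c in warning if c.isalpha()]
    if letters and sum(c.isupper() for c in letters) / len(letters) > 0.6:
        a.style_flags.append("shouting capitals")
    if warning.count("!") >= 3:
        a.style_flags.append("exclamation overload")
    if _has_any(warning, AUTHORITIES) and not has_originator:
        a.style_flags.append("authority quoted without point of contact")
    if _has_any(warning, TECHNOBABBLE):
        a.style_flags.append("technobabble")
    return a


# Two constructed sample messages (not real alerts).
HOAX_SAMPLE = (
    'WARNING!!! THERE IS A NEW VIRUS GOING AROUND ON E-MAIL!!! IF YOU GET A '
    'MESSAGE WITH THE SUBJECT "FREE MONEY" DO NOT OPEN IT!!! IT WILL ERASE '
    'YOUR ENTIRE HARD DRIVE IMMEDIATELY!!! THE FCC HAS CONFIRMED IT IS A '
    'TROJAN VIRUS THAT PUTS YOUR PROCESSOR INTO AN NTH-COMPLEXITY INFINITE '
    'BINARY LOOP. PLEASE FORWARD THIS TO EVERYONE YOU KNOW AS SOON AS POSSIBLE!!!'
)
LEGIT_SAMPLE = (
    "Date: 30 March 1997\n"
    "From: Virus Response Team <virus-lab@example.org>\n"
    "Subject: Macro virus in Word 6/7 documents\n\n"
    "A Word macro virus is circulating as an attachment to e-mail. It affects "
    "Word 6 and Word 7 on Windows and Macintosh. Scan attachments before "
    "opening them and update your scanner; infected files can be cleaned with "
    "a current scanner. Report infected samples to virus-lab@example.org.\n"
)

if __name__ == "__main__":
    for label, text in (("hoax sample", HOAX_SAMPLE), ("legit sample", LEGIT_SAMPLE)):
        result = assess(text)
        print(label, "-> likely hoax:", result.likely_hoax)
        print("  signs:", result.padgett_signs)
        print("  style:", result.style_flags)
```

The seven signs are counted separately from the stylistic flags because Peterson's rule is stated on the seven alone; the flags are presented to the verifier as supporting evidence rather than as extra votes. A scorer like this only ranks what to look at first; the verification the policy section describes (PGP signatures, contact with trusted individuals, checking quoted sources) still has to be done by a person.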