Softpanorama

May the source be with you, but remember the KISS principle ;-)
Contents Bulletin Scripting in shell and Perl Network troubleshooting History Humor

Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013

Contents : Foreword : Ch01 : Ch02 : Ch03  : Ch04 : Ch05 : Ch06 : Ch07 : Ch08 : Ch09 : Ch10 : Ch11 : Ch12 : Ch13


Chapter 2: Social Aspects of Malware

Fighting Computer Virus Hoaxes


 Introduction 
Checklist
Useful sites for checking new hoaxes
Some known hoaxes

Supplement 1. Example of the header of CIAC bulletin
 


1. Introduction

  No snowflake in an avalanche ever feels responsible

- Stanislaus Lezczynski

Hoaxes can be viewed as a special kind of junk mail that parasite of panic reaction of many people assiciated with viruses. Most hoaxes contains information about non-existent computer viruses and/or Trojans. Sometimes bits of true information is mixed with large doze of fantasy.

Hoaxes are usually distributed via e-mail and often get inside large organizations e-mail systems. These hoaxes are as time consuming and costly to handle as real virus infections. Users are requested not to spread unconfirmed warnings about viruses and Trojans. If you receive an invalidated warning, don't resend it without checking with the  HELPDESK and/or LAN support personnel.

The most popular 1997 hoaxes seems to be  "Join the Crew" and   "PenPaL".  All known hoaxes are based on an implicit assumption that opening e-mail message will execute some malicious code (so called Trojan). While such concern is in general valid, this is NOT true for Netscape Messenger and Lotus Notes Mail as well as current versions of all other popular e-mail agents. Only non-patched version of Outlook 97  exhibited such behavior of the past.

For a Trojan hoarse to act or virus to spread, it must be executed. Reading a mail message can execute it only if the message is in HTML and full capabilities of HTML (JavaScript and Java) are enabled for messaging. For Microsoft additional danger represents AcriveX controls. Now the standard configuration usually exclude the possibility of such execution and in most corporation it is additionally hardened beyond blocking such execution.

Usually only explicit opening of attachments present some real danger. Typical example of such an execution is opening of a MS Word attachment. In this case if document contain auto-macros they will be executed and this is the way by which the macro viruses are propagated.  Reading E-mail, using typical mail agents (such as Ms Mail, Notes, Netscape Navigator, etc.), will not activate malicious code even if it is delivered in or with the message.

The Checklist

The following checklist is useful for detecting hoaxes:

  1. Request to inform other people. Check for the following typical phrases:
  2. There is no date on warning (to prevent message outdating).
  3. Reference to some influential, often government, organization, but without naming the person responsible for the text, contact phone number, e-mail address and PGP signature. Some hoaxes attribute the message to the Federal Communication Commission (FCC). FCC has nothing to do with virus protection. It is not part of their job.
  4. Statement of some catastrophic damage on opening of the message - typically the hoaxes state that it will destroy/affect "entire disk"
  5. Message is not signed by PGP, or PGP signature checking fail.  Real warnings about viruses and other network problems are issued by CIAC, CERT, etc. are digitally signed using PGP. Even if a signature exists user should  validate the PGP signature to be assured that the warning is real.
  6. Warnings without the name of the person sending the original notice, or warnings with name/address/phone numbers that does not actually exist.
  7. Message exploit obscure computer jargon. In such a case most computer naÔve individuals, tend to believe that the warning is real. For example, the Good Times hoax says that "...if the program is not stopped, the computer's processor will be placed in an nth-complexity infinite binary loop which can severely damage the processor...". No reasonably computer educated person can believe that such nonsense exists.

As for organization people tend to believe the warning from federal organizations or large computer companies(IBM, HP, etc.), because they should know about those things. One need to understand that even if message is not faked, in any large organization there are a lot of pople who do not have any undestanding of computer technology and that are eager to help others to avoid dangers ;-).

CIAC signature is available at the CIAC home page: http://ciac.llnl.gov/ You can find the addresses of other response teams by connecting to the FIRST web page at: http://www.first.org. If there is no PGP signature, see if the warning includes the name of the person submitting the original warning. Contact that person to see if he/she really wrote the warning and if he/she really touched the virus. Ask if he/she is passing on a rumor. If the address of the person does not exist or if there is any questions about the authenticity or the warning, consider it a hoax. Instead, send the warning about this hoax to the HELPDESK. Do not send it out to the world.

In addition, most anti-virus companies have a web page containing information about most known viruses and hoaxes. You can also call or check the web site of the company that produces the product that is supposed to contain the virus. For example checking the PKWARE site for the current releases of PKZip would stop the circulation of the warning about PKZ300 since there is no released version 3 of PKZip.

Useful sites for checking new hoaxes

Some known hoaxes

1. "Join the Crew" Virus

The hoax exists in a dosen of variants. Here is the variant that  was found recently:

Please pass onto your staff!

WARNING!!! If you receive an e-mail titled "JOIN THE CREW" DO NOT open it! It will erase EVERYTHING on your hard drive! Send this letter out to as many people you can....this is a new virus and not many people know about it! This message was received this morning from IBM,and the Army National Guard, please share it with anyone that might access the Internet.

Several other variants exist. For example:

IMPORTANT - VIRUS Alert!!!

  Take note !

Someone got an email, titled as JOIN THE CREW. It has erased his hard drive. Do not open up any mail that has this title. It will erase your whole hard drive.

This is a new email virus and not a lot of people know about it, just let everyone know, so they won’t be a victim. Please e-mail this to everyone you know!!!

Remember the title : JOIN THE CREW
 

PENPAL Virus

First 2-3 sentences of the message can vary. In the latest incarnation message can be attributed to IBM. Recommendation J "Please share it with anyone that might access the Internet" can be present at the beginning of the message.

Here is one of the variants:

     FYI!

     Subject:  Virus Alert
     Importance:  High
     If anyone receives mail entitled: PENPAL GREETINGS! please delete it WITHOUT 
     reading it.  Below is a little explanation of the message, and what it would 
     do to your PC if you were to read the message.  If you have any questions or 
     concerns please contact  SAF-IA Info Office on 697-5059.

     This is a warning for all internet users - there is a dangerous virus 
     propagating across the Internet through an e-mail message entitled "PENPAL 
     GREETINGS!".  
     DO NOT DOWNLOAD ANY MESSAGE ENTITLED "PENPAL GREETINGS!"
     This message appears to be a friendly letter asking you if you are 
     Interested in a PenPaL, but by the time you read this letter, it is too late.  
     The "Trojan horse" virus will have already infected the boot sector of your hard 
     drive, destroying all of the data present.  It is a self-replicating virus, 
     and once the message is read, it will AUTOMATICALLY forward itself to anyone 
     who's e-mail address is present in YOUR mailbox!
     This virus will DESTROY your hard drive, and holds the potential to DESTROY 
     the hard drive of anyone whose mail is in your inbox, and who's mail is in 
     their inbox, and so on.  If this virus remains unchecked, it has the potential 
     to do a great deal of DAMAGE to computer networks worldwide!!!!
     Please, delete the message entitled "PENPAL GREETINGS!" as soon as you see it!
     And pass this message along to all of your friends and relatives, and the
     other readers of the newsgroups and mailing lists which you are on, so that 
     they are not hurt by this dangerous virus!!!!

Deeyenda Virus

             **********VIRUS ALERT**********
         
         
    VERY IMPORTANT INFORMATION, PLEASE READ!

    There is a computer virus that is being sent across the Internet.  If 
    you  receive an email message with the subject line "Deeyenda", DO NOT 
    read the message, DELETE it immediately!

    Some miscreant is sending email under the title "Deeyenda" nationwide, 
    if you get anything like this DON'T  DOWNLOAD THE FILE!  It has a virus 
    that rewrites your hard drive, obliterates anything on it.  Please be 
    careful and forward this e-mail to anyone you care about.

    Please read the message below.

    Alex
   
    -----------

             FCC WARNING!!!!! -----DEEYENDA PLAGUES INTERNET

    The Internet community has again been plagued by  another computer 
    virus.  This message is being spread throughout the Internet, including 
    USENET posting, EMAIL, and other Internet activities.  The reason for 
    all the attention is because of the nature of this virus and the 
    potential security risk it makes.  Instead of a destructive Trojan 
    virus (like most viruses!), this virus referred to as Deeyenda Maddick, 
    performs a comprehensive search on your computer, looking for valuable 
    information, such as email and login passwords, credit cards, personal 
    inf., etc.

    The Deeyenda virus also has the capability to stay memory resident 
    while running a host of applications and operation systems, such as 
    Windows 3.11 and Windows 95.  What this means to Internet users is that 
    when a login and password are send to the server, this virus can copy 
    this information and SEND IT OUT TO UN UNKNOWN ADDRESS (varies).
         
    The reason for this warning is because the Deeyenda virus is virtually 
    undetectable.  Once attacked your computer will be unsecure.  Although 
    it can attack any O/S this virus is most likely to attack those users 
    viewing Java enhanced Web Pages (Netscape 2.0+ and Microsoft Internet 
    Explorer 3.0+ which are running under Windows 95).  Researchers at 
    Princeton University have found this virus on a number of World Wide 
    Web pagesand fear its spread.

    Please pass this on, for we must alert the general public at the 
    security risks.


 

Good Times Virus

Variant1

     Here is some important information. Beware of a file called Goodtimes.
     Happy Chanukah everyone, and be careful out there. There is a virus on 
     America Online being sent by E-Mail. If you get anything called "Good Times", 
     DON'T read it or download it. It is a virus that will erase your hard drive. 
     Forward this to all your friends. It may help them a lot.

Variant2
 

     The FCC released a warning last Wednesday concerning a matter of
     major importance to any regular user of the InterNet.  Apparently,
     a new computer virus has been engineered by a user of America
     Online that is unparalleled in its destructive capability.  Other,
     more well-known viruses such as Stoned, Airwolf, and Michaelangelo
     pale in comparison to the prospects of this newest creation by a
     warped mentality. 

     What makes this virus so terrifying, said the FCC, is the fact that
     no program needs to be exchanged for a new computer to be infected.
     It can be spread through the existing e-mail systems of the
     InterNet. Once a computer is infected, one of several things can
     happen.  If the computer contains a hard drive, that will most
     likely be destroyed. If the program is not stopped, the computer's
     processor will be placed in an nth-complexity infinite binary loop
     - which can severely damage the processor if left running that way
     too long.  Unfortunately, most novice computer users will not
     realize what is happening until it is far  too late.


Ghost.exe Warning

The Ghost.exe program was originally distributed as a free screen saver containing some advertising information for the author's company (Access Softek). The program opens a window that shows a Halloween background with ghosts flying around the screen. On any Friday the 13th, the program window title changes and the ghosts fly off the window and around the screen. Someone apparently got worried and sent a message indicating that this might be a Trojan. The warnin g grew until the it said that Ghost.exe was a Trojan that would destroy your hard drive and the developers got a lot of nasty phone calls (their names and phone numbers were in the About box of the program.) A simple phone call to the number listed in the program would have stopped this warning from being sent out. The original ghost.exe program is just cute; it does not do anything damaging. Note that this does not mean that ghost could not be infected with a virus that does do damage, so the normal antivi rus procedure of scanning it before running it should be followed.

NaughtyRobot

       Subject: security breached by NaughtyRobot

       This message was sent to you by NaughtyRobot, an Internet spider that
       crawls into your server through a tiny hole in the World Wide Web.

       NaughtyRobot exploits a security bug in HTTP and has visited your host
       system to collect personal, private, and sensitive information.

       It has captured your Email and physical addresses, as well as your phone
       and credit card numbers.  To protect yourself against the misuse of this
       information, do the following:

               1. alert your server SysOp,
               2. contact your local police,
               3. disconnect your telephone, and
               4. report your credit cards as lost.

       Act at once.  Remember: only YOU can prevent DATA fires.

       This has been a public service announcement from the makers of
       NaughtyRobot -- CarJacking its way onto the Information SuperHighway.

It has been two years since the "Good Times" email virus hoax was launched (See the Good Times Virus Hoax)and we're continuing to see new hoaxes patterned after this lame old hoax. The MMF (Make Money Fast) (hoax) warning is almost a direct copy of "Good Times" while Irina was apparently an

ill-advised publicity stunt.
 

Irina virus

The so-called "Irina virus" is a hoax. You may receive warnings about a "deadly new virus called Irina". Just as with "Good Times", there is a claim that this virus spreads via email and it's also claimed that it will damage your CPU. (Something that isn't possible to do via software.). This hoax apparently began as part of a media campaign in the UK. According to Graham Cluley of S&S (UK): "The entire hoax was orchestrated by Penguin Books as a publicity stunt for a new interactive book called "Irina".

According to the Daily Telegraph, Guy Gadney (the former head of electronic publishing at Penguin) sent out a bogus letter to newspapers and television stations giving a warning about the "Irina" virus. The message claimed to be from Professor Edward Pridedaux of the College of Slavonic Studies in London.

Prideaux is one of the main characters in the Irina book Penguin is planning to launch. Some newspapers received six copies of the bogus letter, all signed by Professor Prideaux, but making no mention of Penguin Books, a publicity campaign or that the warning was a PR stunt.

The hoax was eventually traced back to Penguin via the envelopes used. The College of Slavonic Studies does not exist. But London's School of Slavonic and East European Studies said it had been inundated with calls to the fictitious Professor Prideaux."
 

The MMF (Make Money Fast) Virus

According to virus myths expert, Rob Rosenberger, the first warnings came from a man named Lance Clarke, who claimed computers could contract this virus if a user read a UseNet message where the phrase "MAKE MONEY FAST" appears in the subject line. Lance Clarke admits he concocted the warning message as a hoax. He used the Good Times urban legend as the foundation for his MMF alert message. Clarke apparently got the idea from another person on UseNet's alt.folklore.urban newsgroup who jokingly said "I'm thinking about spreading the Good Times newbie-gooser around with a new title: 'The MAKE MONEY FAST Virus.'"

If you have been active on newsgroups or have simply had an email address for some time you have probably been receiving messages telling you how you can "Make Money Fast". This gets to be rather annoying for many of us and the hoax was no doubt a reaction to this annoyance.

Supplement 1

Example of the header of CIAC bulletin

-----BEGIN PGP SIGNED MESSAGE-----

 

 

__________________________________________________________

 

The U.S. Department of Energy

Computer Incident Advisory Capability

___ __ __ _ ___

/ | /_\ /

\___ __|__ / \ \___

 

__________________________________________________________

 

INFORMATION BULLETIN

………………………………….

< text of the message>

 

-----BEGIN PGP SIGNATURE-----

Version: 2.6.2

 

iQCVAwUBMzbOf7nzJzdsy3QZAQGbuAP/cWI0IQNicMjjodPXtF3ypgEEjwMTNO08

9GrGv4Ayrj8pkWa0hzP4zGU/5JSXiH4hUqEeNzfXUTOX7twi1SJsOdlMU1RBiTrx

GmaHzK3zpe5Q/uI0poRjpcFOAKjc7lKU8vjJGNsE61Ws7rp8UAfEYzopYLOmel3I

4lLxcoGYAcg=

=WXhU

-----END PGP SIGNATURE-----


  Copyright 1998, Nikolai Bezroukov. Standard disclaimer applies. As long as this copyright notice is preserved, and any changes are clearly marked as such, the author gives his consent to republish and mirror this text.

 


Etc

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusivly for research and educational purposes.   If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner. 

ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no less then 90 days. Multiple types of probes increase this period.  

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Haterís Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least


Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.

The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: May 08, 2017