Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 13. Hoax Viruses

13.1 The Mother of All Computer Viruses

This "virus alert" about the BadTimes virus arrived in my email inbox one morning:

Subject: Virus Alert

If you receive an email entitled "Badtimes," delete it immediately. Do not open it. Apparently this one is pretty nasty. It will not only erase everything on your hard drive, but it will also delete anything on disks within 20 feet of your computer. It demagnetizes the stripes on ALL of your credit cards. It reprograms your ATM access code, screws up the tracking on your VCR and uses subspace field harmonics to scratch any CD's you attempt to play. It will re-calibrate your refrigerator's coolness settings so all your ice cream melts and your milk curdles. It will program your phone autodial to call only your ex-spouse's number. This virus will mix antifreeze into your fish tank. It will drink all your beer. It will leave dirty socks on the coffee table when you are expecting company. Its radioactive emissions will cause your bellybutton fuzz to migrate behind your ears. It will replace your shampoo with Nair and your Nair with Rogaine, all while dating your current boy/girlfriend behind your back and billing their hotel rendezvous to your Visa card. It will cause you to run with scissors and throw things in a way that is only fun until someone loses an eye. It will give you Dutch Elm Disease and Psitticosis. It will rewrite your backup files, changing all your active verbs to passive tense and incorporating undetectable misspellings that grossly change the interpretations of key sentences. It will leave the toilet seat up and leave your hair dryer plugged in dangerously close to a full bathtub. It will not only remove the forbidden tags from your mattresses and pillows, but it will also refill your skim milk with whole milk. It will replace all your luncheon meat with Spam. It will molecularly rearrange your cologne or perfume, causing it to smell like dill pickles. It is insidious and subtle. It is dangerous and terrifying to behold. It is also a rather interesting shade of mauve. These are just a few signs of infection.

PLEASE FORWARD THIS MESSAGE TO EVERYONE YOU KNOW!!!

Can't say I've had a better laugh all year. The unknown author of the message had obviously read one too many emails proclaiming the next cataclysmic virus attack. It was a good lesson about hoaxes. Through humor, the author drives home the point that viruses can't do all the things these messages claim.

I get at least a few emails a week from concerned friends sending me the latest virus warning...just in case I hadn't heard. Hoax messages warn me about emails containing destructive viruses, MP3 music files containing Trojans, and browser cookies that allow their creators to sneak onto hard drives late at night to steal information. In almost every case, they are hoaxes. When the real virus alerts do come, I get them from reliable antivirus sources and they are never full of the doom-and-gloom language that fills the hoax messages. In fact, real alerts bend over backward to downplay the latest threat.

There are so many virus hoaxes circulating that they almost outnumber the real threats, and unfortunately they take up too much time. I have become so tired of the time it takes to personally respond to each user who has sent a hoax message that I have developed a standard prewritten response. It politely lets them know they've been duped by a hoax and lists web links they can visit to check on hoax messages in the future. Most antivirus companies have a section of their web site dedicated to dismissing hoax warnings. Some of the more popular links are listed later in this chapter.

13.1.1 Bamboozled

If you've ever been fooled by a hoax message, don't feel like you're the only one. Many of the hoax messages I'm sent come from network and security administrators who should know better. They want to make sure no one opens the purported virus email, and in the process get fooled themselves. It takes a few hoax messages and a skeptical eye toward all virus warnings to be able to tell the real warnings from the fake ones. And you can't always rely on the press to figure it out either.

There are dozens of documented cases where major newspapers, magazines, law enforcement agencies, and books have recounted hoaxes as actual facts. Over the years, several news sources have reported the "tragic" tale of computer viruses making monitors catch on fire. As recounted in the stories, a virus causes one screen pixel to be turned on continuously. The constant flow of electricity from heating the one tiny dot on the screen supposedly overheats the monitor's components, and bam, the entire place burns down. Sounds great, but it can't happen. I've had file server monitors turned on for years in my computer rooms without ever being turned off. All the pixels are lit up. No fires.

Rob Rosenberger, on his Computer Virus Myths home page (http://www.vmyths.com), reports that the December 1996 edition of the FBI's Law Enforcement Bulletin contained an article entitled "Computer Crime: An Emerging Challenge for Law Enforcement." The FBI article presented as real several hoax viruses that had long been passed around in joke emails, as though they were legitimate threats. It included the Clinton virus, which can never make up its mind which program to infect, and the SPA virus, which looks for illegal software and dials 911 when any is found. The sections mentioning hoax viruses were quickly removed in later revisions.

13.1.2 Why Do People Write Hoax Messages?

Like malicious code authors, hoaxers are often teenagers and young adolescent males with socialization problems. Most are mischievous pranksters who can't believe how gullible people can be. They do it as a joke, then sit back, laugh, and feel falsely superior. Others intend to harm a product's or company's reputation in retaliation for some unknown event in their life. Many national companies, falsely named in hoax emails, spend significant resources trying to calm the anger of fooled consumers.

There are several hoaxes claiming that America Online administrators have developed this or that program to capture everything you do on your computer. They always purport to be from ex-AOL employees fired because they uncovered management's unethical scheme. Other hoaxes try to discredit a particular company's product by claiming it doesn't work or contains a Trojan.

Virus writers have sent emails saying that only ABC's antivirus product could detect a particular virus, in a weak attempt to cause suspicion by making readers think that ABC company must have written the virus to sell more product. To anyone who thinks antivirus companies write and release viruses to make more money, think again. There are more than enough volunteer malicious code writers working every spare second they have to keep all the antivirus researchers employed. Antivirus companies don't need to make new ones up.

Some hoaxes had their beginnings in a magazine's April Fool's article. A little bit before every April (remember, issues always come out a few weeks before their published date) a few magazine columnists always feel compelled to dedicate their column to a hoax. I've seen columns about viruses that live in the electrical wiring of your home, Trojans that are able to eject floppy diskettes at fatal speeds, and malicious code that will take over the world. As with hoax emails, I get at least part of the way in before the article gets so unbelievable that I check the date.

Last year, I blasted a columnist with scathing emails about how I couldn't believe he and his reputable magazine were ridiculous enough to print a story about an impossible virus. The article included a link where you could download protection software. The columnist responded several times saying I should click on the link provided and check out the software. I refused, saying, "I'm not going to download a program to fix a nonexistent problem!" It wasn't until a few days later that I finally clicked on the link. Instead of taking me to the antivirus company's web site, it said, "April Fools!" I've got to watch my scathing emails.

13.1.3 Partial Truths

Hoax messages are usually based on partial truths that seem believable. They describe somewhat realistic events. Hoax messages go out of their way to appear credible. There are official-sounding embedded links for verification. They purportedly contain expert opinions from recognized sources. It gives the story a feel of sincerity. If you aren't intimately familiar with a particular type of technology, who's to say what is and isn't possible?

When the Modem Subcarrier virus hoax came out, it took me a few days to research whether or not it was possible. This hoax, considered to be one of the earliest Internet hoaxes, dating back to October 1988, talked about a virus that used the subcarrier frequencies of modems to spread. Supposedly, this virus attached itself to the downloading bits of information coming from a BBS site, and would destroy the victim's hard drive. Like many hoaxes, it was partially based on an obscure technical idea that took a little research for me to debunk.

The PKware hoax mentions a virus contained in the latest version of PKware's PKUNZIP™ utility. It's true that hackers did place a virus-infected copy of PKUNZIP.EXE on some bulletin boards, but that was almost 10 years ago. It wasn't widespread then, and hasn't resurfaced since. PKware utilities have carried self-validating code ever since. Even more confusing is when hoax threats become real.

13.1.4 Hoaxes Can Come True

Unfortunately, hoaxes sometimes come true. In researching and writing this book over the last few years, several hoaxes I originally included contained fake warnings of what the hoax virus could do to a PC. And although it was programmatically impossible at the time of the original hoax release, technology changed and ended up allowing some of those very same things to happen.

Virus hoaxes frequently claim that the touted harmful program destroys hardware. That is still mostly false, but the W95.CIH virus can do damage that requires a motherboard replacement to repair. The Cell Phone virus hoax was not possible years ago, but now that cell phones are becoming Internet-enabled and contain sophisticated microprocessors, the reality of a cell phone virus isn't a joke anymore. A few rogue code programs have even used computer Trojans to target cell phones. Sometimes the hoax is so eerily close that it seems like a prediction. This example is taken from the JPG Virus hoax, which for years was not technically possible:

Warning!!!! Someone has found a way to embed a computer VIRUS into plain-looking graphic files!! The Internet Security Taskforce (IST) and antivirus companies have just confirmed that hackers can now insert bad executable code into Internet JPG picture files. When you download one of these files, the program that automatically displays your pictures in your browser is duped into loading a VIRUS into memory! Any graphic file can contain the VIRUS, not just JPGs!!!. Since virus scanning programs only check application executables, they miss the picture viruses. Beware!!! Pass this along to everyone you know!! Delete any suspicious picture files!!! Don't download any picture files!!

Today, the only completely false claim in the message is the made-up Internet security group, the Internet Security Taskforce. Although the exact exploit described in the message hasn't happened, there are several similar ways for a related attack to occur. First, someone can click on PICTURE.JPG in an email and find out that it was really PICTURE.JPE.EXE in disguise, because of Windows's tendency to hide file extensions. Second, a .PIF or .SHS (Scrap file) can be used to hide the object's true filename. Lastly, a few video and picture file types have been found to allow buffer overflows in specific instances. So, the fake claim became a reality.
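The following is an added example, not code from the book or from any product it mentions. It screens email attachments for the two filename disguises described above (a double extension such as PICTURE.JPG.EXE, and a .PIF or .SHS container whose extension Windows never displays) and goes one step beyond the text by also checking that a file named as a picture actually begins with that picture format's header, which catches an executable renamed to .JPG or .GIF outright. The function names, the extension lists, the verdict labels and the sample attachments are all constructed for illustration.

```python
# Added example (not from the book): screen email attachments for the
# disguises the text describes. Function and variable names, the extension
# lists and the sample attachments below are constructed for illustration.
import os

# Extensions Windows will run directly; .pif and .shs are the two the text names
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".shs", ".vbs", ".js"}

# Picture types we accept, with the leading bytes each format starts with
IMAGE_MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",              # covers both GIF87a and GIF89a
    ".png": b"\x89PNG\r\n\x1a\n",
    ".bmp": b"BM",
}


def real_extension(filename):
    """Extension Windows actually acts on, lowercased.

    Trailing spaces and dots are stripped first, because Windows discards them
    when it creates the file, so 'PICTURE.JPG      .exe' still runs as .exe.
    """
    _, ext = os.path.splitext(filename.rstrip(" ."))
    return ext.lower()


def displayed_extension(filename):
    """Extension a user sees when the real one is hidden: the one just before it."""
    stripped = filename.rstrip(" .")
    stem = stripped[: len(stripped) - len(real_extension(stripped))]
    _, inner = os.path.splitext(stem.rstrip(" ."))
    return inner.lower()


def screen_attachment(filename, content):
    """Return (verdict, reason) for one attachment.

    verdict is 'allow', 'quarantine' or 'block'; content is the file's leading bytes.
    """
    ext = real_extension(filename)
    if ext in EXECUTABLE_EXTS:
        inner = displayed_extension(filename)
        if inner in IMAGE_MAGIC:
            return "block", f"double extension: shown as {inner}, actually {ext}"
        return "block", f"executable attachment ({ext})"
    if ext in IMAGE_MAGIC:
        if content.startswith(IMAGE_MAGIC[ext]):
            return "allow", f"{ext} header matches the extension"
        if content.startswith(b"MZ"):
            return "block", f"named {ext} but starts with a Windows executable (MZ) header"
        return "quarantine", f"named {ext} but the file header does not match"
    return "quarantine", f"unhandled extension {ext or '(none)'}"


# Constructed sample attachments: (filename, leading bytes of the content)
SAMPLES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),   # a real JPEG header
    ("PICTURE.JPG.EXE", b"MZ\x90\x00"),                  # the disguise from the text
    ("PICTURE.JPG      .shs", b"\xd0\xcf\x11\xe0"),      # .shs is never shown by Windows
    ("scan.gif", b"MZ\x90\x00"),                         # executable renamed to .gif
    ("notes.txt", b"plain text"),                        # nothing we know how to judge
]


def screen_all(samples=SAMPLES):
    """Screen every sample and return {filename: verdict}."""
    return {name: screen_attachment(name, data)[0] for name, data in samples}


if __name__ == "__main__":
    for name, data in SAMPLES:
        verdict, reason = screen_attachment(name, data)
        print(f"{verdict:10s} {name!r}: {reason}")
```

The name check alone is enough for the cases the text lists; the header check is what turns a filename policy into a content policy, since a renamed executable keeps its MZ signature no matter what it is called. Anything the routine cannot classify lands in quarantine rather than being allowed through by default.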

For years, virus hoaxes have claimed that simply viewing the email (and not clicking on the attachment) causes the malicious program to go off. This used to be completely false. But now that many email programs are HTTP-enabled, they can automatically execute malicious content when an email is opened. It usually takes a specific set of circumstances that are only exploitable for a brief time before the product is patched. But it can happen. The Kak worm can execute from an email signature. Bubbleboy executed in Outlook Express's Preview pane. Outlook, with security set to Low, will allow malicious programs to execute simply by viewing the email. And there are a few rogue emails, with malformed headers, which can compromise computers while being downloaded (even before being viewed).

Malicious Mobile Code: Virus Protection for Windows (O'Reilly Computer Security), ISBN 156592682X, 2001, 176 pages.