I Spy A Virus Hoax

[zigar]

since i regularly get emails telling me of impending disaster...and i'm sure you do as well, i offer a short tut on how to spot a hoax.

virus hoaxes are quite prevalent and are a form of social engineering. they rely on fear and misinformation to spread. many of these types of things are spread by well meaning but uninformed users (your dad, your sister and that helpful person on that listserv you belong to who mails all 9000 users)

many of these hoaxes are fairly innocuous but they can cause several problems. the first is that some hoaxes actually call for you to delete actual OS system files. (sulfnbk.exe is the most "popular' hoax of this type.) the next problem is that many users are fooled by a hoax, find out about it and then tend to discount the true dangers of malware. the worst problem is that some clever malware writers have taken advantage ofhoaxes and written true malware which takes advantage of previously harmless hoaxes by attaching malicious code to a "hoax" email.

how to tell

The Urgency Factor
or as i sometimes call it the exclamation ratio. count the number of !!!!! in your warning mail. anything over one should raise alarms. example..this is the most destructive virus ever!!!!...

Exploding Computer Syndrome
many hoaxes offer dire warnings of critical hardware damage when in fact almost no malware actually does physical damage to a system (CIH being a noteable exception...)

Pseudo-Credible Source
often hoax writers will add an apparently reliable source which on closer inspection are false. many hoaxes contain "in an announcement by {IBM, AOL, Microsoft}"...none of these sources generally make statements on malware but for the average user, if they feel that a a message has the credibility of a microsoft, it must be true. the same doesn't necessarily apply for a real announcement from kapersky or symantec, which are far less household names.

Pass-It-On
a major clue is the line, "forward this to everyone you know" this is the key to the propogation of a hoax and is usually the dead give away...

conclusion
we've all heard the saying if it seems too good to be true, it probably is. my thought for the day when it comes to virus warnings...if it seems seems too bad to be true it probably isn't...if you experience any of these symptoms head to your nearest av vendor website and check out the hoax section...and send the person who sent you the hoax the link as well with a note that tells them to check before passing these things on. you'll do us all a favor.


EDIT:

ok...ok...i was too lazy last night but here's a list of links...

Kapersky - http://www.viruslist.com/eng/index.html?tnews=1005
McAfee - http://vil.nai.com/VIL/hoaxes.asp
Sohpos - http://www.sophos.com/virusinfo/hoaxes/
Symantec - http://sarc.com/avcenter/hoax.html
TrendMicro - http://www.trendmicro.com/vinfo/hoaxes/hoax.asp
CA - no specific page but search for hoax

and of course www.vmyths.com ...(except they've got waaay too many pop up ads these days...)

[Palemoon]

I would only add to this by saying if you work and your Admin sends out a warning not to forward out the waring to everyone in your address book. Most sys admins are on top of what is going on and are taking corrective action against a known virus and forwarding these type of things waste their time and resources.

[SoggyBottom]

Thanx Zigar, if you dont mind, I think that I might forward your post to my "well meaning but uninformed mum and dad".

[ebatt]

Its always worth checking www.vmyths.com , they have a weekly chart of the most common hoaxes.

Thank god its Friday

[allenb1963]

Good post, zigar. Accounting scandals, voter fraud,M$ admitting they can't compete with free, and now false virus alerts.....world seems to be headed for hell in a handbasket these days. LOL

[souleman]

Zigar> Don't forget the ever popular "Microsoft and McCaffee did xxx YESTERDAY" I always love seeing the ones that give a day of the week, but no actual date. I actually had a small hoax collection going back in college (96/97) for something to do when I was bored. Anyway, I got a message a few weeks ago that had the YESTERDAY thing that I had in my collection. I was amazed the message stayed around that long.

Oh yeah, and everyone make sure you turn off your computers this weekend, because on Saturday, Japan is releaseing 6 giant internet cleaning robots because of all the garbage out there. Any machine that is on will be completely erased....

[LeeryOne]

NIce tut Zigar. For anyone who wants it, you can always check a hoax or urban legend at www.scambusters.org. Thats one site I send people to who send me hoaxes or legend mail. I've also made it a habit of sending that site link to those few people who use my mail service (as part of the Welcome letter, I provide a list of informative links - McAfee, Norton, McAfee's AVERT, ScamBusters, and a few others). As they say, forewarned is fair-warned :-)

[debwalin]

LOL...here's a little funny story. My ex-husband sent those things on almost a daily basis to about 50 people. Finally his father got sick of it, and emailed all the people he had emailed with the page from www.vmyths.com and pointed out that it was a hoax, and that all of the ones he had emailed had been hoaxes also. Guess the embaressment was too much, because I haven't received any since then...it was funny.

Deb

[qwerty_smith]

Hoax Busters is the one i use most often.

i was always a big fan of the amish virus.

You have just received the Amish virus. Because we don't have any computers, or programming experience, this virus works on the honor system. Please delete all the files from your hard drive and manually forward this virus to everyone on your mailing list. Thank you for your cooperation.

[nobix]

Thanks Zigar,
Most the time I don't even read those emails they got directly to the trash; however, I might start reading them looking for the clues that you mentioned in your tutorial.