RAY'S COMPUTER CLASS:

THE INTERNET ONRAMP

by Ray Jones



There are lots of hoaxes on the Internet and this column cannot attempt to deal with them all. I'll only mention a few but hope you'll learn enough from this article that you can spot them on your own.

One of the best places to check out virus hoaxes is the CIAC. The CIAC is the U.S. Department of Energy's Computer Incident Advisory Capability. It was established in 1989, shortly after the Internet Worm scare. The CIAC is located at Lawrence Livermore National Laboratory in Livermore, California, and is a part of its Computer Security Technology Center.

Previous CIAC notices, anti-virus software and other information can be found on the World Wide Web at:

http://ciac.llnl.gov/

 

2400 BAUD MODEM

Since 1988, computer virus hoaxes have been circulating the Internet. In October of that year, according to Ferbrache (A Pathology of Computer Viruses, Springer, London, 1992), one of the first virus hoaxes was the 2400 baud modem virus.

According to this hoax, the virus was distributed by the "sub-carrier" waves of 2400 baud (or higher) modems and trashed hard drives. The hoax went on to say that the virus would then infect other modems that used a sub-carrier wave. According to the hoax, the only way to get rid of the virus was to reset the modem registers by hand.

The hoax message went on to recommend using only 1200 baud or lower modems. The hoax used lots of "technical jargon" which would make the average person believe it. It amazes me, however, how many supposedly "technically competent" persons were also fooled.

 

IRINA

The former head of an electronic publishing company circulated the Irina Virus Hoax warning to create publicity for a book by the same name. The publishing company has apologized for the publicity stunt that backfired and panicked Internet users worldwide.

The hoax warned against reading an e-mail message containing the subject line "Irina". It also warned that anyone seeing it should DELETE it immediately and asked that the warning be passed along to everyone.

For more information pertaining to this hoax, reference the UK Daily Telegraph at http://www.telegraph.co.uk.

 

 

  

GOOD TIMES

The CIAC first described the Good Times Hoax in December, 1994, and described it again in April, 1995. According to the CIAC, there is no virus by that name in existence today. These warnings have been circulating the Internet for years. Internet users must become aware that it is unlikely that a virus can be constructed to behave in the manner ascribed in the "Good Times" virus warning.

Like the Irina Virus Hoax, the Good Times Hoax warned against reading any message with the subject of "Good Times" and, of course, asked everyone to delete the message and pass along the warning to everyone they knew.

Soon after the CIAC's original release about this hoax, another Good Times message was circulated. The second message included a claim that the Federal Communications Commission (FCC) released a warning about the danger of the Good Times virus, but the FCC did not and will not ever issue a virus warning. It is not their job to do so.

More information is in the Good_Times FAQ written by Les Jones.

http://www-mcb.ucdavis.edu/info/virus.html

 

EBOLA

 The Ebola Virus Hoax has been seen on the Internet and other networks for quite some time. The CIAC found it to be similar to the Good Times Hoax. The Ebola hoax was supposedly sent out by DataTech Development in Westhills, Texas. According to the hoax message, the Ebola Virus primarily affected UNIX users who'd ftp'ed (file transfer protocol) files from a major server, though the affected server was not identified. 

Supposedly, the virus patched itself onto the ftp program, and automatically piggybacked on files ftp'ed to another site, where it again patched itself onto the ftp program. When an infected user ran ELM or PINE (popular UNIX mail programs), the virus secretly sent one of several pre-written letters to the user's SysAdmin (System Administrator), addressed from the victim. The letters supposedly contained graphic appeals for sexual favors of a deviant nature, or explicitly described Diane Sawyer bondage fantasies.

 As of June, 1997, the CIAC had not been able to locate a DataTech Development of Westhills, Texas. In fact, they had not even been able to locate a town of Westhills, Texas. They had also not been able to locate the person who uploaded the message to several newsgroups, or anyone who has actually seen the alleged virus program. 

 

DEEYENDA

The Deeyenda virus warning is very similar to those for Ebola, Irina, and Good Times. It states that the FCC issued a warning about it, that it is self-activating, and that it can destroy the contents of a machine just by being downloaded.

Again, one should note that the FCC does not and will not issue virus or Trojan warnings. It is not their job to do so. As of this date, there are no known viruses with the name Deeyenda in existence.

IF YOU REMEMBER NOTHING ELSE FROM THIS ARTICLE, REMEMBER THE FOLLOWING:

 For a virus to spread, it must be executed. Reading a mail message does not execute the message or any attachments. Trojans and viruses have been found as executable attachments to mail messages, but they must be extracted and executed to do any harm. The CIAC still affirms that simply reading E-mail (ANY e-mail), using typical mail agents, cannot activate malicious code delivered in or with the message.

 

 GHOST

 The Ghost.exe program was originally distributed as a free screen saver containing some advertising information for the author's company (Access Softek). The program opens a window that shows a Halloween background with ghosts flying around the screen. On any Friday the 13th, the program window title changes and the ghosts fly off the window and around the screen. Someone apparently got worried and sent a message indicating that this might be a Trojan.

 The warning grew until it was said that Ghost.exe was a Trojan that would destroy your hard drive and the developers got a lot of nasty phone calls. The original ghost.exe program is just cute; it does not do anything damaging.

 Note that this does not mean that Ghost.exe could not be infected with a virus that does do damage, so the normal antivirus procedure of scanning programs before running them should be followed.

Common sense and a little prevention will prevent 99% or better of all viruses. I've been into computers and electronic communications for 17 years. To my knowledge, I've never seen a virus. That doesn't mean they're not out there, but they're not as common as some would have you believe.

 

PENPAL GREETINGS

The Penpal Greetings Hoax appears to be an attempt to kill an e-mail chain letter by claiming that it is a self-starting Trojan that destroys your hard drive and then sends copies of itself to everyone whose address is in your mailbox.

Reading an e-mail message does not execute it nor does it execute any attachments, so this Trojan must be self-starting. Aside from the fact that a program cannot start itself, the program would also have to know about every different kind of e-mail program to be able to forward copies of itself to other people.

 

MAKE MONEY FAST

We all have or will receive messages in e-mail or in newsgroups urging us to respond and become overnight millionaires. As you all should know, whether you've read my other columns on scams or not, THERE IS NO program that will make anyone instantly rich.

The Make Money Fast Warning Hoax appears to be similar to the Penpal Greetings warning, in that it is a message that is attempting to kill one of those e-mail "Get Rich Quick" chain letters. While laudable in its intent, the hoax warning has caused as many or more problems than the chain letter it attempted to kill.

 

NAUGHTY ROBOT

The Naughty Robot Hoax warns of an Internet spider that crawls into servers through a tiny hole in the World Wide Web. For those of you that are not familiar with them, spiders, worms, crawlers, robots, and similar names refer to programs that surf the 'net, automatically getting information for their users.

Supposedly, Naughty Robot exploits a security bug in HTTP (Hypertext Transfer Protocol) and visits systems to collect personal, private, and sensitive information.

While this particular warning is bogus, users of web browsers such as Netscape should be aware that many web sites do "offer cookies" to your browser. When these cookies are retrieved by the site offering them, they may contain information on what you did while visiting the site and can include any personal information you provided if you ordered something or filled out a form.

Such cookies themselves are innocuous and are an accepted manner with which to keep track of a site's visitors. They can be abused, however. It is said to be possible that other servers can also retrieve these cookies, obtaining information they're not entitled to. I'm not entirely certain this is possible, but many feel that it is. You pays your money and takes your chances. You were warned, anyway.

Many people set their browsers to not accept cookies at all or to warn them whenever a cookie is offered. I've seen some sites that offered as many as 50 cookies in a couple of minutes. They just wouldn't give up. I suggest you not visit such web pages, as most will give up after a few tries.

 

POWERLINE VIRUS

Some virus hoaxes are humorous -- such as the one that supposedly came in on the 60 Hz powerline subcarrier and claimed to do damage to everything in sight. It even claimed to infect batteries. It claimed that over 300,000 systems in Murphy, West Dakota were attacked in just 12 minutes. I've never heard of the town (or the state, for that matter), but the idea of any city but a major metropolis even having 300,000 systems is absurd. That in itself should have told any reasonable person it was a hoax.

 

Identifying Hoaxes on the Internet

by Ray Jones

 

There are several methods for identifying Internet virus hoaxes, but first consider what makes a successful Internet hoax. There are two known factors that make a successful virus hoax: (1) technical-sounding language, and (2) credibility by association.

 If the warning uses the proper technical jargon, most individuals, including technologically savvy individuals, tend to believe the warning is real. "Credibility by association," refers to "who sent the warning." If anyone (including the janitor) at a large technological organization sends a warning, people on the outside tend to believe the warning because "the company should know about those things." Even though the person sending the warning may not have a clue what he is talking about, the prestige of the company backs the warning, making it appear real.

Individuals should also be especially alert if the warning urges you to pass it on to your friends. This should ALWAYS raise a red flag that the warning is probably a hoax. Another flag to watch for is when the warning indicates that it is a Federal Communications Commission (FCC) warning or that it is from any other governmental agency.

 Just use your common sense. If a warning is real, don't you think you'd hear about it on the television news, read about it in the newspaper, or have the information passed along by your system administrator or in another similar manner?

 Even what you hear on network news or read in the paper is not always true. Do you really think the best way for a governmental agency to get information to the public is to pass it along in e-mail messages?

In most cases, common sense would eliminate Internet hoaxes. While these hoaxes do not infect systems, they are still time-consuming and costly to handle. According to the CIAC, they spend more time de-bunking hoaxes than handling real virus incidents.

 The CIAC recommends that you DO NOT circulate virus warnings without first checking with an authoritative source. Authoritative sources are your computer system security administrator or a computer incident advisory team. Send the warning to your computer security manager or incident response team and let them validate it. Your computer security managers and the incident response teams have experts who try to stay current on viruses and their warnings.

Warnings without the name of the person sending the original notice, or warnings with names, addresses and phone numbers that do not actually exist are probably hoaxes.

Real warnings about viruses and other network problems are issued by different response teams (CIAC, CERT, ASSIST, NASIRC, etc.) and are digitally signed by the sending team using Pretty Good Privacy (PGP). If you download a warning from a team's web site or validate the PGP signature, you can usually be assured that the warning is real. Upon receiving a warning, you should examine its PGP signature to see that it is from a real response team or antivirus organization.

To validate the PGP signature, you will need a copy of the PGP software and the public key of the team that sent the message. The primary source for PGP software is ftp site net-dist.mit.edu. More information is available at http://web.mit.edu/network/pgp.html and http://www.mantis.co.uk/pgp/pgp.html. The CIAC public key is available at the CIAC home page: http://ciac.llnl.gov/. You can find the addresses of other response teams by connecting to the FIRST web page at: http://www.first.org. Most anti-virus companies have a web page containing information about most known viruses and hoaxes. You can also call or check the website of the company that produces the product that is supposed to contain the virus. Another useful web site is the "Computer Virus Myths home page" which is found at: http://www.kumite.com/myths. This site contains descriptions of several known hoaxes.
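
The red flags described in this section, turned into a small triage script. This is an added example, not part of the original column and not a CIAC tool; the flag names, regular expressions, threshold and sample messages are constructed assumptions.

```python
import re

# Red flags named in the column; the regexes and thresholds are assumptions.
RED_FLAGS = {
    "urges_forwarding": re.compile(
        r"\b(pass (this|it) (on|along)|forward (this|it) to|send (this|it) to)\b",
        re.I),
    "cites_government_agency": re.compile(
        r"\b(FCC|Federal Communications? Commission)\b", re.I),
    "harm_from_reading_mail": re.compile(
        r"\b(just|simply) by\s+(reading|opening|downloading)\b", re.I),
}
PGP_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
PGP_SIG = "-----BEGIN PGP SIGNATURE-----"


def triage(message: str) -> dict:
    """Return the red flags found in a warning and a next step for it."""
    flags = sorted(name for name, rx in RED_FLAGS.items() if rx.search(message))
    # Armor lines only show that a signature is present. It still has to be
    # validated with PGP against the issuing team's public key.
    signed = PGP_BEGIN in message and PGP_SIG in message
    if signed:
        verdict = "verify-signature"
    elif len(flags) >= 2:
        verdict = "likely-hoax"
    else:
        verdict = "ask-security-team"
    if not signed:
        flags.append("no_pgp_signature")
    return {"flags": flags, "verdict": verdict}


# Constructed sample messages (not real advisories or real hoax texts).
HOAX_SAMPLE = """Subject: VIRUS WARNING
The FCC released a warning last Wednesday. If you receive mail titled
"Example Subject", DELETE it: your hard drive will be erased just by
reading the message. Please forward this to everyone you know!"""

SIGNED_SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----

Constructed advisory text from a response team.
-----BEGIN PGP SIGNATURE-----
(placeholder, not a real signature)
-----END PGP SIGNATURE-----"""

if __name__ == "__main__":
    for sample in (HOAX_SAMPLE, SIGNED_SAMPLE, "Vendor reports a new macro virus."):
        print(triage(sample))
```

None of the three verdicts means "forward it": an unsigned warning goes to the security team, and a signed one is trusted only after the signature validates.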

 


"Big Ray the Buggy Driver" Jones was actually born in Norman, Oklahoma. Nowadays he is considered a "local," having lived in New Orleans for longer than most and knowing more about Louisiana history than anyone we know. You can write to Ray Jones at:

rayjones@praline.no.neosoft.com

Or you can join Ray as he is disseminating info about New Orleans & Louisiana via his web page at: http://www.neosoft.com/~rayjones/welcome.html

Or you can even join "Big Ray's" New Orleans Mailing List by sending:

subscribe noml

to: majordomo@communique.net