ITsecurity

Virus hoaxes still thrive while ‘Sonia disowns Rahul’

Posted on March 21, 2016.

This is something of a twist on an old favourite – a virus hoax that I saw posted by an acquaintance recently on a social media site. Bizarrely, virus hoaxes seem to be surviving in the modern world even though malicious software that meets the technical definition of a computer virus is actually quite rare. However, Facebook and its siblings seem to have taken over from email as the natural home of hoaxes nowadays. This particular hoax is also reported to be circulating on SMS.

Tell all contacts from your list not to accept a video called the “Sonia disowns Rahul “. It is a virus formats your mobile. Beware it is very dangerous. They announced it today on the radio. Fwd this msg to as that many as you can

Hoax watchers will recognize the approach to hoaxing, if not this particular variant, from way back. For denizens of Facebook, though, there’s no need to go back as far as I do: the very similar ‘Dance of the Pope’ hoax from 2015 looks something like this:

URGENT: Tell all contacts from your list not to accept a video called the dance of the Pope. It is a virus that formats your mobile. Beware it is very dangerous. They announced it today on the radio. Pass on to as many as you can. It was announced on the radio in USA.

It’s hard to imagine that the recent hoax doesn’t deliberately borrow from the older one.

The Birth of the Meta-Virus

But virus hoaxes are almost as old as the Internet. In 1988, Jeffrey Mogul coined an example of a hypothetical ‘meta-virus’, of which he observed:

The beauty of this “meta-virus” is that it took me about two minutes to make it really scary and I didn’t even have to write any code.

Moral: don’t join witch-hunts until you trust the witch-hunter more than you distrust the alleged witch.

Mogul’s intention was not to deceive, but to warn of the potential for confusion (and worse) arising from ‘virus paranoia’. But his warning was timely.

Modem Operandi

Just a few months later, a VIRUS-L post by ‘Mike RoChenle’ described a totally mythical ‘modem virus’, and came packed with technobabble, clearly designed to confuse the unwary and non-technical.

Kenneth van Wyk commented subsequently:

In addition to the fact that the reported virus is highly incredible, as was pointed out by several of our readers, it’s even more unlikely that someone would have the name Mike RoChenle (read: Micro Channel).

Thus […], I’d like for everyone to assume that the reported virus was a hoax.

[…] I would like to ask all persons submitting messages, particularly when forwarding messages from other sources (as was the case here), to confirm their sources of information, within reason.

Good Times just around the corner

In 1994, the Good Times virus hoax unleashed a tsunami of virus hoaxes that had a major impact on the directions my own career took. I was already engaged in research into real viruses (and other malware, though in those days nearly all malware consisted of true viruses and the occasional worm), but I found myself drawn also into dealing with virus hoaxes and other chain letters, as you might gather from the number of hoax-related conference papers I’ve written, listed at the end of this article. As for blog articles on the subject, I’m not even going to try to list them.

To be fair, it may be that not all virus hoaxes originate with a single individual intending to deceive. Some seem to have arisen because someone misinterpreted a different kind of problem as being caused by a virus. As the message is passed on, it acquires extra layers of misconception and in some cases deliberate and malicious embroidery.

Confessions of a Hoax-Hunter

I could spend a lot of time waxing nostalgic about the virus hoaxes that have crossed my radar over the years. I could spend even more time talking about the historical, social and motivational aspects of hoaxing, chain letters and memetics, and how they apply to the narrower field of virus hoaxes, but for now, let’s focus on what we can learn from this particular type of virus hoax.

There’s a broad range of hoaxes that say, in effect, ‘if you open an email/video/graphic/whatever from a particular person or with a specific filename or subject, your phone/computer/hard disk will be hacked or destroyed’. This is just one more. And we can, as regular hoax-busting sites like Hoax-slayer and Snopes have done, point out some of its improbabilities.

How do you know it’s a hoax?

  • There is no such virus. Furthermore, it’s unlikely that there ever will be, at least in the form that’s described in that message. Easy for me to say, of course. I’m in the anti-malware business, so I’d expect to have heard about it if such a virus were even technically possible, let alone in existence. However, the people who are passing this message on don’t have the advantage of thirty years working in security. So how possible is it?
    • There is certainly malware that targets mobile phones, going back to a spate of Symbian-targeting malware that kicked off around 2000, including examples that were fairly destructive. Skulls, for example, overwrote system applications with non-functional code, so the phone was good for nothing except making phone calls. Come to think of it, that’s all my first cell phone was ever capable of doing, even out of the box, but people expected more from a phone by then.
    • But malicious code that works on all mobile phones, irrespective of platform? That’s what we seem to be talking about here, since no specific phone or mobile operating system is mentioned. But that doesn’t happen. You can’t run exactly the same code on an iPhone, an Android, a Blackberry, and a Windows phone: the operating system on one platform doesn’t know what to do with code for another. You could write individual programs that would have much the same functionality for each of those platforms, of course, but then you’d have the problem of matching the app to the platform when it came to distribution. That’s by no means impossible – there is malware that does something like that – but it’s a lot of trouble to go to just to brick a stranger’s phone.
    • Nowadays, mobile malware – like all other malware – is usually written to make a profit for the criminal, and there isn’t much incentive to write malware that does nothing but wreak destruction. Unless you’re talking about cyberwarfare, but we’re getting into Tom Clancy territory there. There are exceptions, of course. See, for instance, this article on hoaxes intended to persuade victims to destroy their own hardware: 4Chan: destructive hoaxes and the Internet of Not Things. Of course, there’s no reason in principle that a virus hoax shouldn’t describe a relatively modest payload more characteristic of real malware, but hoaxers naturally incline to sensationalism. And since they target people who aren’t particularly tech-savvy, why would they bother to gild the lily?
  • So the warning was on the radio, was it? Leaving aside the fact that not everyone who is called an expert on TV or radio actually knows what they’re talking about, no-one has so far managed to trace this particular broadcast. Not surprising, since the message gives no indication of where or when it was made. Come to that, since the Sonia hoax was just copied from the earlier hoax, it’s not at all likely that there was ever a radio warning associated with this one. Nor has anyone ever managed to trace such a warning about the dancing Pope. In either case, you’d think that if such dramatic malware really existed, it would have made more impact on the media than that single obscure – not to say invisible – broadcast.
  • It’s a chain letter. In other words, someone, somewhere wanted it forwarded to as many people as possible. For many of us, just that fact makes it automatically suspicious. You might argue that sometimes an issue is so serious that it should be forwarded to as many people as possible. I might stretch to conceding that point, but only if everyone who forwards it first checks that it carries genuine information. But chain messages are vexatious precisely because people don’t check the information before forwarding. Of course, most people forward chain messages for the best of reasons, because they believe them to be genuine and that they contain important information. But hoaxers rely on that as a means of making mischief. (Presumably it makes them feel better about themselves because duping others makes them feel superior to their victims.)

Recognizing Hoaxes

What about detecting hoaxes in general? Here’s a list suggested by Padgett Peterson that I quoted in a much earlier paper, and which still works with a bare minimum of modification.

“First you must separate the actual warning from the mass of forwarding that usually accompanies them. Then look for these:

1) No date on warning (to keep it alive) [‘This morning…’ or ‘Yesterday…’ doesn’t count!]

2) No identifiable originator [If the hoaxer quotes an easily verified source people might actually check it out, either from caution or from simple curiosity. So he’d rather rely on the expectation that the victims will receive the message from someone whose good intentions they will take for granted. But trusting the person doesn’t mean you should trust the message he or she is passing on.]

3) No identification of affected platform, just “E-Mail”. [Back in the days of this pre-Facebook, pre-Twitter discussion, email was the universal means of electronic communication. But the point here was that just as the hoaxes discussed in this article don’t distinguish between mobile phones, nor did older hoaxes distinguish between devices running MS-DOS, Mac OS, Windows and so on. The hoaxer assumed that victims wouldn’t know enough to realize how improbable a universal virus would be.]

4) Immediate catastrophic damage on opening – typically affects “entire disk” [So in this case we can substitute ‘trashes phone’, but the principle remains the same.]

5) No means of recovery [Curiously, no virus hoax ever claims that the mythical virus will do something relatively mild or even amusing. It always has to have some catastrophic payload.]

6) No reporting agency

7) Advises to “forward to everyone you know”

Occasionally will contain agency (CERT/CIAC/FCC) heading but no internal point of contact or preparer will be identified. [Hoaxes have frequently tried to acquire ‘credibility by association’ by claiming to quote an impressive-sounding authority which may or may not exist.]

If four of the seven heuristic signs are there, you probably have a hoax.”

There are other indicators noted by myself and others, but these have tended to be specific to a certain era of virus hoaxing.

However, Padgett’s suggestions do a good job of equipping a receptive user with heuristics which will catch any chain letter and most hoaxes (most hoaxes are just a special case of chain letter). Most of these indicators work because most composers of hoax virus alerts are unimaginative or lazy, and endlessly recycle. A disquieting aspect of parodies of hoaxes – some of which have been quite creative and amusing – is that even they, like ‘real’ hoaxes, have been plundered for subsequent hoaxes. Which is why hoax parodies like the Bad Times ‘warning’ are often listed in hoax databases as if they were consciously malicious.
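Peterson’s seven signs lend themselves to a simple scorer, run here over the two chain messages quoted above and a constructed advisory for contrast. This is an added example, not code from the article or from any published tool; the keyword lists, the four-of-seven threshold applied mechanically, and the advisory text are assumptions.

```python
import re

# Padgett Peterson's seven heuristic signs expressed as text checks. The keyword
# lists are assumptions chosen for illustration, not a published ruleset.
DATE_RE = re.compile(
    r"\b(\d{1,2}[/-]\d{1,2}[/-]\d{2,4}|\d{4}-\d{2}-\d{2}|jan(uary)?|feb(ruary)?|"
    r"mar(ch)?|apr(il)?|june?|july?|aug(ust)?|sep(tember)?|oct(ober)?|nov(ember)?|"
    r"dec(ember)?)\b", re.I)
CONTACT_RE = re.compile(r"(https?://\S+|[\w.+-]+@[\w-]+\.[\w.]+)", re.I)
PLATFORM_RE = re.compile(r"\b(android|ios|iphone|windows|mac ?os|linux|symbian|blackberry)\b", re.I)
DAMAGE_RE = re.compile(r"\b(formats?|wipes?|erases?|destroys?|trash(es)?|bricks?|deletes?)\b", re.I)
RECOVERY_RE = re.compile(r"\b(recover|restore|backup|back up|patch|update|uninstall|remove)\b", re.I)
AGENCY_RE = re.compile(r"\b(CERT|CIAC|FCC|ESET|Microsoft|Apple|Google|Symantec|McAfee)\b")
FORWARD_RE = re.compile(r"\b(fwd|forward|pass (this |it )?on|send (this )?to|tell all)\b", re.I)

def hoax_signs(message: str) -> list[str]:
    """Return the heuristic signs present in the message, numbered as in Peterson's list."""
    signs = []
    if not DATE_RE.search(message):          # 'today' or 'yesterday' does not count as a date
        signs.append("1:no date")
    if not CONTACT_RE.search(message):       # no URL or e-mail address to check against
        signs.append("2:no identifiable originator")
    if not PLATFORM_RE.search(message):      # 'your mobile' names no platform at all
        signs.append("3:no affected platform")
    if DAMAGE_RE.search(message):
        signs.append("4:catastrophic damage on opening")
    if not RECOVERY_RE.search(message):
        signs.append("5:no means of recovery")
    # An agency heading alone is not enough: a real alert also gives a point of contact.
    if not (AGENCY_RE.search(message) and CONTACT_RE.search(message)):
        signs.append("6:no reporting agency")
    if FORWARD_RE.search(message):
        signs.append("7:advises forwarding to everyone")
    return signs

def is_probable_hoax(message: str, threshold: int = 4) -> bool:
    """Peterson's rule of thumb: four of the seven signs and you probably have a hoax."""
    return len(hoax_signs(message)) >= threshold

# The two chain messages quoted in the article, plus a constructed advisory for contrast.
SONIA = ('Tell all contacts from your list not to accept a video called the "Sonia disowns '
         'Rahul". It is a virus formats your mobile. Beware it is very dangerous. They '
         'announced it today on the radio. Fwd this msg to as that many as you can')
POPE = ('URGENT: Tell all contacts from your list not to accept a video called the dance of '
        'the Pope. It is a virus that formats your mobile. Beware it is very dangerous. They '
        'announced it today on the radio. Pass on to as many as you can. It was announced on the radio in USA.')
ADVISORY = ('Advisory 2016-03-21 from ESET: a trojan in a third-party app store affects Android '
            '4.x handsets and can delete contacts. Uninstall the app and restore from backup. '
            'Details: https://advisory.example.invalid/0001 - report samples to CERT.')
```

Both hoaxes score all seven signs, while the constructed advisory trips only the damage check, which is why the threshold rather than any single indicator does the work.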

Conclusion

So, you may wonder, what did I do about the hoax posting I saw on Facebook? I’ve learned over the years that telling people they’ve been taken in by a hoax doesn’t necessarily make you more popular. Sometimes, a hoax victim prefers to continue to believe the hoax rather than accept that he or she has been duped, and may even become actively hostile. Still, I commented as gently as I could, saying that it is indeed a good idea to be cautious when using mobile devices, but that in this case I believed the alert to be a hoax, including a link to one of the many articles on the web that debunked it. The only person who responded even indirectly announced their intention of sharing it just in case it turned out to be true. Sadly, this isn’t a unique experience. So I guess chain messages are going to plague us for a good while yet. But I still think that the responsible course of action in such a case is to try to hamper a hoax from spreading by letting people know what it is that they’re spreading.

Here are some previous examples of my writing somewhat related to the subject. However, I’ll probably come back to the topic with some more up-to-date material.

David Harley
ESET Senior Research Fellow



3 thoughts on “Virus hoaxes still thrive while ‘Sonia disowns Rahul’”

  1. Roselynn Kingsbury said:

    Thank you! It’s very tempting to pass this stuff on if you’re dealing with a problem with your phone (I’m currently dealing with the ‘screen overlay’ problem), but critical thinking can save a lot of grief.

  2. Thanks for the article on hoaxes. I received the Sonia hoax & immediately checked Snopes.com then Google. It didn’t ring true. Guess I’ve seen quite a few of these virus warnings, enough to make me check them out. I’m not that great on the computer but I appreciate your expertise on these matters.
    Thank you
    Sincerely, M.J. Berling

  3. James Sr. said:

    Thanks for the FYI! I’m happy to know there are people like you who care to take the time to educate the lazy mind!! Keep up the good work! James Sr.
