Posted by David Harley on March 21, 2016.
This is something of a twist on an old favourite – a virus hoax that I saw posted by an acquaintance recently on a social media site. Bizarrely, virus hoaxes seem to be surviving in the modern world even though malicious software that meets the technical definition of a computer virus is actually quite rare. However, Facebook and its siblings seem to have taken over from email as the natural home of hoaxes nowadays. This particular hoax is also reported to be circulating on SMS.
Tell all contacts from your list not to accept a video called the “Sonia disowns Rahul “. It is a virus formats your mobile. Beware it is very dangerous. They announced it today on the radio. Fwd this msg to as that many as you can
Hoax watchers will recognize the approach to hoaxing, if not this particular variant, from way back. For denizens of Facebook, though, there’s no need to go back as far as I do: the very similar ‘Dance of the Pope’ hoax from 2015 looks something like this:
URGENT: Tell all contacts from your list not to accept a video called the dance of the Pope. It is a virus that formats your mobile. Beware it is very dangerous. They announced it today on the radio. Pass on to as many as you can. It was announced on the radio in USA.
It’s hard to imagine that the recent hoax doesn’t deliberately borrow from the older one.
But virus hoaxes are almost as old as the Internet. In 1988, Jeffrey Mogul coined an example of a hypothetical ‘meta-virus’, of which he observed:
The beauty of this “meta-virus” is that it took me about two minutes to make it really scary and I didn’t even have to write any code.
Moral: don’t join witch-hunts until you trust the witch-hunter more than you distrust the alleged witch.
Mogul’s intention was not to deceive, but to warn of the potential for confusion (and worse) arising from ‘virus paranoia’. But his warning was timely.
Just a few months later, a VIRUS-L post by ‘Mike RoChenle’ described a totally mythical ‘modem virus’, and came packed with technobabble, clearly designed to confuse the unwary and non-technical.
Kenneth van Wyk commented subsequently:
In addition to the fact that the reported virus is highly incredible, as was pointed out by several of our readers, it’s even more unlikely that someone would have the name Mike RoChenle (read: Micro Channel).
Thus […], I’d like for everyone to assume that the reported virus was a hoax.
[…] I would like to ask all persons submitting messages, particularly when forwarding messages from other sources (as was the case here), to confirm their sources of information, within reason.
In 1994, the Good Times virus hoax unleashed a tsunami of virus hoaxes that had a major impact on the directions my own career took. I was already engaged in research into real viruses (and other malware, though in those days nearly all malware consisted of true viruses and the occasional worm), but I found myself drawn also into dealing with virus hoaxes and other chain letters, as you might gather from the number of hoax-related conference papers I’ve written, listed at the end of this article. As for blog articles on the subject, I’m not even going to try to list them.
To be fair, it may be that not all virus hoaxes originate with a single individual intending to deceive. Some seem to have arisen because someone misinterpreted a different kind of problem as being caused by a virus. As the message is passed on, it acquires extra layers of misconception and in some cases deliberate and malicious embroidery.
I could spend a lot of time waxing nostalgic about the virus hoaxes that have crossed my radar over the years. I could spend even more time talking about the historical, social and motivational aspects of hoaxing, chain letters and memetics, and how they apply to the narrower field of virus hoaxes, but for now, let’s focus on what we can learn from this particular type of virus hoax.
There’s a broad range of hoaxes that say, in effect, ‘if you open an email/video/graphic/whatever from a particular person or with a specific filename or subject, your phone/computer/hard disk will be hacked or destroyed’. This is just one more. And we can, as regular hoax-busting sites like Hoax-slayer and Snopes have done, point out some of its improbabilities.
What about detecting hoaxes in general? Here’s a list suggested by Padgett Peterson that I quoted in a much earlier paper, and which still works with a bare minimum of modification.
“First you must separate the actual warning from the mass of forwarding that usually accompanies them. Then look for these:
1) No date on warning (to keep it alive) [‘This morning…’ or ‘Yesterday…’ doesn’t count!]
2) No identifiable originator [If the hoaxer quotes an easily verified source people might actually check it out, either from caution or from simple curiosity. So he’d rather rely on the expectation that the victims will receive the message from someone whose good intentions they will take for granted. But trusting the person doesn’t mean you should trust the message he or she is passing on.]
3) No identification of affected platform, just “E-Mail”. [Back in the days of this pre-Facebook, pre-Twitter discussion, email was the universal means of electronic communication. But the point here was that, just as the hoaxes discussed in this article don’t distinguish between mobile phones, older hoaxes didn’t distinguish between devices running MS-DOS, Mac OS, Windows and so on. The hoaxer assumed that victims wouldn’t know enough to realize how improbable a universal virus would be.]
4) Immediate catastrophic damage on opening – typically affects “entire disk” [So in this case we can substitute ‘trashes phone’, but the principle remains the same.]
5) No means of recovery [Curiously, no virus hoax ever claims that the mythical virus will do something relatively mild or even amusing. It always has to have some catastrophic payload.]
6) No reporting agency
7) Advises to “forward to everyone you know”
Occasionally will contain agency (CERT/CIAC/FCC) heading but no internal point of contact or preparer will be identified. [Hoaxes have frequently tried to acquire ‘credibility by association’ by claiming to quote an impressive-sounding authority which may or may not exist.]
If four of the seven heuristic signs are there, you probably have a hoax.”
There are other indicators noted by myself and others, but these have tended to be specific to a certain era of virus hoaxing.
However, Padgett’s suggestions do a good job of equipping a receptive user with heuristics which will catch any chain letter and most hoaxes. (Most hoaxes are just a special case of chain letter.) Most of these indicators work because most composers of hoax virus alerts are unimaginative or lazy, and endlessly recycle. A disquieting aspect of parodies of hoaxes – some of which have been quite creative and amusing – is that even they, like ‘real’ hoaxes, have been plundered for subsequent hoaxes. Which is why hoax parodies like the Bad Times ‘warning’ are often listed in hoax databases as if they were consciously malicious.
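Padgett Peterson's seven signs and his four-of-seven threshold, sketched as a scoring function and run over the ‘Dance of the Pope’ text quoted earlier. This is an added example, not code from the original article; the keyword patterns, the use of an email address or URL as a stand-in for an identifiable originator, and the Example Vendor advisory are assumptions constructed for illustration.

```python
import re

# Padgett Peterson's seven signs as crude text predicates. The keyword
# patterns are illustrative assumptions for this example, not a vetted rule set.
ABS_DATE = re.compile(r"\b(\d{4}-\d{2}-\d{2}|\d{1,2}[/.]\d{1,2}[/.]\d{2,4}|"
                      r"\d{1,2} (jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]* \d{4})\b")
ORIGIN = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+|https?://\S+")  # assumed proxy: a checkable contact
PLATFORM = re.compile(r"\b(android|ios|iphone|windows|mac ?os|linux|ms-dos)\b")
DAMAGE = re.compile(r"\b(formats?|wipes?|erases?|destroys?|trashes|very dangerous)\b")
RECOVERY = re.compile(r"\b(update|patch|restore|backup|remove|uninstall|fix)\w*")
AGENCY = re.compile(r"\b(cert|ciac|fcc)\b")
FORWARD = re.compile(r"\b(fwd|forward|pass (this |it )?on|tell all (your )?contacts|as many as you can)\b")

# (sign name, predicate on the lower-cased text); True means the sign is present.
# "today" or "this morning" deliberately does not count as a date (sign 1).
SIGNS = [
    ("no date on warning", lambda t: not ABS_DATE.search(t)),
    ("no identifiable originator", lambda t: not ORIGIN.search(t)),
    ("no affected platform", lambda t: not PLATFORM.search(t)),
    ("immediate catastrophic damage", lambda t: bool(DAMAGE.search(t))),
    ("no means of recovery", lambda t: not RECOVERY.search(t)),
    ("no reporting agency", lambda t: not AGENCY.search(t)),
    ("forward to everyone", lambda t: bool(FORWARD.search(t))),
]

def hoax_signs(message):
    """Return the names of the signs present in one warning (forwarding headers removed)."""
    text = message.lower()
    return [name for name, present in SIGNS if present(text)]

def probably_hoax(message, threshold=4):
    """Peterson's rule of thumb: four of the seven signs suggest a hoax."""
    return len(hoax_signs(message)) >= threshold

# The 'Dance of the Pope' text quoted earlier on this page.
POPE_HOAX = ("URGENT: Tell all contacts from your list not to accept a video called "
             "the dance of the Pope. It is a virus that formats your mobile. Beware it "
             "is very dangerous. They announced it today on the radio. Pass on to as "
             "many as you can. It was announced on the radio in USA.")
# Constructed contrast sample: a dated, attributed, platform-specific advisory.
ADVISORY = ("Advisory 2016-03-21 from the Example Vendor security team "
            "(security@example.com): a crafted video can crash ExampleApp on "
            "Android 5. Install the update to fix it. Coordinated with CERT.")

if __name__ == "__main__":
    for label, msg in (("pope", POPE_HOAX), ("advisory", ADVISORY)):
        print(label, probably_hoax(msg), hoax_signs(msg))
```

Keyword matching only approximates the checklist: a message that names an agency without any point of contact, as Peterson notes some hoaxes do, would wrongly clear sign 6 here.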
So, you may wonder, what did I do about the hoax posting I saw on Facebook? I’ve learned over the years that telling people they’ve been taken in by a hoax doesn’t necessarily make you more popular. Sometimes, a hoax victim prefers to continue to believe the hoax rather than accept that he or she has been duped, and may even become actively hostile. Still, I commented as gently as I could, saying that it is indeed a good idea to be cautious when using mobile devices, but that in this case I believed the alert to be a hoax, including a link to one of the many articles on the web that debunked it. The only person who responded even indirectly announced their intention of sharing it just in case it turned out to be true. Sadly, this isn’t a unique experience. So I guess chain messages are going to plague us for a good while yet. But I still think that the responsible course of action in such a case is to try to hamper a hoax from spreading by letting people know what it is that they’re spreading.
Here are some previous examples of my writing somewhat related to the subject. However, I’ll probably come back to the topic with some more up-to-date material.
ESET Senior Research Fellow