return to ICG Spaces home    ICG Risk Blog    discussions    newsletters    login    

ICG Risk Blog - [ Hoax spam helps mask the many Battle Cruisers, Death Rays and intergalactic plagues that can get you ]

Hoax spam helps mask the many Battle Cruisers, Death Rays and intergalactic plagues that can get you

  #

Chain letter hoax spam has dangers all their own as they radiate outward absorbing bandwidth without merit and distracting unwary recipients from good practice. Depending upon their content and construction, they are either noise or spurious signals (sprignals) masking genuine threats.

I received the fifth forwarding of just such a histrionic spam sent to me by a Mac user who had not done enough research to learn that the worm in the forwarded note was a Win32 payload targeting Microsoft PCs.

Replying to all in order to try to calm matters and prevent further forwarding I wrote:

Whoa now, lets not get carried away

I feel like Tommy Lee Jones as Agent K in Men in Black when his new partner, Will Smith's Agent J, is unhinging about an incipient alien threat to destroy the Earth in the next thirty minutes:

Agent K: We do not discharge our weapons in view of the public!

Agent J: We ain't got time for this cover-up bullshit! Have you forgotten? There's an alien battle cruiser--

Agent K: There's always an alien battle cruiser or a Korilian death ray or an intergalactic plague about to wipe out life on this planet. The only way people get on with their happy lives is they do... not... know about it!

The threat you are describing - which does not affect Macs - is one of the Warezov variants. They left that out of your scare memo.

Warezov is only one of a few hundred major worms and trojans now circulating, i.e., just one of the many Battle Cruisers, Death Rays and intergalactic plagues that can get you.

If you have robust AV tools, religiously keep them up to date, assiduously avoid opening almost any attachment, and don't go to the dark web where things lurk for which no detection signature has been created, you stand a reasonable chance on non-infection. Add to that, make frequent backups. That's all you get today. No guarantees.

Yes, Warezov is a nasty bit of work, but it has been in the wild for some time. Dwelling on Warezov draws attention away from newer, more interesting attacks like Mocmex which is capable of extremely nasty work but seems to be circulating now as proof of function for a much more potent future attack. Its initial distribution pattern is new however: digital photo frames. Once you return your jump drive back to the mother ship, you're infected, a nice midtech approach off the usual infection path. Mocmex is also a W32 product so Mac users are not affected. I worry more about items such as Disk Wizard (more here), another Win32 attack.

Spotting hoaxes on the fly

While human nature will doubtless continue to propagate hoaxes which share many characteristics with rumors, it is worth the effort to educate. My primary litmus tests for hoaxes is its "too good to be true, too perfect, too pat" property in which you are given both rationale and urgency to act. It is something that people want to be true, and when it is not, they embellish it before sending it on.

Another test is how many comments of that caliber appear in the same fervent message. (Repeated urgency is another test.) One among many sentences in this spam that failed the sniff test was:

Subsequently you will LOSE EVERYTHING IN YOUR PC, And the person who sent it to you will gain access to your name, e-mail and password.

Googling that phrase almost immediately led to an initial 2002 write-up by Symantec titled the Life is beautiful Hoax by George Koris describing a hoax about a supposed virus masquerading as a PowerPoint document. Koris' summary was "Please ignore any messages regarding this hoax and do not pass on messages. Passing on messages about the hoax only serves to further propagate it." And still it lives.

By 2006, the Mail Server Report email with a valid payload in a .zip file began circulating claiming that "a worm was detected in an email you sent. You are asked to use the attached file to install updates that will eliminate the virus it has supposedly detected." The attack payload was a Warezov variant.

By March 2008 a warning began circulating that erroneously linked the 'Mail Server Report' worm with elements of the 'Life is Beautiful' virus hoax and claimed that the resulting amalgam "HAS BEEN CONFIRMED BY SNOPES." The primary element that Snopes was confirming was the amalgamated texts, but that will suffice for the gullible.

The 'confirmation' bona fides in the forwarded item I received now carried two 'certifications,' one ostensibly from Snopes and the second from Truth or Fiction. (This is another hoax characteristic: paste-on embellishments.). One wishes forwarders along the line had done similar research.

Hoaxes are not harmless

I do not consider these hoaxes harmless. I surmise, but do not have proof at hand, that many of the credulous that forward this spam class, thinking that they are doing good, do greater harm by ignoring their update cycle (if they update at all) of their PC software, peripherals and second tier applications in addition to their operating system, mail system and web browser.

As a first step, Hoax-Slayer has this comment regarding hoaxes that I recommend to all:

Before forwarding a virus warning email, it is always a good idea to check that the information in the message is valid. Virus hoaxes are quite common, and like this one, they tend to circulate for years after they are first launched. In other cases, virus warnings that may have been originally true circulate long after the described virus has ceased to be a significant threat. Virus hoaxes and outdated warnings are no help to anybody. All they do is waste time, cause confusion and needlessly clutter inboxes. Such problems mean that forwarding warning emails may not be the best way to help battle viruses and other computer security threats.

The credulous that forward hoaxes or misplaced warnings consume reader mindset and network bandwidth. Worse, they reduce recipients' ability to pay attention to things that are serious, that will likely cause damage. They become part of the signals, sprignals and noise in the communications environment. From The value of counter-deception and early sprignal detection in political elections:

Roberta Wohlstetter pioneered intelligence warning systems by applying Claude Shannon's telecommunication concept of signals and noise and his design of information systems to send and receive signals amid noise. Wohlstetter's Pearl Harbor concluded that the problem was "too much noise" rather than a lack of data, i.e., it was analysis that failed: "We failed to anticipate Pearl Harbor not for want of the relevant materials, but because of a plethora of irrelevant ones."

Contributing causes were invalid assumptions, faulty appraisal and dissemination of intelligence, and inadequate security measures. Behind these was a lack of war-mindedness at this Pacific base halfway around the world from areas where momentous events were happening. Adm. Husband E. Kimmel, the Pacific Fleet commander, admits to it: "We did not know that in the Atlantic a state of undeclared war existed (Admiral Kimmel's Story, p. 2, New York 1955). The War and Navy departments also shared in responsibility for the disaster, not only by withholding intelligence but by assigning low priorities to critical equipment for ships and units in the Hawaiian area.

Pierre Wack drives home this need of awareness of one's greater surroundings in his discourse on scenarios, what he calls the "gentle art of reperceiving."

In times of rapid change, [companies] effectiveness and speed in identifying and transforming information of strategic significance into strategic initiatives differ just as much [as their skill in turning research into product]. Today, however, such a capacity is critical. Unless companies are careful, novel information outside the span of managerial expectations may not penetrate the core of decision makers' minds, where possible futures are rehearsed and judgment exercised.

As Roberta Wohlstetter points out, "To discriminate significant sounds against this background of noise, one has to be listening for something or for one of several things. One needs not only an ear but a variety of hypotheses that guide observation". Indeed, the Japanese commander of the Pearl Harbor attack, Mitsuo Fuchida, surprised at having achieved surprise, asked, "Had these Americans never heard of Port Arthur?" (the event preceding the Russo-Japanese War of 1904 -- and famous in Japan -- when the Japanese navy destroyed the Russian Pacific fleet at anchor in Port Arthur in a surprise attack).

Barton Whaley used the model in his analysis of Soviet attempts to predict an impending German attack, Operation BARBAROSSA. Whaley's first analysis cited 12 cases of strategic surprise to which William Harris believed that "the Russian warning intelligence challenge in 1941 was to differentiate genuine "signals" of impending invasion from "spurious signals" from deception planners (defensive military preparations and deployments, non-hostile intent, etc.) within the context of other information "noise."" As a "minimum of 8 or 9 of these 12 warning challenges involves deliberate "signals" designed to lull or defeat warning systems," Harris suggested that Whaley "utilize a tripartite model: signals, spurious signals (sprignals), and noise."*

Hoaxes can either be noise or sprignals. Neither is useful in addressing the payload signals.

Chinese hackers would like to introduce you to Disk Wizard and the Mechanical Dog
Published by Heike
The Dark Visitor
March 27, 2008

Virus from China the gift that keeps on giving
Deborah Gage
San Francisco Chronicle
February 15, 2008

Mail Server Report
Example: [Collected via e-mail, 2006]
by Barbara and David P. Mikkelson
Snopes

Life is beautiful Hoax
Discovered: January 15, 2002
TECHNICAL DETAILS
Writeup By: George Koris
Symantec
Updated: February 13, 2007 11:59:14 AM

Men In Black Script - Dialogue Transcript
Transcript that was painstakingly transcribed using the screenplay and/or viewings of Men In Black

Men In Black
by Ed Solomon
IMSDb

Gordon Housworth



Cybersecurity Public  InfoT Public  Infrastructure Defense Public  Risk Containment and Pricing Public  

discussion

  discuss this article


<<  |  August 2019  |  >>
SunMonTueWedThuFriSat
28293031123
45678910
11121314151617
18192021222324
25262728293031
1234567
view our rss feed