RE: MacOSX worm
Oct 29 2004 03:20PM Steven Hay (shay communitysavings ca)
I wonder if part of the "blurring" of these lines is that so many variants
alter the behavior of a worm/trojan using characteristics from others. This
seems to start to happen so much so that a .r (for example) variant could
really have a different classification than the original virus.
At any rate I tend to agree with John here that this separation of
classification is from an older time when these classifications were more
distinct. I now spend more time trying to learn how the thing works and
more importantly how to prevent it from hitting us than whether it is more
like a trojan than a worm...
-----Original Message-----
From: Stuart Staniford [mailto:stuart (at) nevisnetworks (dot) com]
Sent: October 28, 2004 4:02 PM
To: 'John Hansen'; focus-virus (at) securityfocus (dot) com
Subject: RE: MacOSX worm
Kevin O'Brien <kobrien (at) solutionscxo (dot) com> wrote:
>> What makes worms unique is the ability to spread
>> without user intervention.
and John Hansen responded:
> This is a definition of worm that I am not familiar with. I have
> always used Dr Vesselin Bontchev's definition:
>
> "Programs which are able to replicate themselves (usually across computer
> networks) as stand-alone programs (or sets of programs) and which do not
> depend on the existence of a host program are called computer worms.
> In some aspects, worms can be considered a special case of viruses. For
> instance, if under the term "host program" in the definition of the
> computer virus we understand the whole programming environment of a
> particular computer, then a worm is simply a virus which infects this
> environment."
I don't think most security folks have used the term this way in the last
few years (though they did use to). E.g., most people viewed Code Red and
Slammer as worms, even though neither was a standalone program that could
function without the executable it infected.
There seem to be two popular places to draw the line for "worms".
1) It's a worm if it can spread itself across the network and get itself
running on remote systems entirely without human help.
2) It's a worm if it's able to spread itself across the network without
human help, but not necessarily get itself running on the remote system
without human assistance (eg clicking attachments).
Both definitions include Code Red, Slammer, Blaster etc in the "worm" class.
The second definition includes a lot of email malware as worms, which the
first excludes. If one uses the first definition, there is typically a
definite computer vulnerability associated with the worm (or more than one),
whereas there may be no vulnerability associated with the second (email
malware tends to spread via human vulnerability, not computer
vulnerability).
I prefer the first definition, but both are certainly in wide current use.
Stuart.