Pantek Library

Re: Internet worm / definitions

From: Kevin Patz <jambo_cat(at)yahoo.com>
Date: Fri May 16 2003 - 09:29:49 EDT
In-Reply-To: <20030515153824.7e4345d3.joao@bowtie.nl>

Put ten experts in a room and ask this question and you're likely to get ten different answers, but I always try to use the "classic" malware definitions as follows:

Trojan Horses are malware that don't actively spread on their own; they have to be distributed or downloaded manually. A computer infected with a Trojan typically won't spread the Trojan to other systems. Trojans will typically do damage by deleting files, stealing passwords, or opening a backdoor for unauthorized users to gain access to infected systems.

Worms are capable of spreading under their own "power", either by copying themselves over a network and executing themselves on other hosts (e.g. Code Red, Slammer), or via automated mass mailing (e.g. Klez, Sobig). Some worms immediately infect a host system upon receipt; others have to be launched by the user (many mass mailers).

Viruses spread by infecting other host files or other executable code on the system (boot sector for example). The only way a true virus can spread from system to system is if infected host files are shared, say over a network or via removable disks.

As someone else here said, viruses infect files, and worms infect systems. This is a good way to think of it.

Where it gets hairy is that a lot of malware doesn't neatly fit into just one of these categories. Some have characteristics common to more than one type. I'll mention two examples here:

  1. The Magistr virus. Is it a virus, a worm, or both? Well, when you launch it, it finds one or more host executables to infect, and actually inserts itself into those executables. Therefore, it's a virus. But once it does that, it emails one of the infected executables out to addresses it finds on the computer. So, it's also a worm. You could call it a virus or a worm and you would be correct. Same for Melissa, which is a MS Word macro virus that also has mass mailing capabilities.
  2. The Cult.C worm, aka IRC Sdbot. I received numerous copies of this one in email attachments a week or so ago. My copy of NAV dutifully reported the attachments as containing W32.HLLW.Cult.C@mm. So, at first glance, it appears to be just another email worm. But, on further examination, it appears to be a variant of the IRC Sdbot trojan with a mass mailer that is triggered by script kiddies via IRC. So this one could be considered a backdoor trojan, or an email worm that uses a trigger to mass email itself.

There are also numerous examples of one type of malware acting as a carrier for another. For example, the Klez worm carries and drops the Elkern virus on infected systems. The Nebiwo worm drops various Trojans. The Kuang2 (aka Weird) virus also drops a backdoor Trojan.

>Hello virus people,

Do you need help?

>
>Various organisations, virus professionals, classify almost all modern
>viruses as being an "Internet Worm".. thinking might
>imply that only viruses that send themselves automatically
>without user intervention should be called worm. users, by means
>of opening attachments, are called Internet worms.. i.e. mass-mailing
>virus? Or is any via internet-transported virus a
>worm per definition ?
>
>Thanks for explaining in advance.




Received on Fri May 16 10:12:05 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:39 EDT

