Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Virus
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: MacOSX worm

from [Kevin O'Brien] Network Security [Permanent Link]
Subject: RE: MacOSX worm
Date: Wed, 27 Oct 2004 09:40:29 -0600 
If it has no way of self propagating then it cannot be called a worm and is
more accurately classified as a virus.  Yes it can be spread by file sharing
as any other virus can.  What makes worms unique is the ability to spread
without user intervention.  

It looks like in this instance, the term "worm" is being used loosely.
Users must still swap files to spread the virus as was the case with media
sharing (floppy's, etc.) in the days before the Internet.



-----Original Message-----
From: Steven Trewick [mailto:STrewick@joplings.co.uk] 
Sent: Wednesday, October 27, 2004 2:26 AM
To: 'H Carvey'; focus-virus@securityfocus.com
Subject: RE: MacOSX worm




Well, the reg
http://www.theregister.co.uk/2004/10/25/mac_rootkit_opener/says

says the malware "contains a variety of destructive 
functionality including a keylogger and backdoor components."

The Symantec write up linked from the article
http://www.sophos.com/virusinfo/analyses/shrenepoa.htmlhas 
lists side effects including "Deletes files off the computer", and "Modifies
passwords", both of which could be considered 
destructive actions.

Perhaps the semantics in the reg article are a bit off, but
I hardly think they can be accused of spreading FUD.

You could always email them and ask for clarification, 
they are a fairly approachable lot.

As for the AV industry, I see no reason why they should downplay 
the threat (quite the opposite surely ?), but since the Symantec 
write up classifeis it as worm, and claims it spreads by file shares, 
and the user write ups at http://www.macintouch.com/opener.html
suggest something different again, perhaps the combined effect
*becomes* FUD

Same old same old.  

Steve


















-----Original Message-----
From: H Carvey [mailto:keydet89@yahoo.com]
Sent: 26 October 2004 17:09
To: focus-virus@securityfocus.com
Subject: MacOSX worm




SF has a Register article about Opener/Renepo-A.  The article
describes this as a "rootkit" (the term is, in fact, used in 
the title of the article), yet Sophos (linked in the article) 
classifies it as a worm.  Neither the Register article nor 
the Sophos write up describe any rootkit-like capabilities.

Here's the Symantec writeup: 
http://www.sarc.com/avcenter/venc/data/macos.renepo.b.html

The Register article calls the "rootkit" "destructive", yet
doesn't describe any destructive capabilities.  However, the 
Symantec writeup does.

So...what's the real deal?  Is the media spreading FUD, or is
the A/V community downplaying the effectiveness of this bit 
of malware?

Thanks,

Harlan Carvey
"Windows Forensics and Incident Recovery" http://www.windows-ir.com




The information contained in this e-mail is confidential and may be
privileged, it is intended for the addressee only. If you have received this
e-mail in error please delete it from your system. The statements and
opinions expressed in this message are those of the author and do not
necessarily reflect those of the company. Whilst Joplings Group operates an
e-mail anti-virus program it does not accept responsibility for any damage
whatsoever that is caused by viruses being passed. joplings.co.uk
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: MacOSX worm, M. Shirk
Next by Date:  Re: {BAD-DATE} MacOSX worm, "D. HÃhn"
Previous by Thread:  RE: MacOSX worm, Steven Trewick
Next by Thread:  Re: MacOSX worm, John Hansen
Indexes:  [Date] [Thread] [Top] [All Lists]