
| Subject: | RE: MacOSX worm |
|---|---|
| Date: | Thu, 28 Oct 2004 15:01:41 -0700 |

Kevin O'Brien <kobrien@solutionscxo.com> wrote:

What makes worms unique is the ability to spread without user intervention.

and John Hansen responded:

This is a definition of worm that I am not familiar with. I have always used Dr Vesselin Bontchev's definition: "Programs which are able to replicate themselves (usually across computer networks) as stand-alone programs (or sets of programs) and which do not depend on the existence of a host program are called computer worms. In some aspects, worms can be considered a special case of viruses. For instance, if under the term "host program" in the definition of the computer virus we understand the whole programming environment of a particular computer, then a worm is simply a virus which infects this environment."

I don't think most security folks have used the term this way in the last few years (though they did used to). Eg, most people viewed Code Red and Slammer as worms, even though neither were standalone programs that could function without the executable they infected.

There seem to be two popular places to draw the line for "worms".

1) It's a worm if it can spread itself across the network and get itself running on remote systems entirely without human help.

2) It's a worm if it's able to spread itself across the network without human help, but not necessarily get itself running on the remote system without human assistance (eg clicking attachments).

Both definitions include Code Red, Slammer, Blaster etc in the "worm" class. The second definition includes a lot of email malware as worms, which the first excludes. If one uses the first definition, there is typically a definite computer vulnerability associated with the worm (or more than one), whereas there may be no vulnerability associated with the second (email malware tends to spread via human vulnerability, not computer vulnerability).

I prefer the first definition, but both are certainly in wide current use.

Stuart.