Network Security Focus-Virus

Re: MacOSX worm

Subject: Re: MacOSX worm
Date: Sat, 30 Oct 2004 11:53:12 +1300
John Hansen to David Gillett:

> <<snip>>
> Mr Kevin O'Brien insists that worms always spread without any user
> intervention; like f.ex. Codered or Blaster. However, that is beside
> the point - the most significant property of a worm is that it is
> *standalone* - that it does replicate, but does not attach itself to
> an existing program.  ...

Hmmmm -- so how do you define "attach"?

Imagine a program that, when run (let's not worry for now _how_ it gets 
run) studies the host system's current PATH environment variable and 
locates a number of program files accessible to the current user.  
Based on the path data and on some further, hardcoded logic about 
default paths for the current host system, it copies itself, with the 
same name and attributes as its newly located targets, to locations 
"earlier" in the search path than the targets, thus expecting to get 
executed instead of the targets.

It replicates (as it has made copies of itself), but it hasn't 
"attached" itself to its targets, in any sense that "attached" is 
meaningful to me.  Thus I must conclude that you consider path-
execution priority companion "viruses" to be worms.  For those who do 
not know, in the AV research arena these have been almost exclusively 
considered to be viruses from the outset.

In fact, thinking about it, deleting overwriters do not, in any way 
that "attach" is meaningful to me, "attach" themselves to their targets 
either.  And yes, such have always been (unquestioningly) considered to 
be viruses by AV researchers.

And most boot infectors fall into the same boat, though one or two folk 
have tried to make the case that boot infectors are actually worms.

> ...  Some researchers insist that this replication
> needs to be over a computer network, ...

Nearly all researchers apart from the tiny number just mentioned who 
claim boot infectors should be considered worms and me, claim 
networking as a necessary part of worminess.  (My inclination is that a 
worm spreads by autonomous self-instantiation in the process space of 
someone other than the 'user' under which the current ("launching") 
instantiation is running.  Thus, a pure network worm like CodeRed that 
spreads from machine to machine is truly a "worm", as is something that 
spreads through memory on a multi-user system, but from the process 
space of one user to the process space of another user.)

> ... but there are researchers that
> say that f.ex. making multiple copies of itself in different folders
> is enough to call it a worm.

I've never, that I recall, struck this view.  Can you cite an example 
of a piece of malware fitting that description and a researcher arguing 
for it being a worm?

Or are you referring to the so-called "P2P worms" where a program drops 
copies of itself in "special" directories (usually those with names 
that case-insensitively match "*shar*")?


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
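A defender-side check for the path-priority companion technique Nick describes above, written for this thread as an added example (it is not code from the original post or from either correspondent): it models a PATH search order and, for every executable name present in more than one directory, flags the case where one file body wins the lookup under several different names, which is exactly the footprint of a program that copies itself under its targets' names into earlier PATH directories. The directory names, file contents and the inventory are constructed sample data; the live scan simply reads the current host's PATH.

```python
import hashlib
import os
from collections import defaultdict


def digest(data: bytes) -> str:
    """SHA-256 hex digest of file content; identical copies share a digest."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample inventory (hypothetical, not taken from a real machine):
# the PATH search order, and for each directory the executables it holds
# mapped to their content digest. One companion body sits in the user's bin
# directory under the names "ls" and "cat", ahead of the real programs.
SAMPLE_PATH = ["/home/alice/bin", "/usr/local/bin", "/usr/bin"]
SAMPLE_FILES = {
    "/home/alice/bin": {
        "ls": digest(b"companion-body"),
        "cat": digest(b"companion-body"),
        "mytool": digest(b"alice's own script"),
    },
    "/usr/local/bin": {"python3": digest(b"python-binary")},
    "/usr/bin": {
        "ls": digest(b"real-ls"),
        "cat": digest(b"real-cat"),
        "python3": digest(b"python-binary"),
    },
}


def find_shadowing(path_dirs, files):
    """Return (name, earlier_dir, later_dir) for every executable name that
    appears in more than one PATH directory. The earlier directory wins the
    lookup, so its file runs instead of the later one."""
    first_seen = {}
    shadowing = []
    for directory in path_dirs:
        for name in sorted(files.get(directory, {})):
            if name in first_seen:
                shadowing.append((name, first_seen[name], directory))
            else:
                first_seen[name] = directory
    return shadowing


def find_companion_clusters(path_dirs, files):
    """Group shadowing entries by the digest of the winning file, ignoring
    cases where both copies are byte-identical (a duplicate install, not a
    companion). One digest winning under several distinct names is the
    companion pattern: a single body copied under its victims' names."""
    by_digest = defaultdict(list)
    for name, earlier, later in find_shadowing(path_dirs, files):
        winner = files[earlier][name]
        if winner == files[later][name]:
            continue
        by_digest[winner].append((name, earlier))
    return {
        d: entries for d, entries in by_digest.items()
        if len({n for n, _ in entries}) > 1
    }


def inventory_from_filesystem(path_dirs):
    """Build the same dir -> {name: digest} map from the live PATH;
    only regular files with the execute bit are hashed."""
    files = {}
    for directory in path_dirs:
        try:
            names = os.listdir(directory)
        except OSError:
            continue  # unreadable or missing PATH entry: nothing to inventory
        entries = {}
        for name in names:
            full = os.path.join(directory, name)
            if os.path.isfile(full) and os.access(full, os.X_OK):
                with open(full, "rb") as fh:
                    entries[name] = digest(fh.read())
        files[directory] = entries
    return files


if __name__ == "__main__":
    # Report on the constructed sample first, then on the host's own PATH.
    live_path = os.environ.get("PATH", "").split(os.pathsep)
    for label, path, files in (
        ("sample", SAMPLE_PATH, SAMPLE_FILES),
        ("live", live_path, inventory_from_filesystem(live_path)),
    ):
        for d, entries in find_companion_clusters(path, files).items():
            names = ", ".join(f"{n} ({where})" for n, where in entries)
            print(f"[{label}] body {d[:12]}... shadows: {names}")
```

On the sample data the report names one body that shadows both `ls` and `cat` from `/home/alice/bin`, while the duplicate `python3` (same bytes in two directories) is correctly left out. A plain "same name in two PATH directories" check would fire on that duplicate too, so grouping by content digest is what separates an ordinary packaging quirk from one program replicated under many names.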
