Network Security Focus-Virus
Subject: RE: MacOSX worm
Date: Sat, 30 Oct 2004 11:53:11 +1300
Stuart Staniford to John Hansen:

This is a definition of worm that I am not familiar with. I have
always used Dr Vesselin Bontchev's definition:
<<snip Vess' definition>>
I don't think most security folks have used the term this way in the last
few years (though they used to).  ...

As a possibly interesting point of "cultural difference", while I'll 
accept your claim about "security folks", I'll note that among the sub-
group of those with whom I'm much more familiar -- antivirus 
researchers -- the main distinction in Vess' definition, although not 
necessarily the full definition, is by far the majority view.

...  Eg, most people viewed Code Red and
Slammer as worms, even though neither were standalone programs that could
function without the executable they infected.

There seem to be two popular places to draw the line for "worms".

1) It's a worm if it can spread itself across the network and get itself
running on remote systems entirely without human help.

2) It's a worm if it's able to spread itself across the network without
human help, but not necessarily get itself running on the remote system
without human assistance (eg clicking attachments).

Both definitions include Code Red, Slammer, Blaster ...

There are differences even here though -- Blaster makes a file-system
bound copy of itself which can be restarted when the OS does.  To me, a
"pure worm" has no necessary file-system components (except possibly as
the initial injection vector), so CodeRed and Slammer yes, Blaster no.

... etc in the "worm" class.
The second definition includes a lot of email malware as worms, which the
first excludes.  If one uses the first definition, there is typically a
definite computer vulnerability associated with the worm (or more than one),
whereas there may be no vulnerability associated with the second (email
malware tends to spread via human vulnerability, not computer
vulnerability).

I prefer the first definition, ...

As do I...

... but both are certainly in wide current use.

...though not in AV.  That said, the "egg on face" effect of CodeRed 
(all the AV vendors had to explain about a million times a day for 
several weeks "Yes, CodeRed is a worm we cannot do anything about") was 
such that some have been ever so slightly trying to work themselves 
away from the "worm is anything that spreads across a network 
connection" type position...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
