
| Subject: | Re: MacOSX worm |
|---|---|
| Date: | Sat, 30 Oct 2004 11:53:11 +1300 |
John Hansen to Kevin O'Brien:
If it has no way of self propagating then it cannot be called a worm and is more accurately classified as a virus. Yes it can be spread by file sharing as any other virus can. What makes worms unique is the ability to spread without user intervention.

This is a definition of worm that I am not familiar with. ...

I believe the distinction that Kevin was making is one I also hold, although many consider it a pedantic, rather than semantic, distinction. Very loosely, if a "program" is "self propagating" it contains some code that was clearly designed to "deliberately" move a copy to another target system. Some add the further requirement that it must also plant itself in/on the target in such a way that it will automatically be executed by that system at some point. Recursive self-replication has always been "enough" for a program (or more precisely, a code sequence) to be considered viral, but that can be entirely constrained within the confines of a single host system. Hopefully that was the distinction Kevin had in mind, and even if it is not, it should clarify the distinction a lot of folk make between self-replication and self-propagation.

... I have always used Dr Vesselin Bontchev's definition:

"Programs which are able to replicate themselves (usually across computer networks) as stand-alone programs (or sets of programs) and which do not depend on the existence of a host program are called computer worms. In some aspects, worms can be considered a special case of viruses. For instance, if under the term "host program" in the definition of the computer virus we understand the whole programming environment of a particular computer, then a worm is simply a virus which infects this environment." - Bontchev, 1998

In the last years the term "virus" has loosened up a bit from its first usage (which was what we can call parasitic viruses) and now covers all replicating programs. So, worms are a subset of viruses.

Note two things...

1. Vess has _always_ maintained that worms are a subset of viruses. Speaking less formally than when writing his thesis, he almost invariably starts defining "worm" by saying or writing "A worm is a virus that..." and that is a _VERY_ commonly held view in the antivirus research camp (and one I strongly disagree with). To most AV researchers, worms have always been a subset of viruses.

2. I think your use of "parasitic virus" is incorrect. Some WordBasic and VBA macro viruses are parasitic and some (in fact, nearly all VBA viruses) are not, yet all macro viruses fit the traditional definition of computer virus from the best part of a decade before the first macro viruses were ever written.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854