
Thread: Facebook locks down 45,000 accounts to stop 'worm' spreading

  1. #1
    Virus Guy Guest

    Facebook locks down 45,000 accounts to stop 'worm' spreading

    http://www.telegraph.co.uk/technolog...spreading.html

    Facebook locks down 45,000 accounts to stop 'worm' spreading

    Facebook has acted to stop the spread of a new variety of malicious
    software that has stolen login details from 45,000 mostly British and
    French users.

    1:43PM GMT 06 Jan 2012

    The Ramnit worm has been spreading since April 2010, but was only
    recently adapted to target Facebook details, according to computer
    security experts. It was previously used by cyber criminals to steal
    login credentials for other services, including online banking.

    A “worm” is distinct from a normal computer virus in that it can
    reproduce itself without needing to attach itself to an existing
    program. This ability means worms can spread very rapidly online.

    The new threat to Facebook users was highlighted this week by Seculert,
    an Israeli computer security firm. It said most of the users affected so
    far are British or French.

    “Our research lab identified a completely new 'financial' Ramnit variant
    aimed at stealing Facebook login credentials,” the firm said in a blog
    post.

    “It was fairly straightforward to detect that over 45,000 Facebook login
    credentials have been stolen worldwide, mostly from users in the United
    Kingdom and France.”

    According to Seculert, whoever is behind the new Ramnit variant is using
    the stolen login details to access victims’ Facebook accounts and
    send malicious links to their friends.

    “We suspect that the attackers behind Ramnit are using the stolen
    credentials to log-in to victims' Facebook accounts and to transmit
    malicious links to their friends, thereby magnifying the malware's
    spread even further,” the firm said.

    The personal information stolen from compromised Facebook accounts is
    potentially valuable to cyber criminals and is sometimes traded on
    online black markets.

    Facebook said that it had learned of the new attack on its users last
    week and has already taken action to defend them.

    It said it had studied the 45,000 stolen login details and concluded
    that most of it was out of date. However all affected users will be
    forced to reset their password to improve security.

    “Last week we received from external security researchers a set of user
    credentials that had been harvested by a piece of malware,” a spokesman
    said.

    “Our security experts have reviewed the data, and while the majority of
    the information was out-of-date, we have initiated remedial steps for
    all affected users to ensure the security of their accounts.

    “Thus far, we have not seen the virus propagating on Facebook itself,
    but have begun working with our external partners to add protections to
    our anti-virus systems to help users secure their devices.”

    It said users should never click on strange links and should report any
    suspicious activity.

  2. #2
    FromTheRafters Guest

    Re: Facebook locks down 45,000 accounts to stop 'worm' spreading

    Virus Guy wrote:
    > http://www.telegraph.co.uk/technolog...spreading.html
    >
    > Facebook locks down 45,000 accounts to stop 'worm' spreading
    >
    > Facebook has acted to stop the spread of a new variety of malicious
    > software that has stolen login details from 45,000 mostly British and
    > French users.
    >
    > 1:43PM GMT 06 Jan 2012
    >
    > The Ramnit worm has been spreading since April 2010, but was only
    > recently adapted to target Facebook details, according to computer
    > security experts. It was previously used by cyber criminals to steal
    > login credentials for other services, including online banking.
    >
    > A “worm” is distinct from a normal computer virus in that it can
    > reproduce itself without needing to attach itself to an existing
    > program. This ability means worms can spread very rapidly online.


    Nice that they mentioned this, but it is a distinction you'll likely
    like even less than the virus/malware dichotomy. To me, it is a somewhat
    less important distinction and remains 'fuzzy'.

    [...]


  3. #3
    Dustin Guest

    Re: Facebook locks down 45,000 accounts to stop 'worm' spreading

    FromTheRafters <erratic@nomail.afraid.org> wrote in
    news:je9p7o$ocj$1@dont-email.me:

    > Virus Guy wrote:
    >> http://www.telegraph.co.uk/technolog...Facebook-locks
    >> -down-45000-accounts-to-stop-worm-spreading.html
    >>
    >> Facebook locks down 45,000 accounts to stop 'worm' spreading
    >>
    >> Facebook has acted to stop the spread of a new variety of malicious
    >> software that has stolen login details from 45,000 mostly British
    >> and French users.
    >>
    >> 1:43PM GMT 06 Jan 2012
    >>
    >> The Ramnit worm has been spreading since April 2010, but was only
    >> recently adapted to target Facebook details, according to computer
    >> security experts. It was previously used by cyber criminals to steal
    >> login credentials for other services, including online banking.
    >>
    >> A “worm” is distinct from a normal computer virus in that it can
    >> reproduce itself without needing to attach itself to an existing
    >> program. This ability means worms can spread very rapidly online.

    >
    > Nice that they mentioned this, but it is a distinction you'll likely
    > like even less than the virus/malware dichotomy. To me, it is a
    > somewhat less important distinction and remains 'fuzzy'.


    Not to me. Here's why...

    We'll just deal with file infectors for the sake of making this less
    complicated. A virus requires a host. It will seek out an exe that
    doesn't already have its presence and install it (infecting said exe
    file). This file has been modified to carry virus code. Executing it
    later will cause the virus code and maybe the original host to still run
    and further spread the virus. Simply deleting an infected executable
    will not remove the virus, as many other executables are likely
    containing it now. They have to be identified and disinfected (if
    possible) if you wish to make use of them again. You may or may not be
    able to restore them to the original byte(s) depending on the virus
    which infected them and the manner in which it used. A trojan OTH can
    be removed by deleting its exe once you locate it.

    A worm OTH is really its own program, all self contained, that
    replicates by copying a complete copy of itself. For example, it
    requires no host; it can readily create an exe called worm2.exe and drop
    its image right into it. When worm2.exe is later run by an unsuspecting
    user on another computer, it drops worm3.exe; they're both identical for
    this discussion (polymorphic worms do exist tho)... and worm3 goes and
    does the same thing.

    A worm can be removed in a similar fashion as a trojan once you
    identify them all; you just delete them. There is no host to restore as
    they didn't infect anything.

    These are important distinctions if it's your intention to properly
    identify the problem and repair the system with minimal (preferably
    none) data loss in the process.


    --
    Character is doing the right thing when nobody's looking. There are too
    many people who think that the only thing that's right is to get by, and
    the only thing that's wrong is to get caught. - J.C. Watts

  4. #4
    Dustin Guest

    Re: Facebook locks down 45,000 accounts to stop 'worm' spreading

    Dustin <bughunter.dustin@gmail.com> wrote in
    news:Xns9FD38B634499DHHI2948AJD832@no:

    > FromTheRafters <erratic@nomail.afraid.org> wrote in
    > news:je9p7o$ocj$1@dont-email.me:
    >
    >> Virus Guy wrote:
    >>> http://www.telegraph.co.uk/technolog.../Facebook-lock
    >>> s -down-45000-accounts-to-stop-worm-spreading.html
    >>>
    >>> Facebook locks down 45,000 accounts to stop 'worm' spreading
    >>>
    >>> Facebook has acted to stop the spread of a new variety of malicious
    >>> software that has stolen login details from 45,000 mostly British
    >>> and French users.
    >>>
    >>> 1:43PM GMT 06 Jan 2012
    >>>
    >>> The Ramnit worm has been spreading since April 2010, but was only
    >>> recently adapted to target Facebook details, according to computer
    >>> security experts. It was previously used by cyber criminals to
    >>> steal login credentials for other services, including online
    >>> banking.
    >>>
    >>> A “worm” is distinct from a normal computer virus in that it can
    >>> reproduce itself without needing to attach itself to an existing
    >>> program. This ability means worms can spread very rapidly online.

    >>
    >> Nice that they mentioned this, but it is a distinction you'll likely
    >> like even less than the virus/malware dichotomy. To me, it is a
    >> somewhat less important distinction and remains 'fuzzy'.

    >
    > Not to me. Here's why...
    >
    > We'll just deal with file infectors for the sake of making this less
    > complicated. A virus requires a host. It will seek out an exe that
    > doesn't already have its presence and install it (infecting said
    > exe file). This file has been modified to carry virus code. Executing
    > it later will cause the virus code and maybe the original host to
    > still run and further spread the virus. Simply deleting an infected
    > executable will not remove the virus, as many other executables are
    > likely containing it now. They have to be identified and disinfected
    > (if possible) if you wish to make use of them again. You may or may
    > not be able to restore them to the original byte(s) depending on the
    > virus which infected them and the manner in which it used. A trojan
    > OTH can be removed by deleting its exe once you locate it.
    >
    > A worm OTH is really its own program, all self contained, that
    > replicates by copying a complete copy of itself. For example, it
    > requires no host; it can readily create an exe called worm2.exe and
    > drop its image right into it. When worm2.exe is later run by an
    > unsuspecting user on another computer, it drops worm3.exe; they're
    > both identical for this discussion (polymorphic worms do exist
    > tho)... and worm3 goes and does the same thing.
    >
    > A worm can be removed in a similar fashion as a trojan once you
    > identify them all; you just delete them. There is no host to restore
    > as they didn't infect anything.
    >
    > These are important distinctions if it's your intention to properly
    > identify the problem and repair the system with minimal (preferably
    > none) data loss in the process.
    >
    >


    Minor followup:

    There are worm/virus combos. They drop an exe of themselves in a worm
    fashion. This is a new exe, so you can just delete it like you would a
    trojan. You will have to identify the viral code in other pre-existing
    executables and disinfect if possible to remove the virus portion.
    Failure to complete both steps will likely result in a reinfection of
    virus and worm.

    For simple examples, see the Toadie and Irok viruses. They're old, all
    well known, and do exactly as I've described and are removed in the
    processes I've already outlined above. These are textbook real world
    examples which correctly fit the well established definitions above.




    --
    Character is doing the right thing when nobody's looking. There are too
    many people who think that the only thing that's right is to get by, and
    the only thing that's wrong is to get caught. - J.C. Watts

  5. #5
    FromTheRafters Guest

    Re: Facebook locks down 45,000 accounts to stop 'worm' spreading

    Dustin wrote:
    > FromTheRafters<erratic@nomail.afraid.org> wrote in
    > news:je9p7o$ocj$1@dont-email.me:
    >
    >> Virus Guy wrote:
    >>> http://www.telegraph.co.uk/technolog...Facebook-locks
    >>> -down-45000-accounts-to-stop-worm-spreading.html
    >>>
    >>> Facebook locks down 45,000 accounts to stop 'worm' spreading
    >>>
    >>> Facebook has acted to stop the spread of a new variety of malicious
    >>> software that has stolen login details from 45,000 mostly British
    >>> and French users.
    >>>
    >>> 1:43PM GMT 06 Jan 2012
    >>>
    >>> The Ramnit worm has been spreading since April 2010, but was only
    >>> recently adapted to target Facebook details, according to computer
    >>> security experts. It was previously used by cyber criminals to steal
    >>> login credentials for other services, including online banking.
    >>>
    >>> A “worm” is distinct from a normal computer virus in that it can
    >>> reproduce itself without needing to attach itself to an existing
    >>> program. This ability means worms can spread very rapidly online.

    >>
    >> Nice that they mentioned this, but it is a distinction you'll likely
    >> like even less than the virus/malware dichotomy. To me, it is a
    >> somewhat less important distinction and remains 'fuzzy'.

    >
    > Not to me. Here's why...
    >
    > We'll just deal with file infectors for the sake of making this less
    > complicated. A virus requires a host. It will seek out an exe that
    > doesn't already have its presence and install it (infecting said exe
    > file). This file has been modified to carry virus code. Executing it
    > later will cause the virus code and maybe the original host to still run
    > and further spread the virus. Simply deleting an infected executable
    > will not remove the virus, as many other executables are likely
    > containing it now. They have to be identified and disinfected (if
    > possible) if you wish to make use of them again. You may or may not be
    > able to restore them to the original byte(s) depending on the virus
    > which infected them and the manner in which it used. A trojan OTH can
    > be removed by deleting its exe once you locate it.


    Understood, and I agree.

    > A worm OTH is really its own program, all self contained, that
    > replicates by copying a complete copy of itself. For example, it
    > requires no host;


    "Requires" no host in order to spread, agreed. Of course that doesn't
    mean it can't virally infect a program file or files for purposes other
    than the spreading. It can, for instance, infect as a method aimed at
    persistence.

    Such a program doesn't *need* to use a host executable to *spread* and
    so is a worm by the definition provided in that article (and that idea
    is echoed in many other places).

    In that scenario, you still need to look for virally infected programs
    even though you are dealing with what is called a worm (blended threat
    actually).

    > it can readily create an exe called worm2.exe and drop
    > its image right into it. When worm2.exe is later run by an unsuspecting
    > user on another computer, it drops worm3.exe; they're both identical for
    > this discussion (polymorphic worms do exist tho)... and worm3 goes and
    > does the same thing.


    Understood.

    > A worm can be removed in a similar fashion as a trojan once you
    > identify them all; you just delete them. There is no host to restore as
    > they didn't infect anything.


    I disagree. According to all of the definitions I have found worms are
    not precluded from also being viruses. It is often stated as 'a worm
    does not *need* to infect in order to propagate'. I have not seen a
    definition that states that a worm *must not* infect a program with a
    copy of itself. It is still a worm even if it is also a virus.

    I also understand that the "worms" we are talking about are not the true
    worms of the computer science realm but are the modern wormlike programs
    often requiring the user clicking on something he or she shouldn't have.

    > These are important distinctions if it's your intention to properly
    > identify the problem and repair the system with minimal (preferably
    > none) data loss in the process.


    Absolutely! My point was that there are other distinctions besides the
    dichotomy between the non-replicating "trojan" and the replicating
    "virus" and "worm". VG may eventually understand why it is important to
    distinguish the differing types of malware, especially as you pointed
    out where removal of the malware or the avoidance of the malware is the
    issue. Different measures need to be taken for different malware types.


  6. #6
    FromTheRafters Guest

    Re: Facebook locks down 45,000 accounts to stop 'worm' spreading

    Dustin wrote:
    > Dustin<bughunter.dustin@gmail.com> wrote in
    > news:Xns9FD38B634499DHHI2948AJD832@no:
    >
    >> FromTheRafters<erratic@nomail.afraid.org> wrote in
    >> news:je9p7o$ocj$1@dont-email.me:
    >>
    >>> Virus Guy wrote:
    >>>> http://www.telegraph.co.uk/technolog.../Facebook-lock
    >>>> s -down-45000-accounts-to-stop-worm-spreading.html
    >>>>
    >>>> Facebook locks down 45,000 accounts to stop 'worm' spreading
    >>>>
    >>>> Facebook has acted to stop the spread of a new variety of malicious
    >>>> software that has stolen login details from 45,000 mostly British
    >>>> and French users.
    >>>>
    >>>> 1:43PM GMT 06 Jan 2012
    >>>>
    >>>> The Ramnit worm has been spreading since April 2010, but was only
    >>>> recently adapted to target Facebook details, according to computer
    >>>> security experts. It was previously used by cyber criminals to
    >>>> steal login credentials for other services, including online
    >>>> banking.
    >>>>
    >>>> A “worm” is distinct from a normal computer virus in that it can
    >>>> reproduce itself without needing to attach itself to an existing
    >>>> program. This ability means worms can spread very rapidly online.
    >>>
    >>> Nice that they mentioned this, but it is a distinction you'll likely
    >>> like even less than the virus/malware dichotomy. To me, it is a
    >>> somewhat less important distinction and remains 'fuzzy'.

    >>
    >> Not to me. Here's why...
    >>
    >> We'll just deal with file infectors for the sake of making this less
    >> complicated. A virus requires a host. It will seek out an exe that
    >> doesn't already have its presence and install it (infecting said
    >> exe file). This file has been modified to carry virus code. Executing
    >> it later will cause the virus code and maybe the original host to
    >> still run and further spread the virus. Simply deleting an infected
    >> executable will not remove the virus, as many other executables are
    >> likely containing it now. They have to be identified and disinfected
    >> (if possible) if you wish to make use of them again. You may or may
    >> not be able to restore them to the original byte(s) depending on the
    >> virus which infected them and the manner in which it used. A trojan
    >> OTH can be removed by deleting its exe once you locate it.
    >>
    >> A worm OTH is really its own program, all self contained, that
    >> replicates by copying a complete copy of itself. For example, it
    >> requires no host; it can readily create an exe called worm2.exe and
    >> drop its image right into it. When worm2.exe is later run by an
    >> unsuspecting user on another computer, it drops worm3.exe; they're
    >> both identical for this discussion (polymorphic worms do exist
    >> tho)... and worm3 goes and does the same thing.
    >>
    >> A worm can be removed in a similar fashion as a trojan once you
    >> identify them all; you just delete them. There is no host to restore
    >> as they didn't infect anything.
    >>
    >> These are important distinctions if it's your intention to properly
    >> identify the problem and repair the system with minimal (preferably
    >> none) data loss in the process.
    >>
    >>

    >
    > Minor followup:
    >
    > There are worm/virus combos. They drop an exe of themselves in a worm
    > fashion. This is a new exe, so you can just delete it like you would a
    > trojan. You will have to identify the viral code in other pre-existing
    > executables and disinfect if possible to remove the virus portion.
    > Failure to complete both steps will likely result in a reinfection of
    > virus and worm.
    >
    > For simple examples, see the Toadie and Irok viruses. They're old, all
    > well known, and do exactly as I've described and are removed in the
    > processes I've already outlined above. These are textbook real world
    > examples which correctly fit the well established definitions above.


    I responded before reading your followup post, this aspect is what I was
    getting at. It will still be called a worm despite the fact that it also
    is a virus because it doesn't *need* to infect pre-existing programs in
    order to survive and replicate.

    That is why it seems a little fuzzy to me.


  7. #7
    Dustin Guest

    Re: Facebook locks down 45,000 accounts to stop 'worm' spreading

    FromTheRafters <erratic@nomail.afraid.org> wrote in
    news:jeaqah$qeq$1@dont-email.me:

    > Dustin wrote:
    >> Dustin<bughunter.dustin@gmail.com> wrote in
    >> news:Xns9FD38B634499DHHI2948AJD832@no:
    >>
    >>> FromTheRafters<erratic@nomail.afraid.org> wrote in
    >>> news:je9p7o$ocj$1@dont-email.me:
    >>>
    >>>> Virus Guy wrote:
    >>>>> http://www.telegraph.co.uk/technolog...18/Facebook-lo
    >>>>> ck s -down-45000-accounts-to-stop-worm-spreading.html
    >>>>>
    >>>>> Facebook locks down 45,000 accounts to stop 'worm' spreading
    >>>>>
    >>>>> Facebook has acted to stop the spread of a new variety of
    >>>>> malicious software that has stolen login details from 45,000
    >>>>> mostly British and French users.
    >>>>>
    >>>>> 1:43PM GMT 06 Jan 2012
    >>>>>
    >>>>> The Ramnit worm has been spreading since April 2010, but was only
    >>>>> recently adapted to target Facebook details, according to
    >>>>> computer security experts. It was previously used by cyber
    >>>>> criminals to steal login credentials for other services,
    >>>>> including online banking.
    >>>>>
    >>>>> A “worm” is distinct from a normal computer virus in that it can
    >>>>> reproduce itself without needing to attach itself to an existing
    >>>>> program. This ability means worms can spread very rapidly online.
    >>>>
    >>>> Nice that they mentioned this, but it is a distinction you'll
    >>>> likely like even less than the virus/malware dichotomy. To me, it
    >>>> is a somewhat less important distinction and remains 'fuzzy'.
    >>>
    >>> Not to me. Here's why...
    >>>
    >>> We'll just deal with file infectors for the sake of making this
    >>> less complicated. A virus requires a host. It will seek out an exe
    >>> that doesn't already have its presence and install it (infecting
    >>> said exe file). This file has been modified to carry virus code.
    >>> Executing it later will cause the virus code and maybe the original
    >>> host to still run and further spread the virus. Simply deleting an
    >>> infected executable will not remove the virus, as many other
    >>> executables are likely containing it now. They have to be
    >>> identified and disinfected (if possible) if you wish to make use of
    >>> them again. You may or may not be able to restore them to the
    >>> original byte(s) depending on the virus which infected them and the
    >>> manner in which it used. A trojan OTH can be removed by deleting
    >>> its exe once you locate it.
    >>>
    >>> A worm OTH is really its own program, all self contained, that
    >>> replicates by copying a complete copy of itself. For example, it
    >>> requires no host; it can readily create an exe called worm2.exe and
    >>> drop its image right into it. When worm2.exe is later run by an
    >>> unsuspecting user on another computer, it drops worm3.exe; they're
    >>> both identical for this discussion (polymorphic worms do exist
    >>> tho)... and worm3 goes and does the same thing.
    >>>
    >>> A worm can be removed in a similar fashion as a trojan once you
    >>> identify them all; you just delete them. There is no host to
    >>> restore as they didn't infect anything.
    >>>
    >>> These are important distinctions if it's your intention to properly
    >>> identify the problem and repair the system with minimal
    >>> (preferably none) data loss in the process.
    >>>
    >>>

    >>
    >> Minor followup:
    >>
    >> There are worm/virus combos. They drop an exe of themselves in a
    >> worm fashion. This is a new exe, so you can just delete it like you
    >> would a trojan. You will have to identify the viral code in other
    >> pre-existing executables and disinfect if possible to remove the
    >> virus portion. Failure to complete both steps will likely result in
    >> a reinfection of virus and worm.
    >>
    >> For simple examples, see the Toadie and Irok viruses. They're old, all
    >> well known, and do exactly as I've described and are removed in the
    >> processes I've already outlined above. These are textbook real world
    >> examples which correctly fit the well established definitions above.

    >
    > I responded before reading your followup post, this aspect is what I
    > was getting at. It will still be called a worm despite the fact that
    > it also is a virus because it doesn't *need* to infect pre-existing
    > programs in order to survive and replicate.


    That's because these samples specifically perform two separate functions
    in an effort to survive. They seek out other executables and infect
    them (1-virus). They also drop an image of themselves which is, as I
    said, a completely new executable that wasn't previously on your
    machine (2-worm).

    The new worm executable can be deleted and it's done for, providing you
    seek out the viral code and deal with it too. The virus module has
    already replicated the entire program to your legit .exe files. You must
    now deal with that aspect or the worm can come right back, as can the
    virus re-infect previously cleaned files. Again tho, it's two separate
    processes or subroutines (hell, think of them as two programs in one exe
    if you'd like) both intent on survival, working together to accomplish
    it, attacking the host OS from multiple points. Get the exes, drop a
    fresh exe to spread my complete self to other computers via social
    engineering and their email/irc clients (in these cases).

    You could disable its ability to seek out and infect exes and it would
    simply become a worm. You can likewise disable its worm functions and
    it becomes a virus only.

    What's going on tho is really two separate and distinct methods of
    retaining your presence. It's just being combined into the same
    executable.

    > That is why it seems a little fuzzy to me.


    You have to think of it as multiple technologies being applied in a
    combined effort to survive as a whole. They are viruses AND worms. They
    have specific routines for the specific replications. One relies on
    actually infecting previously existing files, one creates a new file and
    drops the image complete with working exe header to begin anew.



    --
    Character is doing the right thing when nobody's looking. There are too
    many people who think that the only thing that's right is to get by, and
    the only thing that's wrong is to get caught. - J.C. Watts
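
    As an added example (not from the thread or any of its participants), here is a toy Python triage of the two-step cleanup Dustin describes for a worm/virus combo: delete the dropped worm copy, and separately disinfect the pre-existing executables the virus half infected, restoring the original entry bytes only where the infector left them recoverable. WORM_IMAGE, the tag bytes, the sample file names and the appending-infector layout are all constructed placeholders for this example, not any real malware or real file format.

```python
"""Toy triage for a blended worm/virus, modelled on the thread's cleanup steps.

Assumed toy layout (constructed for this example, not any real infector):
a dropped worm copy is a whole new file whose bytes equal WORM_IMAGE; an
infected host is a pre-existing program whose 8-byte entry stub was replaced
by JUMP_STUB and which carries VIRAL_TAG + WORM_IMAGE appended, optionally
followed by STASH_TAG + the original stub so a cleaner can restore it.
"""
import hashlib

WORM_IMAGE = b"MZ\x90\x00[constructed worm image]"   # placeholder, not real code
KNOWN_WORM_HASHES = {hashlib.sha256(WORM_IMAGE).hexdigest()}

JUMP_STUB = b"<JMP>   "   # 8 bytes, stands in for an overwritten entry stub
VIRAL_TAG = b"<VIRUS>"
STASH_TAG = b"<ORIG>"
ENTRY_OFF = 4             # entry stub follows a 4-byte toy header
STUB_LEN = 8


def classify(data: bytes) -> str:
    """'worm-copy': the whole file is the worm (a new file, so just delete it).
    'infected-host': a pre-existing program carrying viral code (disinfect it).
    'clean': neither."""
    if hashlib.sha256(data).hexdigest() in KNOWN_WORM_HASHES:
        return "worm-copy"
    if VIRAL_TAG + WORM_IMAGE in data:
        return "infected-host"
    return "clean"


def disinfect(data: bytes) -> tuple[bytes, bool]:
    """Strip the appended viral code. Returns (cleaned, restored). restored is
    False when the original entry stub was not stashed: the file no longer
    spreads anything, but it must be replaced from a known-good copy rather
    than trusted, which is the 'may or may not be able to restore' case."""
    idx = data.find(VIRAL_TAG + WORM_IMAGE)
    if idx < 0:
        return data, True
    host = data[:idx]
    tail = data[idx + len(VIRAL_TAG) + len(WORM_IMAGE):]
    if tail.startswith(STASH_TAG) and len(tail) == len(STASH_TAG) + STUB_LEN:
        orig_stub = tail[len(STASH_TAG):]
        return host[:ENTRY_OFF] + orig_stub + host[ENTRY_OFF + STUB_LEN:], True
    return host, False


def remediate(files: dict[str, bytes]) -> tuple[dict[str, bytes], dict[str, str]]:
    """Both steps from the thread: delete dropped worm copies AND disinfect
    infected hosts. Returns (surviving files, action taken per file)."""
    survivors, actions = {}, {}
    for name, data in files.items():
        kind = classify(data)
        if kind == "worm-copy":
            actions[name] = "delete"
        elif kind == "infected-host":
            cleaned, restored = disinfect(data)
            actions[name] = "disinfect" if restored else "disinfect-then-replace"
            survivors[name] = cleaned
        else:
            actions[name] = "keep"
            survivors[name] = data
    return survivors, actions


def delete_worm_copies_only(files: dict[str, bytes]) -> dict[str, bytes]:
    """The incomplete cleanup: only the dropped exe is removed."""
    return {n: d for n, d in files.items() if classify(d) != "worm-copy"}


def residual_threats(files: dict[str, bytes]) -> list[str]:
    """Files that would re-seed the infection if left behind."""
    return sorted(n for n, d in files.items() if classify(d) != "clean")


# Constructed sample "disk": one dropped copy, two infected hosts, one bystander.
CLEAN_HOST = b"MZ\x90\x00ENTRY-00[constructed host body]"
ORIG_STUB = CLEAN_HOST[ENTRY_OFF:ENTRY_OFF + STUB_LEN]
_HIJACKED = CLEAN_HOST[:ENTRY_OFF] + JUMP_STUB + CLEAN_HOST[ENTRY_OFF + STUB_LEN:]
INFECTED_RESTORABLE = _HIJACKED + VIRAL_TAG + WORM_IMAGE + STASH_TAG + ORIG_STUB
INFECTED_LOSSY = _HIJACKED + VIRAL_TAG + WORM_IMAGE
SAMPLE_DISK = {
    "worm2.exe": WORM_IMAGE,
    "editor.exe": INFECTED_RESTORABLE,
    "viewer.exe": INFECTED_LOSSY,
    "readme.txt": b"just text",
}

if __name__ == "__main__":
    survivors, actions = remediate(SAMPLE_DISK)
    for name, action in actions.items():
        print(f"{name:12} {action}")
    print("left behind after full cleanup:", residual_threats(survivors))
    print("left behind after worm-only cleanup:",
          residual_threats(delete_worm_copies_only(SAMPLE_DISK)))
```

    Deleting worm2.exe alone leaves both infected hosts on the sample disk, which is the reinfection path the thread warns about.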

  8. #8
    FromTheRafters Guest

    Re: Facebook locks down 45,000 accounts to stop 'worm' spreading

    Dustin wrote:
    > FromTheRafters<erratic@nomail.afraid.org> wrote in
    > news:jeaqah$qeq$1@dont-email.me:
    >
    >> Dustin wrote:
    >>> Dustin<bughunter.dustin@gmail.com> wrote in
    >>> news:Xns9FD38B634499DHHI2948AJD832@no:
    >>>
    >>>> FromTheRafters<erratic@nomail.afraid.org> wrote in
    >>>> news:je9p7o$ocj$1@dont-email.me:
    >>>>
    >>>>> Virus Guy wrote:
    >>>>>> http://www.telegraph.co.uk/technolog...18/Facebook-lo
    >>>>>> ck s -down-45000-accounts-to-stop-worm-spreading.html
    >>>>>>
    >>>>>> Facebook locks down 45,000 accounts to stop 'worm' spreading
    >>>>>>
    >>>>>> Facebook has acted to stop the spread of a new variety of
    >>>>>> malicious software that has stolen login details from 45,000
    >>>>>> mostly British and French users.
    >>>>>>
    >>>>>> 1:43PM GMT 06 Jan 2012
    >>>>>>
    >>>>>> The Ramnit worm has been spreading since April 2010, but was only
    >>>>>> recently adapted to target Facebook details, according to
    >>>>>> computer security experts. It was previously used by cyber
    >>>>>> criminals to steal login credentials for other services,
    >>>>>> including online banking.
    >>>>>>
    >>>>>> A “worm” is distinct from a normal computer virus in that it can
    >>>>>> reproduce itself without needing to attach itself to an existing
    >>>>>> program. This ability means worms can spread very rapidly online.
    >>>>>
    >>>>> Nice that they mentioned this, but it is a distinction you'll
    >>>>> likely like even less than the virus/malware dichotomy. To me, it
    >>>>> is a somewhat less important distinction and remains 'fuzzy'.
    >>>>
    >>>> Not to me. Here's why...
    >>>>
    >>>> We'll just deal with file infectors for the sake of making this
    >>>> less complicated. A virus requires a host. It will seek out an exe
    >>>> that doesn't already have its presence and install it (infecting
    >>>> said exe file). This file has been modified to carry virus code.
    >>>> Executing it later will cause the virus code and maybe the original
    >>>> host to still run and further spread the virus. Simply deleting an
    >>>> infected executable will not remove the virus, as many other
    >>>> executables are likely containing it now. They have to be
    >>>> identified and disinfected (if possible) if you wish to make use of
    >>>> them again. You may or may not be able to restore them to the
    >>>> original byte(s) depending on the virus which infected them and the
    >>>> manner in which it used. A trojan OTH can be removed by deleting
    >>>> its exe once you locate it.
    >>>>
    >>>> A worm OTH is really its own program, all self contained, that
    >>>> replicates by copying a complete copy of itself. For example, it
    >>>> requires no host; it can readily create an exe called worm2.exe and
    >>>> drop its image right into it. When worm2.exe is later run by an
    >>>> unsuspecting user on another computer, it drops worm3.exe; they're
    >>>> both identical for this discussion (polymorphic worms do exist
    >>>> tho)... and worm3 goes and does the same thing.
    >>>>
    >>>> A worm can be removed in a similar fashion as a trojan once you
    >>>> identify them all; you just delete them. There is no host to
    >>>> restore as they didn't infect anything.
    >>>>
    >>>> These are important distinctions if it's your intention to properly
    >>>> identify the problem and repair the system with minimal
    >>>> (preferably none) data loss in the process.
    >>>>
    >>>>
    >>>
    >>> Minor followup:
    >>>
    >>> There are worm/virus combos. They drop an exe of themselves in a
    >>> worm fashion. This is a new exe, so you can just delete it like you
    >>> would a trojan. You will have to identify the viral code in other
    >>> pre-existing executables and disinfect if possible to remove the
    >>> virus portion. Failure to complete both steps will likely result in
    >>> a reinfection of virus and worm.
    >>>
    >>> For simple examples, See Toadie and Irok viruses. They're old, all
    >>> well known, and do exactly as I've described and are removed in the
    >>> processes I've already outlined above. These are textbook real world
    >>> examples which correctly fit the well established definitions above.

    >>
    >> I responded before reading your followup post, this aspect is what I
    >> was getting at. It will still be called a worm despite the fact that
    >> it also is a virus because it doesn't *need* to infect pre-existing
    >> programs in order to survive and replicate.

    >
    > That's because these samples specifically perform two separate functions
    > in an effort to survive. They seek out other executables and infect
    > them. (1-virus) They also drop an image of themselves which is as I
    > said, a completely new executable that wasn't previously on your
    > machine. (2-worm).
    >
    > The new worm executable can be deleted and it's done for; providing you
    > seek out the viral code and deal with it too. The virus module has
    > already replicated the entire program to your legit .exe files. You must
    > now deal with that aspect or the worm can come right back. As can the
    > virus re-infect previously cleaned files. Again tho, it's two separate
    > processes or subroutines (hell, think of them as two programs in one exe
    > if you'd like) both intent on survival; working together to accomplish
    > it. Attacking the host OS from multiple points. Get the exes, drop a
    > fresh exe to spread my complete self to other computers via social
    > engineering and their email/irc clients (in these cases).
    >
    > You could disable its ability to seek out and infect exes and it would
    > simply become a worm. You can likewise disable its worm functions and
    > it becomes a virus only.
    >
    > What's going on tho is really two separate and distinct methods of
    > retaining your presence. It's just being combined into the same
    > executable.
    >
    >> That is why it seems a little fuzzy to me.

    >
    > You have to think of it as multiple technologies being applied in a
    > combined effort to survive as a whole. They are viruses AND worms. They
    > have specific routines for the specific replications. One relies on
    > actually infecting previously existing files, one creates a new file and
    > drops the image complete with working exe header to begin anew.
    >

    Agreed, and in that case the ideas of worm and virus are kept separate,
    I like that. I used to think of it as a virus with a worm as a payload
    *and* a worm with a virus as a payload. Each sort of carries the other
    along, each in its own spreading vector.

    If that were the idea, it would be best to say that worms don't infect
    other programs with copies of themselves instead of worms don't *need*
    to do so. Because that word *need* is in there, it makes it look like
    the worms are a subset of the replicating malware set which includes the
    viruses - specifically they are ones that have an *additional* or
    alternate method for spreading.

    I'm not disagreeing with your viewpoint, I am only trying to explain why
    the current definitions all seem to make a fuzzy picture - one could
    just as easily say that a virus is a kind of worm that doesn't *need* to
    create a file - and one could be just as wrong in so doing. Viruses *do*
    infect programs with copies of themselves, and worms *don't* - it's much
    simpler that way.
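The cleanup rule the two posters converge on above (a dropped worm copy is simply deleted; every pre-existing program a file infector touched has to be found and disinfected; for a virus/worm combo both steps are needed or the thing comes back) can be shown with a small toy model. The following Python is an added example, not code from this thread, from Toadie or Irok, or from any real sample. Everything in it is a hypothetical stand-in: the "viral code" is an arbitrary marker string, the infector is assumed to append itself to a host and record the host's original length (so disinfection can truncate back to the original bytes), the worm drops one byte-for-byte copy of a fixed standalone image, and the "disk" is a dict of filename to bytes.

```python
"""Toy model: dropped worm copy vs. infected host, and why cleanup needs both steps.

Constructed example. All names, the marker bytes and the file layout are
hypothetical assumptions, not details of any real malware.
"""
import hashlib
from typing import Dict, Optional

VIRAL_CODE = b"TOY-VIRAL-CODE\x90\x90"                # hypothetical marker (16 bytes)
LEN_FIELD = 4                                         # original host length, stored last
WORM_IMAGE = b"MZ\x90toy-worm-program:" + VIRAL_CODE  # the complete standalone copy
WORM_HASH = hashlib.sha256(WORM_IMAGE).hexdigest()


def is_infected(data: bytes) -> bool:
    """True if a pre-existing file carries the appended viral code."""
    n = len(VIRAL_CODE) + LEN_FIELD
    return len(data) >= n and data[-n:-LEN_FIELD] == VIRAL_CODE


def infect_host(host: bytes) -> bytes:
    """Virus part: modify a pre-existing program; skip hosts already carrying it."""
    if is_infected(host):
        return host
    return host + VIRAL_CODE + len(host).to_bytes(LEN_FIELD, "little")


def classify(data: bytes) -> str:
    """Dropped copy vs. infected host vs. clean. Exact-hash matching works only
    because this dropper copies itself byte-for-byte; a polymorphic worm defeats it."""
    if hashlib.sha256(data).hexdigest() == WORM_HASH:
        return "dropped-copy"
    if is_infected(data):
        return "infected-host"
    return "clean"


def disinfect(data: bytes) -> Optional[bytes]:
    """Restore an infected host, or None when the original bytes are not
    recoverable (here: the appended length record does not fit the file)."""
    if not is_infected(data):
        return data
    orig_len = int.from_bytes(data[-LEN_FIELD:], "little")
    if orig_len != len(data) - len(VIRAL_CODE) - LEN_FIELD:
        return None
    return data[:orig_len]


def execute(name: str, fs: Dict[str, bytes]) -> None:
    """Simulate running one file. If it carries the malware in either form it
    drops a fresh standalone copy (worm part) and infects one clean program (virus part)."""
    if classify(fs[name]) == "clean":
        return
    fs[f"worm{len(fs)}.exe"] = WORM_IMAGE
    for other, blob in list(fs.items()):
        if other != name and classify(blob) == "clean":
            fs[other] = infect_host(blob)
            break


def clean_up(fs: Dict[str, bytes], handle_hosts: bool) -> Dict[str, list]:
    """Delete every dropped copy; if handle_hosts, also disinfect every infected host.
    Reports what was done, including hosts that could not be restored."""
    report: Dict[str, list] = {"deleted": [], "disinfected": [], "unrecoverable": []}
    for name in list(fs):
        kind = classify(fs[name])
        if kind == "dropped-copy":
            del fs[name]
            report["deleted"].append(name)
        elif kind == "infected-host" and handle_hosts:
            restored = disinfect(fs[name])
            if restored is None:
                report["unrecoverable"].append(name)
            else:
                fs[name] = restored
                report["disinfected"].append(name)
    return report


def scenario(handle_hosts: bool) -> Dict[str, str]:
    """Constructed disk: the victim ran worm1.exe, whose virus part already infected
    notepad.exe. Clean up the requested way, run every surviving file once, report."""
    fs: Dict[str, bytes] = {
        "notepad.exe": b"MZ\x90notepad-original",
        "calc.exe": b"MZ\x90calc-original",
    }
    fs["worm1.exe"] = WORM_IMAGE
    fs["notepad.exe"] = infect_host(fs["notepad.exe"])
    clean_up(fs, handle_hosts)
    for name in list(fs):
        execute(name, fs)
    return {name: classify(blob) for name, blob in fs.items()}


if __name__ == "__main__":
    print("delete dropper and disinfect hosts:", scenario(True))
    print("delete dropper only:               ", scenario(False))
```

Running it shows the point of the exchange: with both steps the disk ends up clean, while deleting only the dropped worm1.exe leaves the infected notepad.exe in place, and the next time it runs it drops worm2.exe and infects calc.exe, which in turn drops worm3.exe. The `disinfect` function also models the "may or may not be able to restore" caveat: when the appended record does not fit the file, it reports the host as unrecoverable rather than guessing at the original bytes.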


  9. #9
    Dustin Guest

    Re: Facebook locks down 45,000 accounts to stop 'worm' spreading

    FromTheRafters <erratic@nomail.afraid.org> wrote in
    news:jeavr2$ifs$1@dont-email.me:

    > Dustin wrote:
    >> FromTheRafters<erratic@nomail.afraid.org> wrote in
    >> news:jeaqah$qeq$1@dont-email.me:
    >>
    >>> Dustin wrote:
    >>>> Dustin<bughunter.dustin@gmail.com> wrote in
    >>>> news:Xns9FD38B634499DHHI2948AJD832@no:
    >>>>
    >>>>> FromTheRafters<erratic@nomail.afraid.org> wrote in
    >>>>> news:je9p7o$ocj$1@dont-email.me:
    >>>>>
    >>>>>> Virus Guy wrote:
    >>>>>>> http://www.telegraph.co.uk/technolog...7618/Facebook-
    >>>>>>> locks-down-45000-accounts-to-stop-worm-spreading.html
    >>>>>>>
    >>>>>>> Facebook locks down 45,000 accounts to stop 'worm' spreading
    >>>>>>>
    >>>>>>> Facebook has acted to stop the spread of a new variety of
    >>>>>>> malicious software that has stolen login details from 45,000
    >>>>>>> mostly British and French users.
    >>>>>>>
    >>>>>>> 1:43PM GMT 06 Jan 2012
    >>>>>>>
    >>>>>>> The Ramnit worm has been spreading since April 2010, but was
    >>>>>>> only recently adapted to target Facebook details, according to
    >>>>>>> computer security experts. It was previously used by cyber
    >>>>>>> criminals to steal login credentials for other services,
    >>>>>>> including online banking.
    >>>>>>>
    >>>>>>> A “worm” is distinct from a normal computer virus in that it
    >>>>>>> can reproduce itself without needing to attach itself to an
    >>>>>>> existing program. This ability means worms can spread very
    >>>>>>> rapidly online.
    >>>>>>
    >>>>>> Nice that they mentioned this, but it is a distinction you'll
    >>>>>> likely like even less than the virus/malware dichotomy. To me,
    >>>>>> it is a somewhat less important distinction and remains 'fuzzy'.
    >>>>>
    >>>>> Not to me. Here's why...
    >>>>>
    >>>>> We'll just deal with file infectors for the sake of making this
    >>>>> less complicated. A virus requires a host. It will seek out an
    >>>>> exe that doesn't already have its presence and install it.
    >>>>> (Infecting said exe file). This file has been modified to carry
    >>>>> virus code. Executing it later will cause the virus code and
    >>>>> maybe the original host to still run and further spread the
    >>>>> virus. Simply deleting an infected executable will not remove the
    >>>>> virus, as many other executables are likely containing it now.
    >>>>> They have to be identified and disinfected (if possible) if you
    >>>>> wish to make use of them again. You may or may not be able to
    >>>>> restore them to the original byte(s) depending on the virus which
    >>>>> infected them and the manner in which it was used. A trojan OTH can
    >>>>> be removed by deleting its exe once you locate it.
    >>>>>
    >>>>> A worm OTH, is really its own program, all self contained, that
    >>>>> replicates by copying a complete copy of itself. For example, it
    >>>>> requires no host; it can readily create an exe called worm2.exe
    >>>>> and drop its image right into it. When worm2.exe is later run by
    >>>>> an unsuspecting user on another computer, it drops worm3.exe;
    >>>>> they're both identical for this discussion (polymorphic worms do
    >>>>> exist tho)... and worm3 goes and does the same thing.
    >>>>>
    >>>>> A worm can be removed in a similar fashion as a trojan once you
    >>>>> identify them all; you just delete them. There is no host to
    >>>>> restore as they didn't infect anything.
    >>>>>
    >>>>> These are important distinctions if it's your intention to
    >>>>> properly identify the problem and repair the system with minimal
    >>>>> (preferably none) data loss in the process.
    >>>>>
    >>>>>
    >>>>
    >>>> Minor followup:
    >>>>
    >>>> There are worm/virus combos. They drop an exe of themselves in a
    >>>> worm fashion. This is a new exe, so you can just delete it like
    >>>> you would a trojan. You will have to identify the viral code in
    >>>> other pre-existing executables and disinfect if possible to remove
    >>>> the virus portion. Failure to complete both steps will likely
    >>>> result in a reinfection of virus and worm.
    >>>>
    >>>> For simple examples, See Toadie and Irok viruses. They're old, all
    >>>> well known, and do exactly as I've described and are removed in
    >>>> the processes I've already outlined above. These are textbook real
    >>>> world examples which correctly fit the well established
    >>>> definitions above.
    >>>
    >>> I responded before reading your followup post, this aspect is what
    >>> I was getting at. It will still be called a worm despite the fact
    >>> that it also is a virus because it doesn't *need* to infect
    >>> pre-existing programs in order to survive and replicate.

    >>
    >> That's because these samples specifically perform two separate
    >> functions in an effort to survive. They seek out other executables
    >> and infect them. (1-virus) They also drop an image of themselves
    >> which is as I said, a completely new executable that wasn't
    >> previously on your machine. (2-worm).
    >>
    >> The new worm executable can be deleted and it's done for; providing
    >> you seek out the viral code and deal with it too. The virus module
    >> has already replicated the entire program to your legit .exe files.
    >> You must now deal with that aspect or the worm can come right back.
    >> As can the virus re-infect previously cleaned files. Again tho, it's
    >> two separate processes or subroutines (hell, think of them as two
    >> programs in one exe if you'd like) both intent on survival; working
    >> together to accomplish it. Attacking the host OS from multiple
    >> points. Get the exes, drop a fresh exe to spread my complete self to
    >> other computers via social engineering and their email/irc clients
    >> (in these cases).
    >>
    >> You could disable its ability to seek out and infect exes and it
    >> would simply become a worm. You can likewise disable its worm
    >> functions and it becomes a virus only.
    >>
    >> What's going on tho is really two separate and distinct methods of
    >> retaining your presence. It's just being combined into the same
    >> executable.
    >>
    >>> That is why it seems a little fuzzy to me.

    >>
    >> You have to think of it as multiple technologies being applied in a
    >> combined effort to survive as a whole. They are viruses AND worms.
    >> They have specific routines for the specific replications. One
    >> relies on actually infecting previously existing files, one creates
    >> a new file and drops the image complete with working exe header to
    >> begin anew.
    >>

    > Agreed, and in that case the ideas of worm and virus are kept
    > separate, I like that. I used to think of it as a virus with a worm
    > as a payload *and* a worm with a virus as a payload. Each sort of
    > carries the other along, each in its own spreading vector.


    The payload has always been what the virus does besides the intentional
    act of replication. Not all viruses have payloads. I.e., a payload could
    be something as simple as a message coming across the screen, or your
    mp3 files being messed with. The payload in a virus sense is like an
    aircraft carrying a payload of bombs to drop.

    OTW, the payload is the diddy.. the package. The virus is a delivery
    system.

    > If that were the idea, it would be best to say that worms don't
    > infect other programs with copies of themselves instead of worms
    > don't *need* to do so. Because that word *need* is in there, it makes
    > it look like the worms are a subset of the replicating malware set
    > which includes the viruses - specifically they are ones that have an
    > *additional* or alternate method for spreading.


    Viruses need a host, worms don't; they literally create themselves a
    functional copy. Both are simply replication systems. One relies on
    pre-existing files, one doesn't.

    > I'm not disagreeing with your viewpoint, I am only trying to explain
    > why the current definitions all seem to make a fuzzy picture - one
    > could just as easily say that a virus is a kind of worm that doesn't
    > *need* to create a file - and one could be just as wrong in so doing.
    > Viruses *do* infect programs with copies of themselves, and worms
    > *don't* - it's much simpler that way.


    Some of the definitions are very muddy and thus cause this confusion. I
    hope I've helped to remove a little of it.


    --
    Character is doing the right thing when nobody's looking. There are too
    many people who think that the only thing that's right is to get by, and
    the only thing that's wrong is to get caught. - J.C. Watts

  10. #10
    FromTheRafters Guest

    Re: Facebook locks down 45,000 accounts to stop 'worm' spreading

    Dustin wrote:
    > FromTheRafters<erratic@nomail.afraid.org> wrote in
    > news:jeavr2$ifs$1@dont-email.me:
    >
    >> Dustin wrote:
    >>> FromTheRafters<erratic@nomail.afraid.org> wrote in
    >>> news:jeaqah$qeq$1@dont-email.me:
    >>>
    >>>> Dustin wrote:
    >>>>> Dustin<bughunter.dustin@gmail.com> wrote in
    >>>>> news:Xns9FD38B634499DHHI2948AJD832@no:
    >>>>>
    >>>>>> FromTheRafters<erratic@nomail.afraid.org> wrote in
    >>>>>> news:je9p7o$ocj$1@dont-email.me:
    >>>>>>
    >>>>>>> Virus Guy wrote:
    >>>>>>>> http://www.telegraph.co.uk/technolog...7618/Facebook-
    >>>>>>>> locks-down-45000-accounts-to-stop-worm-spreading.html
    >>>>>>>>
    >>>>>>>> Facebook locks down 45,000 accounts to stop 'worm' spreading
    >>>>>>>>
    >>>>>>>> Facebook has acted to stop the spread of a new variety of
    >>>>>>>> malicious software that has stolen login details from 45,000
    >>>>>>>> mostly British and French users.
    >>>>>>>>
    >>>>>>>> 1:43PM GMT 06 Jan 2012
    >>>>>>>>
    >>>>>>>> The Ramnit worm has been spreading since April 2010, but was
    >>>>>>>> only recently adapted to target Facebook details, according to
    >>>>>>>> computer security experts. It was previously used by cyber
    >>>>>>>> criminals to steal login credentials for other services,
    >>>>>>>> including online banking.
    >>>>>>>>
    >>>>>>>> A “worm” is distinct from a normal computer virus in that it
    >>>>>>>> can reproduce itself without needing to attach itself to an
    >>>>>>>> existing program. This ability means worms can spread very
    >>>>>>>> rapidly online.
    >>>>>>>
    >>>>>>> Nice that they mentioned this, but it is a distinction you'll
    >>>>>>> likely like even less than the virus/malware dichotomy. To me,
    >>>>>>> it is a somewhat less important distinction and remains 'fuzzy'.
    >>>>>>
    >>>>>> Not to me. Here's why...
    >>>>>>
    >>>>>> We'll just deal with file infectors for the sake of making this
    >>>>>> less complicated. A virus requires a host. It will seek out an
    >>>>>> exe that doesn't already have its presence and install it.
    >>>>>> (Infecting said exe file). This file has been modified to carry
    >>>>>> virus code. Executing it later will cause the virus code and
    >>>>>> maybe the original host to still run and further spread the
    >>>>>> virus. Simply deleting an infected executable will not remove the
    >>>>>> virus, as many other executables are likely containing it now.
    >>>>>> They have to be identified and disinfected (if possible) if you
    >>>>>> wish to make use of them again. You may or may not be able to
    >>>>>> restore them to the original byte(s) depending on the virus which
    >>>>>> infected them and the manner in which it was used. A trojan OTH can
    >>>>>> be removed by deleting its exe once you locate it.
    >>>>>>
    >>>>>> A worm OTH, is really its own program, all self contained, that
    >>>>>> replicates by copying a complete copy of itself. For example, it
    >>>>>> requires no host; it can readily create an exe called worm2.exe
    >>>>>> and drop its image right into it. When worm2.exe is later run by
    >>>>>> an unsuspecting user on another computer, it drops worm3.exe;
    >>>>>> they're both identical for this discussion (polymorphic worms do
    >>>>>> exist tho)... and worm3 goes and does the same thing.
    >>>>>>
    >>>>>> A worm can be removed in a similar fashion as a trojan once you
    >>>>>> identify them all; you just delete them. There is no host to
    >>>>>> restore as they didn't infect anything.
    >>>>>>
    >>>>>> These are important distinctions if it's your intention to
    >>>>>> properly identify the problem and repair the system with minimal
    >>>>>> (preferably none) data loss in the process.
    >>>>>>
    >>>>>>
    >>>>>
    >>>>> Minor followup:
    >>>>>
    >>>>> There are worm/virus combos. They drop an exe of themselves in a
    >>>>> worm fashion. This is a new exe, so you can just delete it like
    >>>>> you would a trojan. You will have to identify the viral code in
    >>>>> other pre-existing executables and disinfect if possible to remove
    >>>>> the virus portion. Failure to complete both steps will likely
    >>>>> result in a reinfection of virus and worm.
    >>>>>
    >>>>> For simple examples, See Toadie and Irok viruses. They're old, all
    >>>>> well known, and do exactly as I've described and are removed in
    >>>>> the processes I've already outlined above. These are textbook real
    >>>>> world examples which correctly fit the well established
    >>>>> definitions above.
    >>>>
    >>>> I responded before reading your followup post, this aspect is what
    >>>> I was getting at. It will still be called a worm despite the fact
    >>>> that it also is a virus because it doesn't *need* to infect
    >>>> pre-existing programs in order to survive and replicate.
    >>>
    >>> That's because these samples specifically perform two separate
    >>> functions in an effort to survive. They seek out other executables
    >>> and infect them. (1-virus) They also drop an image of themselves
    >>> which is as I said, a completely new executable that wasn't
    >>> previously on your machine. (2-worm).
    >>>
    >>> The new worm executable can be deleted and it's done for; providing
    >>> you seek out the viral code and deal with it too. The virus module
    >>> has already replicated the entire program to your legit .exe files.
    >>> You must now deal with that aspect or the worm can come right back.
    >>> As can the virus re-infect previously cleaned files. Again tho, it's
    >>> two separate processes or subroutines (hell, think of them as two
    >>> programs in one exe if you'd like) both intent on survival; working
    >>> together to accomplish it. Attacking the host OS from multiple
    >>> points. Get the exes, drop a fresh exe to spread my complete self to
    >>> other computers via social engineering and their email/irc clients
    >>> (in these cases).
    >>>
    >>> You could disable its ability to seek out and infect exes and it
    >>> would simply become a worm. You can likewise disable its worm
    >>> functions and it becomes a virus only.
    >>>
    >>> What's going on tho is really two separate and distinct methods of
    >>> retaining your presence. It's just being combined into the same
    >>> executable.
    >>>
    >>>> That is why it seems a little fuzzy to me.
    >>>
    >>> You have to think of it as multiple technologies being applied in a
    >>> combined effort to survive as a whole. They are viruses AND worms.
    >>> They have specific routines for the specific replications. One
    >>> relies on actually infecting previously existing files, one creates
    >>> a new file and drops the image complete with working exe header to
    >>> begin anew.
    >>>

    >> Agreed, and in that case the ideas of worm and virus are kept
    >> separate, I like that. I used to think of it as a virus with a worm
    >> as a payload *and* a worm with a virus as a payload. Each sort of
    >> carries the other along, each in its own spreading vector.

    >
    > The payload has always been what the virus does besides the intentional
    > act of replication. Not all viruses have payloads. I.e., a payload could
    > be something as simple as a message coming across the screen, or your
    > mp3 files being messed with. The payload in a virus sense is like an
    > aircraft carrying a payload of bombs to drop.
    >
    > OTW, the payload is the diddy.. the package. The virus is a delivery
    > system.
    >
    >> If that were the idea, it would be best to say that worms don't
    >> infect other programs with copies of themselves instead of worms
    >> don't *need* to do so. Because that word *need* is in there, it makes
    >> it look like the worms are a subset of the replicating malware set
    >> which includes the viruses - specifically they are ones that have an
    >> *additional* or alternate method for spreading.

    >
    > Viruses need a host, worms don't; they literally create themselves a
    > functional copy. Both are simply replication systems. One relies on
    > pre-existing files, one doesn't.
    >
    >> I'm not disagreeing with your viewpoint, I am only trying to explain
    >> why the current definitions all seem to make a fuzzy picture - one
    >> could just as easily say that a virus is a kind of worm that doesn't
    >> *need* to create a file - and one could be just as wrong in so doing.
    >> Viruses *do* infect programs with copies of themselves, and worms
    >> *don't* - it's much simpler that way.

    >
    > Some of the definitions are very muddy and thus cause this confusion. I
    > hope I've helped to remove a little of it.
    >

    What you have done is confirmed that we see things the same way despite
    what the modern definitions say about it. This 'Ramnit' is a good
    example, as it is referred to variously as trojan, worm, and virus all
    over the web. I understand that different components get different
    detection names, and definitions for these various terms abound.

    Thanks for your clarification.

