Dustin wrote:
> FromTheRafters<erratic@nomail.afraid.org> wrote in
> news:jeaqah$qeq$1@dont-email.me:
>
>> Dustin wrote:
>>> Dustin<bughunter.dustin@gmail.com> wrote in
>>> news:Xns9FD38B634499DHHI2948AJD832@no:
>>>
>>>> FromTheRafters<erratic@nomail.afraid.org> wrote in
>>>> news:je9p7o$ocj$1@dont-email.me:
>>>>
>>>>> Virus Guy wrote:
>>>>>> http://www.telegraph.co.uk/technolog...18/Facebook-locks-down-45000-accounts-to-stop-worm-spreading.html
>>>>>>
>>>>>> Facebook locks down 45,000 accounts to stop 'worm' spreading
>>>>>>
>>>>>> Facebook has acted to stop the spread of a new variety of
>>>>>> malicious software that has stolen login details from 45,000
>>>>>> mostly British and French users.
>>>>>>
>>>>>> 1:43PM GMT 06 Jan 2012
>>>>>>
>>>>>> The Ramnit worm has been spreading since April 2010, but was only
>>>>>> recently adapted to target Facebook details, according to
>>>>>> computer security experts. It was previously used by cyber
>>>>>> criminals to steal login credentials for other services,
>>>>>> including online banking.
>>>>>>
>>>>>> A “worm” is distinct from a normal computer virus in that it can
>>>>>> reproduce itself without needing to attach itself to an existing
>>>>>> program. This ability means worms can spread very rapidly online.
>>>>>
>>>>> Nice that they mentioned this, but it is a distinction you'll
>>>>> likely like even less than the virus/malware dichotomy. To me, it
>>>>> is a somewhat less important distinction and remains 'fuzzy'.
>>>>
>>>> Not to me. Here's why...
>>>>
>>>> We'll just deal with file infectors for the sake of making this
>>>> less complicated. A virus requires a host. It will seek out an exe
>>>> that doesn't already have its presence and install it (infecting
>>>> said exe file). This file has been modified to carry virus code.
>>>> Executing it later will cause the virus code and maybe the original
>>>> host to still run and further spread the virus. Simply deleting an
>>>> infected executable will not remove the virus, as many other
>>>> executables are likely containing it now. They have to be
>>>> identified and disinfected (if possible) if you wish to make use of
>>>> them again. You may or may not be able to restore them to the
>>>> original byte(s) depending on the virus which infected them and the
>>>> manner in which it was used. A trojan OTH can be removed by deleting
>>>> its exe once you locate it.
>>>>
>>>> A worm OTH, is really its own program, all self contained, that
>>>> replicates by copying a complete copy of itself. For example, it
>>>> requires no host; it can readily create an exe called worm2.exe and
>>>> drop its image right into it. When worm2.exe is later run by an
>>>> unsuspecting user on another computer, it drops worm3.exe; they're
>>>> both identical for this discussion (polymorphic worms do exist,
>>>> though)... and worm3 goes and does the same thing.
>>>>
>>>> A worm can be removed in a similar fashion as a trojan once you
>>>> identify them all; you just delete them. There is no host to
>>>> restore as they didn't infect anything.
>>>>
>>>> These are important distinctions if it's your intention to properly
>>>> identify the problem and repair the system with minimal
>>>> (preferably none) data loss in the process.
>>>>
>>>>
>>>
>>> Minor followup:
>>>
>>> There are worm/virus combos. They drop an exe of themselves in a
>>> worm fashion. This is a new exe, so you can just delete it like you
>>> would a trojan. You will have to identify the viral code in other
>>> pre-existing executables and disinfect if possible to remove the
>>> virus portion. Failure to complete both steps will likely result in
>>> a reinfection of virus and worm.
>>>
>>> For simple examples, See Toadie and Irok viruses. They're old, all
>>> well known, and do exactly as I've described and are removed in the
>>> processes I've already outlined above. These are textbook real world
>>> examples which correctly fit the well established definitions above.
>>
>> I responded before reading your followup post, this aspect is what I
>> was getting at. It will still be called a worm despite the fact that
>> it also is a virus because it doesn't *need* to infect pre-existing
>> programs in order to survive and replicate.
>
> That's because these samples specifically perform two separate functions
> in an effort to survive. They seek out other executables and infect
> them. (1-virus) They also drop an image of themselves which is, as I
> said, a completely new executable that wasn't previously on your
> machine. (2-worm).
>
> The new worm executable can be deleted and it's done for, providing you
> seek out the viral code and deal with it too. The virus module has
> already replicated the entire program to your legit .exe files. You must
> now deal with that aspect or the worm can come right back, as can the
> virus re-infect previously cleaned files. Again though, it's two separate
> processes or subroutines (hell, think of them as two programs in one exe
> if you'd like), both intent on survival, working together to accomplish
> it. Attacking the host OS from multiple points. Get the exes, drop a
> fresh exe to spread my complete self to other computers via social
> engineering and their email/irc clients (in these cases).
>
> You could disable its ability to seek out and infect exes and it would
> simply become a worm. You can likewise disable its worm functions and
> it becomes a virus only.
>
> What's going on though is really two separate and distinct methods of
> retaining your presence. It's just being combined into the same
> executable.
>
>> That is why it seems a little fuzzy to me.
>
> you have to think of it as multiple technologies being applied in a
> combined effort to survive as a whole. They are viruses AND worms. They
> have specific routines for the specific replications. One relies on
> actually infecting previously existing files, one creates a new file and
> drops the image complete with working exe header to begin anew.
>

Agreed, and in that case the ideas of worm and virus are kept separate;
I like that. I used to think of it as a virus with a worm as a payload
*and* a worm with a virus as a payload. Each sort of carries the other
along, each in its own spreading vector.

If that were the idea, it would be best to say that worms don't infect
other programs with copies of themselves instead of worms don't *need*
to do so. Because that word *need* is in there, it makes it look like
the worms are a subset of the replicating malware set which includes the
viruses - specifically they are ones that have an *additional* or
alternate method for spreading.

I'm not disagreeing with your viewpoint, I am only trying to explain why
the current definitions all seem to make a fuzzy picture - one could
just as easily say that a virus is a kind of worm that doesn't *need* to
create a file - and one could be just as wrong in so doing. Viruses *do*
infect programs with copies of themselves, and worms *don't* - it's much
simpler that way.