Dustin wrote:
> FromTheRafters<erratic@nomail.afraid.org> wrote in
> news:jeavr2$ifs$1@dont-email.me:
>
>> Dustin wrote:
>>> FromTheRafters<erratic@nomail.afraid.org> wrote in
>>> news:jeaqah$qeq$1@dont-email.me:
>>>
>>>> Dustin wrote:
>>>>> Dustin<bughunter.dustin@gmail.com> wrote in
>>>>> news:Xns9FD38B634499DHHI2948AJD832@no:
>>>>>
>>>>>> FromTheRafters<erratic@nomail.afraid.org> wrote in
>>>>>> news:je9p7o$ocj$1@dont-email.me:
>>>>>>
>>>>>>> Virus Guy wrote:
>>>>>>>> http://www.telegraph.co.uk/technolog...7618/Facebook-
>>>>>>>> locks-down-45000-accounts-to-stop-worm-spreading.html
>>>>>>>>
>>>>>>>> Facebook locks down 45,000 accounts to stop 'worm' spreading
>>>>>>>>
>>>>>>>> Facebook has acted to stop the spread of a new variety of
>>>>>>>> malicious software that has stolen login details from 45,000
>>>>>>>> mostly British and French users.
>>>>>>>>
>>>>>>>> 1:43PM GMT 06 Jan 2012
>>>>>>>>
>>>>>>>> The Ramnit worm has been spreading since April 2010, but was
>>>>>>>> only recently adapted to target Facebook details, according to
>>>>>>>> computer security experts. It was previously used by cyber
>>>>>>>> criminals to steal login credentials for other services,
>>>>>>>> including online banking.
>>>>>>>>
>>>>>>>> A “worm” is distinct from a normal computer virus in that it
>>>>>>>> can reproduce itself without needing to attach itself to an
>>>>>>>> existing program. This ability means worms can spread very
>>>>>>>> rapidly online.
>>>>>>>
>>>>>>> Nice that they mentioned this, but it is a distinction you'll
>>>>>>> likely like even less than the virus/malware dichotomy. To me,
>>>>>>> it is a somewhat less important distinction and remains 'fuzzy'.
>>>>>>
>>>>>> Not to me. Here's why...
>>>>>>
>>>>>> We'll just deal with file infectors for the sake of making this
>>>>>> less complicated. A virus requires a host. It will seek out an
>>>>>> exe that doesn't already have its presence and install it
>>>>>> (infecting said exe file). This file has been modified to carry
>>>>>> virus code. Executing it later will cause the virus code and
>>>>>> maybe the original host to still run and further spread the
>>>>>> virus. Simply deleting an infected executable will not remove the
>>>>>> virus; as many other executables are likely containing it now.
>>>>>> They have to be identified and disinfected (if possible) if you
>>>>>> wish to make use of them again. You may or may not be able to
>>>>>> restore them to the original byte(s) depending on the virus which
>>>>>> infected them and the manner in which it used. A trojan OTH can
>>>>>> be removed by deleting its exe once you locate it.
>>>>>>
>>>>>> A worm OTH is really its own program, all self contained, that
>>>>>> replicates by copying a complete copy of itself. For example, it
>>>>>> requires no host; it can readily create an exe called worm2.exe
>>>>>> and drop its image right into it. When worm2.exe is later run by
>>>>>> an unsuspecting user on another computer, it drops worm3.exe;
>>>>>> they're both identical for this discussion (polymorphic worms do
>>>>>> exist tho)... and worm3 goes and does the same thing.
>>>>>>
>>>>>> A worm can be removed in a similar fashion as a trojan once you
>>>>>> identify them all; you just delete them. There is no host to
>>>>>> restore as they didn't infect anything.
>>>>>>
>>>>>> These are important distinctions if it's your intention to
>>>>>> properly identify the problem and repair the system with minimal
>>>>>> (preferably none) data loss in the process.
>>>>>>
>>>>>>
>>>>>
>>>>> Minor followup:
>>>>>
>>>>> There are worm/virus combos. They drop an exe of themselves in a
>>>>> worm fashion. This is a new exe, so you can just delete it like
>>>>> you would a trojan. You will have to identify the viral code in
>>>>> other pre-existing executables and disinfect if possible to remove
>>>>> the virus portion. Failure to complete both steps will likely
>>>>> result in a reinfection of virus and worm.
>>>>>
>>>>> For simple examples, See Toadie and Irok viruses. They're old, all
>>>>> well known, and do exactly as I've described and are removed in
>>>>> the processes I've already outlined above. These are textbook real
>>>>> world examples which correctly fit the well established
>>>>> definitions above.
>>>>
>>>> I responded before reading your followup post, this aspect is what
>>>> I was getting at. It will still be called a worm despite the fact
>>>> that it also is a virus because it doesn't *need* to infect
>>>> pre-existing programs in order to survive and replicate.
>>>
>>> That's because these samples specifically perform two separate
>>> functions in an effort to survive. They seek out other executables
>>> and infect them (1-virus). They also drop an image of themselves
>>> which is, as I said, a completely new executable that wasn't
>>> previously on your machine (2-worm).
>>>
>>> The new worm executable can be deleted and it's done for; providing
>>> you seek out the viral code and deal with it too. The virus module
>>> has already replicated the entire program to your legit .exe files.
>>> You must now deal with that aspect or the worm can come right back.
>>> As can the virus re-infect previously cleaned files. Again tho, it's
>>> two separate processes or subroutines (hell, think of them as two
>>> programs in one exe if you'd like) both intent on survival; working
>>> together to accomplish it. Attacking the host OS from multiple
>>> points. Get the exes, drop a fresh exe to spread my complete self to
>>> other computers via social engineering and their email/irc clients
>>> (in these cases).
>>>
>>> You could disable its ability to seek out and infect exes and it
>>> would simply become a worm. You can likewise disable its worm
>>> functions and it becomes a virus only.
>>>
>>> What's going on tho is really two separate and distinct methods of
>>> retaining your presence. It's just being combined into the same
>>> executable.
>>>
>>>> That is why it seems a little fuzzy to me.
>>>
>>> You have to think of it as multiple technologies being applied in a
>>> combined effort to survive as a whole. They are viruses AND worms.
>>> They have specific routines for the specific replications. One
>>> relies on actually infecting previously existing files, one creates
>>> a new file and drops the image complete with working exe header to
>>> begin anew.
>>>
>> Agreed, and in that case the ideas of worm and virus are kept
>> separate, I like that. I used to think of it as a virus with a worm
>> as a payload *and* a worm with a virus as a payload. Each sort of
>> carries the other along in each its own spreading vector.
>
> The payload has always been what the virus does besides the intentional
> act of replication. Not all viruses have payloads. Ie: A payload could
> be something as simple as a message coming across the screen, or your
> mp3 files being messed with. The payload in a virus sense is like an
> aircraft carrying a payload of bombs to drop.
>
> OTW, the payload is the diddy.. the package. The virus is a delivery
> system.
>
>> If that were the idea, it would be best to say that worms don't
>> infect other programs with copies of themselves instead of worms
>> don't *need* to do so. Because that word *need* is in there, it makes
>> it look like the worms are a subset of the replicating malware set
>> which includes the viruses - specifically they are ones that have an
>> *additional* or alternate method for spreading.
>
> Viruses need a host, worms don't; they literally create themselves a
> functional copy. Both are simply replication systems. One relies on
> pre-existing files, one doesn't.
>
>> I'm not disagreeing with your viewpoint, I am only trying to explain
>> why the current definitions all seem to make a fuzzy picture - one
>> could just as easily say that a virus is a kind of worm that doesn't
>> *need* to create a file - and one could be just as wrong in so doing.
>> Viruses *do* infect programs with copies of themselves, and worms
>> *don't* - it's much simpler that way.
>
> Some of the definitions are very muddy and thus cause this confusion. I
> hope I've helped to remove a little of it.
>
What you have done is confirmed that we see things the same way despite
what the modern definitions say about it. This 'Ramnit' is a good
example, as it is referred to variously as trojan, worm, and virus all
over the web. I understand that different components get different
detection names, and definitions for these various terms abound.
Thanks for your clarification.