Virus - Worm rant


Art

The subject started several days ago on a private list. Normally, I
don't get particularly interested in malware definitions and
delineations, preferring to leave that to researchers and other
experts. But in this case, I felt that the experts have been and
are totally confusing people unnecessarily. So I set out to see if I
could make virus-worm distinctions clear in my own mind and then
communicate my thoughts to others. My evolving rant is here:

http://home.epix.net/~artnpeg/VW.html

Art
http://home.epix.net/~artnpeg
 
Art said:
The subject started several days ago on a private list. Normally, I
don't get particularly interested in malware definitions and
delineations, preferring to leave that to researchers and other
experts. But in this case, I felt that the experts have been and
are totally confusing people unnecessarily. So I set out to see if I
could make virus-worm distinctions clear in my own mind and then
communicate my thoughts to others. My evolving rant is here:

http://home.epix.net/~artnpeg/VW.html

Art,

Here you go:

Malware Evolution: 2005
(http://www.viruslist.com/en/analysis?pubid=178949694)

,---quote------

The report is aimed at security professionals who have an interest in
malicious programs. Users with an interest in computer viruses may
also find it of use.

* TrojWare — Trojan programs
* VirWare — worms and viruses
* MalWare — other malicious programs
* Other trends
  o Internet banking
  o Malicious code for new platforms and multi-platform malicious code
  o AdWare
* Conclusion

2005 brought significant changes in the world of malicious code. By
the end of the year, Kaspersky Lab analysts were detecting, on
average, 6368 malicious programs per month. This is a rise of 117%
over 2005 as a whole, and exceeds last year's figures by 24%. This
increase highlights the continuing increase in the demand for
malicious code.

The Kaspersky Lab system for classifying malicious programs contains
three classes of malicious program:

* TrojWare: Trojan programs which are unable to replicate
independently (backdoors, rootkits and all types of Trojans)
* VirWare: malicious programs which are able to replicate
independently (e.g. viruses and worms)
* MalWare: programs which are actively used to create malicious
programs and organize attacks

,---endquote------

And as Dave and I were talking about a couple of days ago, consistency
in nomenclature would be nice.

Ron :)
 
Art said:
The subject started several days ago on a private list. Normally, I
don't get particularly interested in malware definitions and
delineations, preferring to leave that to researchers and other
experts. But in this case, I felt that the experts have been and
are totally confusing people unnecessarily. So I set out to see if I
could make virus-worm distinctions clear in my own mind and then
communicate my thoughts to others. My evolving rant is here:

http://home.epix.net/~artnpeg/VW.html

a) the confusion about the use of the word "host" in frisk's definition
is unwarranted... the context makes it clear that it is a host that can
be executed... you cannot execute a system, but you can execute a program...

b) modifying wsock32.dll in the way ska does is file infection - calls
to wsock32.dll result in ska's self-replicative code being executed...
it doesn't matter what kind of self-replication results so long as it
was triggered by an infected host program...
 
kurt said:
a) the confusion about the use of the word "host" in frisk's definition
is unwarranted...

In your opinion, not mine.
the context makes it clear that it is a host that can
be executed... you cannot execute a system, but you can execute a program...

A system is a host for worms. So it's no wonder I had to do a
double-take and try to figure out what in the hell was meant. It is
damn confusing if "host" is used without qualifiers such as "host
program" (viruses) and "host system" (worms).
b) modifying wsock32.dll in the way ska does is file infection - calls
to wsock32.dll result in ska's self-replicative code being executed...
it doesn't matter what kind of self-replication results so long as it
was triggered by an infected host program...

We disagree. It matters very much. Ska is a worm through and through,
and the modified wsock32.dll is not a virus since it doesn't spread to
other programs. As I've stated in our private list discussions, it
seems to me the word definitions could use some work to make the
delineations clearer. Calling ska a virus (or even a hybrid) is part
of the confusion and nonsense that I'd like to get rid of.

Art

http://home.epix.net/~artnpeg
 
Art said:
a) the confusion about the use of the word "host" in frisk's definition
is unwarranted...

In your opinion, not mine.
the context makes it clear that it is a host that can
be executed... you cannot execute a system, but you can execute a program...

A system is a host for worms. So it's no wonder I had to do a
double-take and try to figure out what in the hell was meant. It is
damn confusing if "host" is used without qualifiers such as "host
program" (viruses) and "host system" (worms).

it *was* qualified... it was an *executable* host...
We disagree. It matters very much. Ska is a worm through and through,
and the modified wsock32.dll is not a virus since it doesn't spread to
other programs.

of course wsock32.dll isn't a virus, it's the infected *host*... ska.dll
is the infector, wsock32.dll is the infectee...
As I've stated in our private list discussions, it
seems to me the word definitions could use some work to make the
delineations clearer. Calling ska a virus (or even a hybrid) is part
of the confusion and nonsense that I'd like to get rid of.

confusing nonsense would be saying ska isn't a virus because wsock32.dll
isn't a virus when wsock32.dll isn't even part of ska...
 
kurt said:
of course wsock32.dll isn't a virus, it's the infected *host*... ska.dll
is the infector, wsock32.dll is the infectee...

The modified dll spawns worms, not viruses (as I've already argued on
the private list).
confusing nonsense would be saying ska isn't a virus because wsock32.dll
isn't a virus when wsock32.dll isn't even part of ska...

Confusing nonsense is calling a worm a virus.

Art
http://home.epix.net/~artnpeg
 
Art said:
The modified dll spawns worms, not viruses (as I've already argued on
the private list).

it spawns worm/virus hybrids...

it's a self-replicator that infects a host program... that is enough for
most people to call it a virus...

what comes out is capable of infecting a host program on another system,
so it too is viral...
Confusing nonsense is calling a worm a virus.

yes, subsets can be so confusing... good thing we only have one kind of
apple and one kind of orange...
 
kurt said:
it spawns worm/virus hybrids...

Hmm. I have to agree with Art in this case. The infected dll file (if
you want to call it infected) simply passes along worm binaries. No
infection in the strictest sense of the word actually takes place.
it's a self-replicator that infects a host program... that is enough for
most people to call it a virus...

But the host program does not pass the infections to others. I.e., it's
non-replicative. It would be an intended virus at best, since anything
past 1st generation doesn't replicate.
what comes out is capable of infecting a host program on another system,
so it too is viral...

No, it's a worm. The program that comes out doesn't infect further
files on the host system. And the files which are modified are not able
to pass the worm body along on their own. It's a self-contained worm,
not a virus.
yes, subsets can be so confusing... good thing we only have one kind of
apple and one kind of orange...

Viruses must infect! Worms do not infect. Patching the wsock32.dll is
not infecting it. The wsock32.dll when called after patching does not
infect other dlls on the system. In fact, it doesn't infect anything at
all.

I think sometimes these so-called subsets only add to the confusion.
Virus must infect the host! And the infectees must continue to infect
others. If this does not take place, then the virus is considered an
intended. It intended to infect, but for whatever reason does not do
so. I.e., it's a dud.

A worm is a self-contained program; it doesn't actually infect other
programs.

Regards,
Dustin Cook
http://bughunter.atspace.org
 
Dustin said:
kurt wismer wrote: [snip]
it's a self-replicator that infects a host program... that is enough for
most people to call it a virus...

But the host program does not pass the infections to others. I.e., it's
non-replicative. It would be an intended virus at best, since anything
past 1st generation doesn't replicate.

dustin, dustin, dustin (now i know why people call you dustbin - my
spelling checker doesn't like your name for some reason).... since when
are host programs supposed to replicate? of course it doesn't
replicate... it's ska that self-replicates, and the self-replicative
code is called by the infected wsock32.dll...
No, it's a worm. The program that comes out doesn't infect further
files on the host system.

viruses don't need to infect more than one file per system... have you
never heard of lehigh?
And the files which are modified are not able
to pass the worm body along on their own.

the files that are modified *call* the worm body... that's why it's
called infection... 'an attempt to execute the host program causes the
virus to be executed as well or instead of the host program'...
It's a self-contained worm,
not a virus.

it's a worm/virus hybrid...
Viruses must infect! Worms do not infect. Patching the wsock32.dll is
not infecting it. The wsock32.dll when called after patching does not
infect other dlls on the system. In fact, it doesn't infect anything at
all.

to be infected, the host simply has to call the virus' code... the virus
*can* infect dlls, however it is specific enough that there is only ever
one dll per system that poses a valid target...
I think sometimes these so-called subsets only add to the confusion.

subsets only really enter into the discussion if we're talking about the
mathematical definition of virus, and that definition doesn't include
infection...
Virus must infect the host!

ska does...
And the infectees must continue to infect
others.

host programs do not infect things - this is a conceptual shortcut
you've made at some point that may speed up certain discussions but
which is not strictly true...

infectees must call the virus and the virus must make a possibly evolved
copy of itself under certain conditions and that possibly evolved copy
must be able to infect other host programs... all of these conditions
are met with ska...

[snip]
A worm is a self-contained program; it doesn't actually infect other
programs.

some do... ska isn't the only example...
 
kurt said:
viruses don't need to infect more than one file per system... have you
never heard of lehigh?

Poor example. By infecting command.com the virus was presumably able
to infect many other programs on the victim machine.

I still think there's something wrong conceptually with
considering SKA to be a hybrid instead of just a worm. It's one of
those problems that when I think about it, it feels like an answer is
on the tip of my tongue but I can't yet spit it out. Replacing the dll
with a patched version for the purpose of spreading as a worm doesn't
strike me conceptually as virus infection or viral behaviour. Yet
virus defs don't exclude such a thing. Something could be done, I'm
sure, with worm/virus definitions to more sufficiently delineate. But
then I ask myself "what's the point"? It's way too late. So screw it.

Art
http://home.epix.net/~artnpeg
 
Art wrote:
[snip]
I still think there's something wrong conceptually with
considering SKA to be a hybrid instead of just a worm. It's one of
those problems that when I think about it, it feels like an answer is
on the tip of my tongue but I can't yet spit it out. Replacing the dll
with a patched version for the purpose of spreading as a worm doesn't
strike me conceptually as virus infection or viral behaviour. Yet
virus defs don't exclude such a thing. Something could be done, I'm
sure, with worm/virus definitions to more sufficiently delineate. But
then I ask myself "what's the point"? It's way too late. So screw it.

i think the point (or perhaps counterpoint would be more appropriate) is
that there is no clear delineation and there can never really be one...
even if you tweaked the definitions so that ska itself is only a worm
rather than a worm/virus hybrid, there are others that will always be
both... they underscore the point that clear delineation is not really
appropriate and doesn't reflect reality... ska just happens to exist at
one of the blurrier points...
 