What exactly is "koobworm" ???

  • Thread starter Thread starter Virus Guy
  • Start date Start date
Virus Guy said:
No.
Click to expand...

Yes, it uses network replication (typical of many worms)
It does not place a copy of itself on the server that it advertises
via
it's spam links or postings.
Click to expand...

Could you give me an exact malware name for the malware we are talking
about so that we don't end up talking about different things?

The ones I've seen do indeed serve the malware from the server.
It does not place a copy of itself on the destination PC.
Click to expand...

True, but they take steps (programmatically) to enhance the probability
that the victim user will do so.
It _wants_ for a copy of itself to end up on other PC's (as does all
malware) but it no more puts that copy there than the typical trojan
does for itself.
Click to expand...

True, but you seem to be stuck on the idea that all worms are automatic
worms.
No. Who-ever controls the spamvertised server has put a copy of Koob
on
that server.
Click to expand...

There is user controlled space on those (Facebook?) servers.
When a new PC becomes infected, that copy came from a
server - not some other infected PC.
Click to expand...

True again, but that does not disqualify the malware as being a worm
A worm does not require the use of a third PC when spreading from
machine 1 to machine 2.
Click to expand...

Who says?
Worms are not served. Trojans are served. Koob is a trojan.
Click to expand...

As usual,you start out asking and end up telling.
Explain how I can have any form of malware end up on my PC _without_
replication.
Click to expand...

I meant recursively replicating (since we are talking about worms and/or
viruses I thought it was understood)
Your use of the concept of "replication" is strange in this context.
Click to expand...

I will try to be more careful with my wording.
The requirment for it to need a server to spread makes it a trojan and
not a worm.
Wrong.


From what I can tell, there is no clear definition of virus that
sufficiently or clearly delineates it from either trojan or worm.
Click to expand...

"Worms and viruses are both common types of self-replicating malware but
differ in their method of replication (Grimes, 2001; Harley, Slade, and
Gattiker, 2001; Szor, 2005). A computer virus depends on hijacking
control of another (host) program to attach a copy of its virus code to
more files or programs. When the newly infected program is executed, the
virus code is also executed. In contrast, a worm is a standalone
program that does not depend on other programs (Nazario, 2004). It
replicates by searching for vulnerable targets through the network, and
attempts to transfer a copy of itself. Worms are dependent on the
network environment to spread."

from

http://lyle.smu.edu/~tchen/papers/network-worms.pdf

and...

"A computer virus is a self-replicating program containing code that
explicitly copies itself and that can "infect" other programs by
modifying them or their environment such that a call to an infected
program implies a call to a possibly evolved copy of the virus."

From who knows where - an expanded form of Fred Cohen's definition.
Only trojans and worms appear to have a few clear distinctions in
terms
of how they spread and the level of operator intervention required.
In
that regard, a true worm can spread from PC-1 to PC-2 without the aid
of
a third PC to act as a server and without the need for human activity
or
action. Koob is not such a worm.
Click to expand...

Many people use the term "true worm" to describe automatic worms.
Nevertheless, the *other* worms do exist and will continue to be called
worms. It is more about the resultant behavior than it is about the
method used to achieve that end.
I asked if transmitting or posting a URL qualifies as a worm
transmission method. You said yes, and then you immediately went on
to
describe file copying to shared directories. The two are hardly the
same phenomena. So you'd better come up with a better answer because
that one didn't work.
Click to expand...

See "network replication". Here is an example from my Google search.

http://csrc.nist.gov/publications/nistir/threats/subsection3_3_2.html
Koob does not replicate itself. It tricks people into downloading
more
copies of itself from a server.
Click to expand...

....and as such does recursively replicate without using a host program
to do so.
Koob requires a functioning server with
known coordinates in order to spread. A true worm seeks out on it's
own
the next destination PC and directly transmits a copy of itself to
that
PC. Koob does not do this.
Click to expand...

Says who?
Why are you so insistent on making a case that koob is a worm, to the
extent of stretching the definition of what a worm is?


Your answer was as clear as mud. Please reformulate and restate your
response to that question.
Click to expand...

As with the virus, the replicant can be a "possibly evolved" or
"morphed" copy rather than an exact copy.
Worms don't need polymorphism if they are leveraging an exploit that
sucessfully allows themselves to spread from one PC to the next
without
human intervention.
Click to expand...

They do if they want to avoid (or delay) detection.
 
FromTheRafters said:
Who says?
Click to expand...

If there is going to be a distinction made today between what is a
trojan and what is a worm, then I'd make the case that the single most
useful criteria or requirement for a worm is that it can spread from one
machine directly to another without requiring an intermediate server,
and possibly that such spreading can be done without requiring human
assistance.

The most obvious mechanism is the exploitation of various netbios
vulnerabilities, followed by network shares (but note that placing a
copy of itself on shared directory of another machine does not garantee
that it will actually execute on that machine and spread further).
Spreading via "sneaker-net" (auto-run exploitation on removable media
for example) would also qualify.

Any other mode of distribution that involves a third server machine
(where the malware is really hosted) would take it out of the realm of
being a worm and make it just an ordinary virus or trojan.

If you want to make the case that something can be a worm even if it
doesn't spread from one machine directly to another without requiring a
third machine to act as a server, then what else (in your opinion)
becomes the central characteristic for something to be called a worm?

I note that nobody else wants to venture an opinion or comment. Not
even you - Lipman?
 
Virus Guy said:
If there is going to be a distinction made today between what is a
trojan and what is a worm, then I'd make the case that the single most
useful criteria or requirement for a worm is that it can spread from
one
machine directly to another without requiring an intermediate server,
and possibly that such spreading can be done without requiring human
assistance.
Click to expand...

First, let me thank you for snipping.

If a malware writer places a trojan where it can be downloaded and
executed, this is a distribution method. If a program places trojans
where they can be downloaded and executed, this is an automated
distribution system. If the program doing the placing is the functional
equivalent of the program being placed - it is a worm. Recursive
replication is wormsign (unless it infects a host program with itself -
in which case it is a virus). It doesn't matter how many stages the
program goes through, or how many fragments there are running on how
many different machines. As long as it eventually comes around to being
a functionally equivalent new instance (at least twice), it can be
considered recusively replicating - and a worm. A virus' copying itself
is explicit, while the worms' can be implicit (network replication).
The most obvious mechanism is the exploitation of various netbios
vulnerabilities, followed by network shares (but note that placing a
copy of itself on shared directory of another machine does not
garantee
that it will actually execute on that machine and spread further).
Click to expand...

True, but I can just about guarantee that *someone* really really really
must see the dancing pigs.

Even if the dancing pig displaying program has in its EULA that
something else will happen that you would not approve of.

Some worms of recent past have actually shown that clickme.exe works
just fine. I'm pretty sure malware.exe or don'tclickme.com would work
too.
Spreading via "sneaker-net" (auto-run exploitation on removable media
for example) would also qualify.
Click to expand...

So, auto execution is your main concern? Put users back in the loop, and
you have only attenuated the effect a little bit. Certainly there will
be no "Worhol clickworms" - but having users involved like this is no
real obstacle to a worm. To be sure, a virus may or may not involve user
action in its cycle, so why put that restriction on a worm when
infection already provides a dichotomy?
Any other mode of distribution that involves a third server machine
(where the malware is really hosted) would take it out of the realm of
being a worm and make it just an ordinary virus or trojan.
Click to expand...

Actually - it takes it one step closer to being an octopus.
If you want to make the case that something can be a worm even if it
doesn't spread from one machine directly to another without requiring
a
third machine to act as a server, then what else (in your opinion)
becomes the central characteristic for something to be called a worm?
Click to expand...

Central - it recursively replicates without requiring infecting a host
program to do so.
I note that nobody else wants to venture an opinion or comment. Not
even you - Lipman?
Click to expand...

David disagrees with the dichotomy, and prefers that all worms are
contained within the "virus" set.

....funny, he seems fairly reasonable at other times :o\

He strongly opposes trojans being called viruses because he favors the
dichotomy there. If it doesn't recursively replicate, it should not be
called a virus or a worm even though it appears as a trojan in some part
of its lifecycle.

The subject has been talked to death, with very little consensus, over
the years and that is not expected to change.
 
Ant said:
More interesting to me are the technical details of what it
actually does when run. There are descriptions available on
the web, for example from Symantec and McAfee.
Click to expand...

I have only found very general explanations for what koob does.

Nothing specific, such as registry changes, changes to autorun, how does
it hook itself into a system, how does it hide itself when running, does
it interfere with other processes (AV, etc) running on the infected
system, what ports does it listen to, what additional payloads does it
seek out and download.
 
Back
Top