Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: First WMF mass mailer ItW (phishing Trojan)
From: bkfsec <bkfsec () sdf lonestar org>
Date: Fri, 17 Feb 2006 15:53:45 -0500

Gadi Evron wrote:

Taxonomy/terminology of viruses/malware is problematic, no one expert will
agree with the other.
This is true... I would say that it's mostly true because people have been sloppy and used the wrong terms for referring to specific types of malware.

(almost) all current worms are Trojan horses.
I disagree. The definition of a worm and the definition of a trojan horse are not the same in any way, shape, or form.

Worms don't, by design, have to masquerade as a legitimate program in order to do their damage.

If it is spread by email, it's a mass mailer. It's a worm...
No.  Mass-mailer has never specifically implied that it is a worm, IMO.

any more than that and this will become
a religious discussion between those who work with these or a clue-less
one by those who don't. :)
Not a religious discussion, but rather one on the effective spread of information in order to deal with a threat. What this problem comes down to is that people deal with worms differently than they deal with trojan horses and they deal with both of them differently than they deal with viruses (file infectors). That may seem quaint to some, but I would respectfully submit that anyone who feels that way clearly is the clue-less one.

Yes, there's room for discussion and disagreement on specific examples. There really is very little room for disagreement on the terms themselves, though. The only real argument I've ever heard has been in regard to calling all malware viruses, being that the media refers to all malware as viruses... and that works when you're dealing with a clueless audience that doesn't know what a worm is... it doesn't work so well with this audience.

Question: if one sees this spreading as a mass mailer, propagating (via
email) and infecting via a download(er) of a Trojan, why would it
It matters to some of us because the mitigation strategy for dealing with a trojan is different than the strategy for dealing with a worm.

One can make the point that the new mass-mailers are "sufficiently automated", but in my opinion it still doesn't match the attack vector and as a result dillutes the use of the terminology as a method of defining malware. The less accuracy the term has, the less useful it becomes.

Now, that's kind of nitpicking. :) Those of us who know what you're getting at don't get tripped up by the use of terms different than our own... we know how mass mailers work. However, that doesn't mean that there can't be some confusion. Consider the possibility of a mass-mailer worm versus a mass-mailer trojan:

MM Worm -- The file attachment is either downloaded or executed by script in the e-mail, or some other buffer overflow-style attack. Without any interaction from the user, the file is then mass-mailed. Even this is questionable as a worm because the user still has to click on the e-mail, but it's pretty close. This type of attack is usually due to a flaw in an e-mail client or browser code and can usually be patched.

MM Trojan -- The vast majority of what we see now. The user has to execute the file manually. This cannot be patched and relies on the user's ability to run code.

See the difference?

As our definitions become less useful, we become less efficient. Anyone who wants to forward the state of security in this world should be pushing for a more defined taxonomy rather than a less well defined one. It behooves one to avoid confusion of this nature.

Maybe it should be called a Trojan with mass-mailing capabilities (I'm
completely with you on that one).


I'd agree with that.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]