mailing list archives
Re: First WMF mass mailer ItW (phishing Trojan)
From: bkfsec <bkfsec () sdf lonestar org>
Date: Fri, 17 Feb 2006 15:53:45 -0500
Gadi Evron wrote:
This is true... I would say that it's mostly true because people have
been sloppy and used the wrong terms for referring to specific types of
Taxonomy/terminology of viruses/malware is problematic, no one expert will
agree with the other.
(almost) all current worms are Trojan horses.
I disagree. The definition of a worm and the definition of a trojan
horse are not the same in any way, shape, or form.
Worms don't, by design, have to masquerade as a legitimate program in
order to do their damage.
If it is spread by email, it's a mass mailer. It's a worm...
No. Mass-mailer has never specifically implied that it is a worm, IMO.
Not a religious discussion, but rather one on the effective spread of
information in order to deal with a threat. What this problem comes
down to is that people deal with worms differently than they deal with
trojan horses and they deal with both of them differently than they deal
with viruses (file infectors). That may seem quaint to some, but I
would respectfully submit that anyone who feels that way clearly is the
any more than that and this will become
a religious discussion between those who work with these or a clue-less
one by those who don't. :)
Yes, there's room for discussion and disagreement on specific examples.
There really is very little room for disagreement on the terms
themselves, though. The only real argument I've ever heard has been in
regard to calling all malware viruses, being that the media refers to
all malware as viruses... and that works when you're dealing with a
clueless audience that doesn't know what a worm is... it doesn't work so
well with this audience.
It matters to some of us because the mitigation strategy for dealing
with a trojan is different than the strategy for dealing with a worm.
Question: if one sees this spreading as a mass mailer, propagating (via
email) and infecting via a download(er) of a Trojan, why would it
One can make the point that the new mass-mailers are "sufficiently
automated", but in my opinion it still doesn't match the attack vector
and as a result dillutes the use of the terminology as a method of
defining malware. The less accuracy the term has, the less useful it
Now, that's kind of nitpicking. :) Those of us who know what you're
getting at don't get tripped up by the use of terms different than our
own... we know how mass mailers work. However, that doesn't mean that
there can't be some confusion. Consider the possibility of a
mass-mailer worm versus a mass-mailer trojan:
MM Worm -- The file attachment is either downloaded or executed by
script in the e-mail, or some other buffer overflow-style attack.
Without any interaction from the user, the file is then mass-mailed.
Even this is questionable as a worm because the user still has to click
on the e-mail, but it's pretty close. This type of attack is usually
due to a flaw in an e-mail client or browser code and can usually be
MM Trojan -- The vast majority of what we see now. The user has to
execute the file manually. This cannot be patched and relies on the
user's ability to run code.
See the difference?
As our definitions become less useful, we become less efficient. Anyone
who wants to forward the state of security in this world should be
pushing for a more defined taxonomy rather than a less well defined
one. It behooves one to avoid confusion of this nature.
Maybe it should be called a Trojan with mass-mailing capabilities (I'm
completely with you on that one).
I'd agree with that.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/