BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Worm bait?

Subject: Worm bait?
From: jkinz at kinz.org (Jeff Kinz)
Date: Wed, 20 Aug 2003 10:49:47 -0400
In-reply-to: <1061341515.13363.105.camel@bart>; from jullrich@sans.org on Tue, Aug 19, 2003 at 09:05:15PM -0400
References: <1061337340.405.28.camel@resolute.stephencanthony.com> <200308200033.h7K0XYPD027641@dsl092-065-009.bos1.dsl.speakeasy.net> <20030820011326.GA5784@yellowbank.com> <1061341515.13363.105.camel@bart>

On Tue, Aug 19, 2003 at 09:05:15PM -0400, Johannes B. Ullrich wrote:
> > Terminology question.  What's a 'worm' vs. 'virus' vs. 'trojan horse'
> Worm: self propagating malware which does not require user interaction
> Virus: Malware that uses e-mail to propagate and usually requires at
> least that you as a user load it into your MUA. Does not always require
> 'opening'. But for example, it will not propagate if you keep it sitting
> on your mail server.
> Trojan Horse: Program that escalates privilaeges by tricking a
> privileged user into executing it.
> Backdoor: non-standard remote admin method :-/
> Bot: IRC controlled backdoor
> Auto Rooter: software that uses an exploit and installs backdoor without
> user interaction.
> 
> anyway. just a quick off the cuff list. not meant to be authoritative.

Hi Johannes,
I think your definitions may be too narrow and too tied to the recent
ways they are used to attack MS systems. Virii don't need email, or user
interaction unless they are email based.  Trojans don't need privileged
users user's to run them, they can be designed to exploit system
resident security holes and only need to be run by ordinary user's.
Bot's are not always IRC controlled.

By the way - does the existence of an "Auto Rooter" imply a 
"Roto Rooter" tool that cleans up after it ? :-)

We have to be careful not let the MS systems state of easy vulnerability
prejudice our thinking about how malware functions or we will forget
the many other ways these malware tools can be configured and operate.

By the way - I just checked out SANS (http://isc.sans.org).  Very Nice
site.  Great info.  Anyone who wants more info about the current state
of the internet vis-a-vis security and traffic issues should check it
out.  Wonderful information.  You guys are really on top of things.

-- 
Jeff Kinz, Open-PC, Emergent Research,  Hudson, MA.  jkinz at kinz.org
copyright 2003.  Use is restricted. Any use is an 
acceptance of the offer at http://www.kinz.org/policy.html.
Don't forget to change your password often.

References:
- Worm bait?
  - From: steve at stephencanthony.com (Stephen Anthony)
- Worm bait?
  - From: rlk at alum.mit.edu (Robert L Krawitz)
- Worm bait?
  - From: ron.peterson at yellowbank.com (ron.peterson at yellowbank.com)
- Worm bait?
  - From: jullrich at sans.org (Johannes B. Ullrich)

Prev by Date: Worm bait?
Next by Date: Worm bait?
Previous by thread: Worm bait?
Next by thread: Worm bait?
Index(es):
- Date
- Thread


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Boston Linux & Unix / webmaster@blu.org