Full Disclosure mailing list archives

Re: First WMF mass mailer ItW (phishing Trojan)


From: bkfsec <bkfsec () sdf lonestar org>
Date: Fri, 17 Feb 2006 15:53:45 -0500

Gadi Evron wrote:

> Taxonomy/terminology of viruses/malware is problematic, no one expert will
> agree with the other.
This is true... I would say that it's mostly true because people have been sloppy and used the wrong terms for referring to specific types of malware.

> (almost) all current worms are Trojan horses.
I disagree. The definition of a worm and the definition of a trojan horse are not the same in any way, shape, or form.

Worms don't, by design, have to masquerade as a legitimate program in order to do their damage.

> If it is spread by email, it's a mass mailer. It's a worm...
No.  Mass-mailer has never specifically implied that it is a worm, IMO.

> any more than that and this will become
> a religious discussion between those who work with these or a clue-less
> one by those who don't. :)
Not a religious discussion, but rather one on the effective spread of information in order to deal with a threat. What this problem comes down to is that people deal with worms differently than they deal with trojan horses and they deal with both of them differently than they deal with viruses (file infectors). That may seem quaint to some, but I would respectfully submit that anyone who feels that way clearly is the clue-less one.

Yes, there's room for discussion and disagreement on specific examples. There really is very little room for disagreement on the terms themselves, though. The only real argument I've ever heard has been in regard to calling all malware viruses, being that the media refers to all malware as viruses... and that works when you're dealing with a clueless audience that doesn't know what a worm is... it doesn't work so well with this audience.

> Question: if one sees this spreading as a mass mailer, propagating (via
> email) and infecting via a download(er) of a Trojan, why would it
> matter?
It matters to some of us because the mitigation strategy for dealing with a trojan is different than the strategy for dealing with a worm.

One can make the point that the new mass-mailers are "sufficiently automated", but in my opinion it still doesn't match the attack vector and as a result dilutes the use of the terminology as a method of defining malware. The less accuracy the term has, the less useful it becomes.

Now, that's kind of nitpicking. :) Those of us who know what you're getting at don't get tripped up by the use of terms different than our own... we know how mass mailers work. However, that doesn't mean that there can't be some confusion. Consider the possibility of a mass-mailer worm versus a mass-mailer trojan:

MM Worm -- The file attachment is either downloaded or executed by script in the e-mail, or some other buffer overflow-style attack. Without any interaction from the user, the file is then mass-mailed. Even this is questionable as a worm because the user still has to click on the e-mail, but it's pretty close. This type of attack is usually due to a flaw in an e-mail client or browser code and can usually be patched.

MM Trojan -- The vast majority of what we see now. The user has to execute the file manually. This cannot be patched and relies on the user's ability to run code.

See the difference?

As our definitions become less useful, we become less efficient. Anyone who wants to forward the state of security in this world should be pushing for a more defined taxonomy rather than a less well defined one. It behooves one to avoid confusion of this nature.

> Maybe it should be called a Trojan with mass-mailing capabilities (I'm
> completely with you on that one).


I'd agree with that.

            -bkfsec


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/