Re: "Mainframe" virsus (was: I *Hate* When I Do This!

docdwarf_at_panix.com
Date: 01/13/05


Date: 13 Jan 2005 12:27:13 -0500

In article <cs67ue02qo5@news2.newsguy.com>,
Michael Wojcik <mwojcik@newsguy.com> wrote:
>
>In article <cs4mqo$dcs$1@panix5.panix.com>, docdwarf@panix.com writes:
>>
>> From the above:
>>
>> --begin quoted text:
>>
>> A computer worm disguised as a benign holiday greeting ...
>>
>> --end quoted text

[snip]

>> The user had to 'read it and execute it'... and according to
>> http://www.download.clubromania.ro/doc&down/doc/online/jargon_dic/v.html#virus
>> this is a criterion.
>>
>> --begin quoted text:
>>
>> Unlike a worm, a virus cannot infect other computers without assistance.
>> It is propagated by vectors such as humans trading programs with their
>> friends (see SEX).
>>
>> --end quoted text
>
>In the taxonomy which seems to be preferred by a majority of today's
>malware researchers, yes, the 1987 Christmas Card (CHRISTMA.EXEC) was
>not a worm, because it required manual user execution. However, it
>wasn't a virus either. Viruses are parasitical code fragments which,
>when executed as part of an infected program, infect other programs.

How very interesting... Mr Wojcik, this definition of virus (propagation
via infection of others versus propagation by replicating self) seems
closer to the function of the biological model, yes; is there, however, a
source to be consulted for the 'preferred taxonomy' to which you refer?
It is pleasant to have a use pointed out but... a source is a source, of
course.

[snip]

>In other words:
>
>worm: malware which penetrates a system by exploiting a vulnerability
>in some automated and externally-accessible system component, without
>requiring user interaction. The Morris Worm and various IIS exploits
>like Slammer are worms.
>
>virus: malware which alters existing programs such that when those
>programs are run, they execute the malware and infect other programs
>(and often do other damage). Requires user interaction, at least for
>the initial infection.
>
>trojan: malware which is executed by the victim user, often through
>social engineering.

By these definitions CHRISMAS.EXEC was a trojan, certainly... the question
becomes one of the provenance of the definitions.

[snip]

>I must note that the lack of documented viruses, and relative lack of
>other malware, targeting mainframes doesn't prove much.

'Proof' can be such a dicey thing - 'what are the criteria to be applied
to 'that which constitutes a proof'?' can make for dreary reading - that I
prefer the much milder 'demonstrate', as in 'to make clear by reasoning or
evidence' (given that 'clarity' is in the mind of the beholder) or 'to
illustrate and explain' (given that some people prefer scrambled... but
others like their eggs plain)... but I'd be willing to say that the lack
of documented viruses and relative lack of other malware targeting
mainframes proves that... there hasn't been much documentation written or
many malware findings announced.

DD


