malware is an umbrella term for all bad or malicious software... this includes viruses, worms, trojans, rootkits, logic bombs, keyloggers, backdoors, spyware, adware, etc...
it should be noted that for a long time (and to a large extent, even now) the public at large have used the term 'virus' as the umbrella term for all such software, largely out of ignorance of the field...
more recently there has been a push by certain commercial interests to repurpose the term 'spyware' as the umbrella term for all such software - in part because increasingly on the internet spyware is taking on the connotation of being anything we don't like/want on our computers... while this is very reminiscent of trojan (which is itself an umbrella classification), repurposing an existing term to encompass all bad software based on the whims of the uninformed public is absurd and will eventually be made obsolete by the very whims those commercial interests are chasing...
back to index
devising a framework for thinking about malware and related issues such as viruses, spyware, worms, rootkits, drm, trojans, botnets, keyloggers, droppers, downloaders, rats, adware, spam, stealth, fud, snake oil, and hype...
Saturday, January 28, 2006
what is infection?
infection is the process or state whereby a viral program attaches itself to a host program in such a way that when an attempt is made to run/execute/interpret the host program the viral program can be run/executed/interpreted in addition to or instead of the host program...
this attachment can be in the form of inserting the viral program in the host program, inserting the host program in the viral program, replacing the host program with the viral program, placing/naming the viral program in such a way that the operating environment finds/calls the viral program before the host program, inserting a call or reference to the viral program in the host program, linking the viral and host programs through manipulation of filesystem structures, etc...
many people today use the term 'infect' to refer to putting any kind of malware into something else (such as 'infecting' audio CD's with DRM)... this is a product of the public's high level of awareness of viruses and viral concepts compared to other forms of malware (viruses have been in the wild and in the public eye for 20 years or more now) and not a correct usage of the technical term...
back to index
this attachment can be in the form of inserting the viral program in the host program, inserting the host program in the viral program, replacing the host program with the viral program, placing/naming the viral program in such a way that the operating environment finds/calls the viral program before the host program, inserting a call or reference to the viral program in the host program, linking the viral and host programs through manipulation of filesystem structures, etc...
many people today use the term 'infect' to refer to putting any kind of malware into something else (such as 'infecting' audio CD's with DRM)... this is a product of the public's high level of awareness of viruses and viral concepts compared to other forms of malware (viruses have been in the wild and in the public eye for 20 years or more now) and not a correct usage of the technical term...
back to index
Tags:
definition,
infection,
terminology misuse,
virus
what is a worm?
a worm is a self-replicating program that is able to make (possibly evolved) copies of itself that are not attached to (via infection) other host programs...
that is not to say that worms can't infect host programs, there are already many examples of virus/worm hybrids that are able to self-replicate using both strategies - later variants of klez, for example... there are also examples of virus/worm hybrids that must infect a host program in order to self-replicate (like w32/ska, which needs to infect wsock32.dll in order to email itself*)...
also since it must self-replicate, a worm meets the requirements of the mathematical definition of virus and can therefore be thought of a kind of virus, but only in more academic/scientific contexts...
while there are schools of thought that would include such further constraints as being able to spread over a network or even being network-aware, these constraints are arbitrary and in some cases just wrongheaded... for example - a program that copies itself to all logical drives provided by the operating system is actually still able to spread over implicit networks like sneakernet, as well as being able to spread over more conventional windows networks in the presence of mapped drives... the requirement for network-awareness, on the other hand, is actually an attempt to narrow the network spreading constraint by introducing intent into the equation (network-awareness becomes an indicator of intent to spread over networks and thereby weed out the supposed accidental network spreading in the previous example) while completely ignoring the fact that intent is an entirely subjective quantity (especially when judging it from code) and causes the definition to no longer be functional for no apparent reason or benefit...
(* thanks to peter szor's book for reminding me of that)
back to index
that is not to say that worms can't infect host programs, there are already many examples of virus/worm hybrids that are able to self-replicate using both strategies - later variants of klez, for example... there are also examples of virus/worm hybrids that must infect a host program in order to self-replicate (like w32/ska, which needs to infect wsock32.dll in order to email itself*)...
also since it must self-replicate, a worm meets the requirements of the mathematical definition of virus and can therefore be thought of a kind of virus, but only in more academic/scientific contexts...
while there are schools of thought that would include such further constraints as being able to spread over a network or even being network-aware, these constraints are arbitrary and in some cases just wrongheaded... for example - a program that copies itself to all logical drives provided by the operating system is actually still able to spread over implicit networks like sneakernet, as well as being able to spread over more conventional windows networks in the presence of mapped drives... the requirement for network-awareness, on the other hand, is actually an attempt to narrow the network spreading constraint by introducing intent into the equation (network-awareness becomes an indicator of intent to spread over networks and thereby weed out the supposed accidental network spreading in the previous example) while completely ignoring the fact that intent is an entirely subjective quantity (especially when judging it from code) and causes the definition to no longer be functional for no apparent reason or benefit...
(* thanks to peter szor's book for reminding me of that)
back to index
Tags:
definition,
malware,
worm
Tuesday, January 17, 2006
what is a virus?
there are 2 answers to this question, depending on whether you're using the natural language definition or the mathematical definition used in logical proofs...
natural language definition
a virus is self-replicating program that attaches a (possibly evolved) copy of itself to other (host) programs in such a way that when an attempt is made to run the host program a call may be made to run the copy of the virus instead of or as well as the original host program...
the attachment mentioned above is commonly referred to as infection... usually it infers that a copy of the virus is actually placed within the host, however this is not always the case... the only real requirements for the attachment are spelled out above...
mathematical definition
the mathematical definition in it's most simplistic natural language form is - a virus is a self-replicating program...
this may seem a little odd that no mention of infection is made at all, but for infection to occur you need to have the concept of separate and distinguishable programs and that doesn't exist in the context in which the mathematical definition is used... it applies to the turing machine model of computation and a turing machine makes no distinction between different sets of symbols on it's tape... without logical partitions between different sets of symbols there can be no separate programs and therefore no specific host program to infect... at most the definition specifies that any offspring of the virus must not overlap the original instance of the virus (or in other words it must not overwrite the original virus in part or in full)...
(see section 3 of this paper for a more precise retelling of the formal virus definition)
back to index
natural language definition
a virus is self-replicating program that attaches a (possibly evolved) copy of itself to other (host) programs in such a way that when an attempt is made to run the host program a call may be made to run the copy of the virus instead of or as well as the original host program...
the attachment mentioned above is commonly referred to as infection... usually it infers that a copy of the virus is actually placed within the host, however this is not always the case... the only real requirements for the attachment are spelled out above...
mathematical definition
the mathematical definition in it's most simplistic natural language form is - a virus is a self-replicating program...
this may seem a little odd that no mention of infection is made at all, but for infection to occur you need to have the concept of separate and distinguishable programs and that doesn't exist in the context in which the mathematical definition is used... it applies to the turing machine model of computation and a turing machine makes no distinction between different sets of symbols on it's tape... without logical partitions between different sets of symbols there can be no separate programs and therefore no specific host program to infect... at most the definition specifies that any offspring of the virus must not overlap the original instance of the virus (or in other words it must not overwrite the original virus in part or in full)...
(see section 3 of this paper for a more precise retelling of the formal virus definition)
back to index
Tags:
definition,
malware,
virus
what is a program?
this is going to be a non-obvious answer - a program is a collection of instructions meant to be executed or interpreted by the computer for the purpose of carrying out a task...
to that end - *.exe files are programs, but so are the macros in word/excel/powerpoint documents... so are bootsectors... so are batch files... so are the javascripts embedded in web pages... so are windows meta files (*.wmf)... so are a whole host of other things that the average person would probably not have considered a program...
so many of the things are programs, in fact, that it's easier to just say everything other than a few well known exceptions are programs and therefore everything except those few well known exceptions are potential threats... in fact, even those few well known exceptions could be also be threats given the right nefarious modifications to a standard operating environment...
back to index
to that end - *.exe files are programs, but so are the macros in word/excel/powerpoint documents... so are bootsectors... so are batch files... so are the javascripts embedded in web pages... so are windows meta files (*.wmf)... so are a whole host of other things that the average person would probably not have considered a program...
so many of the things are programs, in fact, that it's easier to just say everything other than a few well known exceptions are programs and therefore everything except those few well known exceptions are potential threats... in fact, even those few well known exceptions could be also be threats given the right nefarious modifications to a standard operating environment...
back to index
Tags:
definition
what is it?
if there's one thing that ticks me off more than anything else it would have to be terminology misuse/abuse... technological jargon terms generally have fairly precise meanings and their misuse/abuse twists their meaning until they become useless...
how can i address this little pet peeve of mine? quite simple, really... come up with a glossary of terms with detailed explanations and then point people to it when wander too far astray...
so for the next i-don't-know-how-long i'm going to be defining things and i guess this post is as good a place as any to index them...
how can i address this little pet peeve of mine? quite simple, really... come up with a glossary of terms with detailed explanations and then point people to it when wander too far astray...
so for the next i-don't-know-how-long i'm going to be defining things and i guess this post is as good a place as any to index them...
Tags:
definition
Subscribe to:
Posts (Atom)