Posted by: David Harley | April 4, 2010

Terms of Endangerment*

Passing swiftly over that really weak pun in the title… when is a virus not a virus?

When it’s a Trojan horse (or pretty much anything that doesn’t self-replicate). Of course, much of the time it only matters to the industry what you call it (or, rather, how you classify it accurately). Nowadays, true viruses constitute a pretty low proportion of all malware, and many people refer to pretty much any malicious code as a virus, irrespective of its ability to replicate (or the lack of it). Or, more formally, whether or not it conforms to Dr. Fred Cohen’s mathematical definition or the less rigorous definition that most of us in the industry like to quote, despite its awkward punctuation: “a program that can ‘infect’ other programs by modifying them to include a, possibly evolved, version of itself.”

Of course, this laxity of usage of the “V” word has always held true for most people: not so long ago, I came across the first article I ever wrote on viruses (for a long-gone networking newsletter), and was slightly embarrassed to realize that I talked a lot about payloads and a bit about remediation, but hardly at all about replication or infection vectors. Well, I guess I’ve made up for that in sheer weight of verbiage since…

Of course, the terms “malware” (MALicious softWARE) and “anti-malware” are also much more generally used and recognized nowadays than they were even ten years ago, though not altogether consistently. Where I tend to use “malware” as a generic term that can be applied to any malicious program, I’ve seen “malware” used as shorthand for “non-replicative malware”. I’ve also seen it used as if there was a formal distinction between Trojans and malware: in some cases, that seems to be based on the assumption that Trojans and spyware are different.

How much does it matter? Well, as Chester Wisniewski pointed out in a blog yesterday, accurate classification of malware is vital to the security industry in some contexts. Even a term as generic as malware (at least, as I use the term) can pose interesting questions.

Is self-replication “malicious” by definition? (Cohen wrote at some length about “benevolent” viruses in the early days of computer virology [1], while Vesselin Bontchev took a rather different view [2].)

If samples are generated for a (presumably benevolent) test of an anti-malware product, can they still be described as malware? If not, does that make them acceptable? (In general, I think not, but you might find one of my AMTSO blogs a better starting point for considering that argument, or the AMTSO documentation here.)

So, you may wonder, why am I writing about this at Mac Virus? Because, like Chet, I’m concerned that the AV industry is not, after all, the only group to make decisions on the basis of malware classification. Another such group is the more generalist security industry, which is often quite hostile to AV and sometimes prefers to re-invent its own terminological wheels – personally, I only really care about that practice when those re-inventions cause confusion out in the wider Internet community.

However, Chet also points out that “Many people, especially journalists and Mac users, try to use their understanding of these terms to defend their poor choices in security practices.” Unfortunately, he’s absolutely right.

I’m often told: “There aren’t any Mac viruses.” Actually, there are quite a few Mac-specific viruses, though their effectiveness is largely limited to pre-OS X systems. There are, of course, lots of platform-independent viruses, though Microsoft’s rationalization of its macro implementation in Office applications has severely curtailed their effectiveness. It’s debatable whether there are any OS X viruses (a matter of definition!). But that only matters if you think that only viruses matter, and that’s a view that nowadays is confined to Mac and Linux evangelists. Windows users are all too aware of the risks posed by rootkits, spyware, bots, and Trojans of all sorts.

Of course, the number of such threats that pose a risk to Mac users is tiny, compared to the many thousands of unique malicious Windows binaries that are generated on a daily basis. But there are already more of them than there ever were that threatened pre-OS X systems.

I’ll be talking about Apple security at Infosec in London later this month: if you’re there, come and say hello. (If you can’t make the presentation, leave a message at the ESET stand: I won’t be there all the time, but they can put you in direct touch with me.) The same goes for EICAR, where Pierre-Marc Bureau, Andrew Lee and myself will present a far more detailed paper.

[1] A Short Course on Computer Viruses; It’s Alive! (both books published by John Wiley & Sons)

[2] Are “Good” Computer Viruses Still a Bad Idea? Vesselin Bontchev. http://www.people.frisk-software.com/~bontchev/papers/goodvir.html

*http://en.wikipedia.org/wiki/Terms_of_Endearment

David Harley FBCS CITP CISSP
Mac Virus
Small Blue-Green World
AVIEN Chief Operations Officer
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:
http://www.eset.com/blog
http://avien.net/blog/
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://chainmailcheck.wordpress.com
