walker@AEDC-VAX.AF.MIL (William Walker C60223 x4570) (04/28/91)

There's enough confusion in the anti-virus community already, without
the confusion resulting from the differences in terminology. I'm sure
there's nothing new in that statement. Eldar A. Musaev has a good
start at eliminating the confusion in the terminology, and he's going
about it in a good way: defining differences in function and
classifying by function. However, his using "Christmas Tree" (I
assume the BITNET CHRISTMAS EXEC) as an example of a Network Worm
doesn't seem quite right to me. Even if he didn't mean the CHRISTMAS
EXEC, it still doesn't fit neatly into his classifications (see
Virus-L V4 I60).

The CHRISTMAS EXEC on BITNET would, in my opinion, be a Trojan Horse
rather than a Worm. The definitions of a Trojan Horse that I have
seen state that a Trojan Horse is a [standalone] program which
purports to do one thing (and may in fact do it), but covertly does
another, malicious thing. CHRISTMAS fits this description; however,
CHRISTMAS also replicates. So, where's the distinction?

Perhaps the function of replication could be divided into independent
and dependent. Independent replication would be that, once started,
the replication process would continue without outside assistance.
Dependent replication would be that the replication process would
occur only while the parent/host/whatever program is running. In this
way, CHRISTMAS EXEC could be separated from, say, the Internet worm:
CHRISTMAS is a dependent replicator, while the Internet worm is an
independent replicator.

However, with this addition, a new problem arises. How does one
classify NON-resident malicious programs such as Amstrad, Vienna, or
405? They're dependent replicators as well. Would they be separated
from resident malicious programs such as Stoned, Jerusalem, or Yankee
Doodle?

Another distinction which should be made is the difference between a
standalone program, an overwriting program, and a parasitic program.
Eldar Musaev separates parasitic by saying it attaches itself to
another file, but he lumps the other two under "non-parasitic." I
believe that they should be kept separate. A standalone program is
just that, and requires no other program to help it run and/or spread.
An overwriting program, though it doesn't attach itself to a file and
is itself a complete program, requires that a host/"victim" file be
present for it to replace. Similarly, a "spawning" program requires
that a host/victim file be present for it to spawn to. A boot-sector
virus could be classified similarly, depending on how it treats the
original boot sector.

Using these further separations, the functional criteria could now become:

     I. Replication
        1. Non-replicator
        2. Dependent Replicator
        3. Independent Replicator
    II. Host Basis
        1. Standalone (non-host-based)
        2. Host-based
           a. Spawning
           b. Overwriting
           c. Parasitic

If the term "bacterium" (plural "bacteria") is used for host-based
dependent replicators, and "virus" ("virii") is used for host-based
independent replicators (for lack of better terms to separate the two),
the resulting classifications could now become:

     I. Standalone Non-replicators
           Trojan Horses           Example: ARC 5.13
    II. Spawning Non-replicators
           Spawning Trojans
   III. Overwriting Non-replicators
           Overwriting Trojans     Example: Twelve Tricks
    IV. Parasitic Non-Replicators
           Parasitic Trojans
     V. Standalone Dependent Replicators
           Replicating Trojans     Example: CHRISTMAS EXEC
    VI. Standalone Independent Replicators
           Worms                   Example: Internet Worm
   VII. Spawning Dependent Replicators
           Spawning Bacteria       Example: Aids II
  VIII. Overwriting Dependent Replicators
           Overwriting Bacteria    Example: 382 Recovery
    IX. Parasitic Dependent Replicators
           Bacteria                Example: Vienna
     X. Spawning Independent Replicators
           Spawning Virii
    XI. Overwriting Independent Replicators
           Overwriting Virii
   XII. Parasitic Independent Replicators
           Virii                   Example: Jerusalem

Some of the resulting combinations don't have examples at this time,
and some of those (such as a parasitic non-replicator) are not likely.
Also, some people may say that the Lehigh virus is an overwriting
virus. I would call it parasitic, since it is not a complete program
by itself, but attaches itself to COMMAND.COM, even though it
overwrites the stack space.

Well, that's my two cents worth. I hope it can be of some help. The
names given for the different combinations are just suggestions; they
don't have to be used (For that matter, NONE of this HAS to be used
:-) ). In fact, I'm sure that someone could come up with better names
for some of these.

Bill Walker                              |
OAO Corporation                          |
Arnold Engineering Development Center    | "I'd like to solve the puzzle, Pat"
M.S. 120                                 |
Arnold Air Force Base, TN 37389-9998     |

martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences) (04/30/91)

walker@AEDC-VAX.AF.MIL (William Walker C60223 x4570) writes:

>If the term "bacterium" (plural "bacteria") is used for host-based
>dependent replicators, and "virus" ("virii") is used for host-based
>independent replicators ( for lack of better terms to separate the two

The biologists amongst us would be much happier if you reversed these
two names, since a virus is a much more dependent organism than is a
bacterium. A virus uses the host biochemical mechanisms to replicate,
while a bacterium has its own. So the dependent replicators should be
called virii and the independent ones bacteria, assuming we want to be
consistent with the analogy.

Tim Martin
Soil Science
University of Alberta