eldar@lomi.spb.su (Eldar A. Musaev) (04/11/91)
Writing a book about malicious software, I need a classification. I ask you to discuss the following classification. It is not my classification; I have only formulated common implications and made some attempt to make it complete. Another basis of this classification is the recommendations of the (American) National Institute of Standards and Technology (John Wack, Suggested Reading List for Computer Viruses and Related Problems, September 22, 1989 - Basic Terms). Until now there has been some instability in some terms, so it would be very good to find the best fits. Please send replies to me; I'll summarize the results.

Common name: Malicious Software
Short informal synonym: Badware
Interlanguage synonym: Trojans
Reasons: Any malicious software can be considered as a program with Trojan side effects.

The first-level classification criteria:
a) Duplicating/non-duplicating - i.e. does the program duplicate itself or not?
b) Parasitic/non-parasitic - i.e. does the program attach itself to another program to duplicate itself?

So there are three classes of malicious software:
I. Trojans - non-duplicating, non-parasitic
II. Worms or Bacteriums (this term I've read in French-language papers) - duplicating, non-parasitic
III. Viruses - duplicating, parasitic

I. Trojans - the suggested classification criterion is the origin of the Trojan effect:
I.1. Accidental Trojans or Infirm Programs - programs which have not been sufficiently tested and so contain many errors. Example: the PCShell word-processor, which sometimes loses the file if the disk is full.
I.2. Side Trojans or Programs with bugs (or implanted bugs) - programs with unspecified back entries or other opportunities to deactivate the software or do any harm. Example: software for the French weapon systems sold to Iraq.
I.3. Direct Trojans or Trojan Horses - programs which are specially designed to harm something and which are designed to hide these side effects.
II. Worms or Bacteriums - the suggested classification criterion is the area and media of duplication.
II.1. Network worms - programs which duplicate themselves from node to node in networks. Example: Christmas Tree.
II.2. Local worms - programs which copy themselves *INSTEAD OF* another program. The original program is destroyed in part or as a whole. Other names: Overwriting viruses - Patricia Hoffman; Worms - some French-language papers; Bacteriums - the same place. Suggested short terms: absorbers, destroyers, spoilers ... Which is better?

III. Viruses - the suggested classification criterion for viruses is the kind of link between the virus and a victim and whether the victim's contents are modified.
III.1. Static viruses - the most numerous class of viruses and malicious software. These viruses join to the victims and modify them to get control first. Examples: Vienna, Dark Avenger etc.
III.2. Dynamic viruses - viruses which do not change the contents of the victim and place themselves in separate files, which are logically and dynamically connected with the victim. Example: Spawning viruses (in the terms of Patricia Hoffman), which make COM-twins for EXE-victims, so when calling a victim, the virus gets control first (as a COM-file with the same name) and later dynamically loads and executes the victim. "Spawn" is the C/Unix term for the dynamic call-with-return of a program, so it is a comparatively new term. The older generation of programmers use the terms "attach", "link" or "[dynamically] call".

===== Please reply to me, I'll summarize the results ==================
| Eldar A. Musaev, Ph.D., Researcher          | eldar@lomi.spb.su or       |
| Mathematical Institute, Acad. of Sci.       | lomi.spb.su!eldar@fuug.fi  |
| USSR 191 011 Leningrad Fontanka 27 LOMI AN USSR                          |
========================================================================
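As an added defender's check (not from the post or its author): the III.2 spawning mechanism leaves a simple footprint, a NAME.COM lying beside a NAME.EXE, because DOS tries the .COM before the .EXE when a bare name is typed. The scan below lists such twins in a directory for review; the sample directory and file names it builds are constructed.

```python
import os
import tempfile


def find_com_exe_twins(directory):
    """Return sorted (stem, com_path, exe_path) triples for every base name
    present as both .COM and .EXE in `directory` (case-insensitive).

    A collision is only a lead for the operator: legitimate COM/EXE pairs
    exist, but a COM twin next to an untouched EXE is the trace a
    spawning (companion) virus leaves behind.
    """
    by_stem = {}
    for entry in os.scandir(directory):
        if not entry.is_file():
            continue
        stem, ext = os.path.splitext(entry.name.upper())
        if ext in (".COM", ".EXE"):
            by_stem.setdefault(stem, {})[ext] = entry.path
    return [
        (stem, exts[".COM"], exts[".EXE"])
        for stem, exts in sorted(by_stem.items())
        if ".COM" in exts and ".EXE" in exts
    ]


def twin_is_newer(com_path, exe_path):
    """True when the .COM twin was written after its .EXE.  A legitimate
    pair normally ships together, so a later COM is the more suspicious."""
    return os.path.getmtime(com_path) > os.path.getmtime(exe_path)


def demo():
    """Build a constructed sample directory and map each flagged stem to
    whether its COM twin is newer than the EXE."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("EDITOR.EXE", "TOOL.EXE", "SHELL.COM", "editor.com"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"constructed sample, not a real program\n")
        # Constructed timestamps: the COM twin appears 100 s after the EXE.
        os.utime(os.path.join(d, "EDITOR.EXE"), (1_000_000_000, 1_000_000_000))
        os.utime(os.path.join(d, "editor.com"), (1_000_000_100, 1_000_000_100))
        return {
            stem: twin_is_newer(com, exe)
            for stem, com, exe in find_com_exe_twins(d)
        }
```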