What exactly is "koobworm" ???

FromTheRafters

Virus Guy said:

Yes, it uses network replication (typical of many worms)
It does not place a copy of itself on the server that it advertises via its spam links or postings.

Could you give me an exact malware name for the malware we are talking
about so that we don't end up talking about different things?

The ones I've seen do indeed serve the malware from the server.
It does not place a copy of itself on the destination PC.

True, but they take steps (programmatically) to enhance the probability
that the victim user will do so.
It _wants_ for a copy of itself to end up on other PCs (as does all
malware) but it no more puts that copy there than the typical trojan
does for itself.

True, but you seem to be stuck on the idea that all worms are automatic
worms.
No. Whoever controls the spamvertised server has put a copy of Koob on that server.

There is user controlled space on those (Facebook?) servers.
When a new PC becomes infected, that copy came from a
server - not some other infected PC.

True again, but that does not disqualify the malware as being a worm
A worm does not require the use of a third PC when spreading from
machine 1 to machine 2.

Who says?
Worms are not served. Trojans are served. Koob is a trojan.

As usual, you start out asking and end up telling.
Explain how I can have any form of malware end up on my PC _without_
replication.

I meant recursively replicating (since we are talking about worms and/or
viruses I thought it was understood)
Your use of the concept of "replication" is strange in this context.

I will try to be more careful with my wording.
The requirement for it to need a server to spread makes it a trojan and
not a worm.
Wrong.


From what I can tell, there is no clear definition of virus that
sufficiently or clearly delineates it from either trojan or worm.

"Worms and viruses are both common types of self-replicating malware but
differ in their method of replication (Grimes, 2001; Harley, Slade, and
Gattiker, 2001; Szor, 2005). A computer virus depends on hijacking
control of another (host) program to attach a copy of its virus code to
more files or programs. When the newly infected program is executed, the
virus code is also executed. In contrast, a worm is a standalone
program that does not depend on other programs (Nazario, 2004). It
replicates by searching for vulnerable targets through the network, and
attempts to transfer a copy of itself. Worms are dependent on the
network environment to spread."

from

http://lyle.smu.edu/~tchen/papers/network-worms.pdf

and...

"A computer virus is a self-replicating program containing code that
explicitly copies itself and that can "infect" other programs by
modifying them or their environment such that a call to an infected
program implies a call to a possibly evolved copy of the virus."

From who knows where - an expanded form of Fred Cohen's definition.
Only trojans and worms appear to have a few clear distinctions in terms
of how they spread and the level of operator intervention required. In
that regard, a true worm can spread from PC-1 to PC-2 without the aid of
a third PC to act as a server and without the need for human activity or
action. Koob is not such a worm.

Many people use the term "true worm" to describe automatic worms.
Nevertheless, the *other* worms do exist and will continue to be called
worms. It is more about the resultant behavior than it is about the
method used to achieve that end.
I asked if transmitting or posting a URL qualifies as a worm
transmission method. You said yes, and then you immediately went on to
describe file copying to shared directories. The two are hardly the
same phenomena. So you'd better come up with a better answer because
that one didn't work.

See "network replication". Here is an example from my Google search.

http://csrc.nist.gov/publications/nistir/threats/subsection3_3_2.html
Koob does not replicate itself. It tricks people into downloading more
copies of itself from a server.

....and as such does recursively replicate without using a host program
to do so.
Koob requires a functioning server with known coordinates in order to
spread. A true worm seeks out on its own the next destination PC and
directly transmits a copy of itself to that PC. Koob does not do this.

Says who?
Why are you so insistent on making a case that koob is a worm, to the
extent of stretching the definition of what a worm is?


Your answer was as clear as mud. Please reformulate and restate your
response to that question.

As with the virus, the replicant can be a "possibly evolved" or
"morphed" copy rather than an exact copy.
Worms don't need polymorphism if they are leveraging an exploit that
successfully allows themselves to spread from one PC to the next without
human intervention.

They do if they want to avoid (or delay) detection.
 
Virus Guy

FromTheRafters said:
Who says?

If there is going to be a distinction made today between what is a
trojan and what is a worm, then I'd make the case that the single most
useful criteria or requirement for a worm is that it can spread from one
machine directly to another without requiring an intermediate server,
and possibly that such spreading can be done without requiring human
assistance.

The most obvious mechanism is the exploitation of various netbios
vulnerabilities, followed by network shares (but note that placing a
copy of itself on a shared directory of another machine does not guarantee
that it will actually execute on that machine and spread further).
Spreading via "sneaker-net" (auto-run exploitation on removable media
for example) would also qualify.

Any other mode of distribution that involves a third server machine
(where the malware is really hosted) would take it out of the realm of
being a worm and make it just an ordinary virus or trojan.

If you want to make the case that something can be a worm even if it
doesn't spread from one machine directly to another without requiring a
third machine to act as a server, then what else (in your opinion)
becomes the central characteristic for something to be called a worm?

I note that nobody else wants to venture an opinion or comment. Not
even you - Lipman?
 
FromTheRafters

Virus Guy said:
If there is going to be a distinction made today between what is a
trojan and what is a worm, then I'd make the case that the single most
useful criteria or requirement for a worm is that it can spread from one
machine directly to another without requiring an intermediate server,
and possibly that such spreading can be done without requiring human
assistance.

First, let me thank you for snipping.

If a malware writer places a trojan where it can be downloaded and
executed, this is a distribution method. If a program places trojans
where they can be downloaded and executed, this is an automated
distribution system. If the program doing the placing is the functional
equivalent of the program being placed - it is a worm. Recursive
replication is wormsign (unless it infects a host program with itself -
in which case it is a virus). It doesn't matter how many stages the
program goes through, or how many fragments there are running on how
many different machines. As long as it eventually comes around to being
a functionally equivalent new instance (at least twice), it can be
considered recursively replicating - and a worm. A virus' copying itself
is explicit, while the worms' can be implicit (network replication).
The most obvious mechanism is the exploitation of various netbios
vulnerabilities, followed by network shares (but note that placing a
copy of itself on a shared directory of another machine does not guarantee
that it will actually execute on that machine and spread further).

True, but I can just about guarantee that *someone* really really really
must see the dancing pigs.

Even if the dancing pig displaying program has in its EULA that
something else will happen that you would not approve of.

Some worms of recent past have actually shown that clickme.exe works
just fine. I'm pretty sure malware.exe or don'tclickme.com would work
too.
Spreading via "sneaker-net" (auto-run exploitation on removable media
for example) would also qualify.

So, auto execution is your main concern? Put users back in the loop, and
you have only attenuated the effect a little bit. Certainly there will
be no "Warhol clickworms" - but having users involved like this is no
real obstacle to a worm. To be sure, a virus may or may not involve user
action in its cycle, so why put that restriction on a worm when
infection already provides a dichotomy?
Any other mode of distribution that involves a third server machine
(where the malware is really hosted) would take it out of the realm of
being a worm and make it just an ordinary virus or trojan.

Actually - it takes it one step closer to being an octopus.
If you want to make the case that something can be a worm even if it
doesn't spread from one machine directly to another without requiring a
third machine to act as a server, then what else (in your opinion)
becomes the central characteristic for something to be called a worm?

Central - it recursively replicates without requiring infecting a host
program to do so.
I note that nobody else wants to venture an opinion or comment. Not
even you - Lipman?

David disagrees with the dichotomy, and prefers that all worms are
contained within the "virus" set.

....funny, he seems fairly reasonable at other times :blush:

He strongly opposes trojans being called viruses because he favors the
dichotomy there. If it doesn't recursively replicate, it should not be
called a virus or a worm even though it appears as a trojan in some part
of its lifecycle.

The subject has been talked to death, with very little consensus, over
the years and that is not expected to change.
 
Virus Guy

Ant said:
More interesting to me are the technical details of what it
actually does when run. There are descriptions available on
the web, for example from Symantec and McAfee.

I have only found very general explanations for what koob does.

Nothing specific, such as registry changes, changes to autorun, how does
it hook itself into a system, how does it hide itself when running, does
it interfere with other processes (AV, etc) running on the infected
system, what ports does it listen to, what additional payloads does it
seek out and download.
 