Trojan or Worm?

by Chris Josephes


Summary of OSX/Oompa-A from AmbrosiaSoftware.

Summary of OSX/Oompa-A from Sophos.

Summary of OSX/Oompa-A from Symantec.


Each report describes the basics of Oompa-A, yet they all reach different conclusions about what it is. Sophos, in fact, has no idea what to call it, so they're saying it's both a worm and a virus.



I'm leaning a little more towards the trojan side myself. Oompa isn't capable of doing anything without some form of user intervention, and that includes its propagation to other users.



A trojan isn't defined just by a user clicking on an icon; it's the art of deceiving the end user. Nobody would have excitedly clicked on their personal 401k statement the way they clicked on what were supposedly screen shots of OS X Leopard.



I won't deny the fact that it propagates, but maybe that is just a sign that the old malware definitions of virus, worm, trojan, and logic bomb aren't suitable for pigeonholing entire programs. Most malware nowadays uses techniques from all four in order to infect as many hosts as possible.



Whether a program is a worm or a virus is not really important. What end users need to understand are the infection vectors, the propagation methods, the sustainability of the program, the threat level, and the potential damage. Any additional hype on top of that is usually just added on to sell you anti-virus (or anti-trojan?) software.



Maybe the time has come to stop using terms like virus or worm, and just create one cool sounding word for all forms of harmful software.



6 Comments

mpeters
2006-02-17 10:01:21
cool "new" word
Does malware not work for you?
cpj
2006-02-17 10:16:20
cool "new" word
Malware meets the definition, but it doesn't have the high coolness factor of trojan or logic bomb.


When you say malware, you usually need to follow it up with the definition. Virus, on the other hand, is most commonly associated with something that's bad for you.


Hoild
2006-02-18 11:16:37
Requires running as admin for doing any harm...
Please, Chris, don't overlook the fact that it even requires a user with administrative rights to run it in order to infect anything.
It is harmless when launched by a normal user.


Let's stick with categorising it as a "trojan" considering such an important bit of detail...

cpj
2006-02-18 12:59:27
Requires running as admin for doing any harm...
This article was not meant to be critical of OS X security, or of the effectiveness of Oompa as a valid trojan. My only point was that there is disagreement about how it is classified.


The Sobig worm, for example, propagates by email, and it requires a user to click on the attachment to launch it. Does that make it a worm, or a trojan, or both?

gary.w.longsine
2006-02-23 21:35:55
over-hyped, but indicative
Although this particular bit of malware has been over-hyped, it does serve to illustrate that social engineering can be used to spread malware on Mac OS X. The 64 thousand dollar question is, "how fast"? Malware that requires administrator access will probably spread more slowly on Mac OS X. However, user data files can be compromised without administrator access.


This malware clearly isn't a worm, however. See the fine Wikipedia entry on Computer Worms (http://en.wikipedia.org/wiki/Computer_worm) for good background on why not (the short answer is that a worm spreads from system to system without human intervention -- no need to click an attachment, etc.)


/gary
http://antiworm.blogspot.com/

cpj
2006-02-24 06:21:55
over-hyped, but indicative
The Wikipedia entry says that the worm does not require intervention, but it does not explicitly say "no need to click on an attachment".


Further in the entry, it references the MyDoom computer worm. The MyDoom worm (http://en.wikipedia.com/wiki/Mydoom) requires a user to click on an email attachment in order to execute.


There's still the difference between MyDoom and Oompa in that Oompa requires prompting for root access, which has harshly affected its ability to propagate. Other than that, both pieces of malware use social engineering in order to get the user to open the attachment.


I'm not saying that you're right or I'm right, but there isn't a clear definition of when the "user interaction" happens that changes the basic definition of a worm.