Discussion:
Sophos and the Blaster Worm
HiWi
2003-08-18 12:07:48 UTC
Did anyone have an idea whether Sophos was able to scan Blaster
before other anti-virus programs could? And if not: is Sophos still as
good as antivirus software like Norton or McAfee, or is it even
better?

thanks for your answer

bernd

freiburg
W.B.
2003-08-18 14:39:36 UTC
Post by HiWi
Did anyone have an idea whether Sophos was able to scan Blaster
before other anti-virus programs could? And if not: is Sophos still as
good as antivirus software like Norton or McAfee, or is it even
better?
thanks for your answer
bernd
freiburg
Blaster really isn't a 'virus' but rather a worm. Anti-virus products could
tell you if you had the worm, but not really prevent you from getting it.
Only patching could actually prevent infection. Sophos issued their IDE
file for Blaster A on Monday 11, about 5:30 PM CDT. Not sure about the
others. I have used Sophos products quite extensively; nobody does it
better for the corporate environment.
FromTheRafters
2003-08-18 23:56:19 UTC
Post by W.B.
Post by HiWi
Did anyone have an idea whether Sophos was able to scan Blaster
before other anti-virus programs could? And if not: is Sophos still as
good as antivirus software like Norton or McAfee, or is it even
better?
thanks for your answer
bernd
freiburg
Blaster really isn't a 'virus' but rather a worm.
The distinction between the two being?....
Post by W.B.
Anti-virus products could tell you if you had the
worm, but not really prevent you from getting it.
Couldn't they prevent it from becoming active?
Do you actually *have* the worm if the worm's
executable hasn't executed on your machine?
Post by W.B.
Only patching could actually prevent infection.
Infection? :O) Okay, the patch prevents the intrusion,
but the worm's executable would still be able to affect
the computer if it were somehow to find its way onto
the machine. A *patched* machine can still act as the
worm's file server to the rest of the network can't it?
W.B.
2003-08-19 14:04:14 UTC
Post by FromTheRafters
Post by W.B.
Blaster really isn't a 'virus' but rather a worm.
The distinction between the two being?....
Although the lines have blurred several times over the course of history,
currently 'viruses' depend on human interaction, 'worms' do not. I guess you
could call early MBR infectors 'worms' with that definition, but I chalk it
up to how the terminology has evolved.
Post by FromTheRafters
Post by W.B.
Anti-virus products could tell you if you had the
worm, but not really prevent you from getting it.
Couldn't they prevent it from becoming active?
Maybe, maybe not. In any case anti-virus is not what I would turn to in
the case of a worm attack.
Post by FromTheRafters
Do you actually *have* the worm if the worm's
executable hasn't executed on your machine?
Debatable.
Post by FromTheRafters
Post by W.B.
Only patching could actually prevent infection.
Infection? :O) Okay, the patch prevents the intrusion,
but the worm's executable would still be able to affect
the computer if it were somehow to find its way onto
the machine. A *patched* machine can still act as the
worm's file server to the rest of the network can't it?
To clarify, patching would stop the mode of transport for the worm. If you
were dumb enough to, say, put the msblast.exe file on a floppy and execute
it on others' computers, then yes you are correct. A patched machine could
still act as an infector.
FromTheRafters
2003-08-20 01:03:52 UTC
Post by W.B.
Post by FromTheRafters
Post by W.B.
Blaster really isn't a 'virus' but rather a worm.
The distinction between the two being?....
Although the lines have blurred several times over the course of history,
currently 'viruses' depend on human interaction, 'worms' do not.
Interesting view. But that would make the KaZaA worms neither.
Most if not all of the p2p worms don't autoexecute.
Post by W.B.
I guess you
could call early MBR infectors 'worms' with that definition, but I chalk it
up to how the terminology has evolved.
I kind of look at it like the virus has to infect a cellular unit (program)
and the worm doesn't have to. I agree that the terminology is changing
and at times seems vague, and just wanted your opinion on the difference
between the two since you saw fit to state that there *is* a difference.
Post by W.B.
Post by FromTheRafters
Post by W.B.
Anti-virus products could tell you if you had the
worm, but not really prevent you from getting it.
Couldn't they prevent it from becoming active?
Maybe, maybe not. In any case anti-virus is not what I would turn to in
the case of a worm attack.
Neither would I, especially in the case where a worm uses an exploit
such as this one. If it were a purer type of worm, AV wouldn't be any
help at all.
Post by W.B.
Post by FromTheRafters
Do you actually *have* the worm if the worm's
executable hasn't executed on your machine?
Debatable.
Indeed it is. ;o)
Post by W.B.
Post by FromTheRafters
Post by W.B.
Only patching could actually prevent infection.
Infection? :O) Okay, the patch prevents the intrusion,
but the worm's executable would still be able to affect
the computer if it were somehow to find its way onto
the machine. A *patched* machine can still act as the
worm's file server to the rest of the network can't it?
To clarify, patching would stop the mode of transport for the worm.
Evidently the only vector coded into the program, but not the
only way to distribute the program.
Post by W.B.
If you
were dumb enough to, say, put the msblast.exe file on a floppy...
A germ by any other name would still stink. Many people are
dumb enough to download and execute unknown programs
that promise to make their porn viewing or music stealing
activities easier.
Post by W.B.
...and execute
it on others' computers, then yes you are correct. A patched machine could
still act as an infector.
Never underestimate stupidity. ;o)
Tetsuo
2003-08-20 02:54:17 UTC
Post by FromTheRafters
Post by W.B.
Post by FromTheRafters
Post by W.B.
Blaster really isn't a 'virus' but rather a worm.
The distinction between the two being?....
Although the lines have blurred several times over the course of history,
currently 'viruses' depend on human interaction, 'worms' do not.
Interesting view. But that would make the KaZaA worms neither.
Most if not all of the p2p worms don't autoexecute.
Post by W.B.
I guess you
could call early MBR infectors 'worms' with that definition, but I chalk it
up to how the terminology has evolved.
I kind of look at it like the virus has to infect a cellular unit (program)
and the worm doesn't have to. I agree that the terminology is changing
and at times seems vague, and just wanted your opinion on the difference
between the two since you saw fit to state that there *is* a difference.
Isn't it simpler (and more metaphorically elegant) to speak about a worm
carrying a virus?

--
Tetsuo
FromTheRafters
2003-08-20 03:07:59 UTC
Post by W.B.
Post by FromTheRafters
Post by W.B.
Post by FromTheRafters
Post by W.B.
Blaster really isn't a 'virus' but rather a worm.
The distinction between the two being?....
Although the lines have blurred several times over the course of
history,
Post by FromTheRafters
Post by W.B.
currently 'viruses' depend on human interaction, 'worms' do not.
Interesting view. But that would make the KaZaA worms neither.
Most if not all of the p2p worms don't autoexecute.
Post by W.B.
I guess you
could call early MBR infectors 'worms' with that definition, but I chalk
it
Post by FromTheRafters
Post by W.B.
up to how the terminology has evolved.
I kind of look at it like the virus has to infect a cellular unit
(program)
Post by FromTheRafters
and the worm doesn't have to. I agree that the terminology is changing
and at times seems vague, and just wanted your opinion on the difference
between the two since you saw fit to state that there *is* a difference.
Isn't it simpler (and more metaphorically elegant) to speak about a worm
carrying a virus?
...and a virus carrying a worm ~ both.

In many cases it is exactly so, for instance Klez had a worm
component which carried its executable (which was also a
file infecting virus) through the network in the form of a mass
mailer. It also had a virus dropper which dropped an Elkern
variant. Some of its subject lines and attachment names could
even make it qualify as a trojan.

As has been discussed here before, these terms are not mutually
exclusive, and one program can be many things.

You could view such a thing as a virus with a worm payload,
*and* a worm with a virus payload.
W.B.
2003-08-20 14:22:03 UTC
Post by FromTheRafters
Never underestimate stupidity. ;o)
Boy, have I learned that the hard way. ;)
FromTheRafters
2003-08-20 19:30:26 UTC
Post by FromTheRafters
Post by W.B.
Post by HiWi
Did anyone have an idea wether sophos was able to scan the
blaster before other anti virus programs could? and if not: is
sophos still as good as an antivirus software like norton or
mcafee, or is it even better?
thanks for your answer
bernd
freiburg
Blaster really isn't a 'virus' but rather a worm.
The distinction between the two being?....
In this case, the distinction is truly valid, a worm spreads without
user intervention,
..or sometimes with. Clicky mass mailers are still worms, no?
sort of, but true worms, like the Morris worm, or ADM or CodeRed don't
need that bit. I'd say many of the massmailer worms are actually hybrid
trojans. You don't click them, they don't do stuff you didn't intend -
classic definition of a trojan.
So it must be because they are replicative, and don't "infect"
(and are too overqualified to be mere rabbits) that they must
fall into that catch-all worm category?
and without a host file, a virus spreads by infecting host
files after a user (or system) intervention.
So, stating that it is not a virus, but rather a worm, and then
talking about its infection is a confusion of terminology? I
thought one of the distinctions was that worms don't infect.
The late Mr Widlake used to say "viruses infect, worms infest", it's not
entirely satisfactory, but it's close enough for jazz.
Taking individual "programs" as "cells" then worms do their
thing without the necessity of invading the cell, or the functional
equivalent of invading the cell (companion method). However,
their *thing* must involve replication or else they are not even
worms.
Post by FromTheRafters
Post by W.B.
Anti-virus products could tell you if you had the
worm, but not really prevent you from getting it.
Couldn't they prevent it from becoming active?
Do you actually *have* the worm if the worm's
executable hasn't executed on your machine?
No, you don't. You have a sample :-)
I like this answer. Many people here will still call it an
infection though.
Many people believe all sorts of strange things, it don't make them right
:)
True enough. I'm still wondering whether or not I should
consider a trojan program which invades the "cell" to make
its function run under the guise of the host program, to be
an "infection" since most definitions I have heard require
that "infection" applies only if the function includes self
replication.

I still like Simon's "infest" rather than "infect" for worms,
and personally like to use "affected" rather than "infected"
when speaking of non-replicative malware.

Too many of the AV and other security sites refer to how
a trojan infects, when to me it seems that it doesn't do so.
Andrew Lee
2003-08-21 09:39:26 UTC
[snip]
Post by FromTheRafters
Post by FromTheRafters
The distinction between the two being?....
In this case, the distinction is truly valid, a worm spreads
without user intervention,
..or sometimes with. Clicky mass mailers are still worms, no?
sort of, but true worms, like the Morris worm, or ADM or CodeRed
don't need that bit. I'd say many of the massmailer worms are
actually hybrid trojans. You don't click them, they don't do stuff
you didn't intend - classic definition of a trojan.
So it must be because they are replicative, and don't "infect"
(and are too overqualified to be mere rabbits) that they must
fall into that catch-all worm category?
Classic rabbits delete themselves after replication - so they only pop up
on one host at a time - very hard to kill.
The mass mailer type of worm does act in a worm like way, but some of them
have a trojan portion. Some of course exploit vulnerabilities on the mailer
client, so this is more classically a worm. They are not falling into a
catch all - many people consider worms to be subsets of viruses (some very
respected researchers don't even make that distinction)
Post by FromTheRafters
and without a host file, a virus spreads by infecting host
files after a user (or system) intervention.
So, stating that it is not a virus, but rather a worm, and then
talking about its infection is a confusion of terminology? I
thought one of the distinctions was that worms don't infect.
The late Mr Widlake used to say "viruses infect, worms infest", it's
not entirely satisfactory, but it's close enough for jazz.
Taking individual "programs" as "cells" then worms do their
thing without the necessity of invading the cell, or the functional
equivalent of invading the cell (companion method). However,
their *thing* must involve replication or else they are not even
worms.
I don't really like the biological analogies, they only work so far, but in
this case, think of it like this - a virus infects cells by splicing its
own DNA into the host cell - so every time the cell divides the virus is
replicated. Worms live in the stomach (or skin etc) of the host, and have
their own replication mechanism - in other words, the virus requires the
mechanism of the cell to replicate, the worm just uses the host as fuel for
replication. Essentially, worms are parasitic on the host. As with computer
worms, worms are less "damaging" to the host - though that doesn't mean
that they won't kill you from secondary infection - or from using up all
your resources - but consequently they are easier to clean.
Post by FromTheRafters
Post by FromTheRafters
Post by W.B.
Anti-virus products could tell you if you had the
worm, but not really prevent you from getting it.
Couldn't they prevent it from becoming active?
Do you actually *have* the worm if the worm's
executable hasn't executed on your machine?
No, you don't. You have a sample :-)
I like this answer. Many people here will still call it an
infection though.
Many people believe all sorts of strange things, it don't make them right
:)
True enough. I'm still wondering whether or not I should
consider a trojan program which invades the "cell" to make
its function run under the guise of the host program, to be
an "infection" since most definitions I have heard require
that "infection" applies only if the function includes self
replication.
Think of a Trojan like being a chocolate bar that turns out to be made of
shit. You eat it, you're going to be pretty ill, it may even kill you, but
it's not going to spread to anyone else - of course it opens you up to all
sorts of infections and other nasties from everywhere else (or even that it
may be carrying) Faeces are a classic carrier of worm eggs for instance.
Post by FromTheRafters
I still like Simon's "infest" rather than "infect" for worms,
and personally like to use "affected" rather than "infected"
when speaking of non-replicative malware.
Yes, though I think it deserves a greater clarity, viruses infect files on
individual machines, worms infest networks of many machines. Of course,
that doesn't have quite the soundbite quality of the original :)
Post by FromTheRafters
Too many of the AV and other security sites refer to how
a trojan infects, when to me it seems that it doesn't do so.
Well, I wouldn't lose sleep over it, it's not technically accurate, but for
general purpose use, most users just want to know that the thing that's
buggering up their PC is going to be removed.


cheers
--
Andrew Lee | ***@gladius.f9.org.uk \PGP:DC84 FD28 DA8A E38A A9DD|
AVIEN Founding Member |http://avien.org \ID:18A9 AFAD 5422 43F1 4C81|
// It is not certain that everything is uncertain -- Blaise Pascal
// Opinions expressed are my personal views, not those of my employer
FromTheRafters
2003-08-20 20:08:53 UTC
I won't get in the whole worm - virus , blah blah blah debate. But with
Blaster here's the wrinkle people seem to miss, although it should be the
most obvious bit!
The MS bug is the real problem, the worm is incidental. An 'infection'
facilitates propagation. That's all.
Yes, that is what I have tried to point out. The vulnerability itself
is very dangerous to leave unpatched, forget the worm ~ patch
the vulnerability.

...and on the flip side, a patch doesn't make the system immune
to the worm, it only closes the primary way it gains access. Okay,
granted it is the *only* vector coded into the worm itself, but it
is not the only vector used by the distributor.
The system issues, whether the 'shutdown' issue in XP, or the many other
symptoms exhibited by Win2k systems do not require infection at all. If the
system hasn't been patched to prevent the exploit, AV software could stop
the executable from being dropped,
I think that local AV must allow the drop, at least temporarily,
but I'm not sure. Anyway, the method used to run the executable
is by the OS's assistance, not by exploitation, so the AV should
be able to intervene at that point. If people think that their AV is
enough to catch this worm, maybe that is so, but what about the
vulnerability itself and other malware that exploits it.
and by doing so prevent the local machine
from spreading the worm but it can't stop the 'exploit'. RPC! Look it up.
I have. Most of my posts on this subject address just this
thing that you mention.
The code that causes the shutdown issues isn't running locally.
Yes it is, it is running through the local buffer overrun. In some
cases the exploit code doesn't have the desired effect on the
local system and thus causes the problems.
Patching prevents the exploit, but won't prevent the worm from spreading if
the system was already 'infected'.
True, and it won't stop the system from becoming affected
by the worm's entrance through some other vector. I don't
know whether or not the worm's executable is OS specific,
but if you ignore the vulnerability's OS specificity to get the
executable onboard, other OSes are still affectable unless
for some reason the worm executable won't work on those
OSes.

There is the "pure worm" aspect of a vulnerability such as
this, which (if the affected buffer were large enough) would
have been a problem in and of itself like the Sapphire worm,
*and* the other less pure worm aspect that might not be as
OS specific as the former. It may be a mistake to treat this
worm as if it doesn't affect some OSes just because it only
normally uses that particular exploit to gain control.

This would have been more obvious if this worm had been
coded as a multiple vector worm.
ImhoTech
2003-08-20 21:24:10 UTC
Post by FromTheRafters
The code that causes the shutdown issues isn't running locally.
Yes it is, it is running through the local buffer overrun. In some
cases the exploit code doesn't have the desired effect on the
local system and thus causes the problems.
Correct, I should have been more specific. What I should have said is that
there is no viral (wormal just doesn't sound right) code run locally that
would be detected by AV software, the exploit originating from a remote
infected computer. There would only be detection when the worm successfully
begins a file drop. At that point the AV software will stop the transfer,
effectively preventing infection, but never preventing the 'symptoms'.