[X-Newbies] Anti-Virus

Alex lists at lexial.ca
Wed Jun 15 06:22:09 PDT 2005


It is useful -- especially for novices -- to distinguish between 
various types of malware; this helps understand what they are, how they 
work, and how they spread. The definitions aren't perfect or 
universally accepted, but here's an approximation. A virus is a 
self-spreading piece of code hidden within some other code, and 
executed when the host code is run. A worm is a stand-alone programme 
which replicates itself using some type of vulnerability. A Trojan 
Horse is a programme which pretends to do something, while doing 
something else. Viruses and worms are self-replicating; Trojans aren't. 
Worms and Trojans are stand-alone programmes, viruses aren't. Spyware 
is any software which records some information about the user, without 
the user's knowledge or approval. A keystroke recorder is not spyware 
if installed by the user (e.g., to record his own actions to create a 
macro); the selfsame piece of software installed without the user's 
knowledge is spyware.

Malware can be installed in stages. For instance, you run a Trojan 
Horse downloaded from Kazaa. The TH pretends to display a slide show; 
but, while it does that, it also installs in the startup items a worm. 
(If your account is admin, no password is necessary.) When you reboot, 
the worm runs, copies itself on any connected boot volumes, and 
installs spyware (a keystroke recorder), which later connects to a web 
site and uploads the recorded data. (This is just an illustration, not 
an actual series of events.)

On Jun 14, 2005, at 19:05, Randy B. Singer wrote:

> [...] There are three Trojans/Worms for OS X: Opener/Renepo, the 
> WordInstaller Trojan, and MP3/Concept. [...]

Of the three, Renepo is the most interesting and dangerous. It is (a) 
self-replicating, and (b) a script. If you regard the script as a 
stand-alone programme, then you describe Renepo as a worm, otherwise 
you describe it as a virus; it is not, in any case, a Trojan Horse. 
Renepo is also spyware (it looks for serial numbers, gathers hashes, 
etc., and may even install a keystroke recorder). And it puts paid to 
any notion that "Mac OS X is safe because it is Unix".

Word Installer (aka "Microsoft Word 2004 OSX Web Install") is a puerile 
Trojan Horse (it is a compiled script, but it is not self-replicating). 
MP3 Concept (which is only a proof-of-concept) is also a Trojan Horse, 
but cleverer than the other one.

> There is spyware for the Macintosh, but it can't be installed via 
> e-mail or a Web site. Installing it requires physical access to the 
> Macintosh, and the user's passwords.

User password is not necessary to install spyware if one has physical 
access -- a bootable device, e.g., CD or FW drive, can be used. In 
Tiger, it is theoretically possible to install spyware w/o physical 
access with a widget. It is even conceivable to do so without widgets, 
piggy-backing on sudo. But, it should be stressed that these are 
conceivable, rather than actual, threats.
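A defender-side check for the "installs in the startup items" stage described above, added here as an example that is not part of the original post or the thread: it walks the startup directories you hand it (on a system of that era, /Library/StartupItems) and flags entries that are writable by everyone or were changed within the last week. The sample tree it builds is constructed for the demonstration; the path and time window are assumptions.

```python
import os
import stat
import tempfile
import time
from pathlib import Path

def _check(path, now, window):
    """Flag one entry: writable by everyone, or changed within the window."""
    st = path.lstat()
    out = []
    if st.st_mode & stat.S_IWOTH:
        out.append((str(path), "world-writable"))
    if now - st.st_mtime < window:
        out.append((str(path), "recently modified"))
    return out

def audit_startup_items(dirs, window=7 * 24 * 3600, now=None):
    """Return (path, reason) findings for every item under the given dirs."""
    now = time.time() if now is None else now
    findings = []
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for item in sorted(base.iterdir()):
            findings += _check(item, now, window)
            exe = item / item.name  # a StartupItem bundle's executable
            if item.is_dir() and exe.exists():
                findings += _check(exe, now, window)
    return findings

def build_sample_tree():
    """Constructed throwaway tree: one old benign item, one fresh writable one."""
    root = Path(tempfile.mkdtemp()) / "StartupItems"
    benign = root / "Benign"
    benign.mkdir(parents=True)
    (benign / "Benign").write_text("#!/bin/sh\necho benign\n")
    old = time.time() - 90 * 86400  # pretend it was installed months ago
    for p in (benign / "Benign", benign):
        os.utime(p, (old, old))
        os.chmod(p, 0o755)
    dropped = root / "Slideshow"  # a freshly dropped, world-writable item
    dropped.mkdir()
    (dropped / "Slideshow").write_text("#!/bin/sh\necho dropped\n")
    os.chmod(dropped / "Slideshow", 0o777)
    return root

if __name__ == "__main__":
    for path, reason in audit_startup_items([build_sample_tree()]):
        print(f"{reason:18} {path}")
```

Run it as root against the real directories and treat every finding as something to explain, not necessarily as malware: a legitimate package update also produces a fresh modification time.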
