  1. #1
    New Lounger

    Why is SOBIG a worm?

    The issue of the WWW newsletter that I just received calls SOBIG a "worm". Why is this a worm, and not a virus? I thought that a worm entered your system by itself (like MS-Blaster or Welchia), and a virus had to be executed. Thanks.

  2. #2
    Platinum Lounger

    Re: Why is SOBIG a worm?

    Sophos has a Glossary of terms, which you can wade through.

    Here's a definition of trojan, virus and worm.

    McAfee says:
    QUOTE
    What is a Virus?
    A virus is a manmade program or piece of code that causes an unexpected, usually negative, event. Viruses are often disguised games or images with clever marketing titles such as "Me, nude."

    What is a Worm?
    Computer Worms are viruses that reside in the active memory of a computer and duplicate themselves. They may send copies of themselves to other computers, such as through email or Internet Relay Chat (IRC).

    What is a Trojan Horse?
    A Trojan horse program is a malicious program that pretends to be a benign application; a Trojan horse program purposefully does something the user does not expect. Trojans are not viruses since they do not replicate, but Trojan horse programs can be just as destructive.

    Many people use the term to refer only to non-replicating malicious programs, thus making a distinction between Trojans and viruses.

    UNQUOTE

    ... and so on, Googling...
    John

    Ita, esto, quidcumque...

  3. #3
    Gold Lounger

    Re: Why is SOBIG a worm?

    Because of the way it spreads I believe, but the words are both being used by every big company under the SOBIG tent--it copies itself via network shares and email using its own SMTP engine and gathers target email addresses from files with the extensions WAB, DBX, HTM, HTML, EML and TXT.

    Technically this worm is a virus--I don't know that there is a firm bright line distinction, and if there is someone will showcase it I'm sure. All of the big companies are using the word interchangeably in discussions of it.


    Virus
    A program or code that replicates; that is, infects another program, boot sector, partition sector, or document that supports macros, by inserting itself or attaching itself to that medium. Most viruses only replicate, though, many do a large amount of damage as well.


    Worm
    A program that makes copies of itself; for example, from one disk drive to another, or by copying itself using email or another transport mechanism. The worm may do damage and compromise the security of the computer. It may arrive in the form of a joke program or software of some sort.



    How SOBIG arrives
    What is SOBIG and how do I get it?
    W32.Sobig.E@mm Symantec Bulletin
    WORM_SOBIG.E Trend
    W32.Sobig.A@mm Removal Tool
    Trend Technical Details WORM_SOBIG.E

    I know this has not divided it neatly for you, but I believe SOBIG fulfills the definition of both. Maybe this material will allow someone to divide it.

    SMBP
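One defensive check that follows from the spreading mechanism described in the post above (an added example, not code from the thread or from any vendor): a mass mailer with its own SMTP engine bypasses the organisation's mail relay and opens port-25 connections to many destinations directly, so workstations doing that stand out in firewall logs. The log format, the relay address 10.0.0.5 and the destination threshold are assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not from the thread): "<ts> ALLOW <src> -> <dst>:<port>".
# 10.0.0.12 talks SMTP to four unrelated hosts; 10.0.0.30 only talks to the relay.
LOG_LINES = """\
2003-08-22T14:59:01 ALLOW 10.0.0.12 -> 192.0.2.25:25
2003-08-22T14:59:02 ALLOW 10.0.0.12 -> 198.51.100.7:25
2003-08-22T14:59:02 ALLOW 10.0.0.12 -> 203.0.113.9:25
2003-08-22T14:59:03 ALLOW 10.0.0.12 -> 203.0.113.44:25
2003-08-22T14:59:05 ALLOW 10.0.0.30 -> 10.0.0.5:25
2003-08-22T14:59:06 ALLOW 10.0.0.41 -> 192.0.2.80:80
2003-08-22T14:59:07 ALLOW 10.0.0.30 -> 10.0.0.5:25
""".splitlines()

LINE_RE = re.compile(r"^(\S+) ALLOW (\S+) -> (\S+):(\d+)$")
MAIL_RELAY = "10.0.0.5"  # assumed: the only host that should send mail outbound


def direct_smtp_by_host(lines, relay=MAIL_RELAY):
    """Map each source host to the set of port-25 destinations it reached
    without going through the sanctioned relay. Lines that do not match
    the assumed format are skipped rather than guessed at."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, src, dst, port = m.groups()
        if port == "25" and dst != relay:
            hits[src].add(dst)
    return dict(hits)


def suspected_mass_mailers(lines, threshold=3, relay=MAIL_RELAY):
    """Hosts that opened direct SMTP sessions to at least `threshold`
    distinct destinations: the footprint of a worm carrying its own
    SMTP engine. Legitimate clients should only ever reach the relay."""
    by_host = direct_smtp_by_host(lines, relay)
    return sorted(src for src, dsts in by_host.items() if len(dsts) >= threshold)


if __name__ == "__main__":
    for host in suspected_mass_mailers(LOG_LINES):
        print(f"direct SMTP fan-out from {host}: {sorted(direct_smtp_by_host(LOG_LINES)[host])}")
```

Blocking outbound port 25 from everything except the relay turns the same observation into a preventive control rather than a detection.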

  4. #4
    Gold Lounger

    Re: Why is SOBIG a worm?

    SOBIG not SOBIG as Expected on Friday

    20 computers were found; 17 taken off line; FBI subpoenaed a Phoenix ISP they believe could reveal a source of SOBIG; the remaining 3 computers simply redirected to a porn site instead of giving catastrophic instructions like telling computers to erase the hard drive or initiate a new round of attacks. Engineers at F-Secure in Helsinki, Finland decrypted it by 3PM Thursday.

    "Further, they discovered a new twist. At 3 p.m. yesterday, tens of thousands of computers already infected with SoBig were supposed to connect to those 20 computers, using them as mere go-betweens, to retrieve a list of Web addresses. Once they were obtained, the machines infected with SoBig were supposed to download a program from those addresses.

    What was supposed to happen after that no one knew, because "we stopped it," said Tony Magallanez, a systems engineer at F-Secure in San Jose.

    To mitigate the threat, F-Secure engineers notified both the F.B.I. and the Internet service providers connected to the 20 computers. The addresses were then removed from the network by the Internet companies. In addition, the large telecommunications companies that provide the backbone for the Internet could have interceded and blocked all communication to those specific Internet addresses, Mr. Kuo said. Jeff Minor, chief executive of Easynews, an Internet service provider in Phoenix, said the F.B.I. served a subpoena to the company late yesterday morning. Mr. Minor said he thought that a stolen credit card number was used to open an account on Easynews, and the SoBig worm was sent from that account. Mr. Minor said the account was opened seven minutes before the rogue program was sent out. He said it was embedded in an image and sent to an Internet news group devoted to pornography.

    "Anyone trying to download that particular image in that news group would have been infected," Mr. Minor said.

    Mr. Minor said the worm was posted to the network from a computer in Vancouver, British Columbia. "To the best of my knowledge it was at somebody's home," Mr. Minor said. "

    ------NY Times August 23, 2003

    SMBP
