12 February 2009

Malware Terminology: Trojans, Worms, & Viruses

Some guy wrote "How To Write a Linux Virus in 5 Easy Steps," but he's wrong. What he describes is not a virus; it is a trojan. And he calls himself a geek!

Let me start by saying that "malware" and "badware" are two commonly used umbrella terms for these types of software.

It is a trojan because it relies entirely upon social engineering to install and run. Remember the Trojan Horse? The Greeks claimed the horse was a gift for the Trojans. It turned out to be hiding a bunch of armed men. This is the same thing. The malware claims to be something innocuous which the user might enjoy or believes is necessary. The user is thus tricked into installing it. That trickery? That's the social engineering. It's the same trickery the Greeks used. The user installs and maybe executes the malware. Since there was both trickery and user intervention, it is a trojan.

A worm does not require user intervention. A worm will often (as in the case of Blaster) use a remote exploit to infect the host machine. It will then replicate and attack any other machines it can reach. It thus spreads completely on its own. Worms do not need to piggyback onto other files like trojans and viruses do. They exist in their own right and behave independently of pretty much all else.

And then there's the generic virus. Viruses do usually require user intervention to spread, but they don't involve social engineering like a trojan does. Viruses will often infect innocuous files which are then shared without the sharer knowing that they are handing a virus to the other person. In the case of a trojan, the sender usually knows exactly what they're doing. The file being infected by the virus does not turn into a trojan by virtue of being infected. It is simply an infected file, possibly an infected program.

Drive-by downloads are a bit confusing: are they trojans or viruses? It sort of depends on the site. If it's an attack site, you'll usually receive an email or IM with a link. Then there's some social engineering involved, and you did follow directions by going to the site, but the fact that you don't have to manually install something claiming to be safe puts it in the virus category for me. If it's a usually-safe site that happens to have been infected, then there's no grey area. That's a virus.

K? So, let's stop calling every bit of malware we find "a virus," because that's just not right. We have words for the different types of malware. Let's use them.


Ian Betteridge said...

While you're right, what you're saying is also completely and utterly irrelevant.

As someone in the comments says "Actual viruses went out with the floppy." Almost every instance of malware these days relies on social engineering, and so is really some form of trojan. But people - including a lot of *nix proponents - commonly refer to Windows as "riddled with viruses".

People often have this vision of malware writers as being like Blaster's Jeffrey Parson: kids, doing it for the lulz. They largely aren't: they're professional criminals creating malware to grow botnets, for various unsavoury purposes.

And those guys always rely on user intervention to spread, because user intervention is the most reliable method: no one can patch the users to make them more safe.

Binarymutant said...

Great post! Really got me thinking, thank you.

Daengbo said...

Thank you.

Baggers said...

While technically you are correct, he did mention this in the article (or comments) and chose the term virus, because a lot of people lump the terms together and the point of the article is to get a message out.
So yes, he is using the wrong term, but I think more interesting is whether a bug report has been filed for this!
Cheers for the article

Bob said...

That was a great description on the differences between trojans, viruses, and worms!
Nicely done!

istoff said...

Thanks for the clarification, but I think the original poster was far more concerned about security issues which I for one considered to be valid.

Most people I know have a separate home partition and reinstall / change Linux distros over time. Losing the home folder does not require root access and is a nightmare. Looking back and bragging about how Linux is secure because root wasn't compromised won't get your data back.

I admit that the original poster's article did not reveal anything we didn't already know, but I am grateful for the awareness it has created.

Arguing about the appropriate terminology for malware just didn't add anything to the conversation.

Of course, blogs are personal and it may be that he struck one of your pet peeves, so who am I to complain.

It's Friday the 13th and a full moon here, so please forgive any aggro trying to slip into my writing...

davidnottingham said...

Great post.

You're not going to like the BBC's Technology section's article on the Downadup/Conficker virus ... erm ... sorry ... worm


A. Y. Siu said...

Thank you for clarifying all the malware terms.

I think some people missed the whole point of your outing this as requiring social engineering.

If malware requires social engineering, then it is entirely the user's fault if it gets installed. It is not the fault of the OS. It isn't a flaw in the software, even though istoff seems to imply it is:

"I think the original poster was far more concerned about security issues which I for one considered to be valid."

Yes, the security issue is users downloading and double-clicking random attachments. The security issue has nothing to do with Linux.

If you're willing to double-click random attachments or install software from any source, then your computer will get compromised. It doesn't matter if you're using Windows, Mac OS X, or Linux.