2

I was studying for CISSP certification when I came across the question "what type of virus attaches itself to an executable?" The answer was "parasitic". I find terms relating to viruses and malware to be a bit confusing.

I thought all viruses modified executable files, as a method of spreading. That is, they injected their viral code into an exe so that it ran the next time the file was run, and then returned the flow of execution to the original portion of the program.

And that a worm was a standalone program that had a method of spreading (e.g. copying to network shares, mass mailing etc.)

Am I confused? Is it that a virus can be a standalone executable, and if it modifies other executables it would be known as "parasitic", and that if it had more extensive methods to spread it would be considered a worm?

I mean, isn't a parasitic virus a contradictory statement because it's spreading, but a virus that spreads is a worm?

schroeder
Celeritas

3 Answers

3

The difference between a virus and worm can be confusing. Both are self-replicating computer programs, but while a virus needs human interaction to propagate, a worm is standalone and can replicate on its own (usually exploiting security holes in computer systems). For example, a virus might replicate by sending itself as an attachment in an email and trick the user into opening it, but a worm might exploit a vulnerability (like EternalBlue) to gain access to systems.

schroeder
  • 3
    This is the official (ISC)2 definition. The meanings in use in the industry are more fluid, and as you talk to people or read information online you may see different uses. However, in the context of studying for the CISSP exam, this is the exact definition you need to remember. – John Deters Dec 16 '19 at 19:05
2

A virus can be a standalone file. I could send you a meterpreter file as an exe, for instance. No manipulating of execution flow is required.

A parasitic virus infects an existing file. I could inject meterpreter into calc.exe for instance.

Exploits exploit the program processing a file. That's where the flow of execution gets manipulated. That's where infecting PDF files comes into play, or where the OS processing flow gets changed.

Worms are a category of malware that self-propagates, that is, it seeks out new computers to infect all on its own.

schroeder
2

You are quite correct, unfortunately.

The word "virus" originally only referred to parasitic code snippets that reproduced by attaching (usually prepending) themselves to existing executables. In those days, "sneaker net" was the most common way of transferring files, often games and other software, so viruses were by far the most common form of malware. Trojans were easily identified due to the relatively low volume of traded software, and worms can't readily propagate through offline storage. So nearly all malware seen by the average person was delivered via infectious code snippets on floppy disks. So terms like "anti-virus" sprang up to deal with this threat, and those tools frequently could identify and remove the malicious code segment, and "disinfect" the "infected" file, solidifying these concepts in the public consciousness.

Once the Internet sprang up, worms could now get wider distribution, and trading pirated software peer-to-peer became a lot less common -- people downloaded files from more centralized repositories. This change in behavior made trojans (which are a LOT easier to write) a much more effective way of spreading malware.

But the name "anti-virus" stuck, as did the general imagery of equating a "virus" with the concept of a computer being sick, which means that people started to say "my computer caught a virus" rather than saying "my program got infected".

So now, instead of thinking of the host of a virus as being an infected executable, the general terminology is to think of the host as being the computer as a whole. This makes a lot less sense as far as the metaphor is concerned. The whole point of calling it a virus initially was the fact that it reproduced by attaching itself to other programs.

But language evolves, and even though calling generally infectious malware a "virus" would have been incorrect in the early 90's, doing so today is arguably, now, correct. Not because the meaning is any different, but rather because enough people today misuse the term as to make it widely acceptable. And language is about communication, so if everybody thinks that "virus" is the correct general term for malware, then it is.

tylerl