The terminology is based on how the malware spreads. Worms actively exploit holes in network programs (e.g. emailing themselves to your contacts), trojans disguise themselves as something useful (e.g. a pirated game). True viruses spread by injecting copies of themselves into innocent files in such a way that opening the file triggers the payload.
True viruses are rare these days because the infection vector is passive and relatively slow: an infected file must be transferred by user action to another computer, for example by sharing an infected file via floppy disk.
> for example by sharing an infected file via floppy disk.
Or an "excel" file attached to an email or posted in a chat group that is executed by the host automatically and inserts itself somewhere. Viruses remain alive and well online.
False. There were viruses in the PC and Mac world for years, long before the 1988 Morris worm incident popularized the "worm" term.
Viruses spread via interactions like booting an infected floppy disc, or running an infected program copied from another user.
A virus is simply a piece of malicious code which attaches itself to programs, arranges for itself to be executed when those programs are run, and thereby spreads to more programs as programs are copied from system to system by unsuspecting users.
A Trojan horse is a malicious program which a user is somehow fooled into trusting, installing and running. It doesn't have to be a virus at all; for instance, it could be a fake authentication dialog that steals their credentials and then defers to the real authentication.
A malicious thumb drive deliberately dropped in the parking lot of a company is a modern example of a Trojan horse. It might not infect anything, just steal information and transmit it.
This definition of virus is actually referred to as worm.
A virus just attaches itself to a host (binary, document, ...) to spread, like 30 years ago viruses spread via floppy disk which required a lot of manual doing.
A worm is what actively spreads by itself.
Both viruses and worms (malware so to speak) can be introduced to environments as trojans.
I think when someone says virus these days, including news, they just mean any kind of malware and it seems okay to me.
The important part is to start talking more about malware on macOS, as it seems a blind spot for many organizations.
That's also why it's important to make the distinction between the "naked-cheerleaders.jpg.exe" kind of malware, the "visited a website" or "opened a PDF" kind and finally the "had a machine online" kind. Because AFAIK the second kind of malware is very rare on macOS and the third kind is literally nonexistent. And some people rely on that (including me).
So, I appreciate you might consider this separate, but I would for most purposes include the various iMessage exploits in that last category (so: rare, but not unheard of).
We had this debate in my office today. Imho malware is any software that the user/owner of a system doesn't want running. Others were of the opinion that "malware" doesn't include software for which someone, perhaps other than the user, has a legitimate use. So surveillance software isn't malware because it can be installed on a target device legitimately. So too most bloatware, stuff I call malware but many large corporations do not.
The article mentions that using S3 makes it harder to block. You can't block Amazon S3 without breaking very many things.
Presumably the malware author would open an AWS account with a stolen or prepaid credit card. They could probably even get away with using AWS's free tier.
Or they could even abuse a random web service that uploads data to predictable locations on S3.
You need to host it somewhere. S3 won't set off any IDS/Firewall alert. IDS would pick up calls to China or Russia. Payment details are probably stolen credit cards or credit cards set up with fake/stolen identities. They'll be a dead end.
Right, but if amazon disables the bucket then don’t they lose contact with all the infected hosts? And anyway, I can’t imagine expecting a recurring charge like an AWS account to last too long on a stolen CC.
Along with the apparent lack of any actual payload, it seems to point to this being some kind of proof of concept.
Bad guys have figured out there are tons of 1-year promo offers for AWS and hosting a single file stays well within the free tier. They toss a stolen card on the account to verify it, which honestly most people won't question a $1 charge then refund from Amazon.
Usually botnet control systems like this will generate a new domain every day using some difficult-to-predict algorithm. Maybe seed it off of the previous day Dow Jones Index closing figure or something. This makes it a race to try to register the domain before the bad guys do.
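An added example of the race the comment describes, written from the defender's side; it is not code from the thread or from any real malware family. It uses a toy DGA (an assumption for illustration: SHA-256 over the date, a public value such as an index close, and a counter) to show why a defender who has recovered the algorithm from a sample can compute each day's candidate domains as soon as the public value is known, and then match them against DNS query logs or feed them to a blocklist before the operator registers them.

```python
import hashlib
import datetime as dt

# Toy DGA for illustration only: an assumption, not any real family's
# algorithm. The daily seed mixes the date with a public value that is only
# known after the fact, so neither side can enumerate far ahead; each day
# becomes a fresh race between the operator and the defender.
TLDS = ("com", "net", "org")
LABEL_LEN = 12


def daily_domains(day: dt.date, public_value: str, count: int = 5) -> list:
    """Candidate C2 domains for `day` under the toy DGA (deterministic)."""
    domains = []
    for i in range(count):
        material = f"{day.isoformat()}|{public_value}|{i}".encode()
        digest = hashlib.sha256(material).digest()
        # map each digest byte to a lowercase letter
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def flag_queries(queries, day: dt.date, public_value: str) -> list:
    """Return the DNS query names that match the day's DGA output.

    Trailing dots and letter case are normalised before matching, since
    resolver logs often record fully-qualified, mixed-case names.
    """
    wanted = set(daily_domains(day, public_value))
    return [q for q in queries if q.lower().rstrip(".") in wanted]


if __name__ == "__main__":
    # Constructed sample: a date and a made-up "index close" value.
    day = dt.date(2021, 2, 20)
    value = "31494.32"
    todays = daily_domains(day, value)
    print("domains to pre-register or sinkhole today:", todays)
    # Constructed resolver log: one benign name plus two DGA hits.
    log = ["example.com", todays[0] + ".", todays[3].upper()]
    print("DGA hits in log:", flag_queries(log, day, value))
```

The public value is the important design point: because it is unknown until the day arrives, the defender cannot build a blocklist weeks ahead, but can still win the daily race by automating the computation and registration the moment the value is published.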
I find it weird how all of the stories about this thing have the tone of "oh no, what could it be for, there is no payload!?!", when it phones home to a control server regularly waiting for payload. Guys, it's a botnet. They're just waiting for it to get big enough to be worth selling. This isn't some huge mystery. It could be used for hundreds of uses from DDOSing, to spamming, to being a covert VPN network, to Warez distribution, porn, etc... Plus it will probably eventually install a keylogger on the system to harvest CC numbers and passwords from the infected users, maybe run some crypto-locking ransomware if the devs need some bitcoin. All of the typical stuff you can expect after a box is rooted by one of these botnet operators.
Stuxnet for example, didn't really seem to do anything useful. Unless you happened to have a very specific version of industrial control software installed.
No obvious payload is actually the worst kind of malware to deal with, because you have no idea if Matthew in accounting had the specific key on his machine that installed a second stage that you know nothing about and can't detect.
I don't really think it pays off to make such distinction between virus and trojan.
`Trojan` is often used to refer to malware that provides a backdoor into your system, and if someone gets to run code on your machine it isn't your machine anymore.
The real value is in evaluating your risk, which includes an analysis of the infection vector. A virus (or worm) can be more risky because it typically exploits a weakness in the system. And some trojans are more risky to some demographics than others, depending on which social engineering techniques they use to trick a user into installing them.
I think technically a virus infects other files, but a worm is its own file(s) that spread one way or another. A Trojan is just one means of spreading, and can be used by viruses, worms, or other malware. Though there really is no point in being pedantic about the definitions because all the lines have been blurred for decades.
Terminology descriptions aside (I believe what you are describing is a worm, not a virus), knowing how something spreads is important.
Obsessing over motivations of the developers without providing useful mitigation steps or any kind of even vague description of who is at risk by this is frustrating.
If the only vulnerability that was exploited was an unsuspecting user installing a software they thought was clean, it should just be classified as "30K macs have compromised software installed on them".
If I had to guess, I'd say they will probably roll out new XProtect signatures [1] soon, assuming they haven't done so already for these samples.
I also just learned that you can see when the last update was with the following command:
```
system_profiler SPInstallHistoryDataType | grep -A 5 "XProtectPlistConfigData"
```
And then any updates are added to `/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara` (for macOS 11, at least).
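An added example, not from the commenter, that turns the `system_profiler` check into something you can run across a fleet: it parses the install-history report, picks the newest `XProtectPlistConfigData` entry, and flags a machine whose signature data is older than a chosen threshold. The sample report is constructed (the section labels follow what the command prints; the version numbers and dates are made up), and the assumption that each entry carries `Version:` and `Install Date:` lines with an ISO-style date is mine.

```python
import shutil
import subprocess
from datetime import date

# Constructed sample of `system_profiler SPInstallHistoryDataType` output.
# Section labels follow the command's layout; versions and dates are made up.
SAMPLE_REPORT = """Software:

    Installations:

        Safari:

          Version: 14.0.3
          Source: Apple
          Install Date: 2021-02-01, 09:15

        XProtectPlistConfigData:

          Version: 2139
          Source: Apple
          Install Date: 2021-01-20, 11:02

        XProtectPlistConfigData:

          Version: 2140
          Source: Apple
          Install Date: 2021-02-16, 08:04
"""


def parse_install_history(text: str) -> list:
    """Return (name, version, install_date) tuples for every entry in the report."""
    entries = []
    name = version = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.endswith(":"):          # section header, e.g. "XProtectPlistConfigData:"
            name, version = stripped[:-1], None
        elif stripped.startswith("Version:"):
            version = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("Install Date:"):
            raw = stripped.split(":", 1)[1].strip()        # "2021-02-16, 08:04"
            installed = date.fromisoformat(raw.split(",")[0])
            entries.append((name, version, installed))
    return entries


def latest_xprotect(text: str):
    """Newest XProtectPlistConfigData entry, or None if none was ever installed."""
    xp = [e for e in parse_install_history(text) if e[0] == "XProtectPlistConfigData"]
    return max(xp, key=lambda e: e[2]) if xp else None


def xprotect_is_stale(text: str, today: date, max_age_days: int = 30) -> bool:
    """True when the newest XProtect data is missing or older than max_age_days."""
    latest = latest_xprotect(text)
    if latest is None:
        return True
    return (today - latest[2]).days > max_age_days


if __name__ == "__main__":
    # On a Mac read the live report; elsewhere fall back to the constructed sample.
    if shutil.which("system_profiler"):
        report = subprocess.run(["system_profiler", "SPInstallHistoryDataType"],
                                capture_output=True, text=True).stdout
    else:
        report = SAMPLE_REPORT
    print("latest XProtect data:", latest_xprotect(report))
    print("stale:", xprotect_is_stale(report, date.today()))
```

Comparing the reported version against the one Apple is currently shipping is the stronger check, but a simple age threshold already catches machines that have silently stopped receiving background updates.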
What a silly title. It may not have some active payload right now, but that doesn't mean it won't tomorrow. Seems like a reasonable strategy to spread the malware as wide as possible, then push an update to trigger whatever behavior you want. And yes, it does check for updates.
> Every hour, the persistence LaunchAgent tells launchd to execute a shell script that downloads a JSON file to disk, converts it into a plist, and uses its properties to determine further actions.
> In short, it doesn’t do anything. That’s not all that reassuring, given that tens of thousands of Macs could have potentially been infected, but based on the findings and investigations of multiple strains, the virus was “positioned to deliver a potentially impactful payload at a moment’s notice.”
https://news.ycombinator.com/item?id=26204756
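An added example from the defender's side of the quoted behaviour; it is not code from the thread or from the report being discussed. It triages LaunchAgent plists for the pattern described above (a short `StartInterval`, a shell interpreter, a script in a user-writable location) using only the standard-library `plistlib`. The two plists, their labels and paths are constructed for the example, and the interpreter list and path prefixes are my assumptions, not a complete catalogue.

```python
import plistlib
from pathlib import Path

# Two constructed LaunchAgent plists (labels and paths are made up). The first
# resembles the hourly shell-script persistence the quoted report describes;
# the second is an ordinary helper launched at login.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>/Users/alice/Library/Application Support/updater/run.sh</string>
    </array>
    <key>RunAtLoad</key><true/>
    <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.menubar-helper</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/Example.app/Contents/MacOS/ExampleHelper</string>
    </array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Assumed lists for the example; extend them for your own environment.
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript", "/usr/bin/python3"}
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")


def triage_launch_agent(data: bytes, max_interval: int = 3600) -> list:
    """Return the reasons a LaunchAgent looks like periodic script persistence."""
    plist = plistlib.loads(data)
    reasons = []
    args = plist.get("ProgramArguments") or []
    if not args and "Program" in plist:
        args = [plist["Program"]]
    if not args:
        return ["no Program or ProgramArguments"]
    if args[0] in INTERPRETERS:
        reasons.append(f"runs an interpreter: {args[0]}")
    for arg in args[1:]:
        if arg.startswith(USER_WRITABLE):
            reasons.append(f"script in user-writable path: {arg}")
    interval = plist.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= max_interval:
        reasons.append(f"StartInterval {interval}s")
    if plist.get("RunAtLoad"):
        reasons.append("RunAtLoad")   # common for legitimate agents; weak on its own
    return reasons


def is_suspicious(data: bytes, min_reasons: int = 2) -> bool:
    """Two or more indicators together are worth a closer look."""
    return len(triage_launch_agent(data)) >= min_reasons


def scan_launch_agents(directory) -> dict:
    """Map each suspicious *.plist under `directory` to its reasons."""
    findings = {}
    for path in Path(directory).glob("*.plist"):
        try:
            reasons = triage_launch_agent(path.read_bytes())
        except Exception:
            continue   # corrupt or unreadable plist; not this example's concern
        if len(reasons) >= 2:
            findings[str(path)] = reasons
    return findings


if __name__ == "__main__":
    for name, data in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(name, is_suspicious(data), triage_launch_agent(data))
    for d in ("~/Library/LaunchAgents", "/Library/LaunchAgents"):
        print(d, scan_launch_agents(Path(d).expanduser()))
```

`RunAtLoad` alone is deliberately not enough to flag an agent, since almost every legitimate login helper sets it; the combination with an interpreter, a script outside a signed bundle and a short interval is what matches the pattern in the quoted description.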