Altieres Rohr

The missing computer ‘virus’ or ‘how everything is a backdoor’

Old definitions of malicious code no longer serve any purpose.
But people still think of ‘virus’ as the umbrella term.




Definitions become useless as malicious code gets flexible. (Photo: Ines Teijeiro / SXC)

Computer viruses have been disappearing. There are nearly no viruses anymore. Even for Windows. This is true. Yet it is not. How so?

The confusion stems from the nearly useless categories of malicious code, all put under the umbrella term of “malware”1 nowadays. To many people, however, all malicious code is a “virus”. Some have probably never heard the term “malware”, and it is not as easy to remember as “virus”.

However, “virus” is not an umbrella term for all malicious code. It describes a very specific kind of malicious program: one that must “parasite” legitimate files, attaching itself to them, in order to spread from one system to the next.

This is no longer a behavior seen in most malicious software: for the most part, it does not touch your files at all. It might infect system files, but those are not files you are likely to share, so it does this to make removal harder, not to spread. By the strict definition, then, there are no viruses.

The categories of malicious code carry no useful information for a user, and not even for computer techs working in the field. There are a lot of people out there who still think that computer “worms” are always able to spread on their own, with no user interaction.

Except they don’t. At least not necessarily. They may be able to do so. But they don’t need that to be called worms.

In a show of even more ignorance regarding these terms, people have been saying that Mac OS X has no viruses because there is still no code for it that spreads by itself without user interaction. There was never such a definition!

Let’s take a look at some very short definitions:

Category   Definition
Trojan     Does not spread by itself; an attacker must trick the user into running the program, or into opening a web page or data file (such as a photo) that exploits a vulnerability in some software, in order to install the trojan.
Virus      Spreads by infecting legitimate files or programs, including boot sectors (on floppies, which get passed around). The only exception is the companion virus, which does not parasite a program directly but copies itself under the same name as the original program.
Worm       Spreads by copying itself to USB drives, email messages or network shares. It does not touch existing files to do so, so a file is never “infected” by a worm: the file is the worm itself, in full.
Backdoor   Any malicious code that opens a remote-control channel for the attacker.

So looking at those definitions, you might think it is impossible for something to be both a trojan and a worm at the same time, right? Well, not so. If you look at the Kaspersky Lab write-up for Flame, the sophisticated malicious software that has been stealing data in the Middle East, you will find this:

Flame is a sophisticated attack toolkit, which is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.

Translation: “it does too much stuff to be pinned down by any one category”.

It makes no sense to talk about the older categories anymore, and it makes less sense every day. Although many malicious programs are now trojans, they include backdoor functionality, which means that, if the attacker so desires, they can be ordered to download additional components, which might allow them to spread. That is the case with Flame.

Even if they do not include backdoor functionality, they often still have a “self-update” feature, which amounts to the same thing: code can be updated from one thing into anything.

To many people, what really matters is whether a piece of code can exploit vulnerabilities to do what it does. No definition covers that! It seems we are all stuck with something that is only useful to the anti-virus package’s internal workings, which has to know whether a file must be cleaned (if it is a virus, because a legitimate host file has to be restored) or simply deleted (trojans and worms, where the file is the malicious program itself).
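To make the one place where the category still matters concrete, here is an added example (not from the article, and not how any real anti-virus engine is built) of a remediation routine that must choose between cleaning and deleting. It assumes a constructed appending-style infection in which the viral code is glued to the end of a host file behind a hypothetical marker; the marker, the detection names and the file contents are all invented for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical marker separating the original host bytes from the appended
# viral code. Constructed for this example; real infectors carry no such
# courtesy, which is exactly why disinfection is engine-specific work.
MARKER = b"--TOYPAYLOAD--"


@dataclass
class Verdict:
    name: str       # detection name, e.g. "Toy.Appender"
    category: str   # "virus", "trojan", "worm" or "backdoor"


def disinfect(infected: bytes) -> bytes:
    """Restore a host file from an appending-style infection.

    Constructed layout: <host bytes> MARKER <viral code>.
    Returns the original host bytes; raises if there is nothing to clean.
    """
    idx = infected.find(MARKER)
    if idx < 0:
        raise ValueError("no infection marker found; nothing to clean")
    return infected[:idx]


def remediate(verdict: Verdict, content: bytes) -> Tuple[str, Optional[bytes]]:
    """Decide between cleaning and deleting based on the category.

    Only a virus has a legitimate host worth keeping. A trojan or worm file
    is the malicious program in full, so the whole file goes.
    """
    if verdict.category == "virus":
        return ("cleaned", disinfect(content))
    return ("deleted", None)


# Constructed sample files (not real executables).
HOST = b"MZ...legitimate program bytes..."
INFECTED_HOST = HOST + MARKER + b"viral code that reinfects other programs"
STANDALONE_WORM = b"MZ...the worm itself, in full..."


def demo() -> dict:
    """Run both cases and return the actions taken."""
    return {
        "virus": remediate(Verdict("Toy.Appender", "virus"), INFECTED_HOST),
        "worm": remediate(Verdict("Toy.Worm", "worm"), STANDALONE_WORM),
    }


if __name__ == "__main__":
    for kind, (action, data) in demo().items():
        print(f"{kind}: {action}" + (f" -> {data!r}" if data else ""))
```

Note that nothing in the decision depends on how the code arrived or what it can exploit; the category only tells the engine whether there is a host to restore. For a worm or trojan the answer is always “delete”, which is why the distinction between them carries no weight outside the engine.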

The other damage these ever more useless definitions do is that many people still use the term “virus” for everything, creating the paradox at the start of this article.

If you ask me, all malware is a virus; if not, we might as well forget the term “virus” as it relates to computers. If anyone were really serious about this, we would have Norton AntiMalware right about now. It is still called an AntiVirus. And there is a reason for that.

  1. A term made popular by the anti-spyware community, because traditional anti-virus packages at first refused to detect and remove adware and commercial spyware. They had to make it clear that, although adware and spyware were not viruses, they were still malicious; thus “malware”.