Will No-One Rid Me Of This Turbulent Hacker Tool? (http://en.wikipedia.org/wiki/Thomas_Becket)

I was kind of hoping to have moved on from the iPhone data stealing hacker tool by now. While I do think it's a significant development (see http://www.eset.com/threat-center/blog/2009/11/12/iphone-hack-tool-a-postscript), there comes a point where the sheer volume of discussion of the subject gives it more importance than it really deserves.

However, I can't help but notice that there have been frequent references, based both on the Intego post and on my blogs, to a virus or a worm. Well, of course, I'm fully aware that many people talk about viruses when they mean all sorts of other malware, and if I'm not exactly resigned to it, I don't usually spend much time complaining about it.

In this case, however, it actually matters. The source code I have in front of me has no replicative code, so it's not a virus and it's not a worm. It isn't even a Trojan: if you run this code, you're not in any doubt as to what it does. It announces itself quite clearly as a program for stealing data, and keeps you informed as to what data it's trying to steal and whether it succeeds.

It is, in fact, a (very) basic tool that could be used by a badhat, in much the same way that he might use a sniffer or password cracker: it would require modification just to scan a different network.

I don't know if Intego are looking at exactly the same code. The article by Peter James suggests functionality that isn't present in the script I have, but he may just be indicating functions that the script could have in addition to those already present. Intego have confirmed to me, though, that what they have is a hacker tool with no self-replicating code.

David Harley
Director of Malware Intelligence