Gattman computer virus uses new method of infection.
Unlike the majority of malicious software, which consists of Windows programs targeting the Windows operating system, this virus deliberately targets an analysis tool that is widely used by security researchers. The Gattman virus spreads through Interactive Disassembler Pro (IDA), produced by DataRescue. IDA is one of the most popular "reversing" tools: it converts the raw machine code inside program files back into a human-readable assembly-language listing (not the original source code) so that a program's behaviour can be analysed and understood.
The Gattman virus, which is believed to have been written by members of the "Ready Rangers Liberation Front" (rRlf) and "The Knight Templars" (TKT) virus-writing groups, works by infecting IDC files. IDC is a scripting language, similar to ANSI C, that allows researchers to customize and extend the behaviour of IDA. IDC scripts are often useful for unscrambling esoteric or hidden parts of malicious code, and are frequently exchanged between researchers as part of the effort of taking apart a new piece of malware.
An IDC script infected by Gattman, when run inside IDA, creates a Windows program (an EXE file); that EXE in turn searches out further IDC files and infects them, each of which can then create a new EXE, and so on.
"Whereas analysts are usually very careful about exchanging EXE files, since so much malware spreads that way, it is often only in professionally-run and security-conscious malware labs that the same sort of precaution is taken with every type of file," said Ducklin, Head of Technology, Asia Pacific, SophosLabs. "Presumably, the authors of Gattman were hoping to embarrass incautious researchers by spreading a virus using the very tools of their trade."
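The precaution the article describes for IDC files can be partly mechanised. The following is an added example, not code from the article or from Sophos: a small Python auditor that flags calls in an IDC script that can write files or run programs, the primitives a dropper such as the one described above would need. The list of IDC built-ins is an assumption (the names as I recall them from the IDC reference of that era); check it against the IDC documentation shipped with the IDA version in use. The two sample scripts are constructed for this example.

```python
"""Audit an IDC script for file-writing and process-spawning calls before running it."""
import re

# IDC built-ins that can write to disk or run programs. Assumption: these are the
# function names as I recall them from the IDC reference; verify against your IDA
# version's documentation before relying on the list.
RISKY_CALLS = {
    "fopen":      "opens a file, possibly for writing",
    "fputc":      "writes a byte to a file handle",
    "writestr":   "writes a string to a file handle",
    "writelong":  "writes a 32-bit value to a file handle",
    "writeshort": "writes a 16-bit value to a file handle",
    "savefile":   "copies database bytes to a file",
    "Exec":       "runs an external command",
    "RunPlugin":  "loads and runs a plugin by name",
}

# One alternation so that comments and string literals are consumed left to right:
# a "//" inside a string is then not mistaken for a comment, and vice versa.
_SKIP_RE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"', re.S)
_CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, RISKY_CALLS)) + r")\s*\(")


def _blank_comments_and_strings(src):
    # Replace each comment or string literal with blanks of the same length, keeping
    # newlines, so line numbers survive and a mention of fopen in a comment or a
    # string does not produce a finding.
    return _SKIP_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def audit_idc(src):
    """Return a list of (line_number, function_name, description) for each risky call."""
    findings = []
    cleaned = _blank_comments_and_strings(src)
    for lineno, line in enumerate(cleaned.splitlines(), 1):
        for m in _CALL_RE.finditer(line):
            name = m.group(1)
            findings.append((lineno, name, RISKY_CALLS[name]))
    return findings


def is_safe_to_run(src):
    """True when the script contains no file-writing or process-spawning calls."""
    return not audit_idc(src)


# Constructed sample: labels the entry point and prints a message; analysis calls only.
BENIGN_IDC = """\
// Constructed sample. fopen is mentioned here only in a comment.
static main() {
    auto ea = MinEA();
    MakeName(ea, "start_here");
    Message("labelled %s\\n", "start_here");
}
"""

# Constructed sample of a dropper-style script: writes bytes to a new EXE and runs it.
SUSPICIOUS_IDC = """\
// Constructed sample of a dropper-style script.
static main() {
    auto h = fopen("dropped.exe", "wb");
    writestr(h, "MZ...");
    fclose(h);
    Exec("dropped.exe");
}
"""

if __name__ == "__main__":
    for label, script in (("benign", BENIGN_IDC), ("suspicious", SUSPICIOUS_IDC)):
        print(f"{label}: safe={is_safe_to_run(script)}")
        for lineno, name, why in audit_idc(script):
            print(f"  line {lineno}: {name}() {why}")
```

The auditor only answers "does this script contain the primitives a dropper needs"; a clean result is not proof of safety, and a finding is a prompt to read the script, not a verdict. Run it over any IDC file received from outside the lab before loading the file into IDA.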
Gattman is a polymorphic virus--a technique not often used by malware today--which means it alters (or mutates) its appearance as it spreads. Both the IDC and EXE parts of this virus can change their form as they replicate.
Sophos researchers were interested to discover that the mutation of the EXE files generated by Gattman is achieved by looking for file-morphing utilities on each infected PC. Such utilities are not likely to appear on the average computer, but are often to be found on the PCs of malware researchers, as they can be handy in understanding and unscrambling some types of malicious code. The identity of the morphing utilities is cryptographically hidden inside the virus, but SophosLabs researchers can reveal that they are: Exe32Pack, PePack, Spec, Upx and VGAlign. Because each of these tools rewrites an EXE differently, the dropped file's on-disk form, and hence its hash, depends on which of them happens to be installed on the victim's machine, while the virus's behaviour stays the same.
"Although just a proof-of-concept, and unlikely to spread except amongst researchers (or malware authors) who are both curious and careless, Gattman proves once again that malware authors are often willing to look for brand new avenues of infection," said Ducklin. "In this case the virus's creators appear to be doing it for kicks rather than financial reward."
Sophos has been protecting against the W32/Gattman-A virus since 05:34 GMT on 4 July 2006.
Sophos recommends that all computer users ensure they are running an anti-malware product that is configured to keep itself up to date, and that they apply security patches and software updates promptly.
Title Annotation: Security News and Products
Date: Jul 1, 2006