Printer Friendly

Gattman computer virus uses new method of infection.

Researchers at the Sydney branch of Sophos have discovered a proof-of-concept virus, called Gattman which works in a novel way.

Unlike the majority of malicious software, which are Windows programs targeting the Windows operating system, this virus deliberately targets an analysis tool which is widely used by security researchers. The Gattman virus spreads through the program Interactive Disassembler Pro (IDA), produced by DataRescue. IDA is one of the most popular "reversing" tools, and is used for converting the raw machine code inside program files back into human-readable source code form so that its behaviour can be analysed and understood.

The Gattman virus, which is believed to have been written by members of the "Ready Rangers Liberation Front" (rRlf) and "The Knight Templars" (TKT) virus-writing gangs, works by infecting IDC files. IDC is a script programming language similar to ANSI C, which allows researchers to customize and enhance the behavior of the IDA tool. They are often useful in unscrambling esoteric or hidden parts of malicious code, and are often exchanged with other researchers as part of the effort of taking apart a new piece of malware.

IDC script files infected by Gattman work by creating a Windows program (EXE file) which, in turn, searches out new IDC files, which then create a new EXE file, and so on.

"Whereas analysts are usually very careful about exchanging EXE files, since so much malware spreads that way, it is often only in professionally--run and security-conscious malware labs that the same sort of precaution is taken with every type of file," said, Head of Technology, Asia Pacific, SophosLabs. "Presumably, the authors of Gattman were hoping to embarrass incautious researchers by spreading a virus using the very tools of their trade."

Gattman is a polymorphic virus--a technique not often used by malware today--which means it alters (or mutates) its appearance as it spreads. Both the IDC and EXE parts of this virus can change their form as they replicate.

Sophos researchers were interested to discover that the mutation of the EXE files generated by Gattman is achieved by looking for file- morphing utilities on each infected PC. Such utilities are not likely to appear on the average computer, but are often to be found on the PCs of malware researchers as they can be handy in understanding and unscrambling some types of malicious code. The identity of the morphing utilities is cryptographically hidden inside the virus, but SophosLabs researchers can reveal that they are: Exe32Pack, PePack, Spec, Upx and VGAlign. "Although just a proof-of-concept, and unlikely to spread except amongst researchers (or malware authors) who are both curious and careless, Gattman proves once again that malware authors are often willing to look for brand new avenues of infection," said Ducklin. "In this case the virus's creators appear to be doing it for kicks rather than financial reward."

Sophos has been protecting against the W32/Gattman-A virus since 05:34 GMT on 4 July 2006.

Sophos recommends that all computer users should ensure that they are running an anti-malware product which is configured to itself, security patches and software.
COPYRIGHT 2006 A.P. Publications Ltd.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2006, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:Security News and Products
Publication:Software World
Date:Jul 1, 2006
Previous Article:Sunbelt Software announces third-generation "all-in-one" messaging security.
Next Article:Widespread Gmail phishing email lures with $500 cash prize.

Related Articles
The dangers lurking in military software production.
Beyond Virtual Vaccinations.
Security Supplement.
2001 anti virus review: Kaspersky Labs presents a year-end review of events taking place in anti-virus safety. (Security).
Filipino claims to be JPEG virus author. (Virus Notes).
Tape libraries: a different type of virus protection.
Protecting your computers from invaders: antivirus-software powerhouse Symantec offers tips for keeping viruses, worms, and Trojan horses at bay.
Call for framework to report viruses.
How computer viruses work.

Terms of use | Privacy policy | Copyright © 2020 Farlex, Inc. | Feedback | For webmasters