GattMan computer virus uses new method of infection

July 07, 2006 Sophos Press Release

Researchers at the Sydney branch of SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have discovered a proof-of-concept virus, called W32/GattMan-A, which works in a novel way.

Unlike the majority of malicious software, which consists of Windows programs targeting the Windows operating system, this virus deliberately targets an analysis tool that is widely used by security researchers.

The GattMan virus spreads through the program Interactive Disassembler Pro (IDA), produced by DataRescue. IDA is one of the most popular "reversing" tools, and is used for converting the raw machine code inside program files back into human-readable source code form so that its behaviour can be analysed and understood.

Reversing is part science and part art, allowing security experts to go from something arcane like this:

9823a2ec dfe98986 4359e108 e1866fb0 126f2f3d 329a6591 9a01067b

to something readable and easier for technicians to understand, like this:

if day = friday then
  if date = 13 then
    repeat 100 times
      print "freddy krueger!"

The GattMan virus, which is believed to have been written by members of the "Ready Rangers Liberation Front" (rRlf) and "The Knight Templars" (TKT) virus-writing gangs, works by infecting IDC files. IDC is a script programming language similar to ANSI C, which allows researchers to customize and enhance the behavior of the IDA tool. IDC scripts are often useful in unscrambling esoteric or hidden parts of malicious code, and are often exchanged with other researchers as part of the effort of taking apart a new piece of malware.

IDC script files infected by GattMan work by creating a Windows program (EXE file) which, in turn, searches out further IDC files to infect; those infected scripts then create a new EXE file, and so on.
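As an added defender-side illustration (not code from the Sophos release, from IDA or from the virus itself): a small Python triage script that flags IDC files containing file-writing or process-launching calls before they are exchanged between analysts, since a script that only annotates a disassembly has no reason to drop or run binaries. The IDC function names used here (fopen, fputc, writestr, writelong, savefile, Exec) are assumed from the IDC API rather than taken from the page, and the sample script is constructed.

```python
import re

# Assumed IDC built-ins (from the IDC API, not from the press release) that let a
# script write files or spawn programs; their presence in a shared script is a
# triage signal worth a manual look, not proof of infection.
SUSPICIOUS_CALLS = {
    "fopen": "file open", "fputc": "file write", "writestr": "file write",
    "writelong": "file write", "savefile": "file write", "Exec": "process execution",
}

def strip_comments_and_strings(src: str) -> str:
    """Blank out C-style comments and string literals, keeping line breaks so
    reported line numbers stay correct and commented-out code is not flagged."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    src = re.sub(r"//[^\n]*", "", src)
    src = re.sub(r'"(?:\\.|[^"\\])*"', '""', src)
    return src

def triage_idc(src: str) -> dict[str, list[int]]:
    """Return {call_name: [line numbers]} for each suspicious call that appears
    as a real function call outside comments and string literals."""
    hits: dict[str, list[int]] = {}
    for lineno, line in enumerate(strip_comments_and_strings(src).splitlines(), start=1):
        for m in re.finditer(r"\b([A-Za-z_]\w*)\s*\(", line):
            name = m.group(1)
            if name in SUSPICIOUS_CALLS:
                hits.setdefault(name, []).append(lineno)
    return hits

def report(src: str) -> list[str]:
    """Human-readable findings, one per hit, sorted by call name."""
    return [f"line {n}: {name} ({SUSPICIOUS_CALLS[name]})"
            for name, lines in sorted(triage_idc(src).items()) for n in lines]

# Constructed sample: looks like a renaming helper, but also drops and runs a file.
SAMPLE_IDC = """\
// Rename all functions starting with sub_ (harmless helper)
static main() {
    auto ea, fh;
    /* fopen("old.bin", "wb"); -- commented out, must not be flagged */
    Message("%s\\n", "fopen(\\"inside a string, must not be flagged\\")");
    fh = fopen("dropper.exe", "wb");
    writestr(fh, "constructed placeholder, not a real payload");
    Exec("dropper.exe");
}
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_IDC)) or "no suspicious calls found")
```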

"Whereas analysts are usually very careful about exchanging EXE files, since so much malware spreads that way, it is often only in professionally-run and security-conscious malware labs that the same sort of precaution is taken with every type of file," said Paul Ducklin, Head of Technology, Asia Pacific, SophosLabs. "Presumably, the authors of GattMan were hoping to embarrass incautious researchers by spreading a virus using the very tools of their trade."

GattMan is a polymorphic virus - a technique not often used by malware today - which means it alters (or mutates) its appearance as it spreads. Both the IDC and EXE parts of this virus can change their form as they replicate.

Sophos researchers were interested to discover that the mutation of the EXE files generated by GattMan is achieved by looking for file-morphing utilities on each infected PC. Such utilities are not likely to appear on the average computer, but are often to be found on the PCs of malware researchers as they can be handy in understanding and unscrambling some types of malicious code. The identity of the morphing utilities is cryptographically hidden inside the virus, but SophosLabs researchers can reveal that they are: Exe32Pack, PePack, Spec, Upx and VGAlign.

"Although just a proof-of-concept, and unlikely to spread except amongst researchers (or malware authors) who are both curious and careless, GattMan proves once again that malware authors are often willing to look for brand new avenues of infection," said Ducklin. "In this case the virus's creators appear to be doing it for kicks rather than financial reward."

Sophos has been protecting against the W32/GattMan-A virus since 05:34 GMT on 4 July 2006.

Sophos recommends that all computer users ensure they are running an anti-malware product that is configured to update itself automatically, and that they keep security patches and firewall software up to date.