Researchers at the Sydney branch of SophosLabs™, Sophos's global
network of virus, spyware and spam analysis centers, have
discovered a proof-of-concept virus, called W32/GattMan-A, which
works in a novel way.
Unlike the majority of malicious software, which consists of Windows
programs targeting the Windows operating system, this virus
deliberately targets an analysis tool which is widely used by
The GattMan virus spreads through the program Interactive
Disassembler Pro (IDA), produced by DataRescue. IDA is one of the
most popular "reversing" tools, and is used for converting the raw
machine code inside program files back into human-readable source
code form so that its behaviour can be analysed and understood.
Reversing is part science and part art, allowing security
experts to go from something arcane like this:
9823a2ec dfe98986 4359e108 e1866fb0 126f2f3d 329a6591
to something readable and easier for technicians to understand,
if day = friday then
    if date = 13 then
        repeat 100 times
            print "freddy krueger!"
The GattMan virus, which is believed to have been written by
members of the "Ready Rangers Liberation Front" (rRlf) and "The
Knight Templars" (TKT) virus-writing gangs, works by infecting IDC
files. IDC is a scripting language similar to ANSI C which allows
researchers to customize and enhance the behavior of the IDA tool.
IDC scripts are often useful in unscrambling esoteric or hidden
parts of malicious code, and are often exchanged with other
researchers as part of the effort of taking apart a new piece of
IDC script files infected by GattMan work by creating a Windows
program (EXE file) which, in turn, searches out new IDC files to
infect; those scripts then create a new EXE file, and so on.
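The IDC-to-EXE loop just described is why incoming IDC scripts deserve the same triage as an unknown EXE before they are loaded into IDA. As an added example (not Sophos's or DataRescue's code), the Python below scans an IDC script for file-writing calls, process-starting calls and unusually long string literals (a sign of an embedded binary), and runs on two constructed samples; the IDC function names it watches for are assumptions about the IDC API rather than details from the write-up.

```python
import re

# IDC primitives that let a script write to disk or start a process on the
# analyst's machine. Assumed for this demo; not taken from the Sophos text.
FILE_WRITE_CALLS = ("fopen", "fwrite", "writestr", "writelong", "savefile")
PROCESS_CALLS = ("Exec",)
PAYLOAD_MIN_LEN = 200  # a literal this long is rarely a name or format string

# Constructed sample in the style the text describes: an IDC script that drops
# a Windows EXE from an embedded hex blob and launches it. Not real GattMan code.
SAMPLE_INFECTED = (
    "#include <idc.idc>\n"
    "static main() {\n"
    '    auto f = fopen("C:\\\\temp\\\\g.exe", "wb");\n'
    '    writestr(f, "4D5A9000' + "00" * 150 + '");\n'
    "    fclose(f);\n"
    '    Exec("C:\\\\temp\\\\g.exe");\n'
    "}\n"
)

# Constructed benign sample: a renaming helper with no file or process use.
SAMPLE_BENIGN = (
    "#include <idc.idc>\n"
    "static main() {\n"
    "    auto ea = ScreenEA();\n"
    '    MakeName(ea, "decrypt_config");\n'
    '    Message("renamed %x\\n", ea);\n'
    "}\n"
)

def _calls(text, name):
    """True if the script contains a call to `name`, not merely the word."""
    return re.search(r"\b" + re.escape(name) + r"\s*\(", text) is not None

def scan_idc(text):
    """Return a sorted list of findings for one IDC script (empty = nothing seen)."""
    findings = ["writes file: " + n for n in FILE_WRITE_CALLS if _calls(text, n)]
    findings += ["starts process: " + n for n in PROCESS_CALLS if _calls(text, n)]
    # Measure every string literal; a very long one is typically an embedded binary.
    lengths = [len(s) - 2 for s in re.findall(r'"(?:[^"\\]|\\.)*"', text)]
    if lengths and max(lengths) >= PAYLOAD_MIN_LEN:
        findings.append("embedded blob: %d-char literal" % max(lengths))
    return sorted(findings)

def verdict(text):
    """'quarantine' if the script both drops and launches something, else 'review' or 'ok'."""
    found = scan_idc(text)
    if any(x.startswith("writes") for x in found) and any(x.startswith("starts") for x in found):
        return "quarantine"
    return "review" if found else "ok"
```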
"Whereas analysts are usually very careful about exchanging EXE
files, since so much malware spreads that way, it is often only in
professionally-run and security-conscious malware labs that the
same sort of precaution is taken with every type of file," said
Paul Ducklin, Head
of Technology, Asia Pacific, SophosLabs. "Presumably, the authors
of GattMan were hoping to embarrass incautious researchers by
spreading a virus using the very tools of their trade."
GattMan is a polymorphic virus - a technique not often used by
malware today - which means it alters (or mutates) its appearance
as it spreads. Both the IDC and EXE parts of this virus can change
their form as they replicate.
Sophos researchers were interested to discover that the mutation
of the EXE files generated by GattMan is achieved by looking for
file-morphing utilities on each infected PC. Such utilities are not
likely to appear on the average computer, but are often to be found
on the PCs of malware researchers as they can be handy in
understanding and unscrambling some types of malicious code. The
identity of the morphing utilities is cryptographically hidden
inside the virus, but SophosLabs researchers can reveal that they
are: Exe32Pack, PePack, Spec, Upx and VGAlign.
"Although just a proof-of-concept, and unlikely to spread except
amongst researchers (or malware authors) who are both curious and
careless, GattMan proves once again that malware authors are often
willing to look for brand new avenues of infection," said Ducklin.
"In this case the virus's creators appear to be doing it for kicks
rather than financial reward."
Sophos has been protecting against the W32/GattMan-A virus since
05:34 GMT on 4 July 2006.
Sophos recommends that all computer users should ensure that
they are running an anti-malware product which is configured to
automatically update itself, security
patches and firewall