[ISN] Malware targets security research tool
isn at c4i.org
Fri Jul 7 05:31:17 EDT 2006
By John Leyden
6th July 2006
Virus writers have created a proof-of-concept virus, dubbed Gattman,
that targets an analysis tool widely used by anti-virus researchers.
Only the most inept anti-virus researchers are likely to become
infected, according to one expert, so the interest in the malware is
its curiosity value rather than any threat it poses, which is
Gattman spreads using a program called Interactive Disassembler Pro
(IDA), a popular reverse engineering tool from Data Rescue, widely
used in anti-virus research labs, which converts machine code inside
program files into a human-readable source code format. The tool
allows the behaviour of code to be analysed.
The malware infects the scripting language used by IDA, elements of
which are sometimes shared between researchers during joint analysis
efforts, to create a Windows executable file. This executable searches
out new IDC files to create a new executable file. Gattmann is
programmed only to spread and doesn't feature any malicious payload.
The exchange of executable files is strictly controlled in anything
approaching professionally-run security labs.
Carole Theriault, senior security consultant at UK-based anti-virus
firm Sophos, said the authors of Gattman were presumably hoping to
embarrass incautious researchers by spreading a virus using the very
tools of their trade.
"The virus shows some technical knowledge. It was probably written in
an attempt to embarrass anti-virus firms but it's unlikely to spread
except among researchers - or more likely malware authors - who are
both curious and careless," Theriault told El Reg. "The approach taken
by the virus to spread is rather odd."
Gattman is a polymorphic virus, a technique that has fallen out of
favour in recent times, which means it alters its appearance as it
spreads. Both the IDC and EXE parts of this virus can change their
form as they replicate. The changes in EXE files generated by Gattman
use file-morphing utilities on each infected PC. Such utilities are
often found on the PCs of malware researchers but uncommon more
More information about the ISN