Sophos: virus targets antivirus researchers


Researchers at Sophos labs in Sydney last week discovered a virus designed to specifically target antivirus researchers.

The virus, dubbed "Gattman" by Sophos research staff, was discovered last Wednesday. It is a proof-of-concept virus and is not a threat to the majority of companies or even home PC users. However, it is compelling evidence that malware authors are designing viruses to target specific industries, companies or even individual users.

Paul Ducklin, head of technology in Asia Pacific for Sophos, told ZDNet Australia that Gattman was designed to target an application called Interactive Disassembler Pro (IDA), which is an analysis tool widely used by security researchers.

"IDA is one of the most popular 'reversing' tools, and is used for converting the raw machine code inside program files back into human-readable source code form so that its behaviour can be analysed and understood," said Ducklin.

For example, Ducklin said IDA will convert something like this:

9823a2ec dfe98986 4359e108 e1866fb0 126f2f3d 329a6591 9a01067b

Into something like this:

  if day = friday then
    if date = 13 then
      repeat 100 times
        print "freddy krueger!"

Gattman is a polymorphic virus, according to Ducklin, which means it changes its appearance as it spreads -- to make it more difficult to identify. In this case the virus mutates depending on the file-morphing utilities discovered on the infected machine.

"Such utilities are not likely to appear on the average computer, but are often to be found on the PCs of malware researchers as they can be handy in understanding and unscrambling some types of malicious code," said Ducklin.

The precise targeting of specific applications such as IDA means that Gattman is relatively harmless to the vast majority of Internet users and is "unlikely to spread except amongst researchers -- or malware authors -- who are both curious and careless".

Ducklin believes that Gattman's authors were most likely trying to embarrass the security researcher community.

"Presumably, the authors of Gattman were hoping to embarrass incautious researchers by spreading a virus using the very tools of their trade," said Ducklin.

Mikko Hyppönen, chief research officer at Finnish antivirus firm F-Secure, said this is not the first virus to target security researchers but agrees that it is unlikely to cause problems "in the real world".

"It's definitely not causing problems in the real world anyway. I think it was written to just show off that it can be done, not really to target anybody."
