Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Information-Security-News
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[ISN] Malware targets security research tool

from [InfoSec News] Network Security [Permanent Link]
Subject: [ISN] Malware targets security research tool
Date: Fri, 7 Jul 2006 04:31:17 -0500 (CDT) 
http://www.theregister.co.uk/2006/07/06/gattmann_virus/

By John Leyden
6th July 2006

Virus writers have created a proof-of-concept virus, dubbed Gattman,
that targets an analysis tool widely used by anti-virus researchers.

Only the most inept anti-virus researchers are likely to become
infected, according to one expert, so the interest in the malware is
its curiosity value rather than any threat it poses, which is
virtually nil.

Gattman spreads using a program called Interactive Disassembler Pro
(IDA), a popular reverse engineering tool from Data Rescue, widely
used in anti-virus research labs, which converts machine code inside
program files into a human-readable source code format. The tool
allows the behaviour of code to be analysed.

The malware infects the scripting language used by IDA, elements of
which are sometimes shared between researchers during joint analysis
efforts, to create a Windows executable file. This executable searches
out new IDC files to create a new executable file. Gattmann is
programmed only to spread and doesn't feature any malicious payload.


Gotcha

The exchange of executable files is strictly controlled in anything
approaching professionally-run security labs.

Carole Theriault, senior security consultant at UK-based anti-virus
firm Sophos, said the authors of Gattman were presumably hoping to
embarrass incautious researchers by spreading a virus using the very
tools of their trade.

"The virus shows some technical knowledge. It was probably written in
an attempt to embarrass anti-virus firms but it's unlikely to spread
except among researchers - or more likely malware authors - who are
both curious and careless," Theriault told El Reg. "The approach taken
by the virus to spread is rather odd."

Gattman is a polymorphic virus, a technique that has fallen out of
favour in recent times, which means it alters its appearance as it
spreads. Both the IDC and EXE parts of this virus can change their
form as they replicate. The changes in EXE files generated by Gattman
use file-morphing utilities on each infected PC. Such utilities are
often found on the PCs of malware researchers but uncommon more
generally. ®



_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [ISN] Malware targets security research tool, InfoSec News <=
Previous by Date:  [ISN] Computer hacker will be extradited to US, rules Home Office, InfoSec News
Next by Date:  [ISN] UT notifying employees of computer hacker, InfoSec News
Previous by Thread:  [ISN] Computer hacker will be extradited to US, rules Home Office, InfoSec News
Next by Thread:  [ISN] UT notifying employees of computer hacker, InfoSec News
Indexes:  [Date] [Thread] [Top] [All Lists]