
Gattman Computer Virus

The Gattman virus spreads through the program Interactive Disassembler Pro (IDA), produced by DataRescue. IDA is one of the most popular "reversing" tools, and is used for converting the raw machine code inside program files back into human-readable source code form so that its behaviour can be analysed and understood.

Reversing is part science and part art, allowing security experts to go from something arcane like this:

9823a2ec dfe98986 4359e108 e1866fb0 126f2f3d 329a6591 9a01067b

to something readable and easier for technicians to understand, like this:

if day = friday then
    if date = 13 then
        repeat 100 times
            print "freddy krueger!"

Gattman is a polymorphic virus - a technique not often used by malware today - which means it alters (or mutates) its appearance as it spreads. Both the IDC and EXE parts of this virus can change their form as they replicate. The Gattman virus, which is believed to have been written by members of the "Ready Rangers Liberation Front" (rRlf) and "The Knight Templars" (TKT) virus-writing gangs, works by infecting IDC files. IDC is a script programming language similar to ANSI C, which allows researchers to customize and enhance the behavior of the IDA tool. IDC scripts are often useful for unscrambling esoteric or hidden parts of malicious code, and are often exchanged between researchers as part of the effort of taking apart a new piece of malware.

Related: Worm that targets virus researchers (14-Jul-2006)