Worm sleeps to avoid detection

The latest mass-mailing worm, Atak, hides by going to sleep when it suspects that antivirus software is trying to detect it.

Atak was first discovered Monday. Although antivirus companies do not expect it to cause much damage, they say it will be a nuisance because it can generate a large amount of spam.

Graham Cluley, senior technology consultant for antivirus company Sophos, said authors of malicious software generally try to make the job of antivirus researchers as difficult as possible by adding confusing code and using evasion techniques.

"Atak tries to tell when someone is stepping through the code to analyze whether it is a virus or not. Often, a virus will contain lots of code that is designed to make it more complicated for (antivirus) companies to write the detections," Cluley said.

Mikko Hypponen, director of antivirus research at Finnish company F-Secure, said that although it is common practice for virus writers to protect their malware, this worm is exceptional.

"It is standard for worms to have layers of encryption--or armoring--to keep out snoopers, but this goes way beyond that. It tries actively to detect if it is being analyzed by antivirus research tools. If it thinks it is being analyzed, it stops running and shuts down," Hypponen said.

Atak is not thought to be a serious threat. But because of recent detection and in-built protection, the worm's full functionality has not yet been fully analyzed. However, it is known that the worm contains text that seems to threaten other well-known worms and viruses, such as MyDoom, Bagle and Netsky.

. Hypponen said there is a possibility that Atak will try to seek out and destroy "rival" worms.

"We haven't been able to figure out if Atak tries to disable some of these viruses," he said. "The message implies it does contain some code that attacks other viruses."

Source

This article just shows you how destructive the future of internet viruses will be. The hackers technology is rapidly growing.

This shutting down must be designed against memory scans.
Shutting down itself wouldn't work against HD/file scan.

I find it absolutely fascinating that virus writers are now going after each other and their creations instead of the usual evasion of AV scans and detection. What would drive them to act in that fashion I wonder? I almost think waring virii on a computer would be worse than a single one, because you could potentially have two or more programs fighting for memory and an upper hand to stop the other virus and complete its task/release its payload. It really is starting to border on actual human viruses in how they change, act, etc. Almost enough to make me want to setup a test machine to let loose a few viruses known to attack each other to watch their progress.

Good to see you are still around alternate. What a fitting topic for you to reply too.

MacKiller > yeah, considering how long I spent at that place I shall not name. What I think will really hail the beginning of a major change in computers is the first true cross-platform virus that can attack not only windows but linux and other OS'es as well, and not juse minor disruptions but MyDoom level problems. Linux and other *nix variants still are largely untargeted by virus writers, thought as it gains popularity I wonder if that will change? It seems there is already a shift for malware writers to focus on software other than MS such as FireFox, which just released 0.9.2 due to some concerns over a vulnerability.

I can be almost certian when I say that in the future, there will be one that can destroy them all.

Then we can be expecting Windows Updates everyday, rather than every other day