We Could Almost See it Coming
On July 2nd, 2006 a virus author released the first virus that infects IDC files (W32.Gatt), claiming that it would be very hard for antivirus researchers to detect and that the source code would be made public at the end of the month. Media reports at the time speculated that the virus release was intended to embarrass virus researchers because it targeted some software tools that we use to analyze malicious code. However, on July 3rd we released antivirus detection for the virus. On July 4th, the virus author withdrew the claim that the source code would be released. Coincidence? I don't think so.
Symantec’s Security Response team is just that: a response team. We responded quickly when this virus appeared and were able to provide antivirus detections in short order. It was more than likely that the virus author had originally intended to post the source code for W32.Gatt, but it seems to me that there were also some good reasons not to post the code. One probable reason that the code wasn’t published is that any virus built from it would be easily detected by antivirus software using updated signatures. I realize that this won’t be the end of it, but one of the biggest benefits of fighting “fires” like this one is that if we are able to contain the immediate threat (such as the public release of source code for a virus), then we can stop the spread of the smaller and somewhat more troublesome fires (that is, the variants that would undoubtedly flare up from the original source code).