Rugrat: First 64-Bit Windows Virus Emerges

Symantec has reported it has analyzed a virus capable of attacking 64-bit Windows files. The virus, W64.Rugrat.3344, is the first known threat to 64-bit systems.

According to Symantec, Rugrat is simply a proof-of-concept virus — the kind usually written by “white hat” hackers and given to security companies as an example of potential danger.

Because it has been delivered only to Symantec, Rugrat is not in the wild and poses little immediate danger. However, the company does consider it an indicator of future threats, as it is the first virus that can target 64-bit files.

Examining a Rugrat

Mikko Hypponen, director of antivirus research at F-Secure in Helsinki, Finland, told the E-Commerce Times that the Rugrat virus is a 64-bit conversion of an older 32-bit virus known as Chiton.

The virus infects IA64 Windows Portable Executable files, including most Windows programs other than .dlls. It is considered a “direct-action infector,” meaning it exits memory after execution.

According to Symantec’s report, the virus infects files that are in the same folder as the virus and in all subfolders. It uses the Thread Local Storage structures to execute the viral code, which is considered an unusual method of executing code.

The virus also carries the string, “Shrug – roy g biv” which is never displayed. The file infection routine is standard. The last section of the executable is marked as executable, the virus body is inserted into the last section, and a random number of bytes is appended to the end of the virus body.

According to Symantec, the malware’s author is also the author of other proof-of-concept viruses.

No Problem Yet

At this point, Rugrat is considered a Level 1 threat, with Level 5 being the most severe. In Symantec’s view, the threat containment is easy, and it can be neutralized quickly with the use of LiveUpdate.

Even if the virus were released into the wild, it is possible that fewer than 50 machines would be infected immediately. Most home and business systems today run on 32-bit platforms and would not be affected.

Because the virus is written in IA64 assembly code, Symantec does not anticipate attempts to replicate it. Peter Ferrie, a Symantec antivirus researcher and co-writer of the Rugrat report, told the E-Commerce Times that the use of assembly code indicates a high level of technical, specialized knowledge. “Because of the level of skill required, it’s very unlikely that we’ll see many variants in the near future,” he said.

“This new 64-bit virus means nothing in the real world right now,” Hypponen said. “It’s not going to spread, and there would be very few machines to infect in the first place as compared to traditional platforms.”

Danger Ahead?

After a rash of dangerous viruses emerged in the past few months, the benign qualities of Rugrat should come as a relief to beleaguered IT departments.

But that does not mean there will be no cause for worry in the future.

As Hypponen said, “It does prove that virus writers are investigating new platforms actively and are taking the time to learn to exploit them as they become available.”

Symantec anticipated there would be threats to the 64-bit platform, according to Ferrie. Although there are not many users of the platform currently, he sees potential for trouble ahead.

“It sets the way for people to follow,” Ferrie said. “If someone gets ahold of the source code, they can make changes to it in terms of how the virus behaves. That’s when it would be a threat.”