Risk
7/29/2010
10:08 AM
50%
50%

Malware Authors Leave Their Fingerprints On Their Work, Black Hat Researcher Says

Careful study of malware can help experts recognize its source and protect against it

LAS VEGAS, NEVADA -- Black Hat USA 2010 -- At the rate malware is proliferating, it sometimes seems impossible to tell one bit of malicious code from the next. But according to a security researcher here, malware authors leave "fingerprints" all over their work, which could aid security professionals in stopping them.

Click here for more of Dark Reading's Black Hat articles.
At a session on malware attribution, HB Gary researcher Greg Hoglund outlined a wide variety of methods that can be used to identify the source of malware and, ultimately, determine how to defend against it.

"We're not talking about naming names here, or finding their Social Security number and missile coordinates," said Hoglund, whose company does detailed analysis of malware. "What we're saying is that there is a human factor here that can help us understand what we're dealing with when we see new malware."

Malware developers leave "fingerprints" on their programs in the form of the tools they use, their styles of code-writing, and even in the parameters they choose, Hoglund says. These clues can help security experts determine whether a new attack is based on an old one, or whether a development toolkit was used to create it.

Such information might not be enough for law enforcement to track the malware back to its author, but recognizing similarities in malware development patterns can be helpful in preparing effective defenses, Hoglund stated.

After extensive malware analysis, HB Gary has identified some basic "rules" of malware authorship, Hoglund said. Rule No. 1 is that humans are lazy and seldom rewrite source code if they can avoid it.

"There might be 50,000 variations out there, but the base code is still the same," he said.

The second rule is that most attackers are focused on making a rapid reaction to network-level filtering and other standard defenses, Hoglund said. "They are not so focused on host-level stealth," which makes host-level analysis useful in following their tracks, he observed.

The third rule is that physical memory is king. "Once executing in memory, code has to be revealed, and that's where you can see its true behavior," even though the malware author may have taken sophisticated steps to pack or otherwise obfuscate it, Hoglund said.

Malware attribution is not particularly difficult if you know what to look for, Hoglund stated. "If you can read a packet sniffer, you can attribute malware," he said. If more security professionals investigated the source of the malware they saw, then it would be easier to develop defenses, he observed.

Hoglund took the audience through a broad range of methods for identifying a malware author's fingerprints, ranging from toolkits and development tools used to time stamps and source code analysis.

"So far in malware analysis, the industry has focused mostly on the binary end of the spectrum," Hoglund said. "We want to open people's minds up to the human side."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.