Risk
7/29/2010
10:08 AM
50%
50%

Malware Authors Leave Their Fingerprints On Their Work, Black Hat Researcher Says

Careful study of malware can help experts recognize its source and protect against it

LAS VEGAS, NEVADA -- Black Hat USA 2010 -- At the rate malware is proliferating, it sometimes seems impossible to tell one bit of malicious code from the next. But according to a security researcher here, malware authors leave "fingerprints" all over their work, which could aid security professionals in stopping them.

Click here for more of Dark Reading's Black Hat articles.
At a session on malware attribution, HB Gary researcher Greg Hoglund outlined a wide variety of methods that can be used to identify the source of malware and, ultimately, determine how to defend against it.

"We're not talking about naming names here, or finding their Social Security number and missile coordinates," said Hoglund, whose company does detailed analysis of malware. "What we're saying is that there is a human factor here that can help us understand what we're dealing with when we see new malware."

Malware developers leave "fingerprints" on their programs in the form of the tools they use, their styles of code-writing, and even in the parameters they choose, Hoglund says. These clues can help security experts determine whether a new attack is based on an old one, or whether a development toolkit was used to create it.

Such information might not be enough for law enforcement to track the malware back to its author, but recognizing similarities in malware development patterns can be helpful in preparing effective defenses, Hoglund stated.

After extensive malware analysis, HB Gary has identified some basic "rules" of malware authorship, Hoglund said. Rule No. 1 is that humans are lazy and seldom rewrite source code if they can avoid it.

"There might be 50,000 variations out there, but the base code is still the same," he said.

The second rule is that most attackers are focused on making a rapid reaction to network-level filtering and other standard defenses, Hoglund said. "They are not so focused on host-level stealth," which makes host-level analysis useful in following their tracks, he observed.

The third rule is that physical memory is king. "Once executing in memory, code has to be revealed, and that's where you can see its true behavior," even though the malware author may have taken sophisticated steps to pack or otherwise obfuscate it, Hoglund said.

Malware attribution is not particularly difficult if you know what to look for, Hoglund stated. "If you can read a packet sniffer, you can attribute malware," he said. If more security professionals investigated the source of the malware they saw, then it would be easier to develop defenses, he observed.

Hoglund took the audience through a broad range of methods for identifying a malware author's fingerprints, ranging from toolkits and development tools used to time stamps and source code analysis.

"So far in malware analysis, the industry has focused mostly on the binary end of the spectrum," Hoglund said. "We want to open people's minds up to the human side."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2037
Published: 2014-11-26
Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE 2013-6466.

CVE-2014-6609
Published: 2014-11-26
The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package.

CVE-2014-6610
Published: 2014-11-26
Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dia...

CVE-2014-7141
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.

CVE-2014-7142
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?