Researcher 'Fingerprints' The Bad Guys Behind The Malware

Black Hat USA researcher will demonstrate how to find clues to help ID actual attackers, plans to release free fingerprinting tool

Malware writers actually leave behind a telling trail of clues that can help identify their native tongue, their geographic location, their ties to other attacks -- and, in some cases, lead law enforcement to their true identities. A researcher at Black Hat USA next month plans to give away a homemade tool that helps organizations glean this type of intelligence about the actual attacker behind the malware.

Greg Hoglund, founder and CEO of HBGary, for several months has been studying malware from the infamous Operation Aurora attack that hit Google, Adobe, Intel, and others, as well as from GhostNet; in both cases, he discovered key characteristics about the attackers themselves. Hoglund says the key is to gather and correlate all of the characteristic "markers" in the malware that can, in turn, be traced to a specific malware writer.

While anti-malware firms focus on the malware and malware kits and give them names, Hoglund says that model is all wrong. "That whole model is completely broken," he says. "Instead of tracking kits, we need to start tracking the attacker as a threat group. I want to take the fight back to the attacker."

Among his findings on GhostNet, an attack used to spy on Chinese dissidents, for example, was a common compression method for the video stream that was unique to those attacks. And in Operation Aurora, he found Chinese-language ties, registry keys, IP addresses, suspicious runtime behavior, and other anomalies that tied Aurora to the developer.

"Developers write certain algorithms ... one time and keep reusing those components," Hoglund says. Those reused components are among the clues that can be found.

In an advanced persistent threat attack he has been tracking for five years that comes out of China, he found the binaries had some of the same characteristics over the years. "I took all the malware samples from that attack and ran it through an analysis, and I could see these clues all over," he says. "There was stuff from five years ago still in the binaries. I can tell when they compiled it."

A single clue alone might not mean much until you start combining multiple clues together, he says. His fingerprinting tool will help incident responders do exactly that: "The fingerprint tool will tell them interesting clues as to the artifacts left behind in the [malware] development environment -- what version compiler was used, the original project name even if they changed the name of the file, which is common," he says. "A lot of attackers rename their attack to something that sounds innocuous, but sometimes you can extract the original project name, and find a path on the hard drive and libraries. When you combine all of this together, it creates a fingerprint [of the attacker]."

Whether that fingerprint gets translated into a positive identification of the malware writer depends on law enforcement. Hoglund has passed several of his fingerprinting finds to government agencies and law enforcement, but says he doesn't hear back on whether they got their man.

How can you tell one individual from a group using the same attack tools and methods? Hoglund says the development environment used in the malware is a dead giveaway about the developer. "It relates to the way the guy's or girl's machine is set up. He has this version of C runtime library ... and had upgraded to Visual Studio 2008," for example, he says.

"What he's doing has source code, and he's rebuilding it [the source code] every time. There are pieces always present that I can see and track," he says.

So if another attacker used the same source code, he would still have a different fingerprint because he was coming from a different environment, location on the hard drive, and ran different software, etc., he says.
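The two passages above describe what the fingerprint tool extracts (the original project name and build path that survive a rename, plus the libraries in use) and why two attackers rebuilding the same source from different machines still produce different fingerprints. The following is an added example, not Hoglund's tool or HBGary code: it pulls the CodeView "RSDS" debug record (PDB GUID, age and path) and imported DLL names out of a byte blob, turns them into weighted markers, and links samples whose shared markers cross a threshold, so that a single weak clue such as a common import does not count as a match on its own. The sample blobs, marker weights and threshold are all constructed for this example.

```python
import re
import struct
import uuid
from itertools import combinations
from typing import Optional

# Layout of the CodeView "RSDS" debug record that MSVC-built PE files carry:
# "RSDS" | 16-byte PDB GUID | 4-byte age | NUL-terminated PDB path.
_RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,260})\x00", re.DOTALL)
_DLL_RE = re.compile(rb"[A-Za-z0-9_\-]+\.dll", re.IGNORECASE)

# Weights are an assumption of this example: a PDB GUID or full build path is far more
# specific to one development machine than a common import such as KERNEL32.dll.
MARKER_WEIGHTS = {"pdb_guid": 5, "pdb_path": 4, "build_dir": 3, "project": 2, "import": 1}


def _rsds_record(guid: uuid.UUID, age: int, pdb_path: str) -> bytes:
    """Build an RSDS record; used only to construct the sample blobs below."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode("ascii") + b"\x00"


# Constructed stand-ins for code extracted from memory (not real malware). Two come from
# the same build tree with the output renamed; the third comes from a different environment.
_GUID_1 = uuid.UUID("11111111-2222-3333-4444-555555555555")
_GUID_2 = uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa")
SAMPLES = {
    "sample_a.exe": b"\x90" * 8
    + _rsds_record(_GUID_1, 3, "D:\\proj\\svchost_helper\\Release\\helper.pdb")
    + b"\x00KERNEL32.dll\x00WS2_32.dll\x00ADVAPI32.dll\x00",
    "update.exe": b"\xcc" * 4
    + _rsds_record(_GUID_1, 7, "D:\\proj\\svchost_helper\\Release\\helper.pdb")
    + b"\x00KERNEL32.dll\x00WS2_32.dll\x00",
    "other.exe": b"\x00" * 2
    + _rsds_record(_GUID_2, 1, "C:\\Users\\dev\\netmon\\x64\\Release\\netmon.pdb")
    + b"\x00KERNEL32.dll\x00IPHLPAPI.DLL\x00",
}


def parse_rsds(blob: bytes) -> Optional[dict]:
    """Return the PDB GUID, age and path from the first RSDS record, or None if absent."""
    m = _RSDS_RE.search(blob)
    if m is None:
        return None
    return {
        "pdb_guid": str(uuid.UUID(bytes_le=m.group(1))),
        "pdb_age": struct.unpack("<I", m.group(2))[0],
        "pdb_path": m.group(3).decode("ascii", errors="replace"),
    }


def extract_markers(blob: bytes) -> set:
    """Collect (kind, value) markers: debug-record artifacts plus imported DLL names."""
    markers = set()
    cv = parse_rsds(blob)
    if cv is not None:
        path = cv["pdb_path"]
        directory, _, filename = path.rpartition("\\")
        markers.add(("pdb_guid", cv["pdb_guid"]))
        markers.add(("pdb_path", path.lower()))
        # Build directory and project name survive even when the dropped file is renamed.
        markers.add(("build_dir", directory.lower()))
        markers.add(("project", filename.lower().rsplit(".", 1)[0]))
    for dll in _DLL_RE.findall(blob):
        markers.add(("import", dll.decode("ascii").lower()))
    return markers


def link_score(blob_a: bytes, blob_b: bytes) -> int:
    """Weighted count of markers two samples share; one weak marker alone scores low."""
    common = extract_markers(blob_a) & extract_markers(blob_b)
    return sum(MARKER_WEIGHTS[kind] for kind, _ in common)


def link_samples(samples: dict, min_score: int = 6) -> list:
    """Return (name_a, name_b, score) for every pair whose shared markers reach min_score."""
    links = []
    for a, b in combinations(sorted(samples), 2):
        score = link_score(samples[a], samples[b])
        if score >= min_score:
            links.append((a, b, score))
    return links


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, sorted(extract_markers(blob)))
    print("linked:", link_samples(SAMPLES))
```

Run on the constructed samples, `sample_a.exe` and `update.exe` link with a score of 16 (same PDB GUID, path, build directory and project name, plus two shared imports) while `other.exe` shares only KERNEL32.dll with either and stays unlinked. Packed or stripped binaries carry no RSDS record, so `parse_rsds` returns None and the remaining markers alone rarely reach the threshold, which is the limitation the article notes about packing and obfuscation.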

That's not to say all attackers are easy to ID. Most hide their malware through packing or obfuscation today, and malware toolkits are also making fingerprinting more difficult, Hoglund says.

His research works like this: Hoglund has a bank of Windows machines running VMware in a lab. Real malware his firm finds on its clients' systems is dropped into the lab machines, where it gets batched via a tool that then extracts out of physical memory just what the malware did. "That's the source material I'm working with in the big bucket. I disassemble it, and have a tool to graph it," he explains. That basically creates a visual representation of the fingerprint, he says.

"This leads to an identifiable developer, say, Mr. Blue," he says. "We don't know his name, but what we do have is a fingerprint that all of this malware was written by the same person ... the tool marks what's present in all the binaries."

He also runs some link-analysis tools, Maltego and Palantir, and does a little Google search of the bad guy's source code. "It's amazing how often we get hits," he says.

With Aurora, for instance, he found a snippet of the binary's code in a blog post on a Chinese hacking site after doing a Google search. "He was either very close or was the developer. We weren't able to find this anywhere else on the Net," he says. He then graphed the hacker's social relationships, including who he was communicating with and who was commenting on his blog, and found that he had also written an attack toolkit, which he was also selling online. "We had the individuals who were using that developer toolkit ... it doesn't get any better than that," he says.

Hoglund says his firm handed their findings over to the feds, but never heard back on the outcome.

Based on his research and investigations of malware, he says he thinks there are more likely only hundreds, rather than thousands, of criminal gangs behind most cybercrime. "I think those groups do a lot of colluding. They're not individuals. They're not islands," he says. "They share a lot of stuff with each other."

Meanwhile, Hoglund says he plans to release a second free tool at Black Hat -- an inoculator tool. This tool will sweep the entire enterprise for a piece of malware and remove it. "That's totally hard core," he says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
