Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:55 PM
Connect Directly

Researcher 'Fingerprints' The Bad Guys Behind The Malware

Black Hat USA researcher will demonstrate how to find clues to help ID actual attackers, plans to release free fingerprinting tool

Malware writers actually leave behind a telling trail of clues that can help identify their native tongue, their geographic location, their ties to other attacks -- and, in some cases, lead law enforcement to their true identities. A researcher at Black Hat USA next month plans to give away a homemade tool that helps organizations glean this type of intelligence about the actual attacker behind the malware.

Click here for more of Dark Reading's Black Hat articles.
Greg Hoglund, founder and CEO of HBGary, for several months has been studying malware from the infamous Operation Aurora attack that hit Google, Adobe, Intel, and others, as well as from GhostNet; in both cases, he discovered key characteristics about the attackers themselves. Hoglund says the key is to gather and correlate all of the characteristic "markers" in the malware that can, in turn, be traced to a specific malware writer.

While anti-malware firms focus on the malware and malware kits and give them names, Hoglund says that model is all wrong. "That whole model is completely broken," he says. "Instead of tracking kits, we need to start tracking the attacker as a threat group. I want to take the fight back to the attacker."

Among his findings on GhostNet, an attack used to spy on Chinese dissidents, for example, was a common compression method for the video stream that was unique to those attacks. And in Operation Aurora, he found Chinese-language ties, registry keys, IP addresses, suspicious runtime behavior, and other anomalies that tied Aurora to the developer.

"Developers write certain algorithms ... one time and keep reusing those components," Hoglund says. Those are one of these clues that can be found.

In an advanced persistent threat attack he has been tracking for five years that comes out of China, he found the binaries had some of the same characteristics over the years. "I took all the malware samples from that attack and ran it through an analysis, and I could see these clues all over," he says. "There was stuff from five years ago still in the binaries. I can tell when they compiled it."

A single clue alone might not mean much until you start combining multiple clues together, he says. His fingerprinting tool will help incident responders do exactly that: "The fingerprint tool will tell them interesting clues as to the artifacts left behind in the [malware] development environment -- what version compiler was used, the original project name even if they changed the name of the file, which is common," he says. "A lot of attackers rename their attack to something that sounds innocuous, but sometimes you can extract the original project name, and find a path on the hard drive and libraries. When you combine all of this together, it creates a fingerprint [of the attacker]."

Whether that fingerprint gets translated into a positive identification of the malware writer depends on law enforcement. Hoglund has passed several of his fingerprinting finds to government agencies and law enforcement, but says he doesn't hear back on whether they got their man.

How can you tell one individual from a group using the same attack tools and methods? Hoglund says the development environment used in the malware is a dead giveaway about the developer. "It relates to the way the guy's or girl's machine is set up. He has this version of C runtime library ... and had upgraded to Visual Studio 2008," for example, he says.

"What he's doing has source code, and he's rebuilding it [the source code] every time. There are pieces always present that I can see and track," he says.

So if another attacker used the same source code, he would still have a different fingerprint because he was coming from a different environment, location on the hard drive, and ran different software, etc., he says.

That's not to say all attackers are easy to ID. Most hide their malware through packing or obfuscation today, and malware toolkits are also making fingerprinting more difficult, Hoglund says.

His research works like this: Hoglund has a bank of Windows machines running VMware in a lab. Real malware his firm finds on its clients' systems is dropped into the lab machines, where it gets batched via a tool that then extracts out of physical memory just what the malware did. "That's the source material I'm working with in the big bucket. I disassemble it, and have a tool to graph it," he explains. That basically creates a visual representation of the fingerprint, he says.

"This leads to an identifiable developer, say, Mr. Blue," he says. "We don't know his name, but what we do have is a fingerprint that all of this malware was written by the same person ... the tool marks what's present in all the binaries."

He also runs some link-analysis tools, Maltego and Palantir, and does a little Google search of the bad guy's source code. "It's amazing how often we get hits," he says.

With Aurora, for instance, he found the snippet of the binary code in a blog post Chinese hacking site after doing a Google search. "He was either very close or was the developer. We weren't able to find this anywhere else on the Net," he says. He then graphed the hacker's social relationships, including who he was communicating with and who was commenting on his blog, and found that he had also written an attack toolkit, which he was also selling online. "We had the individuals who were using that developer toolkit ... it doesn't get any better than that," he says.

Hoglund says his firm handed their findings over to the feds, but never heard back on the outcome.

Based on his research and investigations of malware, he says he thinks there are more likely only hundreds, rather than thousands, of criminal gangs behind most cybercrime. "I think those groups do a lot of colluding. They're not individuals. They're not islands," he says. "They share a lot of stuff with each other."

Meanwhile, Hoglund says he plans to release a second free tool at Black Hat -- an inoculator tool. This tool will sweep the entire enterprise for a piece of malware and remove it. "That's totally hard core," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Google Cloud Debuts Threat-Detection Service
Robert Lemos, Contributing Writer,  9/23/2020
Shopify's Employee Data Theft Underscores Risk of Rogue Insiders
Kelly Sheridan, Staff Editor, Dark Reading,  9/23/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-27
XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4 because section.line is mishandled during regex section line replacement from PageGateway. Using crafted HTML, an attacker can elicit an XSS attack via jQuery's parseHTML method, which can cause image callbacks to fire even witho...
PUBLISHED: 2020-09-27
An issue was discovered in the FileImporter extension for MediaWiki before 1.34.4. An attacker can import a file even when the target page is protected against "page creation" and the attacker should not be able to create it. This occurs because of a mishandled distinction between an uploa...
PUBLISHED: 2020-09-27
An issue was discovered in MediaWiki 1.34.x before 1.34.4. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML.
PUBLISHED: 2020-09-27
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, Special:UserRights exposes the existence of hidden users.
PUBLISHED: 2020-09-27
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> ...