Black Hat USA researcher will demonstrate how to find clues to help ID actual attackers, plans to release free fingerprinting tool

Malware writers actually leave behind a telling trail of clues that can help identify their native tongue, their geographic location, their ties to other attacks -- and, in some cases, lead law enforcement to their true identities. A researcher at Black Hat USA next month plans to give away a homemade tool that helps organizations glean this type of intelligence about the actual attacker behind the malware.

Greg Hoglund, founder and CEO of HBGary, for several months has been studying malware from the infamous Operation Aurora attack that hit Google, Adobe, Intel, and others, as well as from GhostNet; in both cases, he discovered key characteristics about the attackers themselves. Hoglund says the key is to gather and correlate all of the characteristic "markers" in the malware that can, in turn, be traced to a specific malware writer.

While anti-malware firms focus on the malware and malware kits and give them names, Hoglund says that model is all wrong. "That whole model is completely broken," he says. "Instead of tracking kits, we need to start tracking the attacker as a threat group. I want to take the fight back to the attacker."

Among his findings on GhostNet, an attack used to spy on Chinese dissidents, for example, was a common compression method for the video stream that was unique to those attacks. And in Operation Aurora, he found Chinese-language ties, registry keys, IP addresses, suspicious runtime behavior, and other anomalies that tied Aurora to the developer.

"Developers write certain algorithms ... one time and keep reusing those components," Hoglund says. Those are one of these clues that can be found.

In an advanced persistent threat attack he has been tracking for five years that comes out of China, he found the binaries had some of the same characteristics over the years. "I took all the malware samples from that attack and ran it through an analysis, and I could see these clues all over," he says. "There was stuff from five years ago still in the binaries. I can tell when they compiled it."

A single clue alone might not mean much until you start combining multiple clues together, he says. His fingerprinting tool will help incident responders do exactly that: "The fingerprint tool will tell them interesting clues as to the artifacts left behind in the [malware] development environment -- what version compiler was used, the original project name even if they changed the name of the file, which is common," he says. "A lot of attackers rename their attack to something that sounds innocuous, but sometimes you can extract the original project name, and find a path on the hard drive and libraries. When you combine all of this together, it creates a fingerprint [of the attacker]."

Whether that fingerprint gets translated into a positive identification of the malware writer depends on law enforcement. Hoglund has passed several of his fingerprinting finds to government agencies and law enforcement, but says he doesn't hear back on whether they got their man.

How can you tell one individual from a group using the same attack tools and methods? Hoglund says the development environment used in the malware is a dead giveaway about the developer. "It relates to the way the guy's or girl's machine is set up. He has this version of C runtime library ... and had upgraded to Visual Studio 2008," for example, he says.

"What he's doing has source code, and he's rebuilding it [the source code] every time. There are pieces always present that I can see and track," he says.

So if another attacker used the same source code, he would still have a different fingerprint because he was coming from a different environment, location on the hard drive, and ran different software, etc., he says.

That's not to say all attackers are easy to ID. Most hide their malware through packing or obfuscation today, and malware toolkits are also making fingerprinting more difficult, Hoglund says.

His research works like this: Hoglund has a bank of Windows machines running VMware in a lab. Real malware his firm finds on its clients' systems is dropped into the lab machines, where it gets batched via a tool that then extracts out of physical memory just what the malware did. "That's the source material I'm working with in the big bucket. I disassemble it, and have a tool to graph it," he explains. That basically creates a visual representation of the fingerprint, he says.

"This leads to an identifiable developer, say, Mr. Blue," he says. "We don't know his name, but what we do have is a fingerprint that all of this malware was written by the same person ... the tool marks what's present in all the binaries."

He also runs some link-analysis tools, Maltego and Palantir, and does a little Google search of the bad guy's source code. "It's amazing how often we get hits," he says.

With Aurora, for instance, he found the snippet of the binary code in a blog post Chinese hacking site after doing a Google search. "He was either very close or was the developer. We weren't able to find this anywhere else on the Net," he says. He then graphed the hacker's social relationships, including who he was communicating with and who was commenting on his blog, and found that he had also written an attack toolkit, which he was also selling online. "We had the individuals who were using that developer toolkit ... it doesn't get any better than that," he says.

Hoglund says his firm handed their findings over to the feds, but never heard back on the outcome.

Based on his research and investigations of malware, he says he thinks there are more likely only hundreds, rather than thousands, of criminal gangs behind most cybercrime. "I think those groups do a lot of colluding. They're not individuals. They're not islands," he says. "They share a lot of stuff with each other."

Meanwhile, Hoglund says he plans to release a second free tool at Black Hat -- an inoculator tool. This tool will sweep the entire enterprise for a piece of malware and remove it. "That's totally hard core," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights