Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Malware Authors Leave Their Fingerprints On Their Work, Black Hat Researcher Says

Careful study of malware can help experts recognize its source and protect against it

LAS VEGAS, NEVADA -- Black Hat USA 2010 -- At the rate malware is proliferating, it sometimes seems impossible to tell one bit of malicious code from the next. But according to a security researcher here, malware authors leave "fingerprints" all over their work, which could aid security professionals in stopping them.
Click here for more of Dark Reading's Black Hat articles.
At a session on malware attribution, HB Gary researcher Greg Hoglund outlined a wide variety of methods that can be used to identify the source of malware and, ultimately, determine how to defend against it.

"We're not talking about naming names here, or finding their Social Security number and missile coordinates," said Hoglund, whose company does detailed analysis of malware. "What we're saying is that there is a human factor here that can help us understand what we're dealing with when we see new malware."

Malware developers leave "fingerprints" on their programs in the form of the tools they use, their styles of code-writing, and even in the parameters they choose, Hoglund says. These clues can help security experts determine whether a new attack is based on an old one, or whether a development toolkit was used to create it.

Such information might not be enough for law enforcement to track the malware back to its author, but recognizing similarities in malware development patterns can be helpful in preparing effective defenses, Hoglund stated.

After extensive malware analysis, HB Gary has identified some basic "rules" of malware authorship, Hoglund said. Rule No. 1 is that humans are lazy and seldom rewrite source code if they can avoid it.

"There might be 50,000 variations out there, but the base code is still the same," he said.

The second rule is that most attackers are focused on making a rapid reaction to network-level filtering and other standard defenses, Hoglund said. "They are not so focused on host-level stealth," which makes host-level analysis useful in following their tracks, he observed.

The third rule is that physical memory is king. "Once executing in memory, code has to be revealed, and that's where you can see its true behavior," even though the malware author may have taken sophisticated steps to pack or otherwise obfuscate it, Hoglund said.

Malware attribution is not particularly difficult if you know what to look for, Hoglund stated. "If you can read a packet sniffer, you can attribute malware," he said. If more security professionals investigated the source of the malware they saw, then it would be easier to develop defenses, he observed.

Hoglund took the audience through a broad range of methods for identifying a malware author's fingerprints, ranging from toolkits and development tools used to time stamps and source code analysis.

"So far in malware analysis, the industry has focused mostly on the binary end of the spectrum," Hoglund said. "We want to open people's minds up to the human side."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3493
PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
CVE-2021-3492
PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
CVE-2020-2509
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later Q...
CVE-2020-36195
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
CVE-2021-29445
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...