Wednesday, June 23, 2010

Researcher 'Fingerprints' The Bad Guys Behind The Malware

Via -

Malware writers actually leave behind a telling trail of clues that can help identify their native tongue, their geographic location, their ties to other attacks -- and, in some cases, lead law enforcement to their true identities. A researcher at Black Hat USA next month plans to give away a homemade tool that helps organizations glean this type of intelligence about the actual attacker behind the malware.

Greg Hoglund, founder and CEO of HBGary, for several months has been studying malware from the infamous Operation Aurora attack that hit Google, Adobe, Intel, and others, as well as from GhostNet; in both cases, he discovered key characteristics about the attackers themselves. Hoglund says the key is to gather and correlate all of the characteristic "markers" in the malware that can, in turn, be traced to a specific malware writer.

While anti-malware firms focus on the malware and malware kits and give them names, Hoglund says that model is all wrong. "That whole model is completely broken," he says. "Instead of tracking kits, we need to start tracking the attacker as a threat group. I want to take the fight back to the attacker."

Among his findings on GhostNet, an attack used to spy on Chinese dissidents, for example, was a common compression method for the video stream that was unique to those attacks. And in Operation Aurora, he found Chinese-language ties, registry keys, IP addresses, suspicious runtime behavior, and other anomalies that tied Aurora to the developer.

"Developers write certain algorithms ... one time and keep reusing those components," Hoglund says. Those are one of these clues that can be found.


With Aurora, for instance, he found the snippet of the binary code in a blog post Chinese hacking site after doing a Google search. "He was either very close or was the developer. We weren't able to find this anywhere else on the Net," he says. He then graphed the hacker's social relationships, including who he was communicating with and who was commenting on his blog, and found that he had also written an attack toolkit, which he was also selling online. "We had the individuals who were using that developer toolkit ... it doesn't get any better than that," he says.

Hoglund says his firm handed their findings over to the feds, but never heard back on the outcome.

Based on his research and investigations of malware, he says he thinks there are more likely only hundreds, rather than thousands, of criminal gangs behind most cybercrime. "I think those groups do a lot of colluding. They're not individuals. They're not islands," he says. "They share a lot of stuff with each other."

Meanwhile, Hoglund says he plans to release a second free tool at Black Hat -- an inoculator tool. This tool will sweep the entire enterprise for a piece of malware and remove it. "That's totally hard core," he says.

No comments:

Post a Comment