Digital ‘Fingerprints’ Can Expose Malware Developers

Just as criminals can leave fingerprints in the physical world, malware authors can leave tell-tale signs on their products in the digital world, July’s Black Hat security conference will hear.

So-called development fingerprints, or “code artifacts” in malware can be used to to track down attackers, according to a talk to be given by Greg Hoglund, chief executive of security company HBGary, at the Black Hat conference in Las Vegas.

Fingerprint tool nabs the evildoers

Hoglund will discuss a tool called Fingerprint.exe, which can be used to help organisations gather intelligence about malware authors.

“[Fingerprint.exe] will try to determine as much as possible about the compiler, version, timestamps, third-party libraries, etc.,” Hoglund (left) said. “We have created a diagram we call the ‘flow of forensic toolmarks’ and identified all the locations where a fingerprint can be left behind when a developer writes and compiles code.

“This type of fingerprinting has a much longer shelf life than, say, a single malware signature,” he explained. “While a malware signature may only work on a single malware variant, a developer fingerprint works on any malware developed from or derived from that development environment.”

The approach has more scalability and is likely to detect more malware variants than other methods, he said. While malware authors can mutate their malware binaries to make it difficult for traditional anti-virus signatures to keep up, development fingerprints relate to the way the code was written — something not easily changed by the developer, he explained.

“Instead of giving each malware binary a code name like the existing AV [antivirus] vendors do, we want to give each threat-actor or group a code name,” Hoglund said. “There will be far [fewer] groups than malware variants, obviously. We have a hunch the number won’t even be that large, measuring in the hundreds as opposed to thousands. Tracking the groups is better anyway, since the malware itself isn’t a threat — it’s the person [or persons] operating the malware that represent the threat.”

Though he acknowledged that many pieces of malware recycle code from other viruses and Trojans, this can help identify the malware’s developer as well, he said.

“For example, I am tracking one developer who has clearly cut-and-pasted from three distinct source bases … B02k, UltraVNC and some obscure sample code from a Windows internals book dating back to 2002,” Hoglund told eWEEK. “So the combination of all three serves as a kind of marker for this developer. Also, when common code is reused this can lead to social spaces on the ‘Net where this code has been posted or talked about, and from here we create link-analysis diagrams of the online social relationships at play. In some cases we have been able to find the developer and also people asking for technical support on their copies of his bot.”

Hoglund said he plans to release a single tool for fingerprinting, as well as a second tool designed to sweep an enterprise and remove a malware infection, “assuming you know how it survives reboot.” The two tools could be used together, but are designed to stand alone, he said.

Hoglund’s Black Hat presentation is scheduled for July 28.