Skip the navigation

Black Hat talk to reveal analysis of hacker fingerprints

By Tim Greene
July 19, 2010 12:34 PM ET

Network World - Looking deeper within malware yields fingerprints of the hackers who write the code, and that could result in signatures that have a longer lifetime than current intrusion-detection schemes, Black Hat 2010 attendees will be told next week.

Black Hat's most notorious incidents: a quiz

Analysis of the binaries of malware executables also reveals characteristics about the intent of the attack code that could make for more efficient and effective data defenses, says Greg Hoglund, CEO of HBGary, whose briefing "Malware Attribution: Tracking Cyber Spies and Digital Criminals" is scheduled for the Las Vegas conference.

Hoglund says this analysis uncovers tool marks -- signs of the environments in which the code was written -- that can help indentify code written by a common person or group based on what combination of tools they use.

For example, his research looked under the covers of one malware executable whose fingerprint included use of Back Orifice 2000, Ultra VNC remote desktop support software, and code from a 2002 Microsoft programming guide. Each program was slightly modified, but the information available amounted to a good fingerprint.

The malware was a remote access tool (RAT), and RAT generators such as Poison Ivy could have created unique RAT code for each use, but that's not the route this attacker chose. Identifying this RAT in other instances of malware can link groups of malicious code to a common author or team, Hoglund says.

He has found that these fingerprints last a long time. Once written, the binaries themselves are altered only infrequently, so employing these fingerprints as malware signatures will be more useful for longer periods. "The bad guys don't change their code that often," Hoglund says.

A traditional antivirus platform identifies variants of malware. This research can anchor a new form of intrusion detection that analyzes malware deeply to find these fingerprints and to assign it to a threat group based on the intent of the malware, he says.

For instance, if the malware is designed to steal credit card numbers from individuals, a corporation might rank it as a lower threat to the corporation than malware that seeks to steal the company's intellectual property, he says.

"You are not going to succeed in keeping the bad guys out of your network," Hoglund says. "But if you can detect them as early as possible, you can prevent losses."

During his talk, Hoglund says he will exhibit graphs that cluster half a million pieces of malware his team has examined on a graph according to how closely their fingerprints match. He says he hopes to demonstrate that the sources of these 500,000 examples number relatively low -- in the hundreds rather than the thousands, he says.

Originally published on www.networkworld.com. Click here to read the original story.
Reprinted with permission from NetworkWorld.com. Story copyright 2012 Network World, Inc. All rights reserved.
Our Commenting Policies