Tracking Malware Authors' Digital Fingerprints

In a presentation at July's Black Hat security conference, HBGary CEO Greg Hoglund will talk about how to use what he calls the development fingerprints in malware to track down attackers.

Just as criminals can leave fingerprints in the physical world, malware authors can leave fingerprints on their products in the digital world.

Tracing those code artifacts back to attackers can lead to the minds behind the malware economy, according to HBGary CEO Greg Hoglund. In a talk at the upcoming Black Hat conference in Las Vegas, Hoglund will discuss how his new tool, dubbed Fingerprint.exe, can be used to help organizations gather intelligence about malware authors.

"[Fingerprint.exe] will try to determine as much as possible about the compiler, version, timestamps, third-party libraries, etc.," Hoglund said. "We have created a diagram we call the 'flow of forensic toolmarks' and identified all the locations where a fingerprint can be left behind when a developer writes and compiles code."

"This type of fingerprinting has a much longer shelf life than, say, a single malware signature," he explained. "While a malware signature may only work on a single malware variant, a developer fingerprint works on any malware developed from or derived from that development environment."

The approach has more scalability and is likely to detect more malware variants than other methods, he said. While malware authors can mutate their malware binaries to make it difficult for traditional anti-virus signatures to keep up, development fingerprints relate to the way the code was written-something not easily changed by the developer, he explained.

"Instead of giving each malware binary a code name like the existing AV [antivirus] vendors do, we want to give each threat-actor or group a code name," Hoglund said. "There will be far [fewer] groups than malware variants, obviously. We have a hunch the number won't even be that large, measuring in the hundreds as opposed to thousands. Tracking the groups is better anyway, since the malware itself isn't a threat-it's the person [or persons] operating the malware that represent the threat."

Though he acknowledged that many pieces of malware recycle code from other viruses and Trojans, this can help identify the malware's developer as well, he said.

"For example, I am tracking one developer who has clearly cut-and-pasted from three distinct source bases ... B02k, UltraVNC and some obscure sample code from a Windows internals book dating back to 2002," Hoglund told eWEEK. "So the combination of all three serves as a kind of marker for this developer. Also, when common code is reused this can lead to social spaces on the 'Net where this code has been posted or talked about, and from here we create link-analysis diagrams of the online social relationships at play. In some cases we have been able to find the developer and also people asking for technical support on their copies of his bot."

Hoglund said he plans to release a single tool for fingerprinting, as well as a second tool designed to sweep an enterprise and remove a malware infection, "assuming you know how it survives reboot." The two tools could be used together, but are designed to stand alone, he said.

Hoglund's Black Hat presentation is scheduled for July 28.