Black Hat talk to reveal analysis of hacker fingerprints

During his talk, Hoglund says he will exhibit graphs that cluster half a million pieces of malware his team has examined on a graph according to how closely their fingerprints match

Looking deeper within malware yields fingerprints of the hackers who write the code, and that could result in signatures that have a longer lifetime than current intrusion-detection schemes, Black Hat 2010 attendees will be told next week.

Black Hat's most notorious incidents: a quiz

Analysis of the binaries of malware executables also reveals characteristics about the intent of the attack code that could make for more efficient and effective data defenses, says Greg Hoglund, CEO of HBGary, whose briefing "Malware Attribution: Tracking Cyber Spies and Digital Criminals" is scheduled for the Las Vegas conference.

Hoglund says this analysis uncovers tool marks -- signs of the environments in which the code was written -- that can help indentify code written by a common person or group based on what combination of tools they use.

For example, his research looked under the covers of one malware executable whose fingerprint included use of Back Orifice 2000, Ultra VNC remote desktop support software, and code from a 2002 Microsoft programming guide. Each program was slightly modified, but the information available amounted to a good fingerprint.

The malware was a remote access tool (RAT), and RAT generators such as Poison Ivy could have created unique RAT code for each use, but that's not the route this attacker chose. Identifying this RAT in other instances of malware can link groups of malicious code to a common author or team, Hoglund says.

He has found that these fingerprints last a long time. Once written, the binaries themselves are altered only infrequently, so employing these fingerprints as malware signatures will be more useful for longer periods. "The bad guys don't change their code that often," Hoglund says.

A traditional antivirus platform identifies variants of malware. This research can anchor a new form of intrusion detection that analyzes malware deeply to find these fingerprints and to assign it to a threat group based on the intent of the malware, he says.

For instance, if the malware is designed to steal credit card numbers from individuals, a corporation might rank it as a lower threat to the corporation than malware that seeks to steal the company's intellectual property, he says.

"You are not going to succeed in keeping the bad guys out of your network," Hoglund says. "But if you can detect them as early as possible, you can prevent losses."

During his talk, Hoglund says he will exhibit graphs that cluster half a million pieces of malware his team has examined on a graph according to how closely their fingerprints match. He says he hopes to demonstrate that the sources of these 500,000 examples number relatively low -- in the hundreds rather than the thousands, he says.

If that's the case, using these fingerprints as signatures by which malware is detected, intrusion-detection engines could focus on filtering them rather than the wrappers in which they are sent. That would mean a more stable library of signatures since the attackers are slow to change their code. These IDS signatures would work better over a longer period.

To do this the IDS needs to be on endpoints where the code executes and can be seen in the memory of the computer as a human-readable text. At the network layer, a packed executable would not reveal these attributes.

At the conference, Hoglund plans to release a tool called Fingerprint that analyzes and compares the similarities among the underlying artifacts found in different pieces of malware. Businesses could use the tool to determine what identifiable attacker wrote the code and what its intent is.

That in turn can give businesses an idea of whether they are under a concerted assault from a common group rather than being the victim of random attacks. Using this type of analysis, Hoglund says he found that one identifiable attacker was responsible for targeting the Department of Defense as well as a particular military base five years before.

That indicated the attacker was the same, and use of a Chinese-language development environment indicated the attacks came from there. Some of the source code used was exact copies of code traded on China hacker sites.

Read more about wide area network in Network World's Wide Area Network section.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Microsoftmalwareblack hatBlack Hat 2010

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tim Greene

Network World
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?