Skip Links

Black Hat talk to reveal analysis of hacker fingerprints

New tool called Fingerprint will let users sort malware on their own

By , Network World
July 19, 2010 12:14 PM ET

Network World - Looking deeper within malware yields fingerprints of the hackers who write the code, and that could result in signatures that have a longer lifetime than current intrusion-detection schemes, Black Hat 2010 attendees will be told next week.

Black Hat's most notorious incts: a quiz

Analysis of the binaries of malware executables also reveals characteristics about the intent of the attack code that could make for more efficient and effective data defenses, says Greg Hoglund, CEO of HBGary, whose briefing "Malware Attribution: Tracking Cyber Spies and Digital Criminals" is scheduled for the Las Vegas conference.

Hoglund says this analysis uncovers tool marks -- signs of the environments in which the code was written -- that can help identify code written by a common person or group based on what combination of tools they use.

For example, his research looked under the covers of one malware executable whose fingerprint included use of Back Orifice 2000, Ultra VNC remote desktop support software, and code from a 2002 Microsoft programming guide. Each program was slightly modified, but the information available amounted to a good fingerprint.

The malware was a remote access tool (RAT), and RAT generators such as Poison Ivy could have created unique RAT code for each use, but that's not the route this attacker chose. tifying this RAT in other instances of malware can link groups of malicious code to a common author or team, Hoglund says.

He has found that these fingerprints last a long time. Once written, the binaries themselves are altered only infrequently, so employing these fingerprints as malware signatures will be more useful for longer periods. "The bad guys don't change their code that often," Hoglund says.

A traditional antivirus platform tifies variants of malware. This research can anchor a new form of intrusion detection that analyzes malware deeply to find these fingerprints and to assign it to a threat group based on the intent of the malware, he says.

For instance, if the malware is designed to steal credit card numbers from individuals, a corporation might rank it as a lower threat to the corporation than malware that seeks to steal the company's intellectual property, he says.

"You are not going to succeed in keeping the bad guys out of your network," Hoglund says. "But if you can detect them as early as possible, you can prevent losses."

During his talk, Hoglund says he will exhibit graphs that cluster half a million pieces of malware his team has examined on a graph according to how closely their fingerprints match. He says he hopes to demonstrate that the sources of these 500,000 examples number relatively low -- in the hundreds rather than the thousands, he says.

If that's the case, using these fingerprints as signatures by which malware is detected, intrusion-detection engines could focus on filtering them rather than the wrappers in which they are sent. That would mean a more stable library of signatures since the attackers are slow to change their code. These IDS signatures would work better over a longer period.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News