Blackhat 2010: Malware Attribution - Tracking Cyber Spiesby Greg Hoglund

Corporate, state, and federal networks are at great risk and a decade of security spending has not increased our security. Hundreds of thousands of malware samples are released daily that escape undetected by antivirus. Cyber-spies are able to take intellectual property like source code formulas and CAD diagrams at their whim. We are at a crisis point and we need to rethink how we address malware.

Malware is a human problem. We can clean malware from a host but the bad guy will be back again tomorrow. By tracing malware infections back to the human attacker we can understand what they are after, what to protect, and counter their technical capabilities. Every step in the development of malware has the potential to leave a forensic toolmark that can be used to trace developers, and ideally can lead to the operators of the malware. Social cyberspaces exist where malware developers converse with one another and their clients. A global economy of cyber spies and digital criminals support the development of malware and subsequent monetization of information. This talk focuses on how code artifacts and toolmarks can be used to trace those threat actors.

We will study GhostNet and Aurora, among others. Example toolmarks will include compiler and programming language fingerprints, native language artifacts (was it written for Chinese operators, etc), mutations or extensions to algorithms, command and control protocols, and more. We will discuss link analysis (using Palantir, etc) against open-source data such as internet forums and network scans. Ultimately this information will lead to a greater understanding of the malware operation as a whole, and feeds directly back into actionable defenses.

Published 14 February 2015