By Tim Greene
July 19, 2010

Looking deeper within malware yields fingerprints of the hackers who
write the code, and that could result in signatures that have a longer
lifetime than current intrusion-detection schemes, Black Hat 2010
attendees will be told next week.

Analysis of the binaries of malware executables also reveals
characteristics about the intent of the attack code that could make for
more efficient and effective data defenses, says Greg Hoglund, CEO of
HBGary, whose briefing "Malware Attribution: Tracking Cyber Spies and
Digital Criminals" is scheduled for the Las Vegas conference.

Hoglund says this analysis uncovers tool marks -- signs of the
environments in which the code was written -- that can help identify
code written by the same person or group based on the combination of
tools they use.

For example, his research looked under the covers of one malware
executable whose fingerprint included use of Back Orifice 2000, UltraVNC
remote desktop support software, and code from a 2002 Microsoft
programming guide. Each program was slightly modified, but the
information available amounted to a good fingerprint.