DeepSec 2013 Talk: Malware Datamining And Attribution
The production of code leaves traces in the final binary. There can be debugging symbols present, which give you a lot of information. Maybe the binary has some commonly used libraries or functions. A lot of fingerprinting can be done with software. Why is this of interest? Well, there is the attribution problem of attacks and malicious software. Identifying where malware comes from can be crucial for the assessment of risks and the impact of compromised systems. Michael Boman has researched this topic and will present his findings in his talk titled Malware Datamining And Attribution at DeepSec 2013.
Stuxnet and related malware is a prime example where the source of the code is of fundamental interest. Even for more „mundane“ code malware authors use leaves traces in their work which can be used to attribute malware to a a individual or a group of individuals. This is a great help when assessing the nature of malicious activity. You might identify the tools used, notice patterns, determine if the malware is part of an organised attack, a single incident or something else. It is especially interesting if you can combine the forensic data gathered with evidence found on computers where the malware was actually produced. Either way it is a good method to gain insight into how attack tools are used, who uses them, and how they are traded (in the case of malware being sold to groups performing the actual attacks).
Don’t turn a blind eye on the binaries that end up on your systems or in your networks. You should always post-process incidents and acquire as much data as you can. Data mining starts small, and when it comes to malicious software it is your personal radar. Follow Michael Boman’s presentation to get ideas how and where to start.