Speaker: Rich Cummings
Over the last decade, the Malware Industry has grown at a phenomenal rate. The volume of unique Malware, the sophistication of Malware techniques, and the number of participants in the overall Malware environment have all reached a critical mass – they have surpassed the ability of the Security Industry to provide comprehensive protection. The Security Industry is changing, adapting, and growing in an effort to catch up to the Malware Industry. In my presentation, "Fingerprinting Malware Developers,” I will discuss how to fingerprint -- and potentially identify -- the developers behind each piece of Malware. Fingerprinting Malware has emerged as a significant concern in today’s security environment. Forensic Investigators, Security Consultants, Software Vendors, Network Administrators, and CISOs all want to determine who is behind the attacks on their victims, clients, customers, products, and networks. They want to utilize this information for a variety of purposes—prosecute the attackers, identify related attacks, and secure against future attacks. This presentation will outline a number of methods, and some myths, related to the more general field of fingerprinting software developers. Methods covered include instruction usage, analysis of code patterns, debug information, language attribution, linked third-party libraries, embedded product keys, compiler and linker information, compiler signatures, machine signatures, and globally unique identifiers. These methods are then applied to the more specific context of Malware, and the success or failure of each method will be discussed. Finally, I will discuss some of the reasons that fingerprinting Malware developers can be a difficult problem to solve.