Unmasking malware coders

Writers, chefs and craftsmen all have recognizable signature styles. The same can be said for programmers – including those who write malware.

Army researchers are working on an algorithm that will help system administrators improve security by more easily identifying malware authors and tracking the origin of threats, said Richard Harang, a security researcher with the Army Research Laboratory who is working on a toolkit to help Army analysts identify malware authors more quickly.

His team’s code stylometry study looked at samples from 1,600 coders and, with 94 percent accuracy, could determine the author of a particular code excerpt. In a "top five suspects" match, the precision was near perfect.

The researchers were able to show that identifying features could be found not only in a programmer’s source code, but also in compiled executable binary code. With machine learning, they were able to de-anonymize programmers of executable binaries, suggesting that coding style survives complicated transformations.

The issue of attribution is important because it may help analysts identify malware authors more quickly and speed deterrence efforts.

About the Author

Mark Pomerleau is a former editorial fellow with GCN and Defense Systems.
