Unmasking malware coders

Writers, chefs and craftsmen all have recognizable signature styles. The same can be said for programmers – including those who write malware.

Army researchers are working on an algorithm that will help system administrators improve security by more easily identifying malware authors and tracking the origin of threats, said Richard Harang, a security researcher with the Army Research Laboratory who is working on a toolkit to help Army analysts identify malware authors more quickly.

His team’s code stylometry study looked at samples from 1,600 coders and, with 94 percent accuracy, could determine the author of a particular code excerpt. In a "top five suspects" match, the precision was near perfect.

The researchers were able to show that identifying features could be found not only in a programmer’s source code, but also in compiled executable binary code. With machine learning, they were able to de-anonymize programmers of executable binaries, suggesting that coding style survives complicated transformations.

The issue of attribution is important because it may help analysts identify malware authors more quickly and speed deterrence efforts.

About the Author

Mark Pomerleau is a former editorial fellow with GCN and Defense Systems.

