Unmasking malware coders
- By Mark Pomerleau
- Jan 26, 2016
Writers, chefs and craftsmen all have recognizable signature styles. The same can be said for programmers – including those who write malware.
Army researchers are working on an algorithm that will help system administrators improve security by more easily identifying malware authors and tracking the origin of threats, said Richard Harang, a security researcher with the Army Research Laboratory who is working on a toolkit to help Army analysts identify malware authors more quickly.
His team’s code stylometry study looked at samples from 1,600 coders and, with 94 percent accuracy, could determine the author of a particular code excerpt. In a "top five suspects" match, the precision was near perfect.
The researchers were able to show that identifying features could be found not only in a programmer’s source code, but also in compiled executable binary code. With machine learning, they were able to de-anonymize programmers of executable binaries, suggesting that coding style survives complicated transformations.
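To make the idea of code stylometry concrete, the following is an added illustration (not the Army Research Laboratory's toolkit, and not code from the study described above). It builds a small author profile from style habits that survive in source text: indentation unit, identifier casing, brace placement, spacing around assignment and comment density. A held-out snippet is then ranked against every known author by cosine similarity, and top-k accuracy is computed the way the article's "top five suspects" figure would be. The authors (alice, bob, carol), their samples and the feature set are all constructed for this example; a real system would use far richer lexical and syntactic features, and for binaries would operate on decompiled or disassembled code rather than source.

```python
# Toy code stylometry: attribute a snippet to the nearest author profile.
# Constructed example; authors, samples and features are hypothetical.
import math
import re
from collections import Counter

# Training samples, one per constructed author, each with distinct habits:
# alice: tabs, camelCase, brace on same line, spaces around '='
ALICE = """int countItems(int n) {
\tint total = 0;
\tfor (int i = 0; i < n; i++) {
\t\ttotal += i;
\t}
\treturn total;
}"""
# bob: 4-space indent, snake_case, brace on its own line, no spaces around '='
BOB = """int count_items(int n)
{
    int total=0;
    for (int i=0; i<n; i++)
    {
        total+=i;
    }
    return total;
}"""
# carol: 2-space indent, comments everywhere, UPPER_CASE constants
CAROL = """# sum the first n integers
def total(n):
  # closed form, avoids a loop
  assert n <= MAX_ITEMS
  return n * (n + 1) // 2"""
TRAIN = {"alice": ALICE, "bob": BOB, "carol": CAROL}

# Held-out samples. alice's borrows a snake_case name, so she shares one habit with bob.
ALICE_TEST = """int sumList(int* xs, int n) {
\tint running_sum = 0;
\tfor (int i = 0; i < n; i++) {
\t\trunning_sum += xs[i];
\t}
\treturn running_sum;
}"""
BOB_TEST = """int sum_list(int* xs, int n)
{
    int acc=0;
    for (int i=0; i<n; i++)
    {
        acc+=xs[i];
    }
    return acc;
}"""
CAROL_TEST = """# length of the longest word
def longest(words):
  # guard against empty input
  if not words:
    return 0
  return max(len(w) for w in words)"""
HELD_OUT = {"alice": ALICE_TEST, "bob": BOB_TEST, "carol": CAROL_TEST}


def extract_features(code: str) -> dict:
    """Count simple layout and naming habits; return them as relative frequencies."""
    lines = code.splitlines()
    f = Counter()
    widths = [len(ln) - len(ln.lstrip(" ")) for ln in lines]
    if any(ln.startswith("\t") for ln in lines):
        f["indent_tab"] = sum(ln.startswith("\t") for ln in lines)
    elif any(widths):
        unit = min(w for w in widths if w)          # smallest indent = indent unit
        f[f"indent_space{unit}"] = sum(1 for w in widths if w)
    for ln in lines:
        s = ln.strip()
        if s.startswith(("#", "//")):
            f["comment"] += 1
        if s == "{":
            f["brace_newline"] += 1
        elif s.endswith("{"):
            f["brace_sameline"] += 1
    f["camel_case"] = len(re.findall(r"\b[a-z]+[A-Z][A-Za-z]*\b", code))
    f["snake_case"] = len(re.findall(r"\b[a-z]+_[a-z_]+\b", code))
    f["upper_const"] = len(re.findall(r"\b[A-Z]+_[A-Z_]+\b", code))
    f["spaced_assign"] = len(re.findall(r" = ", code))
    f["tight_assign"] = len(re.findall(r"[^ =!<>]=[^ =]", code))  # 'x=1', 'x+=1'
    total = sum(f.values()) or 1
    return {k: v / total for k, v in f.items() if v}


def cosine(a: dict, b: dict) -> float:
    dot = sum(a[k] * b.get(k, 0.0) for k in a)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def rank_authors(code: str, profiles: dict) -> list:
    """Rank known authors by similarity to the snippet, best match first."""
    feats = extract_features(code)
    scores = [(name, cosine(feats, prof)) for name, prof in profiles.items()]
    return sorted(scores, key=lambda s: -s[1])


def top_k_accuracy(tests: dict, profiles: dict, k: int) -> float:
    """Fraction of held-out snippets whose true author appears in the top k."""
    hits = sum(author in [n for n, _ in rank_authors(code, profiles)[:k]]
               for author, code in tests.items())
    return hits / len(tests)


PROFILES = {name: extract_features(code) for name, code in TRAIN.items()}

if __name__ == "__main__":
    for author, code in HELD_OUT.items():
        print(author, "->", rank_authors(code, PROFILES))
    print("top-1 accuracy:", top_k_accuracy(HELD_OUT, PROFILES, 1))
```

Because the constructed habits barely overlap, every held-out snippet lands on its true author; alice's snake_case identifier gives bob a small nonzero score, which is exactly the kind of partial match that makes a top-k list more useful to an analyst than a single verdict.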
The issue of attribution is important because it may help analysts identify malware authors more quickly and speed deterrence efforts.
Mark Pomerleau is a former editorial fellow with GCN and Defense Systems.