Unmasking malware coders

Writers, chefs and craftsmen all have recognizable signature styles. The same can be said for programmers – including those who write malware.

Army researchers are working on an algorithm that will help system administrators improve security by more easily identifying malware authors and tracking the origin of threats, said Richard Harang, a security researcher with the Army Research Laboratory who is working on a toolkit to help Army analysts identify malware authors more quickly.

His team’s code stylometry study looked at samples from 1,600 coders and, with 94 percent accuracy, could determine the author of a particular code excerpt. In a "top five suspects" match, the precision was near perfect.

The researchers were able to show that identifying features could be found not only in a programmer’s source code, but also in compiled executable binary code. With machine learning, they were able to de-anonymize programmers of executable binaries, suggesting that coding style survives complicated transformations.
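The study described above combines stylistic features with a machine-learning classifier and reports both exact-match accuracy and "top five suspects" precision. The Python below is an added, hypothetical example written for this page, not code from the Army Research Laboratory study or its toolkit: it extracts a handful of layout and naming features from source snippets, fits a nearest-centroid classifier (a deliberately simple stand-in for the study's model) on three fictional authors, and scores top-k accuracy on held-out snippets. Every snippet, author name and function name is constructed; the study's binary-level features are not reproduced here.

```python
"""Toy code-stylometry pipeline: layout and naming features, nearest-centroid
author ranking and top-k evaluation. Hypothetical example written for this
article (not the Army Research Laboratory toolkit); every snippet below is a
constructed sample attributed to a fictional author."""
import math
import re
import statistics

IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
KEYWORDS = {"int", "if", "else", "for", "while", "return", "void", "char"}

# Constructed training corpus: three fictional authors with distinct habits.
TRAIN = {
    "alice": [  # tabs, snake_case, K&R braces, spaced operators, comments
        ("int add_two(int lhs, int rhs) {\n"
         "\tint result_value = lhs + rhs; // sum\n"
         "\treturn result_value;\n}\n"),
        ("void fill_zero(char *dst_buf, int buf_len) {\n"
         "\tfor (int pos = 0; pos < buf_len; pos++) { // wipe\n"
         "\t\tdst_buf[pos] = 0;\n\t}\n}\n"),
    ],
    "bob": [  # four spaces, camelCase, Allman braces, no operator spacing
        ("int addTwo(int lhs,int rhs)\n{\n"
         "    int resultValue=lhs+rhs;\n"
         "    return resultValue;\n}\n"),
        ("void fillZero(char *dstBuf,int bufLen)\n{\n"
         "    for(int pos=0;pos<bufLen;pos++)\n    {\n"
         "        dstBuf[pos]=0;\n    }\n}\n"),
    ],
    "carol": [  # two spaces, terse names, K&R braces, spaced operators
        "int add(int a, int b) {\n  int r = a + b;\n  return r;\n}\n",
        ("void zero(char *p, int n) {\n  for (int i = 0; i < n; i++) {\n"
         "    p[i] = 0;\n  }\n}\n"),
    ],
}

# Constructed held-out snippets paired with their true (fictional) authors.
TESTS = [
    ("alice", "int max_of(int first_val, int second_val) {\n"
              "\tint larger_val = second_val; // default\n"
              "\tif (first_val > second_val) { larger_val = first_val; }\n"
              "\treturn larger_val;\n}\n"),
    ("bob", "int maxOf(int firstVal,int secondVal)\n{\n    if(firstVal>secondVal)\n"
            "    {\n        return firstVal;\n    }\n    return secondVal;\n}\n"),
    ("carol", "int mx(int a, int b) {\n  if (a > b) { return a; }\n  return b;\n}\n"),
]


def extract_features(src: str) -> list[float]:
    """Map a snippet to a fixed-length vector of layout and naming features."""
    lines = [ln for ln in src.splitlines() if ln.strip()]
    indented = [ln for ln in lines if ln[0] in " \t"]
    tab_ratio = sum(ln.startswith("\t") for ln in indented) / max(len(indented), 1)
    widths = [len(ln) - len(ln.lstrip(" ")) for ln in indented if ln[0] == " "]
    indent_width = statistics.median(widths) if widths else 0.0
    idents = [t for t in IDENT.findall(src) if t not in KEYWORDS and len(t) > 1]
    n_id = max(len(idents), 1)
    snake_ratio = sum("_" in t for t in idents) / n_id
    camel_ratio = sum(bool(re.search(r"[a-z][A-Z]", t)) for t in idents) / n_id
    mean_ident_len = sum(map(len, idents)) / n_id
    brace_lines = [ln for ln in lines if "{" in ln]
    brace_same_line = sum(ln.strip() != "{" for ln in brace_lines) / max(len(brace_lines), 1)
    assigns = len(re.findall(r"[^=!<>]=[^=]", src))   # single '=' operators
    op_spacing = src.count(" = ") / max(assigns, 1)   # share written as ' = '
    comment_density = sum("//" in ln for ln in lines) / max(len(lines), 1)
    return [tab_ratio, indent_width, snake_ratio, camel_ratio,
            mean_ident_len, brace_same_line, op_spacing, comment_density]


def train(samples: dict[str, list[str]]):
    """Per-author centroids plus a per-feature scale (pooled std dev)."""
    vecs = {a: [extract_features(s) for s in srcs] for a, srcs in samples.items()}
    pooled = [v for vs in vecs.values() for v in vs]
    scale = []
    for j in range(len(pooled[0])):
        sd = statistics.pstdev([v[j] for v in pooled])
        scale.append(sd if sd > 1e-9 else 1.0)   # avoid dividing by zero
    centroids = {a: [statistics.mean([v[j] for v in vs]) for j in range(len(scale))]
                 for a, vs in vecs.items()}
    return centroids, scale


def rank_authors(src: str, model) -> list[str]:
    """Candidate authors ordered from nearest to farthest standardized centroid."""
    centroids, scale = model
    f = extract_features(src)
    dist = {a: math.sqrt(sum(((f[j] - c[j]) / scale[j]) ** 2 for j in range(len(f))))
            for a, c in centroids.items()}
    return sorted(dist, key=dist.get)


def top_k_accuracy(tests, model, k: int) -> float:
    """Fraction of held-out snippets whose true author is in the top-k ranking."""
    hits = sum(author in rank_authors(src, model)[:k] for author, src in tests)
    return hits / len(tests)


if __name__ == "__main__":
    model = train(TRAIN)
    for author, src in TESTS:
        print(f"{author:6} -> {rank_authors(src, model)}")
    print("top-1 accuracy:", top_k_accuracy(TESTS, model, 1))
```

`rank_authors` returns an ordered candidate list, so the same `top_k_accuracy` call with `k=5` produces the kind of "top five suspects" figure quoted above. Two caveats matter in practice. First, a nearest-centroid model over a handful of lexical features is far weaker than the study's approach, which would draw on many more features (syntax-tree shape, control flow and, for compiled code, properties recovered from disassembly); this toy exists only to make the feature-extract, train, rank, evaluate shape concrete. Second, a closed-set ranker always names somebody: a snippet from an author absent from the training set is still assigned to the nearest known centroid, so an analyst should treat a large minimum distance as "unknown author" rather than as an attribution.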

The issue of attribution is important because it may help analysts identify malware authors more quickly and speed deterrence efforts.

About the Author

Mark Pomerleau is a former editorial fellow with GCN and Defense Systems.

Reader Comments

Wed, Jan 27, 2016 Warren

Once they are identified and tracked, would this give an option to block the IP, or is it only for identifying but not stopping coders?
