Unmasking malware coders

Writers, chefs and craftsmen all have recognizable signature styles. The same can be said for programmers – including those who write malware.

Army researchers are working on an algorithm that will help system administrators improve security by identifying malware authors and tracing the origin of threats more easily, said Richard Harang, a security researcher with the Army Research Laboratory who is working on a toolkit to help Army analysts identify malware authors more quickly.

His team’s code stylometry study looked at samples from 1,600 coders and could pick out the author of a given code excerpt with 94 percent accuracy. When the test was relaxed to whether the true author appeared among the "top five suspects," precision was near perfect.

The researchers were able to show that identifying features could be found not only in a programmer’s source code, but also in compiled executable binaries. Using machine learning, they were able to de-anonymize the programmers of executable binaries, suggesting that elements of coding style survive the transformations applied by compilation.
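The study above does not publish its feature set or classifier on this page, so the following is an added illustration, not the ARL team's code: it extracts a handful of lexical and layout features from source snippets (indentation, tab use, comment density, identifier naming and length, line length), z-scores them, builds one centroid per author, and ranks authors for an unseen snippet by distance. The "top five suspects" idea from the study is the `k` in `evaluate`. Author names and all code samples are constructed for the example; binary-level features, which the study also covered, are not attempted here.

```python
"""Toy code-stylometry pipeline (added illustration; not the ARL toolkit).

Constructed samples from three hypothetical authors are used to fit a
nearest-centroid classifier over simple lexical/layout features, and an
unseen sample per author is ranked to show top-1 and top-k attribution.
"""
import math
import re
from collections import defaultdict

IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
CAMEL_RE = re.compile(r"[a-z][A-Z]")

# Constructed training data: (author, source). Styles are deliberately distinct:
# alice = 4-space indent, snake_case, comments; bob = tabs, camelCase, no comments;
# carol = 2-space indent, one-letter identifiers, no comments.
TRAINING_SET = [
    ("alice", "def load_config(path):\n    # open the file\n    with open(path) as handle:\n        # parse each line\n        return [line.strip() for line in handle]\n"),
    ("alice", "def count_words(text):\n    # split on whitespace\n    words = text.split()\n    # return the total\n    return len(words)\n"),
    ("bob", "def loadConfig(filePath):\n\twith open(filePath) as fileHandle:\n\t\treturn [lineText.strip() for lineText in fileHandle]\n"),
    ("bob", "def countWords(inputText):\n\twordList = inputText.split()\n\treturn len(wordList)\n"),
    ("carol", "def f(p):\n  with open(p) as h:\n    return [l.strip() for l in h]\n"),
    ("carol", "def g(t):\n  w = t.split()\n  return len(w)\n"),
]

# Constructed held-out samples, one per author, never seen during fitting.
TEST_SET = [
    ("alice", "def read_lines(file_name):\n    # collect non-empty lines\n    with open(file_name) as source:\n        # skip blanks\n        return [row for row in source if row.strip()]\n"),
    ("bob", "def readLines(fileName):\n\twith open(fileName) as srcFile:\n\t\treturn [rowText for rowText in srcFile if rowText.strip()]\n"),
    ("carol", "def r(fn):\n  with open(fn) as s:\n    return [x for x in s if x.strip()]\n"),
]


def extract_features(src):
    """Return a fixed-length vector of style features for one source snippet."""
    lines = [l for l in src.splitlines() if l.strip()]
    n = max(len(lines), 1)
    space_indents = [len(l) - len(l.lstrip(" ")) for l in lines if l.startswith(" ")]
    idents = IDENT_RE.findall(src)
    m = max(len(idents), 1)
    return [
        sum(space_indents) / len(space_indents) if space_indents else 0.0,  # mean space indent
        sum(1 for l in lines if l.startswith("\t")) / n,                   # share of tab-indented lines
        sum(1 for l in lines if l.lstrip().startswith("#")) / n,           # comment density
        sum(1 for i in idents if CAMEL_RE.search(i)) / m,                  # camelCase share
        sum(1 for i in idents if "_" in i) / m,                            # snake_case share
        sum(len(i) for i in idents) / m,                                   # mean identifier length
        sum(len(l) for l in lines) / n,                                    # mean line length
    ]


def fit(train):
    """Z-score features over the training set and compute one centroid per author."""
    X = [extract_features(s) for _, s in train]
    d = len(X[0])
    mean = [sum(x[j] for x in X) / len(X) for j in range(d)]
    # A constant feature has std 0; fall back to 1.0 so it contributes nothing.
    std = [math.sqrt(sum((x[j] - mean[j]) ** 2 for x in X) / len(X)) or 1.0 for j in range(d)]
    by_author = defaultdict(list)
    for (author, _), x in zip(train, X):
        by_author[author].append([(x[j] - mean[j]) / std[j] for j in range(d)])
    centroids = {a: [sum(v[j] for v in vs) / len(vs) for j in range(d)] for a, vs in by_author.items()}
    return {"mean": mean, "std": std, "centroids": centroids}


def rank_authors(model, src):
    """Return authors ordered from most to least likely for an unseen snippet."""
    v = [(f - m) / s for f, m, s in zip(extract_features(src), model["mean"], model["std"])]
    return sorted(model["centroids"], key=lambda a: math.dist(v, model["centroids"][a]))


def evaluate(model, tests, k=5):
    """Return (top-1 accuracy, top-k accuracy), mirroring the study's two metrics."""
    top1 = topk = 0
    for author, src in tests:
        ranked = rank_authors(model, src)
        top1 += ranked[0] == author
        topk += author in ranked[:k]
    return top1 / len(tests), topk / len(tests)


MODEL = fit(TRAINING_SET)


def run_demo():
    """Fit on the constructed set and score the held-out samples (k=2 of 3 authors)."""
    return evaluate(MODEL, TEST_SET, k=2)


if __name__ == "__main__":
    for author, src in TEST_SET:
        print(author, "->", rank_authors(MODEL, src))
    print("top-1, top-2 accuracy:", run_demo())
```

The point the example makes is the difference between the two metrics: top-1 asks whether the nearest centroid is the true author, while top-k only asks whether the author appears in a short suspect list, which is why the study's near-perfect figure is for the "top five" setting. With only three constructed authors both metrics are trivially high; separating hundreds of real authors needs far richer features (the study also used features recovered from compiled binaries) and a proper classifier with cross-validation.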

Attribution matters because it may help analysts identify malware authors more quickly and so speed deterrence efforts.

About the Author

Mark Pomerleau is a former editorial fellow with GCN and Defense Systems.
