Some people believe in UFOs and poltergeists, some believe in Bigfoot, and some believe that a developer of malware or other illegal software can guarantee their own anonymity simply by packing the binary or obfuscating the code.
Some individuals are convinced that the authorities will never take an interest in them as long as the programs they write cause no direct material damage, do not spread within their own country, or the victims never report them to the police. It is hard to say where such self-confidence comes from. The facts stubbornly paint a completely different picture: the deanonymization of malware authors has become so commonplace that such incidents no longer surprise anyone.
Who is interested in me?
Investigations are confidential, and their details are not disclosed under any circumstances. If law enforcement agencies are running operations against particular hackers, those hackers are unlikely to hear about it until they are charged or brought to trial.
In every case of hacker deanonymization known to the general public, the cause should be sought in the mirror. Malware authors sometimes make mistakes so trivial that they border on the absurd.
It would seem obvious that you should not keep personal files on the server that hosts the botnet's admin panel. Why send statistics from another botnet via SMS to a mobile number that has repeatedly appeared in classified ads for computer parts, complete with the seller's city and nickname? Who inspired that young genius to build a C&C server on the public hosting platform where his daddy's company website lives, and then hardcode that URL directly into his malware?
There are only dots in each line
As you know, debugging is a painful process. To make it easier, some compilers embed special debugging strings in the binary. These sometimes contain the full path to the folder where the project sources are stored, and that path sometimes includes the Windows username, for example: C:\Users\Alex\Desktop\Super_Trojan\ProjectVirus.vbp
When the file is reverse-engineered, all these amusing details inevitably surface. It is one thing if the user account was named by the same people who invent unpronounceable names for IKEA products, but that string often contains the real first name, and even the surname, of the hapless virus author.
This makes finding him much easier, although the result is not guaranteed: who knows how many namesakes live on our planet? However, if the malware sample carries a debugging string with the surname and folder structure, this becomes one more piece of evidence of a person's involvement in creating the program.
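The kind of string triage an analyst runs over a sample to pull out such build paths, added here as an example (it is not code from the original article). It scans a byte blob for Windows drive-letter paths stored both as plain ASCII and as UTF-16LE (how Windows binaries usually store wide strings), then extracts the account name from any path under a user profile directory. The blob and the paths in it are constructed for illustration; the "Alex" path is the one quoted above.

```python
import re

# Constructed sample "binary": a few junk bytes with one ASCII build path and
# two UTF-16LE paths embedded, as a PDB/CodeView debug record or a Visual Basic
# project string might leave them. Not taken from any real sample.
SAMPLE_BLOB = (
    b"\x00\x90\x90MZ\x00\x00junk"
    + b"C:\\Users\\Alex\\Desktop\\Super_Trojan\\ProjectVirus.vbp\x00"
    + b"\xff\xfe"
    + "D:\\Work\\Builds\\bot\\Release\\bot.pdb".encode("utf-16-le")
    + b"\x00\x00more junk"
    + "C:\\Users\\j.smith\\source\\repos\\dropper\\x64\\dropper.pdb".encode("utf-16-le")
)

# A drive-letter path made of printable ASCII, in plain ASCII ...
ASCII_PATH = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]{3,260}")
# ... and the same shape in UTF-16LE, where every character is followed by a NUL.
WIDE_PATH = re.compile(rb"[A-Za-z]\x00:\x00\\\x00(?:[\x20-\x7e]\x00){3,260}")
# Profile directory on XP-era and modern Windows; group 1 is the account name.
USER_DIR = re.compile(r"^[A-Za-z]:\\(?:Users|Documents and Settings)\\([^\\]+)\\", re.I)


def extract_paths(blob: bytes) -> list[str]:
    """Return every Windows path found in the blob, ASCII matches first."""
    paths = [m.group().decode("ascii") for m in ASCII_PATH.finditer(blob)]
    paths += [m.group().decode("utf-16-le") for m in WIDE_PATH.finditer(blob)]
    return paths


def usernames_from_paths(paths: list[str]) -> set[str]:
    """Pull the account name out of any path under a user profile directory."""
    names = set()
    for path in paths:
        match = USER_DIR.match(path)
        if match:
            names.add(match.group(1))
    return names


if __name__ == "__main__":
    found = extract_paths(SAMPLE_BLOB)
    for p in found:
        print(p)
    print("account names:", sorted(usernames_from_paths(found)))
```

On a real file the same two regexes would be run over the whole image (or just the PE debug directory, where the PDB path lives); the profile-directory match is what turns a stray build path into a candidate account name worth checking against other evidence.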
Even if the string found by researchers contains only a nickname rather than a username, it can still provide an important clue. Most hackers who are not yet thoroughly paranoid use the same nickname on different websites, so anyone can quickly find a given person's posts on forums, GitHub or Twitter. It is easy to see that all these “digital traces” were left by one and the same person: the same avatar, a similar signature, the same text posted on different sites. Security experts then connect the dots.
Another common mistake is storing email addresses as plaintext character strings. Characteristic strings are the first thing a reverse engineer looks at in disassembled code. Moreover, some individuals believe that XORing a string is enough to reliably hide their email address from prying eyes. It is not. If an email address turns up in the code, it immediately gets googled, and a few steps later the same address is found on Telegram, on social networks and on forums.
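Why a single-byte XOR hides nothing, shown as an added example rather than code from the article: the blob is split on NUL terminators, every run is tried against all 256 possible keys, and any run that decodes to something shaped like an email address is reported together with the key. The sample blob, the address in it and the key 0x5A are constructed for illustration.

```python
import re

# Loose email shape; good enough for triage, not for validation.
EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the same operation encodes and decodes)."""
    return bytes(b ^ key for b in data)


# Constructed sample: a plaintext request string and, next to it, an address
# "protected" with a single-byte XOR key of 0x5A, each NUL-terminated.
HIDDEN_EMAIL = b"bot.master99@example.com"
SAMPLE_BLOB = (
    b"\x00\x01GET /gate.php HTTP/1.1\x00"
    + xor_bytes(HIDDEN_EMAIL, 0x5A)
    + b"\x00\xde\xad"
)


def brute_force_xor_emails(blob: bytes, min_len: int = 6) -> list[tuple[int, str]]:
    """Split the blob on NUL bytes (the usual string terminator), try all 256
    single-byte keys on every run, and keep (key, text) pairs where the run
    decodes to something shaped like an email address."""
    hits = []
    for run in blob.split(b"\x00"):
        if len(run) < min_len:
            continue
        for key in range(256):
            decoded = xor_bytes(run, key)
            if EMAIL.fullmatch(decoded):
                hits.append((key, decoded.decode("ascii")))
    return hits


if __name__ == "__main__":
    for key, text in brute_force_xor_emails(SAMPLE_BLOB):
        print(f"key=0x{key:02x}: {text}")
```

The whole search is 256 tries per string, which is why tools such as FLOSS or a FLARE-style XOR search find these addresses in seconds; the same loop generalises to any recognisable plaintext shape (URLs, hostnames, credential pairs) by swapping the regex.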
Do not knock, it is open!
It is even more fun when some unrecognized genius hardcodes a username and password directly in the code, for example the password to the botnet's admin panel or to the cloud storage where the Trojan uploads files stolen from victims' computers. Better still if the same password is used everywhere: the admin panel, the mail server and social networks.
Here is a recent example. One anonymous virus author decided to test-launch his Trojan stealer on his own computer. The stealer worked perfectly. As a result, every secret from our “natural scientist's” computer was uploaded to the cloud, since the cloud login and password were hardcoded into the stealer.
Your domain is out of service
Some people really like to hardcode the IP addresses of command-and-control servers directly into their malware, even though progressive mankind long ago came up with DGAs, algorithms for the dynamic generation of domain names.
The point is not that a DGA makes the Trojan more resilient (if one control server is detected and taken down, the malware automatically connects to the next one), nor even that a server whose IP address is known can be brute-forced, sinkholed or DDoSed; other protection mechanisms address those risks: verification of the server's signature, encryption of the traffic, and so on.
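From the defender's side, generated domains have a recognisable shape, and a first-pass filter over DNS logs can flag them before any sinkholing is attempted. The following is an added example, not code from the article: it scores the second-level label of each hostname on length, Shannon entropy, vowel ratio and digit ratio, and flags a domain when two or more indicators fire. The thresholds and the sample hostnames are constructed for illustration; the three random-looking names are not real DGA output.

```python
import math
from collections import Counter

# Constructed sample of resolved hostnames, as might be pulled from DNS logs.
# The three random-looking ones are made up; they are not real DGA domains.
SAMPLE_DOMAINS = [
    "example.com",
    "mail.google.com",
    "privacy-pc.com",
    "xk3j9qpz2mw7.com",
    "qwzvxbnmtrkp.net",
    "a8f2k1d9s0ql3.info",
]

VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(domain: str) -> str:
    """Label just below the TLD (the one a DGA generates). Assumes single-label
    TLDs; a public-suffix list would be needed to handle e.g. co.uk correctly."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_features(domain: str) -> dict[str, float]:
    label = second_level_label(domain)
    letters = [c for c in label if c.isalpha()]
    return {
        "length": len(label),
        "entropy": shannon_entropy(label) if label else 0.0,
        "vowel_ratio": sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0,
        "digit_ratio": sum(c.isdigit() for c in label) / max(len(label), 1),
    }


def looks_like_dga(domain: str) -> bool:
    """Flag a domain when at least two of four simple indicators fire.
    Thresholds are illustrative and would be tuned against local traffic."""
    f = dga_features(domain)
    indicators = [
        f["length"] >= 12,        # long labels
        f["entropy"] >= 3.3,      # near-uniform character distribution
        f["vowel_ratio"] < 0.2,   # unpronounceable
        f["digit_ratio"] >= 0.3,  # digits mixed into the label
    ]
    return sum(indicators) >= 2


def flag_dga_like(domains: list[str]) -> list[str]:
    """Return the subset of hostnames that trip the heuristic."""
    return [d for d in domains if looks_like_dga(d)]


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(f"{d:24} dga-like={looks_like_dga(d)}  {dga_features(d)}")
```

Lexical heuristics alone produce false positives on CDN and cloud hostnames, so in practice they are combined with NXDOMAIN rates, domain age and reputation data; their value is in narrowing a day's DNS log to a handful of hosts worth a closer look.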
Even if the security researcher fails to get into the admin panel, a lot of useful information can be obtained from WHOIS. Hiding the domain holder's name does not always help, since one can search for other websites hosted on the same IP address, see what is stored there, and try to log in there as well. Many people have heard of Cloudflare, but most are too lazy to dig deeper and understand how it works.
Some hackers even set up admin panels on public hosting services, on sites where their other projects run, or on their employer's, friends' or relatives' sites.
Should we laugh or cry?
Pride is a mortal sin, and all sinners, according to religious texts, face inevitable punishment. Not all virus writers are content to stay in the shadows and quietly count their money; they want fame, honor, respect, public attention and thunderous applause. As a result, some virus makers start recording YouTube videos on how to compile and obfuscate Trojans, having forgotten to close the browser tabs with their Facebook page.
One well-known figure did not shoot compromising videos but posted highly interesting articles on how to bypass UAC, write exploits, escalate privileges, and other virus makers' tricks. In such cases it is easy to identify a virus writer by his code, or rather by variable names, comments, the way certain functions are implemented, and so on.
There are plenty of methods for identifying the authors of computer viruses; I have mentioned only the most obvious ones. The conclusion is equally obvious: hackers' own incompetence and devil-may-care attitude to elementary security lead them straight to the police.
Author’s Bio: David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking.