Malware Attribution: Should We Identify the Crooks Who Deploy It?

Brian Krebs asks: What makes one novel strain of malicious software more dangerous or noteworthy than another? Is it the sheer capability and feature set of the new malware, or are these qualities meaningless without also considering the skills, intentions and ingenuity of the person wielding it? Most experts probably would say it's important to consider attribution insofar as it is knowable, but it's remarkable how seldom companies that regularly publish reports on the latest criminal innovations go the extra mile to add context about the crooks apparently involved in deploying those tools.

Like Sourceforge?

[Anonymous Coward]

[nt]

Re:Like Sourceforge?

[NotDrWho]

Now, now, there is no need to insult crooks by associating them with Sourceforge.

Re:

[Em Adespoton]

i wonder if apk can fix this with a hosts file. he really is quite obsessed with them, to teh point of not using other tools even when they can complement a good hosts file. like a religious zealot. oh and i love the way he declares victory every time he gets trolled, he takes the bait EVERY SINGLE TIME and pats himself on the back for it. an amazing feat of self-delusion.

apk can fix this with a hosts file really easily:
0 slashdot.org

Re:

[Anonymous Coward]

Crap - you said his name three times!!

Re:

[CastrTroy]

This has been going on for quite a while. I don't know why this is news to everybody or why all of a sudden we are making a big deal out of it. Here's an article from 2013 about how GIMP was abandoning Sourceforge because of their shoddy, adware ridden, installers. [theregister.co.uk]

Re:

[drinkypoo]

I don't know why it's news all of a sudden, we made a big deal out of it because a highly-voted submission on the subject was ignored, then another one, then another one... the first one was before the weekend...

Re:

[CastrTroy]

If the first one was accepted, it would have been filled with complaints about "how is this news?", along with a bunch of ranting and raving about how the editors don't know how to do their job. I don't see what we gained from having this story posted on slashdot. Most people who come here probably already know that Sourceforge is a hive of scum and villainy, and has been on most of our ignore lists for quite some time.

Re:No don't it will only create notoriety

[fustakrakich]

We could "ID" them in the obituaries...

Re:No don't it will only create notoriety

[jellomizer]

For many of these folks, they don't see themselves as being the bad guy. But Innovative entrepreneurs, or activist for some cause.
They don't seem to realize, how much harm they are actually causing.

This notoriety, could be similar to the notoriety a sex offender has. Not of a lone rogue, fighting the good fight while bucking the system. But as that creepy guy who has access all your personal data, and will use it to profit off of it, and causing people like your grandmother to suffer, during their golden years.

Re:

[Noah Haders]

typically, the first step in convicting someone of a crime is to identify who did the crime. Second step, arrest that person. So it makes sense to try to identify the person who made the malware.

non sequiter, it was kinda funny that the silk road guy went by the name 'dread pirate roberts', but nobody came along to pick up the name and keep it going. Ruins the point?

Re:

[Chris Mattern]

non sequiter, it was kinda funny that the silk road guy went by the name 'dread pirate roberts', but nobody came along to pick up the name and keep it going. Ruins the point?

None of the "Dread Pirate Roberts"es were in fact caught. They all retired on their riches, passing the title down to a successor in the process. So the situations aren't the same.

Re:

[cwsumner]

... Some git who manages to do a bunch of harm (scamming retirees) is only going to be looked at in a good light in a Robin Hood scenario. Or it will be looked like a P. T. Barnum... and even though he was noted for using people, he was quite well respected for being able to put one over on others. ...

That has been true for thousands of years ... in some circles.

I prefer not to travel in those circles. They are a disaster waiting to happen, stand clear or be collateral damage!

Why WOULDN'T you?

[argStyopa]

Seriously, if someone is running around breaking windows (pun intended) in your neighborhood, they're outed in the local crime report.
If they did it to 1.5 million homes, I'd bloody well expect that yes, they should be identified.

I personally wouldn't object to having them branded, either.
Or, if you're more Adam Smithy, just suspend their ability to file civil lawsuits allowing people to do whatever they want to them that doesn't actually rise to criminal activity.

Re:Why WOULDN'T you?

[drinkypoo]

The problem is that you don't want to give them notoriety. Some of them are in it just for that. Stupid, sure, but still true.

Re:

[g01d4]

I'd think they'd prefer notoriety under an alias, e.g. "The drinkypoo Bandit" rather than a real name unless they could obtain attribution knowing there wasn't enough evidence to convict.

Re:

[drinkypoo]

I'd think they'd prefer notoriety under an alias, e.g. "The drinkypoo Bandit" rather than a real name unless they could obtain attribution knowing there wasn't enough evidence to convict.

That's why some antivirus companies deliberately change the names when reporting, from whatever the author wants it to be called (when they can tell.) They don't want to provide them notoriety under their chosen alias.

Re:

[Ravaldy]

They would get a good 30 seconds of fame. That's about it. To have your name echo through time you need to have done something impactful to the whole world like Snowden did. There are many other examples but you get the point.

That is not the real problem

[s.petry]

Most malware is hosted and served out by businesses most people consider "legit". This is second only to Governments who infect millions of devices often inadvertently.

In both of those cases, there is no use in reporting. Oh yeah, some schlep will probably be made to be a fall guy but the shit storm will still be there churning out shit.

Report when the correct people can be, and are, held accountable for their actions. Until then, all men are created equally and have the same rights under due process. If

Re:

[StikyPad]

The ones who are in it for notoriety will claim credit anyway. It's the ones who want to remain in the shadows who are generally the most dangerous. This includes state actors.

The only downside I see to identifying the authors and/or users is that it potentially tips them off as to the identifying characteristics of their software so that they can better cover their tracks in the future. It can be easier to stay ahead of an adversary if they don't know that you're ahead. This is not "security through ob

Re:

[SpaceCommander]

Risk/Benefit is not on the site of actor attribution. Easy to get wrong, hard to get right. And we do things like wage DoS attacks against adversary nations of shaky evidence. Or at least good evidence that they haven't made public. That's why.

Re:

[geekmux]

Seriously, if someone is running around breaking windows (pun intended) in your neighborhood, they're outed in the local crime report. If they did it to 1.5 million homes, I'd bloody well expect that yes, they should be identified.

I personally wouldn't object to having them branded, either. Or, if you're more Adam Smithy, just suspend their ability to file civil lawsuits allowing people to do whatever they want to them that doesn't actually rise to criminal activity.

I'm curious, what say you when you are the one spending thousands to try and wipe out Google's search history after you're wrongly accused of said hacking crime and you successfully defend yourself and your reputation in court, but it still lingers for all future employers to search and find, all because you "bloody well expect" such a "criminal" to be branded immediately.

Seems few people really think of the consequences of shit like this, especially if framing professionals for cybercrimes may turn out to

Re:

[jriding]

Like Lenovo?? There is no question who pushed it onto YOUR new device. They approved it, they knew what it was, they forced it on you with no way or little way to remove it.
Yes call them out in a big way.

Re:

[geekmux]

Like Lenovo?? There is no question who pushed it onto YOUR new device. They approved it, they knew what it was, they forced it on you with no way or little way to remove it. Yes call them out in a big way.

You might not have noticed before when I stated a wrongful accusation.

Lenovo was far from being 100% innocent in their actions, as you state.

Someone who is truly wrongfully accused will spend years and tens of thousands of dollars or more repairing their reputation, which most individuals can't even afford to defend the accusation, much less the clean-up efforts.

Re:

[chispito]

Seriously, if someone is running around breaking windows (pun intended) in your neighborhood, they're outed in the local crime report.

Actually, blotters don't publish the identities of the suspects because they're suspects. In the same way, I'm sure these companies are sharing more information with law enforcement than with the general public.

I prefer it this way to having a bunch of scripting vigilantes on Reddit doxing the wrong the guy.

Re:

[requerdanos]

Of *course* they publish the names of suspects. Heck, where I live you can go to the county website and see names and photos of people arrested on suspicion of a crime, who have not been convicted, most of whom will never be convicted. You can try it out here [brunswicksheriff.com].

Re:

[chispito]

After posting I realized I used the wrong term. It was a bad analogy. The point is that attribution is really, [tenable.com] really difficult [tenable.com] and The Boy Who Cried Wolf and all that.

Re:

[bouldin]

Malware attribution is so difficult that I only know of one company that makes a serious attempt at it: crowdstrike.

Re:

[jrumney]

If you can identify them by their real name in a way that will lead to them being caught and punished, then go for it. If you are identifying them by an online pseudonym that they use on darknet message boards, you are only giving them notoriety that may help them gain future customers.

Re:

[Darinbob]

I suspect they don't know the actual name of the person, but they only know the handle that the person uses in some forums. Like graffiti, sure we know that BadAzz wrote his name up on the overpass but we don't know how to find and fine him.

the mobile site distributes malware in asia

[gl4ss]

or at least it sometimes jumps you into an android apk installation page.

also the ads on the mobile make the mobile slashdot site pretty much unusable. they're so bad. they not only take the whole screens worth every few articles but also run some javascript that makes the browser crawl and jerk. in addition some of the ads are friggin videos.

Re:

[jrumney]

Is it only in Asia that this happens? I ticked the "Disable Advertising" box because of the intrusiveness of the advertising, especially on the mobile site, but it seems that box unticks itself in Asia too.

Re:

[gl4ss]

I just thought that the disable advertising doesn't work on the mobile site(i got adblock on desktop).

I'd like to think that the slashdot folks would have noticed the malware ads if they appeared in europe.

Kido

[__aabppq7737]

Did Conficker's authors DDOS trafficconverter.biz? What was the big picture of owning several teraFLOPS of power of hacked home PCs? Probably more than selling SpyProtect 2009.

Not remarkable at all.

[Ungrounded Lightning]

Anti-malware companies try to appear as experts.

Malware authors try to be anonymous, leaving minimal personal signature in the malware. Malware authors also share code and reverse-engineer each other's code and use the result, so even style may be misleading. So even experts would have difficulty attributing it to any particular person,

That means any attempt to identify the author - as a real person, an alias, or a label under which to group multiple products of the same author, will be very error prone

I'd just like to know...

[JumpinJohnny]

How much malware is produced by government/military organizations vs. criminals vs. corporations. There is probably plenty of overlap.

No different than anything else

[ScentCone]

It's no longer fashionable to associate human character, judgement, and action with unpleasant results. Malice? There is no malice. There is only the problematic tool or technology, against which we should rage. It's not murder, it's a "gun death." It's not a reckless jackass badly flying a GoPro in a crowded place, it's a "drone incident." It's not a bad driver, it's another "SUV death." It's not a criminal trying to steal your savings or reputation, it's "malware."

Talking out loud about how actual humans are responsible for the stupid or evil shit they do is no longer acceptable. That would mean assessing their intelligence, or making a considered moral judgement, based on some sort of, you know, identifiable value system. We can't have that! We'd need to post Trigger Warnings near any discussion that might result in the horrifying prospect of recognizing that not everyone is as smart as everyone else, or calling an evil actor evil, because, you know, judging. Much better to talk only about the scary tools, never about the people. Hey, Russian credit card scammers and bot farmers are really the victims, here - the malware made them use it. Probably of some sort of western patriarchal influence and whatnot.

Re:

[ScentCone]

There is a level of craziness to this post

Of course there is. I'm describing a pervasive, increasingly toxic type of craziness that impacts nearly every bit of public discourse that pops up when anything bad is being discussed. If such discussions were generally rational, there'd be nothing to have to talk about. But rational discussions involving causality and agency are now considered rude, like gluten.

Re:

[ScentCone]

My god, the thought that the new generation might have new moral values: what is the world coming to?

Really? You think a "new generation" is so simple-minded that they can't use reason to put together a value system that arrives at the same destination as so many others? You think it's a good thing to change out values like ... stealing people's stuff is morally bad? Like, using your l33t haxx0r skills to ruin someone's reputation for the lulz is bad? You're confusing the tools and technologies that a new generation finds at their disposal with being somehow related to the philosophical underpinnings of t

Re:

[ScentCone]

Are you equal in intelligence, as the next person?

No. I'm smarter than a lot of people, and many many people are smarter than me.

Did you ever get a "b", or score a 99 on a test

Oh, I've done MUCH worse than that.

Why condemned them

Why are you asking me? Have I condemned anybody? I'm condemning those who try to pretend that nothing bad is ever anybody's fault. That (relative to the article we're talking about, here) fact that focusing on the tools people use (or mis-use) and ignoring the fact that it's people using those tools is intellectual laziness and often cowardice in the face of political correctness.

Some may be better in an urban, or a wilderness environment. Why complain, you are not robots.

So you agre

Re:

[bouldin]

The digital information used for attribution is so easily manipulated that it's nearly impossible to be 100% sure you have the right person... without a police style sting where you record the attacker in action.

For malware, attribution can be inferred by looking at code similarities among the malware.

Of Course

[Kozar_The_Malignant]

Of course they should be identified. How else can we hunt them down and castrate them?

it would backfire

[bloodhawk]

attribution would backfire and just create competition for who could become the most notorious.

I know this one!

[fuzzy2k]

Should We Identify the Crooks Who Deploy It? Yes. Thanks for asking.