Malware Attribution: Should We Identify the Crooks Who Deploy It?

Brian Krebs asks: What makes one novel strain of malicious software more dangerous or noteworthy than another? Is it the sheer capability and feature set of the new malware, or are these qualities meaningless without also considering the skills, intentions and ingenuity of the person wielding it? Most experts probably would say it's important to consider attribution insofar as it is knowable, but it's remarkable how seldom companies that regularly publish reports on the latest criminal innovations go the extra mile to add context about the crooks apparently involved in deploying those tools.
  • Like Sourceforge? (Score:5, Insightful)

    by Anonymous Coward on Monday June 01, 2015 @10:46AM (#49815189)

    [nt]

    • by NotDrWho ( 3543773 ) on Monday June 01, 2015 @10:59AM (#49815309)

      Now, now, there is no need to insult crooks by associating them with Sourceforge.

    • This has been going on for quite a while. I don't know why this is news to everybody or why all of a sudden we are making a big deal out of it. Here's an article from 2013 about how GIMP was abandoning Sourceforge because of their shoddy, adware-ridden installers. [theregister.co.uk]

      • I don't know why it's news all of a sudden, we made a big deal out of it because a highly-voted submission on the subject was ignored, then another one, then another one... the first one was before the weekend...

        • If the first one was accepted, it would have been filled with complaints about "how is this news?", along with a bunch of ranting and raving about how the editors don't know how to do their job. I don't see what we gained from having this story posted on slashdot. Most people who come here probably already know that Sourceforge is a hive of scum and villainy, and has been on most of our ignore lists for quite some time.

  • Why WOULDN'T you? (Score:5, Interesting)

    by argStyopa ( 232550 ) on Monday June 01, 2015 @10:48AM (#49815205) Journal

    Seriously, if someone is running around breaking windows (pun intended) in your neighborhood, they're outed in the local crime report.
    If they did it to 1.5 million homes, I'd bloody well expect that yes, they should be identified.

    I personally wouldn't object to having them branded, either.
    Or, if you're more Adam Smithy, just suspend their ability to file civil lawsuits allowing people to do whatever they want to them that doesn't actually rise to criminal activity.

    • Re:Why WOULDN'T you? (Score:4, Interesting)

      by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Monday June 01, 2015 @10:51AM (#49815233) Homepage Journal

      The problem is that you don't want to give them notoriety. Some of them are in it just for that. Stupid, sure, but still true.

      • by g01d4 ( 888748 )
        I'd think they'd prefer notoriety under an alias, e.g. "The drinkypoo Bandit" rather than a real name unless they could obtain attribution knowing there wasn't enough evidence to convict.
        • I'd think they'd prefer notoriety under an alias, e.g. "The drinkypoo Bandit" rather than a real name unless they could obtain attribution knowing there wasn't enough evidence to convict.

          That's why some antivirus companies deliberately change the names when reporting, from whatever the author wants it to be called (when they can tell.) They don't want to provide them notoriety under their chosen alias.

      • They would get a good 30 seconds of fame. That's about it. To have your name echo through time you need to have done something impactful to the whole world like Snowden did. There are many other examples but you get the point.

      • Most malware is hosted and served out by businesses most people consider "legit". This is second only to Governments who infect millions of devices often inadvertently.

        In both of those cases, there is no use in reporting. Oh yeah, some schlep will probably be made to be a fall guy but the shit storm will still be there churning out shit.

        Report when the correct people can be, and are, held accountable for their actions. Until then, all men are created equally and have the same rights under due process. If

      • The ones who are in it for notoriety will claim credit anyway. It's the ones who want to remain in the shadows who are generally the most dangerous. This includes state actors.

        The only downside I see to identifying the authors and/or users is that it potentially tips them off as to the identifying characteristics of their software so that they can better cover their tracks in the future. It can be easier to stay ahead of an adversary if they don't know that you're ahead. This is not "security through ob

    • Risk/benefit is not on the side of actor attribution. Easy to get wrong, hard to get right. And we do things like wage DoS attacks against adversary nations on shaky evidence. Or at least good evidence that they haven't made public. That's why.
    • Seriously, if someone is running around breaking windows (pun intended) in your neighborhood, they're outed in the local crime report. If they did it to 1.5 million homes, I'd bloody well expect that yes, they should be identified.

      I personally wouldn't object to having them branded, either. Or, if you're more Adam Smithy, just suspend their ability to file civil lawsuits allowing people to do whatever they want to them that doesn't actually rise to criminal activity.

      I'm curious, what say you when you are the one spending thousands to try and wipe out Google's search history after you're wrongly accused of said hacking crime and you successfully defend yourself and your reputation in court, but it still lingers for all future employers to search and find, all because you "bloody well expect" such a "criminal" to be branded immediately.

      Seems few people really think of the consequences of shit like this, especially if framing professionals for cybercrimes may turn out to

      • Like Lenovo?? There is no question who pushed it onto YOUR new device. They approved it, they knew what it was, they forced it on you with no way or little way to remove it.
        Yes call them out in a big way.

        • Like Lenovo?? There is no question who pushed it onto YOUR new device. They approved it, they knew what it was, they forced it on you with no way or little way to remove it. Yes call them out in a big way.

          You might not have noticed before when I stated a wrongful accusation.

          Lenovo was far from being 100% innocent in their actions, as you state.

          Someone who is truly wrongfully accused will spend years and tens of thousands of dollars or more repairing their reputation, which most individuals can't even afford to defend the accusation, much less the clean-up efforts.

    • Seriously, if someone is running around breaking windows (pun intended) in your neighborhood, they're outed in the local crime report.

      Actually, blotters don't publish the identities of the suspects because they're suspects. In the same way, I'm sure these companies are sharing more information with law enforcement than with the general public.

      I prefer it this way to having a bunch of scripting vigilantes on Reddit doxing the wrong guy.

      • Re: (Score:3, Informative)

        Of *course* they publish the names of suspects. Heck, where I live you can go to the county website and see names and photos of people arrested on suspicion of a crime, who have not been convicted, most of whom will never be convicted. You can try it out here [brunswicksheriff.com].
    • by jrumney ( 197329 )
      If you can identify them by their real name in a way that will lead to them being caught and punished, then go for it. If you are identifying them by an online pseudonym that they use on darknet message boards, you are only giving them notoriety that may help them gain future customers.
    • I suspect they don't know the actual name of the person, but they only know the handle that the person uses in some forums. Like graffiti, sure we know that BadAzz wrote his name up on the overpass but we don't know how to find and fine him.

  • Did Conficker's authors DDOS trafficconverter.biz? What was the big picture of owning several teraFLOPS of power of hacked home PCs? Probably more than selling SpyProtect 2009.
  • Anti-malware companies try to appear as experts.

    Malware authors try to be anonymous, leaving minimal personal signature in the malware. Malware authors also share code and reverse-engineer each other's code and use the result, so even style may be misleading. So even experts would have difficulty attributing it to any particular person.

    That means any attempt to identify the author - as a real person, an alias, or a label under which to group multiple products of the same author - will be very error prone.

  • How much malware is produced by government/military organizations vs. criminals vs. corporations? There is probably plenty of overlap.

  • by ScentCone ( 795499 ) on Monday June 01, 2015 @11:28AM (#49815551)
    It's no longer fashionable to associate human character, judgement, and action with unpleasant results. Malice? There is no malice. There is only the problematic tool or technology, against which we should rage. It's not murder, it's a "gun death." It's not a reckless jackass badly flying a GoPro in a crowded place, it's a "drone incident." It's not a bad driver, it's another "SUV death." It's not a criminal trying to steal your savings or reputation, it's "malware."

    Talking out loud about how actual humans are responsible for the stupid or evil shit they do is no longer acceptable. That would mean assessing their intelligence, or making a considered moral judgement, based on some sort of, you know, identifiable value system. We can't have that! We'd need to post Trigger Warnings near any discussion that might result in the horrifying prospect of recognizing that not everyone is as smart as everyone else, or calling an evil actor evil, because, you know, judging. Much better to talk only about the scary tools, never about the people. Hey, Russian credit card scammers and bot farmers are really the victims, here - the malware made them use it. Probably of some sort of western patriarchal influence and whatnot.
  • Of course they should be identified. How else can we hunt them down and castrate them?
  • Attribution would backfire and just create competition for who could become the most notorious.

  • Should We Identify the Crooks Who Deploy It? Yes. Thanks for asking.