Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malware Attribution: Should We Identify the Crooks Who Deploy It?

Posted by Soulskill on from the you-break-it-you-bought-it dept.

Brian Krebs asks: What makes one novel strain of malicious software more dangerous or noteworthy than another? Is it the sheer capability and feature set of the new malware, or are these qualities meaningless without also considering the skills, intentions and ingenuity of the person wielding it? Most experts probably would say it's important to consider attribution insofar as it is knowable, but it's remarkable how seldom companies that regularly publish reports on the latest criminal innovations go the extra mile to add context about the crooks apparently involved in deploying those tools.

43 of 87 comments (clear)

  1. Like Sourceforge? by Anonymous Coward · · Score: 5, Insightful

    [nt]

    1. Re:Like Sourceforge? by NotDrWho · · Score: 5, Funny

      Now, now, there is no need to insult crooks by associating them with Sourceforge.

      --
      SJW's don't eliminate discrimination. They just expropriate it for themselves.
    2. Re:Like Sourceforge? by Em+Adespoton · · Score: 1

      i wonder if apk can fix this with a hosts file. he really is quite obsessed with them, to teh point of not using other tools even when they can complement a good hosts file. like a religious zealot. oh and i love the way he declares victory every time he gets trolled, he takes the bait EVERY SINGLE TIME and pats himself on the back for it. an amazing feat of self-delusion.

      apk can fix this with a hosts file really easily:
      0 slashdot.org

    3. Re:Like Sourceforge? by CastrTroy · · Score: 2

      This has been going on for quite a while. I don't know why this is news to everybody or why all of a sudden we are making a big deal out of it. Here's an article from 2013 about how GIMP was abandoning Sourceforge because of their shoddy, adware ridden, installers.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    4. Re:Like Sourceforge? by Anonymous Coward · · Score: 1

      Crap - you said his name three times!!

    5. Re:Like Sourceforge? by drinkypoo · · Score: 1

      I don't know why it's news all of a sudden, we made a big deal out of it because a highly-voted submission on the subject was ignored, then another one, then another one... the first one was before the weekend...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:Like Sourceforge? by CastrTroy · · Score: 1

      If the first one was accepted, it would have been filled with complaints about "how is this news?", along with a bunch of ranting and raving about how the editors don't know how to do their job. I don't see what we gained from having this story posted on slashdot. Most people who come here probably already know that Sourceforge is a hive of scum and villainy, and has been on most of our ignore lists for quite some time.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  2. Why WOULDN'T you? by argStyopa · · Score: 5, Interesting

    Seriously, if someone is running around breaking windows (pun intended) in your neighborhood, they're outed in the local crime report.
    If they did it to 1.5 million homes, I'd bloody well expect that yes, they should be identified.

    I personally wouldn't object to having them branded, either.
    Or, if you're more Adam Smithy, just suspend their ability to file civil lawsuits allowing people to do whatever they want to them that doesn't actually rise to criminal activity.

    --
    -Styopa
    1. Re:Why WOULDN'T you? by drinkypoo · · Score: 3, Interesting

      The problem is that you don't want to give them notoriety. Some of them are in it just for that. Stupid, sure, but still true.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Why WOULDN'T you? by SpaceCommander · · Score: 1

      Risk/Benefit is not on the site of actor attribution. Easy to get wrong, hard to get right. And we do things like wage DoS attacks against adversary nations of shaky evidence. Or at least good evidence that they haven't made public. That's why.

    3. Re:Why WOULDN'T you? by geekmux · · Score: 1

      Seriously, if someone is running around breaking windows (pun intended) in your neighborhood, they're outed in the local crime report. If they did it to 1.5 million homes, I'd bloody well expect that yes, they should be identified.

      I personally wouldn't object to having them branded, either. Or, if you're more Adam Smithy, just suspend their ability to file civil lawsuits allowing people to do whatever they want to them that doesn't actually rise to criminal activity.

      I'm curious, what say you when you are the one spending thousands to try and wipe out Google's search history after you're wrongly accused of said hacking crime and you successfully defend yourself and your reputation in court, but it still lingers for all future employers to search and find, all because you "bloody well expect" such a "criminal" to be branded immediately.

      Seems few people really think of the consequences of shit like this, especially if framing professionals for cybercrimes may turn out to be just as popular as committing the crime itself.

    4. Re:Why WOULDN'T you? by chispito · · Score: 1

      Seriously, if someone is running around breaking windows (pun intended) in your neighborhood, they're outed in the local crime report.

      Actually, blotters don't publish the identities of the suspects because they're suspects. In the same way, I'm sure these companies are sharing more information with law enforcement than with the general public.

      I prefer it this way to having a bunch of scripting vigilantes on Reddit doxing the wrong the guy.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    5. Re:Why WOULDN'T you? by jriding · · Score: 1

      Like Lenovo?? There is no question who pushed it onto YOUR new device. They approved it, they knew what it was, they forced it on you with no way or little way to remove it.
      Yes call them out in a big way.

      --
      love the taste, hate the texture
    6. Re:Why WOULDN'T you? by g01d4 · · Score: 1

      I'd think they'd prefer notoriety under an alias, e.g. "The drinkypoo Bandit" rather than a real name unless they could obtain attribution knowing there wasn't enough evidence to convict.

    7. Re:Why WOULDN'T you? by geekmux · · Score: 1

      Like Lenovo?? There is no question who pushed it onto YOUR new device. They approved it, they knew what it was, they forced it on you with no way or little way to remove it. Yes call them out in a big way.

      You might not have noticed before when I stated a wrongful accusation.

      Lenovo was far from being 100% innocent in their actions, as you state.

      Someone who is truly wrongfully accused will spend years and tens of thousands of dollars or more repairing their reputation, which most individuals can't even afford to defend the accusation, much less the clean-up efforts.

    8. Re:Why WOULDN'T you? by Ravaldy · · Score: 1

      They would get a good 30 seconds of fame. That's about it. To have your name echo through time you need to have done something impactful to the whole world like Snowden did. There are many other examples but you get the point.

    9. Re:Why WOULDN'T you? by requerdanos · · Score: 3, Informative

      Of *course* they publish the names of suspects. Heck, where I live you can go to the county website and see names and photos of people arrested on suspicion of a crime, who have not been convicted, most of whom will never be convicted. You can try it out here.

    10. Re:Why WOULDN'T you? by StikyPad · · Score: 1

      The ones who are in it for notoriety will claim credit anyway. It's the ones who want to remain in the shadows who are generally the most dangerous. This includes state actors.

      The only downside I see to identifying the authors and/or users is that it potentially tips them off as to the identifying characteristics of their software so that they can better cover their tracks in the future. It can be easier to stay ahead of an adversary if they don't know that you're ahead. This is not "security through obscurity," it's just a tactical advantage.

      --
      https://www.eff.org/https-everywhere
    11. Re:Why WOULDN'T you? by chispito · · Score: 1

      After posting I realized I used the wrong term. It was a bad analogy. The point is that attribution is really, really difficult and The Boy Who Cried Wolf and all that.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    12. Re:Why WOULDN'T you? by bouldin · · Score: 1

      Malware attribution is so difficult that I only know of one company that makes a serious attempt at it: crowdstrike.

    13. Re:Why WOULDN'T you? by drinkypoo · · Score: 1

      I'd think they'd prefer notoriety under an alias, e.g. "The drinkypoo Bandit" rather than a real name unless they could obtain attribution knowing there wasn't enough evidence to convict.

      That's why some antivirus companies deliberately change the names when reporting, from whatever the author wants it to be called (when they can tell.) They don't want to provide them notoriety under their chosen alias.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    14. Re:Why WOULDN'T you? by jrumney · · Score: 1

      If you can identify them by their real name in a way that will lead to them being caught and punished, then go for it. If you are identifying them by an online pseudonym that they use on darknet message boards, you are only giving them notoriety that may help them gain future customers.

    15. Re:Why WOULDN'T you? by Darinbob · · Score: 1

      I suspect they don't know the actual name of the person, but they only know the handle that the person uses in some forums. Like graffiti, sure we know that BadAzz wrote his name up on the overpass but we don't know how to find and fine him.

  3. Kido by __aabppq7737 · · Score: 1

    Did Conficker's authors DDOS trafficconverter.biz? What was the big picture of owning several teraFLOPS of power of hacked home PCs? Probably more than selling SpyProtect 2009.

  4. the mobile site distributes malware in asia by gl4ss · · Score: 1

    or at least it sometimes jumps you into an android apk installation page.

    also the ads on the mobile make the mobile slashdot site pretty much unusable. they're so bad. they not only take the whole screens worth every few articles but also run some javascript that makes the browser crawl and jerk. in addition some of the ads are friggin videos.

    --
    world was created 5 seconds before this post as it is.
    1. Re:the mobile site distributes malware in asia by jrumney · · Score: 1

      Is it only in Asia that this happens? I ticked the "Disable Advertising" box because of the intrusiveness of the advertising, especially on the mobile site, but it seems that box unticks itself in Asia too.

    2. Re:the mobile site distributes malware in asia by gl4ss · · Score: 1

      I just thought that the disable advertising doesn't work on the mobile site(i got adblock on desktop).

      I'd like to think that the slashdot folks would have noticed the malware ads if they appeared in europe.

      --
      world was created 5 seconds before this post as it is.
  5. Re:No don't it will only create notoriety by fustakrakich · · Score: 4, Funny

    We could "ID" them in the obituaries...

    --
    “He’s not deformed, he’s just drunk!”
  6. Not remarkable at all. by Ungrounded+Lightning · · Score: 1

    Anti-malware companies try to appear as experts.

    Malware authors try to be anonymous, leaving minimal personal signature in the malware. Malware authors also share code and reverse-engineer each other's code and use the result, so even style may be misleading. So even experts would have difficulty attributing it to any particular person,

    That means any attempt to identify the author - as a real person, an alias, or a label under which to group multiple products of the same author, will be very error prone. With law-enforcement and other security types attempting to defend against and/or apprehend the authors, and the authors trying to hamper the anti-malware people and companies some of these errors would come to light. This would reduce the reputation of the anti-malware workers and companies, without regard to their success at malware defence.

    So it is no surprise to me that andi-malware people and companies don't publish the results of any attempts they may make to identify the authors in the course of their work. Why should they take a risk like that for no perceivable gain? The risk/benefit ratio says don't even speculate.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  7. I'd just like to know... by JumpinJohnny · · Score: 2

    How much malware is produced by government/military organizations vs. criminals vs. corporations. There is probably plenty of overlap.

  8. Re:No don't it will only create notoriety by jellomizer · · Score: 3, Insightful

    For many of these folks, they don't see themselves as being the bad guy. But Innovative entrepreneurs, or activist for some cause.
    They don't seem to realize, how much harm they are actually causing.

    This notoriety, could be similar to the notoriety a sex offender has. Not of a lone rogue, fighting the good fight while bucking the system. But as that creepy guy who has access all your personal data, and will use it to profit off of it, and causing people like your grandmother to suffer, during their golden years.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  9. No different than anything else by ScentCone · · Score: 4, Insightful

    It's no longer fashionable to associate human character, judgement, and action with unpleasant results. Malice? There is no malice. There is only the problematic tool or technology, against which we should rage. It's not murder, it's a "gun death." It's not a reckless jackass badly flying a GoPro in a crowded place, it's a "drone incident." It's not a bad driver, it's another "SUV death." It's not a criminal trying to steal your savings or reputation, it's "malware."

    Talking out loud about how actual humans are responsible for the stupid or evil shit they do is no longer acceptable. That would mean assessing their intelligence, or making a considered moral judgement, based on some sort of, you know, identifiable value system. We can't have that! We'd need to post Trigger Warnings near any discussion that might result in the horrifying prospect of recognizing that not everyone is as smart as everyone else, or calling an evil actor evil, because, you know, judging. Much better to talk only about the scary tools, never about the people. Hey, Russian credit card scammers and bot farmers are really the victims, here - the malware made them use it. Probably of some sort of western patriarchal influence and whatnot.

    --
    Don't disappoint your bird dog. Go to the range.
    1. Re:No different than anything else by ScentCone · · Score: 2

      There is a level of craziness to this post

      Of course there is. I'm describing a pervasive, increasingly toxic type of craziness that impacts nearly every bit of public discourse that pops up when anything bad is being discussed. If such discussions were generally rational, there'd be nothing to have to talk about. But rational discussions involving causality and agency are now considered rude, like gluten.

      --
      Don't disappoint your bird dog. Go to the range.
    2. Re: No different than anything else by ScentCone · · Score: 1

      Are you equal in intelligence, as the next person?

      No. I'm smarter than a lot of people, and many many people are smarter than me.

      Did you ever get a "b", or score a 99 on a test

      Oh, I've done MUCH worse than that.

      Why condemned them

      Why are you asking me? Have I condemned anybody? I'm condemning those who try to pretend that nothing bad is ever anybody's fault. That (relative to the article we're talking about, here) fact that focusing on the tools people use (or mis-use) and ignoring the fact that it's people using those tools is intellectual laziness and often cowardice in the face of political correctness.

      Some may be better in an urban, or a wilderness environment. Why complain, you are not robots.

      So you agree - people are different, and not all are equal. But ignoring that, we're talking about when people use tools (like malware) to steal other people's assets and reputations.

      --
      Don't disappoint your bird dog. Go to the range.
    3. Re:No different than anything else by ScentCone · · Score: 1

      My god, the thought that the new generation might have new moral values: what is the world coming to?

      Really? You think a "new generation" is so simple-minded that they can't use reason to put together a value system that arrives at the same destination as so many others? You think it's a good thing to change out values like ... stealing people's stuff is morally bad? Like, using your l33t haxx0r skills to ruin someone's reputation for the lulz is bad? You're confusing the tools and technologies that a new generation finds at their disposal with being somehow related to the philosophical underpinnings of their value system.

      I'm delighted that, despite the fastest growing population in the world appearing to embrace medieval theocratic nonsense as the basis of their value system, that at least a fair portion of the world has gone more down the route of using reason to examine and reinforce their moral code. Yes, a "new generation" may indeed show less of the superstition-based trappings surrounding the fringes of judeo-christian culture, but basic stuff like "don't use your new [whatever technology] to steal people's shit" doesn't mean that a moral code based on that reasonable observation that doing so is objectively bad means that changing [whatever technology] means the moral code is changing. Just, sometimes, the venue in which it's applied.

      That's why pretending that it's malware that's the issue, and not abusive thieves and vandals (people), is an act of moral cowardice. Because it's the same old stuff, different playing field. People who focus on the gun, the car, the piece of viral code, whatever - they're too chickenshit to address what's actually at play: other people whose world views are broken enough to make malicious use of the tools. People scared of making value judgments about other people always, always reach for the tool as the villain. That says more about that person than it does about the actual villain.

      I would dissect your rant if I thought it merited a response

      Hey look! You're doing it right now. That's actually pretty funny.

      --
      Don't disappoint your bird dog. Go to the range.
  10. That is not the real problem by s.petry · · Score: 2, Insightful

    Most malware is hosted and served out by businesses most people consider "legit". This is second only to Governments who infect millions of devices often inadvertently.

    In both of those cases, there is no use in reporting. Oh yeah, some schlep will probably be made to be a fall guy but the shit storm will still be there churning out shit.

    Report when the correct people can be, and are, held accountable for their actions. Until then, all men are created equally and have the same rights under due process. If one class of people puts themselves above the law, the laws are invalid. Unfortunately this is a cyclical problem in history. Expect vigilantism to increase until things are put back into balance.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  11. Re:No don't it will only create notoriety by Noah+Haders · · Score: 1

    typically, the first step in convicting someone of a crime is to identify who did the crime. Second step, arrest that person. So it makes sense to try to identify the person who made the malware.

    non sequiter, it was kinda funny that the silk road guy went by the name 'dread pirate roberts', but nobody came along to pick up the name and keep it going. Ruins the point?

  12. Re:No don't it will only create notoriety by Chris+Mattern · · Score: 1

    non sequiter, it was kinda funny that the silk road guy went by the name 'dread pirate roberts', but nobody came along to pick up the name and keep it going. Ruins the point?

    None of the "Dread Pirate Roberts"es were in fact caught. They all retired on their riches, passing the title down to a successor in the process. So the situations aren't the same.

  13. Of Course by Kozar_The_Malignant · · Score: 1

    Of course they should be identified. How else can we hunt them down and castrate them?

    --
    Some mornings it's hardly worth chewing through the restraints to get out of bed.
  14. Re:Difficult by bouldin · · Score: 1

    The digital information used for attribution is so easily manipulated that it's nearly impossible to be 100% sure you have the right person... without a police style sting where you record the attacker in action.

    For malware, attribution can be inferred by looking at code similarities among the malware.

  15. it would backfire by bloodhawk · · Score: 1

    attribution would backfire and just create competition for who could become the most notorious.

  16. Re:No don't it will only create notoriety by cwsumner · · Score: 1

    ... Some git who manages to do a bunch of harm (scamming retirees) is only going to be looked at in a good light in a Robin Hood scenario. Or it will be looked like a P. T. Barnum... and even though he was noted for using people, he was quite well respected for being able to put one over on others. ...

    That has been true for thousands of years ... in some circles.

    I prefer not to travel in those circles. They are a disaster waiting to happen, stand clear or be collateral damage!

  17. I know this one! by fuzzy2k · · Score: 1

    Should We Identify the Crooks Who Deploy It? Yes. Thanks for asking.

    --
    --- Say something clever. Pretend it was me. Thanks.