Slashdot Mirror


Marcus Hutchins' Code Used In Malware May Have Come From GitHub (itwire.com)

troublemaker_23 quotes ITWire: A security researcher says code has been discovered that was written by British hacker Marcus Hutchins that was apparently 'borrowed' by the creator of the banking trojan Kronos. The researcher, known as Hasherezade, posted a tweet identifying the code that had been taken from Hutchins' repository on GitHub.
Hasherezade also found a 2015 tweet where a then-20-year-old Hutchins first announces he's discovered the hooking engine he wrote for his own blog -- being used in a malware sample. ("This is why we can't have nice things," Hutchins jokes.) Hasherezade analyzed Kronos's code and concluded "the author has a prior knowledge in implementing malware solutions... The level of precision lead us to the hypothesis, that Kronos is the work of a mature developer, rather than an experimenting youngster."

Monday on Twitter Hutchins posted that "I'm still on trial, still not allowed to go home, still on house arrest; but now I am allowed online. Will get my computers back soon."

52 comments

  1. Re:Negligence by freeze128 · · Score: 2

    No, he's innocent until proven criminally negligent.

  2. Re:Negligence by K. S. Kyosuke · · Score: 1

    That makes zero sense. Criminally negligent on basis of what?

    --
    Ezekiel 23:20
  3. ALL I WANTED WAS A PEPSI by Anonymous Coward · · Score: 0

    and she wouldn't give it to me!

  4. Re:Negligence by Anonymous Coward · · Score: 1

    Nothing.. Nothing but innocently writing potentially malicious code can get you in trouble. Welcome to "america"! Land of the (not so) free! (We beat all the world in jail population!!)

  5. REPORTED by Anonymous Coward · · Score: 0
    GITHUB has now been added to the Google/ProPublica hate crime database as a supporter of domestic terrorism against all commercial interests. They have shown a lack of control on what their content is providing to the public.

    All Heil GROUPTHINK

  6. Re:Negligence by Anonymous Coward · · Score: 0

    He left his car unattended with the engine running outside a bank where he knew a bank robbery was in progress. Then he acted shocked, shocked to find that his car was stolen and used as the getaway car.

  7. Re:Negligence by Anonymous Coward · · Score: 0

    more like he made a crowbar, which someone else then used in a robbery... but you know, your analogy is more self-serving to your point.

  8. Re:Negligence by stevez67 · · Score: 1

    Actually, what he did was more like planning the robbery, made that plan accessible to others, then acted surprised that someone used his plan to rob the bank.

  9. so by symes · · Score: 3

    Smith and Wesson have an awful lot to answer for then.

    1. Re:so by burtosis · · Score: 1

      Smith and Wesson have an awful lot to answer for then.

      Absolutely not! They are a beloved company, a first class citizen. Not a second class 99% citizen nor a *shudders* European. My $0.02 is they fry him anyhow, facts be damned.

  10. Re:Negligence by svanheulen · · Score: 5, Interesting

    Not at all. There are plenty of legitimate uses for function hooking outside of malware. I know for a fact that the Windows driver for my audio card does it. And there are tons of examples of hooking code that predate his examples. Including Microsoft's own Detours: https://www.microsoft.com/en-us/research/project/detours/

  11. Re:Negligence by Anonymous Coward · · Score: 0

    Bullshit.

    Let's apply this to 3D printing. If somebody makes public the designs and specifications to use some 3D printing hardware to print a functional firearm, for example, is the original publisher to be found liable for any deaths resulting from printed weapons? That's an incredibly slippery slope. We must not be so quick to suppose unlimited liability.

  12. Re:Negligence by Anonymous Coward · · Score: 0

    Actually it's more like he left his car outside a supermarket, locked and with the engine off, but in plain sight so that everyone could see exactly what make it was. Then 3 years later a bank is robbed and the robbers got away in another car of the exact same make.

  13. the code is rubbish anyway by Anonymous Coward · · Score: 0

    Bouncing through a stack buffer is not generally atomic in any way. Just pad your data to 8 to begin with.

  14. Reasonable doubt by Martin S. · · Score: 3, Insightful

    If the code existed before on a public resource, it clearly raises a reasonable doubt.

    1. Re:Reasonable doubt by Zero__Kelvin · · Score: 0

      More like it would be completely unreasonable for one to not doubt he is the perpetrator.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    2. Re:Reasonable doubt by Zero__Kelvin · · Score: 1

      You put the word "Speculation" in the wrong spot in your post. It should have been at the beginning, preceded only by the word "fantastical".

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  15. Re:Negligence by Anonymous Coward · · Score: 0

    Except that this is a criminal case, so "innocent until proven guilty" does apply, even to British citizens who have been illegally arrested by your benevolent government.

  16. Hooking for modding. by Anonymous Coward · · Score: 0

    The old GTA3 era multiplayer mods, TES3: Morrowind's 3rd party graphics updates, all the work done to support Windows 3.1/Win9x era games on Windows XP, Vista, 7, and above.

    All of these have required function hooking techniques and dll overrides in order to work. Many of them were required because of Microsoft changing the functional operation of existing functions rather than creating unique iterations of them/versioned libraries as they did with later dx9 releases (dx3-9 at least involved breakage of various core functions during directx upgrades, some of which caused whole classes of applications to break, whether due to non-standard usage of functions, improper documentation/examples on Microsoft's part, or accidental breakage of functions later on which made it to release without being fixed.)

    The result being that hooks and dll overrides are common for all sorts of legacy applications just to ensure they continue working.

  17. Re:Negligence by Anonymous Coward · · Score: 0

    Anyone else looking forward to the future world of chaos where anyone in malware research is by default a bad guy? It's GONNA BE GREAT.

  18. Of course it was . . . by sgt_doom · · Score: 1

    This is the FBI, fer crissakes! The guys who were deeply, deeply penetrated by the Chinese military intelligence during the Clinton/Bush administrations (and are probably still in control). And then there is this: https://www.wired.com/2016/02/... http://www.cnn.com/2016/02/08/... http://fortune.com/2016/02/09/...

  19. Intercept is the basis for all kinds of OS aids by Anonymous Coward · · Score: 4, Insightful

    The code is code for a service intercept. Those can be tricky to get right, but are used in all manner of system enhancements, and are not primarily useful for malware at all.
    Intercept code I have used in the past:
    * Added time, place, privilege level, and called-by-code conditions to file accesses
    * Allowed file open to alter the running priority of processes
    * Allowed failed access for some of the above to optionally open a different file, transparently
    * Allowed files stored on backing storage (tape, network, disk, compressed files) to transparently appear local and present (or to be migrated to such storage)
    * Allowed file extension or creation that would use space to trigger "get space" processes
    * Allowed user mode undelete operations
    * Allowed control of storage space use to minimize storage fragmentation
    * Allowed controls based on access rate

    These and more useful kinds of extensions are among things that can be implemented with an intercept. Not one of these has anything to do with malware.

    So kindly stop and think a bit before claiming the code was done to help malware function.

    1. Re:Intercept is the basis for all kinds of OS aids by PmanAce · · Score: 1

      If you have access to your code, why do you need to create a service intercept when you could change your own code? All that you have written is possible to write without an intercept service, unless you were modifying something not meant to be modified...

      --
      Tired of my customary (Score:1)
    2. Re:Intercept is the basis for all kinds of OS aids by Anonymous Coward · · Score: 0

      Microsoft employ this same technology for anti-malware purposes, usually in the form of temporary patches to mitigate 0 day malware. Third party sandbox vendors also use this technology to minimise the harm that malware can do.

      Not only are there useful applications of this technology that don't relate to malware, but there are also useful applications in defence of malware!

    3. Re:Intercept is the basis for all kinds of OS aids by Anonymous Coward · · Score: 0

      You must not be an experienced developer. In my current contract we are responsible for maintaining a piece of software which was no longer supported by the previous contracting company and to which the software is lost. (Or at least our company does not have access to it.) Hooking is the only way for us to implement any changes to the customer's crappy old "mission critical" software. Your assumption that developers always have the source code is based on inexperience.
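The legitimate intercept uses listed in comment 19 (time and privilege conditions on file access, transparent fallback to a different file, auditing every call) as an added C example; this is not code from the thread, from Hutchins' repository or from the Kronos sample, and the in-memory file table, the policy names and the return codes are all constructed for illustration:

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for the file system: which paths "exist". */
static const char *present[] = { "/etc/app.default.conf", "/var/log/app.log" };
/* The unhooked service: 0 on success, -1 if the path does not exist. */
static int real_open(const char *path) {
    for (size_t i = 0; i < sizeof present / sizeof *present; i++)
        if (strcmp(present[i], path) == 0) return 0;
    return -1;
}
/* What the intercept sees about the caller before the real call runs. */
struct open_ctx { const char *path; int privileged; int hour; };
typedef int (*precheck)(const struct open_ctx *);           /* 1 = allow, 0 = deny */
typedef const char *(*fallback)(const struct open_ctx *);   /* alternate path or NULL */
static precheck prechecks[4];  static int n_pre;
static fallback fallbacks[4];  static int n_fb;
static int audit_entries;      /* postfix side: every intercepted call is counted and logged */

/* Intercepted entry point: preconditions, then the real call, then fallback, then audit. */
int hooked_open(const struct open_ctx *ctx) {
    int rc = -13;                               /* EACCES-like: refused by a precheck */
    int allowed = 1;
    for (int i = 0; i < n_pre && allowed; i++) allowed = prechecks[i](ctx);
    if (allowed) {
        rc = real_open(ctx->path);
        for (int i = 0; i < n_fb && rc != 0; i++) {   /* transparent redirect on failure */
            const char *alt = fallbacks[i](ctx);
            if (alt) rc = real_open(alt);
        }
    }
    audit_entries++;
    printf("open(%s) priv=%d hour=%02d -> %d\n", ctx->path, ctx->privileged, ctx->hour, rc);
    return rc;
}

/* Policy 1 (constructed): unprivileged callers may open files only during business hours. */
static int business_hours_only(const struct open_ctx *c) {
    return c->privileged || (c->hour >= 8 && c->hour < 18);
}
/* Policy 2 (constructed): a missing /etc/app.conf silently falls back to the shipped default. */
static const char *default_conf(const struct open_ctx *c) {
    return strcmp(c->path, "/etc/app.conf") == 0 ? "/etc/app.default.conf" : NULL;
}
/* Register both policies once; returns 0 on success. */
int install_policies(void) {
    if (n_pre == 0) prechecks[n_pre++] = business_hours_only;
    if (n_fb == 0) fallbacks[n_fb++] = default_conf;
    return 0;
}
/* Convenience wrapper so a caller (or a test) can exercise one intercepted open. */
int try_open(const char *path, int privileged, int hour) {
    struct open_ctx ctx = { path, privileged, hour };
    return hooked_open(&ctx);
}
int audit_count(void) { return audit_entries; }
```

The caller of `try_open` never learns whether it was denied by policy, served by the real file or served by the fallback, which is exactly the transparency the intercepts in comment 19 rely on.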

  20. Re:Negligence by Anonymous Coward · · Score: 0

    Or, he just did it and is guilty.

    Which is more likely, a malware analysis specialist creating software that just-so-happens to look like malware and be beneficial to the use-cases of malware being "borrowed" by someone to create malware in such a way that made it look like the analysis created the malware but actually didn't.

    Or,

    A malware analysis specialist created malware with his skills.

  21. Re:Negligence by Anonymous Coward · · Score: 1

    or because someone robbed a bank and was able to get away from the police even after they used spike strips, because they used run flat tires, and then they charged the inventor of run flat tires with being the robber when they couldn't find the actual robber.

    or suing the inventor of the pogo stick because someone used one to beat someone to death.

  22. Re:Negligence by Anonymous Coward · · Score: 0

    "anyone in malware research is by default a bad guy" I guess it depends on why the person is researching malware. As it stands now all the "malware researchers" are 6 steps behind those creating and deploying malware for criminal acts. From the guy sitting in his basement to the companies staffed with security "experts" it appears you only get post-mortems 6 months after a particularly damaging malware has been distributed far and wide. Nothing like locking the barn after the horse has already left and taken up residence in your house.

    If you want to avoid being charged with a crime all you have to do is stop doing something you know is illegal. Mainly gaining access to any system that you have no business being in. Doesn't matter how easy it may be to hack someone's system, that doesn't make it legal. If you want to show someone the vulnerabilities in their systems ask them before you proceed. The old "it's all for a good cause" excuse is not a legal defense. If you are a security guru but lack the intelligence needed to understand the pretty straightforward laws you should probably associate yourself with someone who does know the difference between right and wrong before you do something you will most likely regret when the FBI shows up at your house.

  23. Which is more likely? by Anonymous Coward · · Score: 0

    A malware developer not posting his malware on GitHub under his own name, I'd imagine.

  24. Re: Negligence by Anonymous Coward · · Score: 1

    Obviously you don't know what a hooking engine is. These pieces of code can be used in many things. It was not written for malware. Are we gonna say the creators of the Python programming language are responsible every time someone sends malicious scripts to the interpreter?

  25. Re: Negligence by Anonymous Coward · · Score: 0

    GitHub is a million monkeys. Eventually, Marcus would write something that matches code that's already on github.

  26. Welp that settles it. by Anonymous Coward · · Score: 0

    He's a proven maker of "hacking tools", so off to the slammer already.

    Github is also a hoster of "hacking tools", so part of the conspiracy, and therefore needs a helping of that good old zero tolerance.

    1. Re:Welp that settles it. by gweihir · · Score: 0

      We need to include every compiler maker, every coding teacher and, just to be safe, every maker of OSes or computers here as well! They all contribute to making hacking possible, after all.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  27. Terrorist == does security && ! governmen by Anonymous Coward · · Score: 1

    I'd love to go to America to visit Yellowstone... but this kinda shit puts me off. Massive jails and anyone vaguely doing computer security is a criminal unless in a top secret government 3 letter agency.

  28. Re:Negligence by Anonymous Coward · · Score: 0

    Plus the method he wrote already existed elsewhere, so although he wrote it they could still have got the function elsewhere if he hadn't.

  29. Finally! by Gravis Zero · · Score: 1

    It's about time we get some GPL'd malware! ;)

    --
    Anons need not reply. Questions end with a question mark.
  30. Re:Negligence by F.Ultra · · Score: 1

    Hardly, he designed a new bumper. Someone later built a car, used his design for the bumper and used the car in a robbery.

  31. still not allowed to go home, still on house arres by h33t l4x0r · · Score: 1

    Wait, he's on house arrest in someone else's house?

  32. Re:Negligence by gweihir · · Score: 1

    Publishing hooking code (which is in no way, form or shape illegal and has perfectly legal uses). This is just the US police state thinking it does not even need to bother understanding the facts before trying to destroy somebody's life.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  33. Re:Negligence by gweihir · · Score: 1

    Not in the least. This is hooking code, not attack code.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  34. Re: Negligence by Anonymous Coward · · Score: 0

    Are we gonna say the creators of python programming language is responsible everytime someone sends malicious scripts to the interpreter?

    Yes

  35. Re: Negligence by Anonymous Coward · · Score: 0

    With all of the incompetence shown in some of these comments, we should be grateful they even bothered with the court case at this point. If these idiots have their way, eventually just having possession of a compiler will be an illegal act because it could be used to make malware.

  36. Re: Intercept is the basis for all kinds of OS aid by Anonymous Coward · · Score: 0

    Translation: "What are you hiding!? I must assume you are guilty because authority said so and I'm a complete idiot."

    There are plenty of reasons why a function hook is used. Hell, the BIOSes of many computers used it to add support for hardware that the OS would have needed drivers written for. (Hell, on that note, hardware interrupts in general could be considered function hooks.) Most of the time a function hook is used because it's not the programmer's code, or the source is unavailable, design limitations prohibit altering the existing code permanently, or because the original functionality is still needed in some cases.

    Not all uses of function hooks are for malicious purposes. It's a normal programming technique, and labeling it as "evil" is tantamount to declaring all programming as "evil" because it could have malicious intent. Which if you are going to cast such a wide net, I would suggest reconsidering your use of computers for any purpose. That or maybe take the time to study what you are railing against so you can make a better argument.

  37. Conspiracy/ Transaction Requirement by Anonymous Coward · · Score: 0

    Without the nexus of a (financial) transaction with the perpetrator it is rather difficult to prove a conspiracy to violate the Computer Fraud and Abuse Act.

  38. Re:still not allowed to go home, still on house ar by Anonymous Coward · · Score: 0

    For treasonous crimes like this, they lock you in Bieber's house.

  39. Re: Intercept is the basis for all kinds of OS aid by Anonymous Coward · · Score: 0

    Everything is meant to be modified sooner or later. Your statement falls apart if one single valid reason is shown.
    Registry and file monitoring, notifications for printer status require hooking and are perfectly legal if done by the user.

  40. Re:Negligence by Anonymous Coward · · Score: 0

    More examples here.
    Harmony is a function prefix, postfix, and detour library for Unity game engine: https://github.com/pardeike/Harmony/wiki
    Mod Organizer uses hooks to add a virtual filesystem layer on NTFS for Bethesda and Bioware games: https://github.com/TanninOne/modorganizer

    We could go on for years about legitimate uses of techniques used in muh mallwarez.

  41. Re:Negligence by K. S. Kyosuke · · Score: 1
    --
    Ezekiel 23:20