Marcus Hutchins' Code Used In Malware May Have Come From GitHub (itwire.com)
troublemaker_23 quotes ITWire: A security researcher says code has been discovered that was written by British hacker Marcus Hutchins that was apparently 'borrowed' by the creator of the banking trojan Kronos. The researcher, known as Hasherezade, posted a tweet identifying the code that had been taken from Hutchins' repository on GitHub.
Hasherezade also found a 2015 tweet where a then-20-year-old Hutchins first announces he's discovered the hooking engine he wrote for his own blog -- being used in a malware sample. ("This is why we can't have nice things," Hutchins jokes.) Hasherezade analyzed Kronos's code and concluded "the author has a prior knowledge in implementing malware solutions... The level of precision lead us to the hypothesis, that Kronos is the work of a mature developer, rather than an experimenting youngster."
Monday on Twitter Hutchins posted that "I'm still on trial, still not allowed to go home, still on house arrest; but now I am allowed online. Will get my computers back soon."
If the code existed before on a public resource, it clearly raises a reasonable doubt.
The code is code for a service intercept. Those can be tricky to get right, but they are used in all manner of system enhancements and are not primarily useful for malware at all.
Intercept code I have used in the past:
* Added time, place, privilege level, and called-by-code conditions to file accesses
* Allowed file open to alter the running priority of processes
* Allowed failed access for some of the above to optionally open a different file, transparently
* Allowed files stored on backing storage (tape, network, disk, compressed files) to transparently appear local and present (or to be migrated to such storage)
* Allowed file extension or creation that would use space to trigger "get space" processes
* Allowed user mode undelete operations
* Allowed control of storage space use to minimize storage fragmentation
* Allowed controls based on access rate
These and more useful kinds of extensions are among things that can be implemented with an intercept. Not one of these has anything to do with malware.
So kindly stop and think a bit before claiming the code was done to help malware function.