
My question is:

How can we make any conclusions about malware authors at all, when anyone could just get sample malware online, copy paste the parts they like, and add their own parts to it?

Obviously there are many types of malware this question would apply to, but I'll use WannaCry as an example. Suspicion was based on a lot of techniques and logic parts used in the malicious files because some were identical to malware used by North Korean groups before.

But during this video the reporter even says that this could be a ruse by some other nation state actor. Seems like any assumption regarding malware authors is just made for political reasons, seeing as no one can guarantee that this one particular makeup of binary data is related at all to one particular group.

I'm wondering if a few lines of matching assembly (see video) is justification enough to release headlines like this, getting the general public on the fence about Cyber War One, when it could have literally been a 20 something year old that had access to any possible spam folder?

EDIT:

I am aware that sometimes certain artifacts in the code can help figure out who might have written it, but in the video it looks like they are connecting a government to a worldwide cyber attack based on assembly instructions. This seems different from accidentally leaving the author's address in the whois info, or forgetting to delete the hard-coded credentials.

PositriesElectron
    Possible duplicate of [Identifying the author(s) of a piece of malware](https://security.stackexchange.com/questions/110600/identifying-the-authors-of-a-piece-of-malware) and [Attributing attacks](https://security.stackexchange.com/questions/81215/attributing-attacks). – Steffen Ullrich Jun 06 '17 at 18:36
  • This is different to those other questions in part due to disinformation techniques and building-block methods which make it hard to extract any kind of reliable unique identifier. In comparison, Stuxnet was similar in that it had suspiciously obvious references, but many thought it was a false-flag misdirection. Stuxnet is very different however in that it was far more complex and targeted than WannaCry. So much so that the black market value and sophistication was too high to consider it the act of a lone hacker or vandal. WannaCry was far simpler and should be harder to reliably attribute. – mgjk Jun 06 '17 at 19:25

1 Answer


Mainstream media reporting is not the place to go for this kind of stuff. If you look up Symantec's report you'll get a lot more detail. They claim that WannaCry is probably authored by an outfit called Lazarus Group, and specifically claim that this malware does not fit the pattern you might expect from a nation-state effort.

https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group

In particular, they say:

  1. The networked command & control infrastructure between this attack and another Lazarus attack is similar, using some of the same IP addresses.

  2. The softwares handle network buffers and network communications in an identical fashion; specifically, they use some of the same constant values.

  3. The softwares have a large set of repeated strings in the binary.

  4. The softwares generate cryptographic numbers the same way.

  5. The softwares have at least one shared function between them.

What this means is that these two softwares share some connection. Either the same group is responsible for writing them, or they're written by two groups that share code and network infrastructure, or it might be the case that someone has gone to great lengths to make it look as though there is common authorship when there is not. It's not practically possible that there is no relationship and all of the above is just total random chance.

Some folks have tried to claim that Lazarus Group is a North Korean nation-state group, but there's not really any evidence to support this. Some of their early attacks were against the South Korean government and Sony, but this is pretty circumstantial. They have attacked non-South-Korean and non-Japanese targets as well.

David
    "software" is an uncountable noun, so it does not have a plural form. – jpmc26 Jun 07 '17 at 02:08
  • @David, is it possible for someone to decompile the code or copy-paste it from other sources (such as from symantec or other sites that publish the source code from the analysis)? Or maybe even just code very similarly using one of these analyses as a reference? This is a way you could get identical/very similar code from completely unrelated people/groups. I've also noticed that the samples in these analyses are generally very well-formatted for decompiled code, I assume that's been clean-up work done by the analysts? (The alternative that they have the original source seems unthinkable). – Bruno Jun 07 '17 at 02:23