Contents of the article:
- Who needs me?
- This is him, this is him, your total deanonymization!
- Each line contains only dots.
- Here you have some scented soap and a fluffy towel.
- Don't knock, it's open!
- Your domain is down or out of service area
- It's both funny and sad
- Instead of an afterword
Some people believe in brownies and poltergeists, some in the yeti, some in the fact that a developer of malware and other illegal software can guarantee their own anonymity by simply covering the binary with a packer or obfuscating the code. Some individuals are convinced that their activities will never be of interest to the competent authorities if the programs they create do not cause direct material damage, are not distributed on the territory of Russia, or the victims do not write a thick stack of statements to the police. It is difficult to say what exactly such self-confidence is based on.
The facts stubbornly show us a completely different picture. Deanonymization of malware authors has become such a common thing that such incidents have not surprised anyone lately. Well, another coder has been burned. Some even boast of their own invulnerability and impunity: like, here I am, let them try to catch me, but who needs me? They do, and how.
Who needs me?
Let's start with the fact that both domestic antivirus companies present on the Russian market interact very closely with law enforcement agencies, which they do not hide at all. If only for the simple reason that they are forced to regularly obtain licenses and certificates from stern organizations with three-letter names: for developing means of protecting confidential information, for working with cryptography, for protecting personal data, and so on down the line. This means that the aforementioned companies are regularly inspected by these organizations and communicate closely with their representatives.
In addition, they all have licenses to conduct technical examinations and research using forensic methods, and regularly use these licenses for their intended purpose, including in the interests of the state. Finally, there are persistent rumors that many companies operating in the information security market are required to send regular reports on the current virus and cybercrime situation to the appropriate authorities. If such a report, in addition to dry statistics, can include specific information about an exposed virus writer, will analysts pass up the opportunity? The answer is, in general, obvious.
But here's the good news, username. If you wake up famous one morning because your name suddenly appears in the antivirus companies' news feeds, it means one of two things. Either you're already sitting in a cramped, barred room awaiting trial, or the law hasn't given you the attention you deserve.
There is such a thing as a secret investigation, which cannot be disclosed under any circumstances. If law enforcement agencies are conducting any measures against some abstract hacker Vanya, it is unlikely to be reported on the Internet until the coder Vanya is charged or appears in court. But it is also stupid to rejoice at finding your own beloved self in the news: it clearly indicates that you are already on the radar, and your work has been promptly reported to the appropriate authorities. And at some not very wonderful moment, indifference on the part of people in uniform can suddenly give way to keen interest. Circumstances, you know, sometimes develop in a completely bizarre way.
This is him, this is him, your total deanonymization!
In absolutely all cases of deanonymization known to the general public, the reason for what happened should be sought in the mirror. Virus writers sometimes get caught on such trifles that from the outside they look like complete nonsense. Well, it would seem, why store personal files on a server where the botnet admin panel is running? Why dump the status of another botnet by SMS to a mobile phone number with a burner SIM card, if this number has previously appeared again and again in ads for the sale of computer parts, listing the city and even, you won't believe it, the nearest metro station? Who advised the young genius to set up a Trojan's C&C on a public hosting service where his dad's company's website is running, while hard-coding the URL directly into the code?
It seems that such stupidities are committed exclusively by coders whom nature has endowed with a single brain fold, and even that is anatomically located somewhere in the area of direct contact between the body and the chair. However, literally anyone can step on a rake. Especially if he has not developed the useful habit of looking carefully under his feet.
Each line contains only dots.
As you know, debugging is a painful process of getting rid of a program's bugs. To make this process easier, some compilers embed special debug strings in the binary. They sometimes contain the full path to the folder where the project's source code was stored, and this path sometimes includes the Windows user name, for example:
Code:
C:\Users\Vasya Pupkin\Desktop\Super_Virus\ProjectVirus1.vbp
In the process of reversing, all this joy inevitably comes to light. It's one thing if the account name was invented by the same guys who come up with unpronounceable names for products in the IKEA store. But often the string includes the real first name and even, it's scary to think, the surname of the hapless creator of the virus. Thanks to this circumstance, it becomes much easier to identify him, although the result is not guaranteed: who knows how many people with the same surname live on our planet? However, the presence of a debug string with a surname and a characteristic folder structure in the malware sample can become one more proof of a person's involvement in writing the program, if things get serious.
Even if the string found by the researchers contains a nickname instead of a user name, it will still provide an important clue. Most people who are not paranoid use the same nickname on different resources. This is what lets them down. Anyone can very quickly find the posts of the person they are interested in on forums, their GitHub page, and their Twitter profile. It is easy to see that all these "digital traces" were left by the same person: the same avatar, a similar signature, the same text posted on different sites... From there a thread unwinds that leads somewhere.
The conclusion is simple: once a coder has taken on the task of writing a program that someone might want to examine, he must observe the rules of basic hygiene and carefully monitor that nothing unnecessary gets into the code.
Here you have some scented soap and a fluffy towel.
Another common natural phenomenon is storing email addresses as unencrypted character strings. Character strings are the first thing a reverse engineer notices in disassembled code. Moreover, some individuals believe that it is enough to XOR a string to reliably hide their mail.ru address from prying eyes. No, it is not enough.
If an email address is suddenly found in the code, it is immediately entered into Google. Then there are several options. The email address, after several successive steps, can lead to a Telegram account, a page on social networks, and the fact of the author's registration on forums along with all his messages. Or nothing can be found on Google. The second option happens if a prudent coder does not use the same mailbox for technical purposes and personal correspondence.
Don't knock, it's open!
It's even more fun when some unrecognized genius writes a login and password directly into the code, for example, for the bot's admin panel or for the cloud storage where the Trojan uploads files stolen from the user's computer. It's even better if the same password is used everywhere possible: for authorization in the admin panel, on the mail server, and in social networks.
In this regard, one recent case involuntarily comes to mind, when a certain anonymous person decided to test a Trojan stealer on his own computer. The stealer, characteristically, worked perfectly. As a result, all the dirty laundry of our natural scientist's computer was uploaded to the cloud, the login and password for which were stored in the open in the Trojan itself, clearly demonstrating to the researchers his naked life and rich inner world.
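The three sections above (build paths with the Windows user name, plain-text e-mail addresses, and credentials written into the code) all come down to the same triage step a reverse engineer performs first: pull the printable strings out of the sample and sort them by what they give away. The script below is an added example, not code from the original article; it runs over a constructed byte buffer standing in for a sample, extracts ASCII and UTF-16LE strings, and groups them into author-identifying categories, masking any embedded password in the output. All names, paths, hosts and credentials in it are made up.

```python
import re
from typing import Dict, List

# Constructed stand-in for a sample's bytes (real triage would read the file).
# It embeds the kinds of strings the article describes: a build path with the
# Windows user name, a PDB path stored as UTF-16LE, a URL with credentials,
# and a contact e-mail. All values are made up.
SAMPLE = b"".join([
    b"MZ\x90\x00\x03\x00\x00\x00",
    b"C:\\Users\\Vasya Pupkin\\Desktop\\Super_Virus\\ProjectVirus1.vbp\x00\x00\x00",
    "D:\\work\\bot\\Release\\panel.pdb".encode("utf-16-le"), b"\x00\x00",
    b"ftp://upload:hunter2@files.example.test/drop\x00",
    b"contact: vasya.pupkin@example.test\x00",
])

USER_PATH = re.compile(r"[A-Za-z]:\\(?:Users|Documents and Settings)\\([^\\]+)\\", re.I)
PROJECT_PATH = re.compile(r"[A-Za-z]:\\[^\x00]*?\.(?:pdb|vbp|sln|csproj|vcxproj)", re.I)
URL = re.compile(r"""(?:https?|ftp)://[^\s"']+""")
CRED_URL = re.compile(r"((?:https?|ftp)://)([^:/@\s]+):([^@/\s]+)@([^/\s]+)")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def extract_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Printable ASCII runs, then UTF-16LE runs: roughly `strings -a` plus `strings -el`."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def triage(data: bytes) -> Dict[str, List[str]]:
    """Group author-identifying strings by type; passwords are masked in the output."""
    keys = ("usernames", "project_paths", "emails", "embedded_credentials", "urls")
    report: Dict[str, List[str]] = {k: [] for k in keys}

    def add(key: str, value: str) -> None:
        if value not in report[key]:  # keep first occurrence, drop duplicates
            report[key].append(value)

    for s in extract_strings(data):
        if m := USER_PATH.search(s):
            add("usernames", m.group(1))
        if m := PROJECT_PATH.search(s):
            add("project_paths", m.group())
        for url in URL.findall(s):
            if c := CRED_URL.search(url):
                add("embedded_credentials",
                    f"{c.group(2)}@{c.group(4)} (password present, {len(c.group(3))} chars)")
            add("urls", CRED_URL.sub(r"\1\2:***@\4", url))
        # Strip URLs first so user:pass@host is not mistaken for an e-mail address.
        for email in EMAIL.findall(URL.sub(" ", s)):
            add("emails", email)
    return report


if __name__ == "__main__":
    for kind, values in triage(SAMPLE).items():
        print(f"{kind}: {values}")
```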
Your domain is down or out of service area
Some people really like to hard-code the addresses of control servers directly into the program, even though progressive humanity long ago came up with DGA, algorithms for dynamic generation of domain names. Examples of such solutions can easily be found on these Internets of yours.
And it's not only that DGA increases the survivability of the Trojan (if one control server goes down, the software automatically connects to the next one), and it's not even that a server whose address is known can be brute-forced, sinkholed, or DDoSed. The generated address can also be worked out by carefully studying the algorithm, but then other protection mechanisms come into play: server signature verification, encryption of data in transit, and others.
Even if the researcher failed to hack the admin panel, a lot of useful information can be obtained using the whois service. And hiding the domain holder's name does not always help. You can also search for other sites on the same IP address, see what is on them, and try to access them from there. In principle, many have heard the term CloudFlare, but usually everyone is too lazy to figure out what it is.
Some humanoids even raise admin panels at public hosts or on platforms where their other projects or employer sites are running. I probably won't comment on this: it's a sin to mock such things, and I have no strength left to cry.
It's both funny and sad
Pride is a mortal sin. And sinners, as religious figures claim, will face inevitable punishment. Not all virus writers are ready to remain in the shadows and quietly make money; they want fame, honor and respect, public attention and thunderous applause. As a result, some start recording videos about compiling and obfuscating Trojans and posting screencasts on YouTube. Forgetting to close the browser tabs with their VKontakte page and the Explorer windows, where a lot of interesting things can be seen in HD resolution.
Another character did not shoot any compromising videos, but posted extremely interesting articles on the Internet about methods of bypassing UAC, writing exploits, escalating privileges in the system and other virus-writing tricks. With specific examples, of course. They identified him very simply: by this very code, or rather by the characteristic names of variables, the comments, the manner of implementing some functions; in general, by comparing the source code posted publicly with the code from IDA Pro. It turned out to be pointless to deny it: he had posted the code on his personal blog under his own signature. Fatality.
Instead of an afterword
There are a great many methods for identifying malware authors; I have mentioned only the most obvious of them. The conclusions are also quite obvious: virus writers are brought to the investigator's office by their own incompetence and disregard for basic security issues. However, this may not be a bad thing: I remember one guy who looked like Leo Tolstoy wrote something about natural selection. Which, in his opinion, generally contributes to increasing the survival rate of a species.