Security firm HBGary said today it has an open source tool that can help identify the creators of malware spread on the internet, simply by looking at the code itself.
Greg Hoglund, chief executive of HBGary, said in an interview that the tool looks for the unique artifacts left in code when malware authors write it and then compile it into executable programs. On its own, each piece of data in the code may mean little, but the whole collection can uniquely identify a criminal hacker. Hoglund released details of the tool at the Black Hat security conference in Las Vegas today.
“It doesn’t mean you know who they are,” he said. “But it does mean that when you have a large set of programs, you can see that they are related by a common author.”
Hoglund revealed details of his free open source tool that companies can use to produce a “digital fingerprint.” By giving it away, Hoglund hopes to speed the maturation of the technology.
Hoglund said he could easily figure out if someone wrote a piece of code and then came up with a slightly different variant in hopes of making it spread widely. As cyberattacks explode, the U.S. military in particular wants to know where the attacks are coming from. Sometimes, cybercriminals can mask their involvement by launching an attack from computers in another country. If law enforcement or the military tried to retaliate, they would want to make sure they were going after the right perpetrator.
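As an added illustration of the artifact-collection idea described above, and of matching a slightly altered variant back to its sibling, here is example code that is not HBGary's tool or any code from the article: the byte blobs are constructed stand-ins for compiled samples, and the artifact classes, regular expressions and similarity threshold are assumptions of this example.

```python
import re
PDB_SIG = b"RSDS"  # CodeView signature; a GUID, an age and the PDB path follow it
COMPILER_RE = re.compile(rb"Microsoft \(R\) [\w ]*Compiler [\d.]+|GCC: \([^)]*\) [\d.]+")
TOKEN_RE = re.compile(rb"[A-Za-z_][A-Za-z0-9_]{5,}")

def _blob(pdb_path, banner, imports):
    cv = PDB_SIG + b"\x00" * 16 + b"\x01\x00\x00\x00" + pdb_path + b"\x00"
    return b"MZ\x90\x00" + cv + banner + b"\x00" + b"\x00".join(imports) + b"\x00"

SAMPLES = {  # constructed, not real malware: two builds from one author's tree plus an unrelated program
    "a": _blob(b"C:\\Users\\dev1\\proj\\Release\\loader.pdb",
               b"Microsoft (R) Optimizing Compiler 15.00",
               [b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc"]),
    "a2": _blob(b"C:\\Users\\dev1\\proj\\Release\\loader_v2.pdb",
                b"Microsoft (R) Optimizing Compiler 15.00",
                [b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc", b"CreateThread"]),
    "c": _blob(b"D:\\build\\tool\\x64\\svc.pdb", b"GCC: (GNU) 4.4.1",
               [b"socket", b"connect", b"send"]),
}

def extract_artifacts(data: bytes) -> set:
    """Toolchain residue: PDB build directory, compiler banner, identifiers of 6+ chars."""
    feats = set()
    i = data.find(PDB_SIG)
    if i != -1:
        start = i + len(PDB_SIG) + 16 + 4  # skip signature, GUID, age
        path = data[start:data.find(b"\x00", start)].decode("latin-1")
        # The directory, not the file name, is author-specific: renamed variants share a build tree.
        feats.add("pdb_dir:" + path.rsplit("\\", 1)[0].lower())
    for m in COMPILER_RE.finditer(data):
        feats.add("compiler:" + m.group(0).decode())
    for m in TOKEN_RE.finditer(data):  # each string is weak alone, telling in aggregate
        feats.add("str:" + m.group(0).decode())
    return feats

def similarity(f1: set, f2: set) -> float:
    """Jaccard index: share of the combined artifact collection that both samples hold."""
    return len(f1 & f2) / len(f1 | f2) if (f1 or f2) else 0.0

def cluster(samples: dict, threshold: float = 0.5) -> list:
    """Greedy single linkage: a sample joins the first group holding a member >= threshold."""
    fps = {name: extract_artifacts(blob) for name, blob in samples.items()}
    groups = []
    for name, fp in fps.items():
        for group in groups:
            if any(similarity(fp, fps[m]) >= threshold for m in group):
                group.append(name)
                break
        else:
            groups.append([name])
    return groups  # cluster(SAMPLES) -> [['a', 'a2'], ['c']]
```

The renamed variant `a2` lands in the same group as `a` because the build directory, compiler banner and most strings survive the change, while the unrelated `c` shares nothing with either.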
Hoglund has been working on security technology for more than a decade and was known in the past for hacking World of Warcraft; he co-authored “Exploiting Online Games” as a side job. Intelligence agencies are more interested in the work he is doing on identifying malware authors.
“This is more like what I want to do, improving the detection of threats,” he said. “If I know the source code that an attacker typically uses, I can identify it quickly and know what to do when he breaks in.”
Hoglund founded HBGary in 2004 and it now has 25 employees in Sacramento, Calif. It is self-funded and makes an enterprise security product for detecting intruders.