Brother
Some people believe in house spirits and poltergeists, some in Bigfoot, and some in the idea that a malware author can guarantee his own anonymity simply by wrapping the binary in a packer or obfuscating the code. Certain individuals are convinced that the competent authorities will never take an interest in them as long as their programs cause no direct material damage, do not spread on Russian territory, or the victims never file a thick stack of complaints with the police. It is hard to say what this overconfidence rests on, but personally I think the most likely explanation is that in the recent past such virus writers were hit over the head with a schoolbag a little too often.
The facts stubbornly paint a completely different picture. The deanonymization of malware authors has become so routine that such incidents no longer surprise anyone. So another coder got burned; big deal. Some even flaunt their supposed invulnerability and impunity: here I am, let them try to catch me, but who needs me? You are needed, dear man, and how.
Who needs you?
To begin with, both domestic antivirus companies present on the Russian market work very closely with law enforcement, and they do not hide it. If for no other reason than that they must regularly obtain licenses and certificates from stern three-letter agencies: for developing means of protecting confidential information, for working with cryptography, for protecting personal data, and so on down the list. This means those agencies regularly inspect these companies and stay in close contact with their representatives.
In addition, all of them hold licenses to conduct technical examinations and research using forensic methods, and they regularly use those licenses for their intended purpose, including in the interests of the state. Finally, there are persistent rumors that many companies on the information security market are required to send regular reports on the current malware and cybercrime landscape to wherever such reports go. If such a report can include, besides dry statistics, specific information about an exposed virus writer, will the analysts pass up the opportunity? The answer is, on the whole, obvious.
But there is good news too, username. If you woke up famous one morning because your name suddenly hit the news feeds of antivirus companies, that means one of two things. Either you are already sitting in a cramped room with bars on the window awaiting trial, or the representatives of the law have not yet paid your person the attention it deserves.
There is such a thing as the secrecy of an investigation, which cannot be disclosed under any circumstances. If law enforcement is taking measures against some abstract coder Vasya, they are unlikely to talk about it on the Internet until Vasya is charged or brought to trial. But it is also stupid to rejoice when you find yourself, your beloved self, in the news: it clearly means you are already on the list, and your work was promptly reported to the right place. And at some not very pleasant moment the indifference of people in uniform can suddenly turn into keen interest. Circumstances, you know, sometimes work out in completely bizarre ways.
This is it, this is it, your total deanon!
In absolutely every case of deanonymization known to the general public, the cause should be looked for in the mirror. Malware writers sometimes get burned on trifles that look like sheer absurdity from the outside. Why, one might ask, store personal files on the same server where the botnet admin panel is running? Why send status updates on another botnet by SMS to a mobile number with a throwaway SIM, if that number has repeatedly appeared in classified ads selling computer parts, complete with the city and, you won't believe it, the nearest metro station? Who advised the young genius to set up a Trojan's C&C on a public hosting provider where his father's company's website lives, hardcoding the URL right into the code?
One gets the impression that such nonsense is done only by coders whom nature endowed with a single brain convolution, and even that one is located somewhere in the area where the body meets the chair. However, literally anyone can step on a rake. Especially someone who has not developed the useful habit of watching where he steps.
Each line contains only dots
As everyone knows, debugging is the painful process of ridding a program of bugs. To make this process easier, compilers and linkers leave debug strings in the binary (for Visual Studio builds this is the path to the .pdb file recorded in the executable's debug directory; VB6 embeds the project path). These sometimes contain the full path to the folder where the project sources were stored, and that path sometimes includes the Windows username, for example C:\Users\Vasya Pupkin\Desktop\Super_Virus\ProjectVirus1.vbp.
During reverse engineering, all this joy inevitably surfaces. It is one thing if the account name was invented by the same people who come up with unpronounceable product names at IKEA. But often the string includes a real first name and even, scary to think, the surname of the unlucky virus writer. This makes it far easier to track him down, though the result is not guaranteed: who knows how many namesakes live on our planet? Still, the presence of a debug string with a surname and a characteristic folder structure in a malware sample can become one more piece of evidence of a person's involvement in writing the program, if it comes to that.
Even if, instead of a username, the string the researchers find contains a nickname, it still gives an important clue. Most non-paranoid people use the same nickname on various resources. That is what brings them down. Anyone will very quickly find the character's posts on forums, his GitHub page and his Twitter profile. It is not hard to establish that all these "digital footprints" were left by the same person: the same avatar, a similar signature, the same text posted on different sites... And then a thread gets pulled that leads somewhere.
The takeaway is simple: once you start writing a program that someone is likely to want to investigate, you need to follow basic hygiene and make sure nothing extra gets into the code.
Here's a fragrant soap and a fluffy towel
Another common natural phenomenon is storing email addresses as plain character strings. Strings are the first thing a reverse engineer looks at in disassembled code. Moreover, some individuals believe that XORing a string is enough to reliably hide their mail.ru address from prying eyes. No, friends, it is not enough.
If an email address (the "soap" of the heading, in Russian slang) turns up in the code, it immediately gets typed into Google. Then there are options. Starting from the address, after several successive steps, one can find a Telegram account, a page on social networks, and registrations on forums along with every message posted there. Or maybe nothing will turn up at all. The second outcome happens when a prudent username does not use the same mailbox for technical purposes and for personal correspondence.
Don't knock, it's open!
It is even more fun when some unrecognized genius writes a username and password right into the code, for example for the bot's admin panel or for the cloud storage where the Trojan uploads files pulled from the victim's computer. It is especially good if the same password is used everywhere possible: for the admin panel, for the mail server and for social networks.
This brings to mind one recent case in which a certain anonymous author decided to test a Trojan stealer on his own computer. The stealer, typically enough, worked perfectly. As a result, all of our naturalist's dirty laundry from his computer was uploaded to the cloud storage whose username and password were stored in clear text in the Trojan, and was laid out before the researchers in all its glory.
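The three leaks just described (a debug path carrying the Windows account name, an email address, and a login/password pair) are all found the same way: pull the printable strings out of the sample and run a few patterns over them. The script below is an added example written for this page, not code from the original post; it goes slightly beyond the text by also flagging hardcoded http/ftp addresses and by extracting UTF-16LE strings, which is how VB6 and much of Win32 store text and which a plain `strings` pass misses. The `SAMPLE` blob, the "Vasya Pupkin" paths, the mail.ru address, the password and the example.com URL are all constructed for the demonstration.

```python
import re
from typing import Dict, List

# Leak classes discussed above. The path pattern catches both an MSVC PDB path
# (kept in the CodeView debug record) and a VB6 project path like the .vbp in
# the article; the account name is the third path component.
PATTERNS = {
    "user_path": re.compile(r"[A-Za-z]:\\(?:Users|Documents and Settings)\\[^\\]+\\.*"),
    "pdb_path": re.compile(r"[A-Za-z]:\\.*?\.pdb", re.IGNORECASE),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "credential": re.compile(
        r"(?:pass(?:word|wd)?|pwd|login|user(?:name)?|token|secret)\s*[=:]\s*\S+",
        re.IGNORECASE,
    ),
    "url": re.compile(r"(?:https?|ftp)://[^\s\"'<>]+"),
}


def extract_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Printable runs, both ASCII and UTF-16LE (wide strings are what VB6 and
    the W-variants of the Win32 API leave behind)."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_run.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in wide_run.finditer(blob)]
    return found


def scan(blob: bytes) -> Dict[str, List[str]]:
    """Run every pattern over every extracted string; hits grouped per class."""
    hits: Dict[str, List[str]] = {name: [] for name in PATTERNS}
    for s in extract_strings(blob):
        for name, rx in PATTERNS.items():
            hits[name].extend(m.group() for m in rx.finditer(s))
    return hits


def usernames(hits: Dict[str, List[str]]) -> List[str]:
    """Windows account names pulled out of C:\\Users\\<name>\\... paths."""
    return sorted({p.split("\\")[2] for p in hits["user_path"]})


# Constructed stand-in for a binary: a few header bytes, a fake CodeView
# record with an ASCII PDB path, a UTF-16LE VB6 project path, some junk,
# then an SMTP login, a password and a panel URL, all NUL-terminated.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"RSDS" + b"\x11" * 20
    + b"C:\\Users\\Vasya Pupkin\\source\\repos\\Stealer\\Release\\Stealer.pdb\x00"
    + b"\x00" * 8
    + "C:\\Users\\Vasya Pupkin\\Desktop\\Super_Virus\\ProjectVirus1.vbp".encode("utf-16-le")
    + b"\x00\x00" + b"\xde\xad\xbe\xef" * 4
    + b"smtp_user=vasya.pupkin@mail.ru\x00password=qwerty123\x00"
    + b"http://example.com/panel/gate.php\x00"
)

if __name__ == "__main__":
    report = scan(SAMPLE)
    for name, values in report.items():
        for v in values:
            print(f"{name:10} {v}")
    print("account names:", usernames(report))
```

Run against a real file with `scan(open(path, "rb").read())`. The patterns are deliberately loose: a hit is a lead for the analyst, not proof, and the same loose matching is exactly why a name in a build path ends up in a report.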
Your domain is switched off or outside the coverage area
Some people really like to hardcode the addresses of control servers right into the code, even though progressive humanity long ago invented DGAs, algorithms for dynamically generating domain names. Examples of such solutions can be found without much difficulty on these Internets of yours.
And the point is not only that a DGA increases the Trojan's survivability (one control server gets taken down, and the software automatically connects to the next one), nor even that a server whose address is known can be taken over, sinkholed or DDoSed. The generated addresses can also be calculated by thoughtfully studying the algorithm, but at that point other protection mechanisms come into play: verifying the server's signature, encrypting the transmitted data, and so on.
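To make the two halves of that argument concrete, here is a minimal date-seeded DGA with both sides of it: the bot walking the day's candidates until one answers, and the analyst who, having recovered the seed and the date scheme from the sample, enumerates the whole window in advance for blocking or sinkholing. This is an added example written for this page, not code from the original post or from any real family; the `SEED`, the TLD table, the twelve-letter labels and the five-per-day count are assumptions standing in for whatever constants a real sample would contain. Server signature verification, which the text mentions as the next layer, is not shown.

```python
import hashlib
import re
from datetime import date, timedelta
from typing import Callable, List, Optional

# Assumed values: in a real case both come out of the reversed sample.
SEED = b"constructed-example-seed"      # constant mixed into every hash
TLDS = ["com", "net", "org", "info"]    # TLD table embedded in the binary
PER_DAY = 5                             # domains tried per day


def dga(day_iso: str, seed: bytes = SEED, count: int = PER_DAY) -> List[str]:
    """Domains for one day (YYYY-MM-DD): label and TLD are read off
    SHA-256(seed || date || index), so bot and analyst compute the same list."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day_iso.encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def pick_c2(candidates: List[str], is_alive: Callable[[str], bool]) -> Optional[str]:
    """Bot side: first domain that answers. Taking one server down only moves
    the bot on to the next candidate."""
    for d in candidates:
        if is_alive(d):
            return d
    return None


def blocklist(start_iso: str, days: int, seed: bytes = SEED, count: int = PER_DAY) -> List[str]:
    """Analyst side: with seed and date scheme recovered, enumerate every
    domain for a window ahead of time (DNS block, sinkhole, pre-register)."""
    start = date.fromisoformat(start_iso)
    out: List[str] = []
    for offset in range(days):
        out.extend(dga((start + timedelta(days=offset)).isoformat(), seed, count))
    return out


# Shape of a name produced by this scheme, usable as a cheap DNS-log filter.
SCHEME = re.compile(r"[a-z]{12}\.(?:" + "|".join(TLDS) + r")")


def fits_scheme(domain: str) -> bool:
    """Detection side: does a queried name have this DGA's shape?"""
    return SCHEME.fullmatch(domain) is not None


if __name__ == "__main__":
    print("today:", dga("2020-01-01"))
    print("week ahead:", len(blocklist("2020-01-01", 7)), "domains to block")
```

The asymmetry is the whole point: generating the list is cheap for both sides, so a DGA only buys the operator time until someone reads the algorithm, after which the defender is a day ahead of every bot.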
Even if the researcher fails to break into the admin panel, a lot of useful information can be obtained from whois. Hiding the domain registrant's name does not always help either. One can also look up other sites hosted on the same IP address, see what is on them, and try to go on from there. In principle, many have heard of Cloudflare, but usually everyone is too lazy to figure out what it is actually for.
Some humanoids even put up admin panels on public hosting or on servers where their other projects or their employer's sites are running. I will not even comment on this: it is a sin to mock such a thing, and I no longer have the strength to cry.
Both a laugh and a sin
Pride is a mortal sin, and sinners, according to religious leaders, face inevitable punishment. Not all malware writers are ready to stay in the shadows and quietly rake in the loot; they want fame, honor and respect, public attention and thunderous applause. As a result, some start recording videos about compiling and obfuscating a Trojan and posting screencasts on YouTube, forgetting to close the tabs with their VKontakte page and the Explorer windows in the background, where a lot of interesting things are visible in HD resolution.
Another character did not shoot compromising videos but posted extremely interesting articles on the Internet about methods of bypassing UAC, writing exploits, escalating privileges in the system and other malware-writing tricks. With specific examples, of course. He was tracked down very simply: by that very code, or rather by the characteristic variable names, comments and the manner in which certain functions were implemented; in short, by comparing the published source code with the code disassembled in IDA Pro. Denying it was pointless: he had posted the code on his personal blog under his own name. Fatality.
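The comparison that caught the blogger can be mechanized. The script below is an added example written for this page, not the analysts' tooling or the blogger's code: it fingerprints each source by three feature sets (identifiers, string literals, comments), scores an unattributed sample against known-author sources with a weighted Jaccard overlap, and ranks the candidates. The three snippets are constructed, benign file-reading fragments standing in for the UAC and exploit code in the story; `BLOG_POST` carries the author's habits (`dwRezult`, `hFajl`, misspelled comments and messages), `UNKNOWN_SAMPLE` is what a decompiler would show for the same code when symbols shipped with the binary, and `OTHER_AUTHOR` is the same logic written by someone else. Comments only survive in source, identifier names only when symbols or a PDB ship with the binary, but string literals (typos included) survive compilation, which is why they get their own feature set.

```python
import re
from typing import Dict, List, Set, Tuple

COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.DOTALL)
STRING = re.compile(r'"(?:\\.|[^"\\])*"')
IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
KEYWORDS = {"if", "else", "for", "while", "return", "int", "char", "void",
            "unsigned", "long", "static", "struct", "sizeof", "break"}
# Identifiers weigh most; strings survive compilation; comments exist only in source.
WEIGHTS = {"idents": 0.5, "strings": 0.3, "comments": 0.2}


def fingerprint(src: str) -> Dict[str, Set[str]]:
    """Split a C-like source into comment, string-literal and identifier sets."""
    comments = {c.strip("/* ").strip().lower() for c in COMMENT.findall(src)}
    src = COMMENT.sub(" ", src)
    strings = {s[1:-1] for s in STRING.findall(src)}
    src = STRING.sub(" ", src)
    idents = {t for t in IDENT.findall(src) if t not in KEYWORDS and len(t) > 2}
    return {"comments": comments, "strings": strings, "idents": idents}


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if a or b else 0.0


def similarity(fp_a: Dict[str, Set[str]], fp_b: Dict[str, Set[str]]) -> float:
    return sum(w * jaccard(fp_a[k], fp_b[k]) for k, w in WEIGHTS.items())


def rank(unknown: str, candidates: Dict[str, str]) -> List[Tuple[str, float]]:
    """Score an unattributed sample against known-author sources, best first."""
    fp = fingerprint(unknown)
    scored = [(name, similarity(fp, fingerprint(src))) for name, src in candidates.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed samples. The blog post: idiosyncratic names and misspellings.
BLOG_POST = '''
// cheking the handle before we do anythig
DWORD dwRezult = 0;
HANDLE hFajl = CreateFileA(szPath, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
if (hFajl == INVALID_HANDLE_VALUE)
    return dwRezult;  // oops, no file
char *pBuf_tmp = (char *)malloc(0x1000);
ReadFile(hFajl, pBuf_tmp, 0x1000, &dwRezult, NULL);
MessageBoxA(NULL, "all rigth, file readed", "Rezult", MB_OK);
'''

# Same logic from a different author: different names, clean spelling.
OTHER_AUTHOR = '''
/* Read the whole file into a heap buffer. */
DWORD bytesRead = 0;
HANDLE fileHandle = CreateFileA(path, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
if (fileHandle == INVALID_HANDLE_VALUE)
    return bytesRead;
char *buffer = (char *)malloc(0x1000);
ReadFile(fileHandle, buffer, 0x1000, &bytesRead, NULL);
MessageBoxA(NULL, "File read successfully", "Result", MB_OK);
'''

# Decompiler-style output of the sample: constants inlined, comments gone,
# but symbol names and string literals intact.
UNKNOWN_SAMPLE = '''
DWORD dwRezult;
HANDLE hFajl;
char *pBuf_tmp;
dwRezult = 0;
hFajl = CreateFileA(szPath, 0x80000000, 0, 0, 3, 0, 0);
if ( hFajl == (HANDLE)-1 )
    return dwRezult;
pBuf_tmp = (char *)malloc(0x1000);
ReadFile(hFajl, pBuf_tmp, 0x1000, &dwRezult, 0);
MessageBoxA(0, "all rigth, file readed", "Rezult", 0);
'''

if __name__ == "__main__":
    for name, score in rank(UNKNOWN_SAMPLE, {"blog": BLOG_POST, "other": OTHER_AUTHOR}):
        print(f"{name:6} {score:.3f}")
```

Plain Jaccard treats `CreateFileA` and `dwRezult` as equally telling, which is why the other author still scores above zero; a real attribution pipeline down-weights API names and other tokens that every candidate shares and keeps the rare ones, and a score is a lead to be confirmed by other evidence, as it was in the story by the blog's byline.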
