Black Hat talk to reveal analysis of hacker fingerprints

If that's the case, using these fingerprints as signatures by which malware is detected, intrusion-detection engines could focus on filtering them rather than the wrappers in which they are sent. That would mean a more stable library of signatures since the attackers are slow to change their code. These IDS signatures would work better over a longer period.

To do this the IDS needs to be on endpoints where the code executes and can be seen in the memory of the computer as a human-readable text. At the network layer, a packed executable would not reveal these attributes.

At the conference, Hoglund plans to release a tool called Fingerprint that analyzes and compares the similarities among the underlying artifacts found in different pieces of malware. Businesses could use the tool to determine what identifiable attacker wrote the code and what its intent is.

That in turn can give businesses an idea of whether they are under a concerted assault from a common group rather than being the victim of random attacks. Using this type of analysis, Hoglund says he found that one identifiable attacker was responsible for targeting the Department of Defense as well as a particular military base five years before.

That indicated the attacker was the same, and use of a Chinese-language development environment indicated the attacks came from there. Some of the source code used was exact copies of code traded on China hacker sites.