Unmasking the hackers

A USask computer security researcher is developing a new way to uncover the hidden identities of malware creators.

By Ashleigh Mattern

Webcams, home security systems, baby monitors—even cars.

These days, almost everything you can imagine has a computer running in it, and anything with a computer is under threat from malicious software that can wreak havoc. 

“You could hack a kettle so it wouldn’t boil water as you expect,” says Dr. Natalia Stakhanova, associate professor in the computer science department of the College of Arts and Science. “It sounds silly, but that’s the extent of technology in our day-to-day life.”

Stakhanova is researching a new way to deal with malware: a way that will not only mitigate the effects but uncover the secret identities of the malware writers themselves and stop them before they start.

It’s a challenging goal. 

“The numbers of malware we see these days are completely unprecedented and the system is not able to keep up with this pace,” Stakhanova says. “It’s essentially an arms race between detection and the bad guys.” 

There actually aren’t that many malware writers in the world in comparison to the amount of malware we see.

Instead, aspiring hackers can buy kits online that will create custom-made malware and program it to change automatically so that every iteration looks different. 

“You come to this wonderful interface where you can choose the functionality of your malware—what kind of attack you want to launch,” Stakhanova says.

Unmasking the bad guys

Dr. Natalia Stakhanova is an associate professor in the Department of Computer Science. (Photo: David Stobbe)

Most of the malware that exists is disguised; Stakhanova says you can think of it as putting on a mask. The mask creates problems for detection systems because they’re trained to recognize malware by the way it looks.

“If you change that mask, the detection systems can’t see it because it doesn’t look malicious,” she says.

Stakhanova’s job is to come up with methods to identify whether a mask is being used—whether obfuscation has been employed—and find ways to see through it.

She compares it to an investigation at a crime scene, where detectives gather as much information as possible to identify who is behind that particular crime. 

“We’re trying to do the same thing—create a profile of the person who wrote that malware so we can then catch them,” she says. 

The long-term goal is to attribute the malware to the actual person who wrote it, the developer. 

She says there are only a few groups in the world that are trying to attribute malware to a specific developer, but this kind of work has been done before—in the literary world.

J.K. Rowling and Shakespeare

In literature, writers and poets have a signature style; they use unique vocabulary and sentence structure that can be examined to determine authorship.

Shakespeare’s works have long been studied through this lens and, more recently, it was used to determine that the book The Cuckoo’s Calling by Robert Galbraith was actually written by J.K. Rowling. 

With malware analysis, Stakhanova is applying the same idea to computer code.

“Every person has a unique style and you can see that in the way the software was written,” she says.

Developers will prefer particular tools and libraries, they’ll make comments in the program in a unique way, and the overall logic and flow of the program will reflect their preferences.

Stakhanova can use that signature style to create technical profiles of known malware writers.

So far, the research has been successful—her team has built profiles of malware developers—but it has a long way to go. The next step is to be able to tell you the name and address of the hackers.

If the hackers could be identified, keeping track of the people and groups creating malicious software would be easier.

There is potential, says Stakhanova, for “knowing their profiles, their tactics, and being able to not just mitigate after the fact but anticipate that something might be happening and prevent it.”


Sharing knowledge

Although Stakhanova’s job requires her to understand hackers and sometimes even use similar tactics, she doesn’t see herself as a “white hat hacker”—the term for hackers who use their skills for good, reporting security flaws and generally ensuring the safety of various computer systems.

Instead, she considers herself an educator.

She literally wrote the book on being hacked. Stakhanova said she found friends and family asking for security advice, so she gathered all of her tips together and wrote the book Have You Been Hacked Yet?: How to Protect Your Personal and Financial Information Today.

The book offers security basics, like what you can do to protect your online banking and how to make passwords that work.

Her number one tip? Get a password manager and use strong, different passwords for each service.

“Don’t try to write them down. Don’t try to keep one wonderful password for all your services,” she says.

Article first appeared in Arts&Science: the magazine.