How do virus writers calculate

How do virus writers calculate

Deanon Malvari authors have become so familiar that such incidents do not surprise anyone recently. Well, they burned another coder, it’s never been seen before. Someone and at all braves own invulnerability and impunity: tell, here I am, let them try to catch, but only to whom I am necessary? I need you, sweet man, and so on.

Who needs you?

Let’s start with the fact that both domestic antivirus companies present on the Russian market cooperate very closely with law enforcement agencies, which is not hidden at all. At least for the simple reason that they are compelled to receive regularly from the severe organisations with names from three letters of the licence and certificates on working out of protection frames of the confidential information, on work with cryptography, on protection of the personal data and further with all stops. And it means that the mentioned companies regularly pass checks from outside these organisations and closely communicate with their representatives.
Besides, all of them have licences for carrying out of technical examinations and researches with use of methods of fornazika, and regularly use these licences for the purpose – including in interests of the state. Finally, there are persistent rumours that many firms in the information security market necessarily send regular reports on the current virus and cybercrime situation. If such a report, in addition to dry statistics, can include specific information about the exposed virtual maker, will analysts miss this opportunity? The answer is, in general, obvious.

But there’s good news, too, southerner. If one morning you woke up famous because your name suddenly got on the news feeds of antivirus companies, it means one of two things. Either you’re already sitting in a tightly barred room waiting for trial, or the law hasn’t shown your face the attention it deserves.

There is such a thing as a mystery of investigation that cannot be divulged under any sauce. If there are any actions taken by the law enforcement agencies against an abstract coder Vasya, it is unlikely to be told about it on the Internet until the coder Vasya is not charged or brought before the court. But to be happy, having found yourself, loved one, in the news is also stupid: it clearly indicates that you are already on the pencil, and about your work promptly reported where it should be. And at some not very fine moment indifference from people in epaulets can suddenly be replaced by close interest. Circumstances, you know, sometimes develop in a completely bizarre way.

Absolutely in all cases known to the general public the cause of what happened should be looked for in the mirror. Virmakers sometimes scorch on little things that look ridiculous from the outside. Well, it would seem, why keep personal files on the servo where the botnet’s admin is up? Why dump the status of another botnet by SSMS to the number of mobile phone with the left symphony, if this number has previously been repeatedly shown in ads for the sale of computer giblets indicating the city and even, you would not believe the nearest subway station? Who tricked the young genius into organizing a C&C Trojan on a public hosting site where Daddy’s company’s website spins, while hard hitting the URL right in the code?

It seems that such nonsense is done only by coders, which nature has given a single curvature, and that anatomically located somewhere in the area of direct contact with the body of the chair. But literally anyone can step on a rake. Especially if he has not developed a useful habit to look closely under his feet.

As you know, debugging is an excruciating process of getting rid of lying around. To make this very process easier, some compilers add special debugging strings to the binary. They sometimes contain a full path to the folder where the project sources were stored, and this path sometimes includes the winds’ user name, for example

C:\Users\Vasya Pupkin\Desktop\Super_Virus\ProjectVirus1.vbp

In the process of reversing, all this joy inevitably comes out. It’s one thing if the name of the account is invented by the same guys who write unspoken names for products in the IKEA store. But often the line includes the real name and even – it’s scary to think – the last name of a hapless virtual maker. Thanks to this circumstance, it is much easier to calculate it, although the result is not guaranteed: is there few names on our planet? However, the presence in the sample harmful debugging string with the surname and characteristic structure of folders can be another proof of human involvement in writing the program, if you take it seriously.

Even if the username is replaced by a nickname in the line detected by the researchers, it still gives an important clue. Most people who do not suffer from paranoia use the same nickname on different resources. That’s what brings them down. Anyone can quickly find the posts of the character he is interested in on forums, his githab page and Twitter profile. To understand that all these “digital footprints” left the same face, it’s not difficult: the same avatar, the same signature, the same text posted on different platforms … Next pull a thread that will lead somewhere.

The conclusion is simple: since you are writing a program that someone will probably want to explore, you must follow the rules of elementary hygiene and make sure that nothing unnecessary gets into your code.

There you are, soap, scented soap and towel, fluffy


If soap is suddenly detected in the code, it is immediately hammered into a corner. Further options are possible. At the email address in a few consecutive steps can be found and registration in the telegram, and the user’s page in social networks, and the fact of his registration in forums, along with all posts. Or it may not google anything. The second option happens if a prudent user does not use the same box for technical purposes and personal correspondence.

Don’t knock, it’s open!

It’s even more fun when some unrecognized genius prescribes a username and password right in the code, for example, from a bot admin or from a cloud storage where the trio fills up files that have been pulled off the user’s computer. It’s very good if the same password is used wherever possible – for authorization in the admin, mail server, and social networks.

In this regard, unwittingly recalled one recent case, when a certain anonymous decided to check the Trojan-styler on his own computer. The styler, which is typical, worked out by five points. As a result, in the cloud, the login and password from which were stored in the open form of the three most, with the company of our natural scientist was unloaded all underwear, clearly demonstrate to researchers his uncovered life and the rich inner world. Avoid it as much as possible, juzernem.

I laugh and sin

Pride is a mortal sin. And sinners, according to religious figures, will be inevitably punished. Not all virtuamakers are ready to stay in the shadows and quietly cut money, they want glory, honor and respect, attention of the public and stormy applause. As a result, some people start recording videos of triplets’ compilation and obfuscation and lay out screencasts on YouTube. Having forgotten to close in the browser tabs with their page “Vkontakte” and windows of the conductor, where on HD-resolution you can see a lot of interesting things.

Another character did not shoot compromising videos, but posted on the Internet extremely interesting articles about methods of bypassing UAC, writing rallies, increasing privileges in the system and other virtual maker tricks. With concrete examples, of course. We calculated it very simply: by this very code, or rather by characteristic variable names, comments, manner of implementation of some functions – in general, comparing the public sources and code from IDA Pro. It turned out to be meaningless to unlock – the code was posted in a personal blog with its own signature. Fataliti.


0 0 vote
Article Rating
Notify of
Inline Feedbacks
View all comments

Do NOT follow this link or you will be banned from the site!
Would love your thoughts, please comment.x

Spelling error report

The following text will be sent to our editors: