
The alleged NSA malware developers are at risk to be identified - yousry
https://www.yousry.de/the-nsa-malware-developers-are-at-risk-to-be-identified/
======
micaksica
This post seems lacking in the data required to make such a claim; I do not
understand how it has gained so much traction.

Where is the actual research, and where are the probable identified
candidates? Did I miss a data analysis part somewhere that explained the
methodology, and probable attribution to actual people? This appears to be a
basic string search of the code and some simple syntax analysis.

There are learning algorithms for stylometry, and they can probably be adapted
to code. This article appears to state that "it might be possible to use these
anomalies as clues", but does not elaborate on, how, why, or what any
hypothesis is other than this.

~~~
exo762
Haven't analyzed author's claims, but in general programmer identification is
a solved problem:

[https://www.youtube.com/watch?v=YMa04HovKfs](https://www.youtube.com/watch?v=YMa04HovKfs)
[De-anonymizing programmers 32c3]

~~~
akerro
My first thoughts were about the demo you linked and about this one:
[https://www.youtube.com/watch?v=xipI-0HU010](https://www.youtube.com/watch?v=xipI-0HU010)

------
zigzigzag
_However, in contrast to 3.5 billions Internet users, only a few hundred
experts have to be identified._

This is the sentence that lets you know the post can be safely ignored. Anyone
who thinks there are only a few hundred people in the world capable of writing
Linux exploits doesn't have a grip on the scale of the world at all.

~~~
micaksica
Agreed. There are probably 5-25K (yes, large range, but still order of
magnitude higher) people in the Bay Area alone that are capable of writing
exploits.

~~~
mseebach
Also, there's a huge difference in the number of people capable of secretly
building exploits alone in their bedrooms at night (probably committing a
crime), and those building them as a day job, where you can solicit feedback
and advice from peers, reference well-organised documentation and study the
original source code of previously successful exploits and freely discuss
ideas and approaches with colleagues over lunch.

Which of course partially challenges this assumption in the article:

 _The developers of the malware [..] were discovered and not trained._

~~~
lawnchair_larry
_people capable of secretly building exploits alone in their bedrooms at night
(probably committing a crime)_

No, that isn't how exploit research works. I don't understand why one would
think that writing exploits is associated with being a criminal.

~~~
mseebach
Research, no, but turning it into malware is.

~~~
lawnchair_larry
Do you consider exploits to be malware? If so, then no, you couldn't be more
wrong.

------
yousry
I'm currently working on anomaly detection algorithms and used the good
opportunity (the Shadow Brokers release) to analyze a number of malware
applications at once.

~~~
bitxbitxbitcoin
I'd love to see your results once you're ready to share them!

------
matt_wulfeck
The author appears to run "strings" on the binaries and then goes on to shoot
a few theories in the dark:

> The developers of the malware are leading experts in the area of Linux,
> Network and Security development.

> They were discovered and not trained.

> Because the archive contains a collection of applications, the calculated
> result-set is reasonably small for further investigations.

~~~
drvdevd
Also:

> LinkedIn will show you the professional discipline, GitHub the shared
> libraries and their publicity.

I would _guess_ that NSA has a firm grasp on this sort of basic OSINT problem
and code attribution techniques.

~~~
wjnc
Retroactively scrubbing a programmer's published work and social media
participation is a red flag in itself.

~~~
dogma1138
Indeed, from what we also know, or at least suspect, this is a group which
is external to the NSA.

It could consist of former NSA employees and military personnel but it's not
clear if this is a fully sanctioned group or just really good hackers for
hire.

------
alfiedotwtf
After seeing this post, the malware devs may have unfollowed/unstarred the
repos used in order to evade discovery.

It would have been interesting to have GitHub's star/follow history...

~~~
andruby
Github has a comprehensive open dataset [1]. I'm not sure if it keeps
historical data, but I'm sure there are people hitting the APIs and keeping
the data archived :)

[1] [https://www.githubarchive.org/](https://www.githubarchive.org/)

------
carlsborg
Nice forensic analysis and tutorial.

Note that parsing out strings from a binary and finding names from it gives
you mainly false positives. e.g. from glibc

[https://fossies.org/dox/glibc-2.24/C-identification_8c_source.html](https://fossies.org/dox/glibc-2.24/C-identification_8c_source.html)
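As an added illustration of the false-positive point above (this is not code from the thread or from the post being discussed): a small Python extractor that mimics `strings`, then separates the runs a known shared library contributes from the residue before looking for name-like fragments. The library corpus, the sample blob and every name in them are constructed placeholders.

```python
import re
from typing import Dict, List

MIN_LEN = 4  # same default minimum run length as the `strings` utility

# Constructed corpus: strings a known shared library contributes to every
# binary that links it. In practice you would build it by running the same
# extractor over the library files of the matching toolchain.
KNOWN_LIBRARY_STRINGS = {
    "GNU C Library (GNU libc) stable release version 2.24, by J. Example et al.",
    "Copyright (C) 2016 Free Software Foundation, Inc.",
    "Compiled by GNU CC version 6.2.0.",
}

# Constructed stand-in for a stripped binary: printable runs between
# non-printable bytes. The build path is a placeholder, not a real artifact.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00"
    + b"GNU C Library (GNU libc) stable release version 2.24, by J. Example et al.\x00"
    + b"\x90\x90\x90"
    + b"Copyright (C) 2016 Free Software Foundation, Inc.\x00"
    + b"Compiled by GNU CC version 6.2.0.\x00"
    + b"\xde\xad\xbe\xef"
    + b"/home/build/tool/src/main.c\x00"
    + b"ab\x00"  # below MIN_LEN, so never reported
)

# "Firstname Lastname" or "I. Lastname": the kind of fragment a naive
# attribution pass would treat as a developer name.
NAME_LIKE = re.compile(r"\b(?:[A-Z][a-z]+|[A-Z]\.) [A-Z][a-z]+\b")


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return printable ASCII runs of at least min_len bytes, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def classify(blob: bytes) -> Dict[str, List[str]]:
    """Split extracted strings into library-origin and residue, and report
    name-like fragments for each side so the false positives are visible."""
    found = extract_strings(blob)
    library = [s for s in found if s in KNOWN_LIBRARY_STRINGS]
    residue = [s for s in found if s not in KNOWN_LIBRARY_STRINGS]
    return {
        "library_strings": library,
        "residue": residue,
        "names_from_library": [n for s in library for n in NAME_LIKE.findall(s)],
        "names_from_residue": [n for s in residue for n in NAME_LIKE.findall(s)],
    }
```

Every name-like hit in the sample comes from the library side; only the residue (here a build path) is worth a second look.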

------
pulse7
TLDR: Assumptions: "The developers of the malware are leading experts in the
area of Linux, Network and Security development." and "They were discovered
and not trained."

------
sschueller
Why is it a problem if they are identified? It is probably the only case where
writing Malware doesn't get you in trouble with the government because they
paid you to do it.

------
avh02
A naive question: would sending this code through an obfuscator not mess up
this methodology? (other than lib identification)

It clearly hasn't happened here, but wouldn't that be a reasonable step to
cover tracks given this kind of analysis?

