Clues That Identify Where Malware Originates

We’re used to the idea that web traffic can be tracked to its location, but malware developers often take extra steps to conceal their identity. Even when they do, tell-tale clues frequently remain: everything from the fonts embedded in phishing emails to the file structures evident in malware code.

A report from security software developer FireEye identifies seven “calling cards” that can point to the origin of a particular malicious attack. In the example above, while the text is written in Russian, two fonts commonly used in Korea (Batang and KPCheongPong) are also visible. “Those font choices reconfirmed existing evidence from other sources that pointed to North Korea, including the author’s name and the CnC servers used in the attack,” the report notes.

Others on the list include repeated language mistakes (which can sometimes be reverse-engineered to suggest the language of origin) and common patterns of DNS registration across multiple attack sites.

These clues aren’t easily analysed by the casual observer, though poorly written text remains one of the most obvious indicators of a phishing email. Hit the link for the full report.

Digital Bread Crumbs [FireEye]


  • Interesting topic, but at least on the evidence within this article.. it seems pretty bullshit.

    For one thing you say this is related to malicious ‘code’, then go on to suggest ‘fonts’ play a role… Perhaps you mean character sets..

    But even then, it all seems like complete guesswork.. “Oh, there was some Korean and some Russian – so it might be Korea or Russia.. Then, they misspell a word repeatedly.. And they commonly do that in Russia – so it’s Russian! Here’s a Russian server name that was accessed around when we suspect the infection took place, so that’s it – LET’S TELL THE PRESS THAT RUSSIA IS HACKING US!”

    No. Just no.