[FIRST Conference Webcast] The Nightmare of Tracking Open-Source Malware: Five Years of Ursnif
Ursnif is a relatively complex and full-featured malware family frequently used for both large-scale and targeted attacks. Five years ago, this malware’s source code leaked. Since then, different criminal groups have created a swarm of variants forked from the leaked code, many of them still actively developed today. Free access to the source code of high-quality malware has created a dangerous asymmetry: developing complex malware from the leaked code costs almost nothing compared to the cost of building a successful defense against it. Tracking the development of these many parallel malware projects based on the same source code is inherently challenging, but also a worthwhile effort.
An in-depth analysis of recent Ursnif variants enabled a case study that answers questions about open-source malware which would otherwise be left to speculation. What are the long-term effects of complex and easily reusable malware source code becoming available to anyone? How do attackers use this source code over the long term? What is different in recent variants compared to the leaked code? Which defensive techniques are effective against most variants of the malware? What methodology can malware analysts use to identify the subtle differences between malware variants that are based on the same code?