When Malware Source Code Leaks: Challenges & Solutions for Tracking New Variants

Tracking a malware family’s activity and development is an important part of understanding the threat landscape and a necessary step in building better defenses.

Malware family classification typically involves finding a combination of indicators which, taken together, is unique to a certain family. Such combinations exist because the samples of a malware family are generated from the same code, and this code is predominantly closed source.

Just like legitimate organizations, malware authors occasionally suffer breaches and data leaks, sometimes even leaking their precious malware source code. This leaked code is then re-used by many new malware projects as if it were open source, making family classification more challenging.

In this webcast, the VMRay Labs Team presents their research and findings from tracking Ursnif/ISFB variants. This malware family’s source code leaked more than five years ago, giving us an opportunity to analyze the long-term effects of a malware source code leak.

Watch SANS Analyst Jake Williams and VMRay’s Threat Analysis Team Lead, Tamas Boczan, show viewers:

  • How malware forks modify the original leaked code in the long term
  • Which defensive techniques are effective against new variants
  • The methodology malware analysts can use to identify the subtle differences between malware variants based on the same code