What phrases and symbols attackers use
In the Trojans that Kaspersky Lab specialists and researchers at other information security companies detect, they often find meaningful phrases.
These range from curses and messages addressed to someone in particular to excerpts from Shakespeare's sonnets and quotations from Dostoevsky's "Crime and Punishment" and "The Brothers Karamazov". Izvestia asked IT researchers why malware writers insert such markers into the code of a malicious program, and collected the most interesting cases in which such hidden signs were found.
For a computer program to work, as everyone knows, someone has to write code. In any programming language, code is a sequence of letters, numbers and symbols: instructions that the computer follows to carry out a given algorithm.
Every language, including the ones people speak, involves borrowings and quotations, and programming languages are no exception. So from time to time, computer security researchers investigating a particular case find messages inside the code that its authors left for each other or for humanity.
The meaning of these messages is not always clear, Kaspersky Lab told Izvestia. One of the most recent cases, in which phrases from Shakespeare and Dostoevsky were left inside malware, suggests several reasons why they might have ended up there.
“Maybe it was done as a message to humanity,” says Maria Garnaeva, an expert at Kaspersky Lab who investigated this Trojan, “either to have a laugh or to bypass the simplest signature detection.”
The digital "poets" were members of the Obsydian Gargoyle group. Maria Garnaeva calls them low-skilled scammers, since the tools they use in their attacks are very simple: phishing emails about COVID-19, phishing sites and simple malware. On the other hand, all of their attacks were quite effective.
“These cybercriminals inserted phrases in English into the malicious macro code several times,” the expert says. “A fragment from Shakespeare's Sonnet 116, two excerpts from 'The Brothers Karamazov' and one from 'Crime and Punishment' by Dostoevsky.”
From Shakespeare's Sonnet 116, these lines were used:
O no! it is an ever-fixed mark
That looks on tempests and is never shaken;
It is the star to every wandering bark,
Whose worth's unknown, although his height be taken.
Love's not Time's fool, though rosy lips and cheeks
Within his bending sickle's compass come;
Love alters not with his brief hours and weeks,
But bears it out even to the edge of doom.
If this be error and upon me proved,
I never writ, nor no man ever loved.
Elsewhere in the macro, the following quotes from Dostoevsky were found:
"Above all, don't lie to yourself. The man who lies to himself and listens to his own lie comes to a point where he cannot distinguish the truth within him, or around him, and so loses all respect for himself and for others." ("The Brothers Karamazov")
"The awful thing is that beauty is mysterious as well as terrible. God and the devil are fighting there, and the battlefield is the heart of man." ("The Brothers Karamazov")
"To go wrong in one's own way is better than to go right in someone else's." ("Crime and Punishment")
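The "bypass the simplest signature detection" reason given above is easy to see in code. What follows is an added example, not Kaspersky Lab's or the attackers' code: two constructed VBA macro fragments, the second being the first padded with literary lines as comments and as string constants that nothing references. A plain file hash of the padded copy no longer matches, while a hash over a normalized form (comments and dead string constants removed) and a content rule keyed on the `CreateObject("WScript.Shell")` call still do. The macro payload (it only launches calc.exe) and all names are hypothetical.

```python
"""Why pasted quotations defeat a plain file hash but not a content signature.

Added example, not Kaspersky Lab's code. MACRO_ORIGINAL and MACRO_PADDED are
constructed VBA fragments (hypothetical; the payload just launches calc.exe).
The padded copy is the original with literary lines pasted in as comments and
as string constants nothing references, the way the text describes.
"""
import hashlib
import re

MACRO_ORIGINAL = """\
Sub AutoOpen()
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.Run "calc.exe", 0
End Sub
"""

MACRO_PADDED = """\
' Love's not Time's fool, though rosy lips and cheeks
' Within his bending sickle's compass come;
Const Q1 = "Above all, don't lie to yourself."
Sub AutoOpen()
    Dim sh As Object
    ' God and the devil are fighting there
    Set sh = CreateObject("WScript.Shell")
    Const Q2 = "To go wrong in one's own way is better than to go right in someone else's."
    sh.Run   "calc.exe", 0
End Sub
"""

# Matches `Const NAME = ...` declarations so unused padding constants can be dropped.
CONST_DECL = re.compile(r"^\s*(?:Private\s+|Public\s+)?Const\s+(\w+)\s*=", re.IGNORECASE)


def strip_comment(line: str) -> str:
    """Cut a VBA line at the first apostrophe that is outside a double-quoted string."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def normalize_vba(src: str) -> str:
    """Remove comments, blank lines, unused Const strings and extra whitespace.

    What remains is the code that actually executes, which is what an analyst
    wants to hash; pasted quotations never survive this step.
    """
    lines = [strip_comment(line).strip() for line in src.splitlines()]
    lines = [line for line in lines if line]
    body = "\n".join(lines)
    kept = []
    for line in lines:
        m = CONST_DECL.match(line)
        if m and len(re.findall(r"\b%s\b" % re.escape(m.group(1)), body, re.IGNORECASE)) == 1:
            continue  # declared once and never referenced: dead padding
        kept.append(line)
    return "\n".join(re.sub(r"\s+", " ", line) for line in kept)


def file_hash(src: str) -> str:
    """What a naive blocklist keys on: the hash of the bytes exactly as shipped."""
    return hashlib.sha256(src.encode("utf-8")).hexdigest()


def normalized_hash(src: str) -> str:
    """Hash of the normalized code; stable across comment and dead-string padding."""
    return hashlib.sha256(normalize_vba(src).encode("utf-8")).hexdigest()


# A content rule keyed on behaviour (spawning a shell object), not on file bytes.
SHELL_RULE = re.compile(r'CreateObject\(\s*"WScript\.Shell"\s*\)', re.IGNORECASE)


def matches_rule(src: str) -> bool:
    return SHELL_RULE.search(src) is not None


if __name__ == "__main__":
    for name, macro in (("original", MACRO_ORIGINAL), ("padded", MACRO_PADDED)):
        print(f"{name:9s} file hash       {file_hash(macro)[:16]}...")
        print(f"{name:9s} normalized hash {normalized_hash(macro)[:16]}...")
        print(f"{name:9s} shell rule hit  {matches_rule(macro)}")
```

The normalizer is deliberately small: it handles line comments and unreferenced `Const` strings, which is exactly the padding described here. Real samples also use string concatenation and dead procedures, so in practice the normalized hash is a triage aid and the behavioural rule is the detection that matters.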
You can't throw the words out of a song
Group-IB specialists recalled a case from 2018. Analysing the malicious file "Contract.docx", which the Silence group sent to banks (the file exploited CVE-2017-0262, a Microsoft Office vulnerability), they found a script whose variable names were made up of lyrics from the Slipknot song "Snuff" (You-sold-me-out-to-save-yourself).
“Before Silence, this malicious file was used by the APT28 group (also known as Fancy Bear),” Group-IB noted. “The Silence members, having borrowed the document from them for their mailings, did not change this part of the script. Curiously, like most of the financially motivated groups of that time (Cobalt, MoneyTaker), the Silence members were Russian-speaking, as the program's command language, among other things, shows.”
According to Group-IB experts, most of the commands of the Silence Trojan are Russian words typed on an English keyboard layout: htrjyytrn → реконнект → reconnect; htcnfhn → рестарт → restart; ytnpflfybq → нет заданий → no tasks.
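An analyst who meets such commands in a sample wants to decode them without staring at a keyboard. The following is an added example, not Group-IB's code: it maps each Latin key to the Cyrillic letter in the same position on the standard Russian (ЙЦУКЕН) PC layout, flags Latin tokens that look like mistyped Russian, and translates the decoded words through a small dictionary. The dictionary, the heuristic and the sample command list are constructed for the example; the three commands themselves are the ones quoted above.

```python
"""Decode strings that were typed in Cyrillic on a Latin (QWERTY) keyboard layout.

Added example, not Group-IB's or Izvestia's code. The QWERTY -> ЙЦУКЕН table is
the standard Russian PC layout; the dictionary and sample command list are
constructed for this example.
"""
from __future__ import annotations

QWERTY = "qwertyuiop[]asdfghjkl;'zxcvbnm,./"
JCUKEN = "йцукенгшщзхъфывапролджэячсмитьбю."

# Same physical key, different layout: 'h' is where 'р' sits, and so on.
LATIN_TO_CYRILLIC = {q: c for q, c in zip(QWERTY, JCUKEN)}
LATIN_TO_CYRILLIC.update({q.upper(): c.upper() for q, c in zip(QWERTY, JCUKEN) if q.isalpha()})

# Russian words an analyst expects in C2 command names (constructed; extend per sample).
KNOWN_WORDS = {
    "реконнект": "reconnect",
    "рестарт": "restart",
    "нет": "no",
    "заданий": "tasks",
}

VOWELS = set("aeiou")


def layout_decode(token: str) -> str:
    """Replace each Latin key with the Cyrillic letter at the same key position."""
    return "".join(LATIN_TO_CYRILLIC.get(ch, ch) for ch in token)


def looks_mistyped(token: str) -> bool:
    """Heuristic: a Latin token of 5+ letters with no vowel is rarely English
    but typical of Russian typed on a Latin layout (false positives such as
    'rhythm' are possible; treat the result as a hint, not a verdict)."""
    letters = [c for c in token.lower() if c.isalpha()]
    return len(letters) >= 5 and all(c in LATIN_TO_CYRILLIC for c in letters) and not (VOWELS & set(letters))


def segment(word: str) -> list[str] | None:
    """Greedy longest-match split of a Cyrillic run into dictionary words
    (commands were typed without spaces, e.g. нетзаданий -> нет, заданий)."""
    longest = max(len(w) for w in KNOWN_WORDS)
    parts, i = [], 0
    while i < len(word):
        for n in range(min(longest, len(word) - i), 0, -1):
            piece = word[i:i + n]
            if piece in KNOWN_WORDS:
                parts.append(piece)
                i += n
                break
        else:
            return None  # some stretch is not in the dictionary
    return parts


def translate_command(token: str) -> str | None:
    """Latin-layout token -> English meaning, or None if not fully recognised."""
    parts = segment(layout_decode(token).lower())
    if parts is None:
        return None
    return " ".join(KNOWN_WORDS[p] for p in parts)


if __name__ == "__main__":
    # Constructed command list mixing mistyped Russian with ordinary English names.
    SAMPLE_COMMANDS = ["htrjyytrn", "htcnfhn", "ytnpflfybq", "download", "sleep"]
    for cmd in SAMPLE_COMMANDS:
        flag = "suspect" if looks_mistyped(cmd) else "plain  "
        print(f"{flag} {cmd:12s} {layout_decode(cmd):12s} {translate_command(cmd)}")
```

The decode step alone is enough to read a command table by eye; the dictionary lookup is there so the same script can be run over a whole string dump and only the hits reviewed.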
Sometimes the words inside the code are meant as communication between malware writers and the antivirus researchers who detect them.
Attackers also use the same channel to communicate with each other.
A well-known example is the Mydoom, Netsky and Bagle worms, which were endlessly modified so that their authors could exchange messages with one another, with phrases such as: "We are Skynet. You can't hide!", "We are killing malware authors (they have no chance!)", "MyDoom.F is the thief of our idea!"
This 2004 correspondence was studied by both Kaspersky Lab and the Finnish company F-Secure.
F-Secure virus researcher Mikko Hyppönen complained to the press at the time: “Perhaps most worrisome is that virus writers seem to be taking the cat-and-mouse game with antivirus firms to the next level. If the goal is to tire the antivirus people, they succeed. My team is really tired. We work all night and on weekends.”
Not just curses
However, the most common phrase malware writers use to "communicate" with the world is, of course, "F*** you".
It is this phrase that is inserted most often into all kinds of code. These words appear both among APT groups (highly skilled teams, most often recruited to work for espionage purposes) and among the lowest-level malware writers.
Kaspersky Lab showed Izvestia a piece of code in which these two words are addressed to the lab's staff.
Sometimes, however, you don't even need code to communicate. On one occasion the international hacker group MuddyWater left the following message on Kaspersky Lab's official website, under the annual report in which the company ranks the year's main cybercriminals and analyses their "achievements":
“Dear KasperSky, this is a post from MuddyWater.
We are writing this letter to protest the recent report.
We think that third place is unfair for MuddyWater. If you were following us, you would understand that our work is much more than what you described in this post.
By the way, this is just the beginning ...