High Confidence Malware Attribution using the Rich Header

Attribution of malware is a complicated problem, as there are many ways to mislead and misdirect attempts to tie malware back to its authors. The Rich header, undocumented by Microsoft, can be a powerful tool in the analyst’s toolbox. It provides a wealth of information about the build environment of software samples, which can be used to uniquely identify the environment a piece of malware was created in, as well as to tie other unknown samples to that environment. We will present our research into how the header is generated, how it can be used to fingerprint build environments, and the metadata hash we developed to scale across large datasets to detect similar samples.
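
As an added example (not part of the talk or its authors' tooling), a Python parser for the Rich header that unmasks the compiler entries, recomputes the linker's XOR key so a patched or forged header is flagged, and derives a simple MD5 fingerprint over the cleartext entries. The checksum is the publicly described linker algorithm; the MD5 is an assumed stand-in, not the talk's metadata hash, and the sample entries built by `build_sample` are constructed test data.

```python
import struct
from hashlib import md5

DANS = 0x536E6144   # b"DanS" read as a little-endian DWORD (start marker)
RICH = b"Rich"      # end marker; the 4-byte XOR key follows it

def rol32(v, n):  # 32-bit rotate left; the rotation count is taken mod 32
    return ((v << (n & 31)) | (v >> (32 - (n & 31)))) & 0xFFFFFFFF

def rich_checksum(dos_region, entries):
    """Linker-style key: DanS offset + each DOS header/stub byte rotated by its offset (e_lfanew at 0x3C..0x3F skipped) + each comp_id rotated by its use count."""
    cksum = len(dos_region)
    for i, b in enumerate(dos_region):
        if not 0x3C <= i < 0x40:
            cksum = (cksum + rol32(b, i)) & 0xFFFFFFFF
    for comp_id, count in entries:
        cksum = (cksum + rol32(comp_id, count)) & 0xFFFFFFFF
    return cksum

def parse_rich_header(data):
    """Unmask the Rich header; key_valid is False when the stored key no longer matches the recomputed checksum (e.g. a patched or forged header)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0] if len(data) >= 0x40 else 0
    rich_off = data.rfind(RICH, 0, e_lfanew)    # header lives between DOS stub and PE header
    if rich_off < 0 or rich_off + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    dwords, off = [], rich_off - 4
    while off >= 0:                              # walk back one DWORD at a time
        v = struct.unpack_from("<I", data, off)[0] ^ key
        if v == DANS:
            break
        dwords.append(v)
        off -= 4
    else:
        return None                              # no DanS marker: not a Rich header
    pairs = dwords[::-1][3:]                     # drop the three padding DWORDs after DanS
    entries = list(zip(pairs[0::2], pairs[1::2]))
    return {"key": key, "key_valid": rich_checksum(data[:off], entries) == key,
            "entries": [(c >> 16, c & 0xFFFF, n) for c, n in entries],  # (product id, build, count)
            "rich_hash": md5(b"".join(struct.pack("<II", *e) for e in entries)).hexdigest()}  # assumed simple fingerprint

def build_sample(entries, stub_len=0x80):
    """Constructed test input, not a real binary: MZ header, zero stub, Rich header keyed the way the linker does."""
    dos = bytearray(b"MZ".ljust(stub_len, b"\x00"))
    rich_len = (4 + 2 * len(entries)) * 4 + 8   # DanS + 3 pad, pairs, "Rich" + key
    struct.pack_into("<I", dos, 0x3C, stub_len + rich_len)   # e_lfanew -> PE header
    key = rich_checksum(bytes(dos), entries)
    words = [DANS ^ key, key, key, key] + [w ^ key for e in entries for w in e]
    return bytes(dos) + struct.pack("<%dI" % len(words), *words) + RICH + struct.pack("<I", key)
```

Feed `parse_rich_header` the raw bytes of a PE file; a `key_valid` of False is a useful signal that the header was edited after linking, which matters when the header is being relied on for attribution.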

Presented by