Hackers beware: You are what you type

In an InfoWorld interview, computer forensics expert Dr. Neal Krawetz reveals how key taps and other clues can identify online bad guys

As anyone who’s ever held forth in a barroom debate can attest, strange topics attract strange people. And no one knows that better than Dr. Neal Krawetz, computer science Ph.D. and renowned expert in “nonclassical” computer forensics, who focuses on ways to identify otherwise anonymous people online. Krawetz, who is the head of Hacker Factor Solutions, is a pioneer in offbeat methods of identification — finger tapping, syntax slips, errant blog posts — they’re all fodder for Krawetz’s analysis, which pieces together bits of incriminating evidence to pin down online bad guys.

After Krawetz’s recent presentation at the Black Hat Briefings in Las Vegas, he fielded questions about everything from his involvement in tracking down the Unabomber (he had none), to the fine points of finger drumming, to “writing like a guy” (or gal), and spotting English language posts from people whose native language is Chinese (they don’t use plurals or determiners when they translate).

Krawetz’s research cobbles together facts and telltale signs with actual snippets of writing from newsgroups, blog posts, IRC channels, and other Internet backwaters to build profiles of individuals. Among Krawetz’s conclusions: More than half of the people on MySpace’s blogs page who claim to be women are probably men.

Krawetz sat down with InfoWorld Senior Editor Paul F. Roberts at the Black Hat Briefings in Las Vegas to talk about his research and one of his more contentious claims: that he may have identified the author of the Agobot, Phatbot, and rBot malware.

InfoWorld: How is what you do different from classical forensics?

Dr. Neal Krawetz: Classical forensics are tried and tested. They’ve been proven in a court of law. Most things with computers haven’t been around that long. Most classical computer forensics are things like “How to analyze a hard disk” or “How to use a mail header.” Those have been around a long time. Nonclassical forensics are things that are very much on the experimental side. There’s science behind it. The approach is basically scientific.

IW: What can you do in nonclassical forensics that you can’t in classical forensics? What advantages are there?

NK: Oh, you can pull out a lot more information. For example: Are two documents written by the same author, or is the author left- or right-handed? These are not things you could pull off a hard drive.

IW: In your talk, you analyze the source code for the Agobot and Phatbot worms and make connections between that code and an exploit writer named “Wirepair.” Could you explain that?

NK: The main thing is that there’s a guy named Nils that contributed code to Agobot. In fact, if you look at an overlay of two different files, Wirepair’s [and Nils’], there’s only one difference. It’s not just one section, it’s a huge amount of code. He took the whole [exploit] file. Other code from Wirepair also appears in Phatbot, and it appears to be the basis of the source code from dcom2scanner and wdscanner. That kind of thing. So we have two people that appear to have code that contributed to Agobot. The big question is, Are they the same person?

IW: Are they?

NK: No. What I showed is that, through writing analysis, Nils watched Wirepair for six months to a year. As soon as Wirepair would put out any good exploit, [Nils] would take that code and immediately put it into his code. As for what Wirepair did, he was putting out fully functioning exploits. Some of them are active scanners. I wouldn’t say he wrote something for a virus. But someone else took his code and put it in. So what he put out was an attractive nuisance.

IW: There’s nothing illegal about releasing exploit code, though, is there?

NK: As for the legality, I’m not a lawyer. I can’t tell you whether it’s legal or not. One interpretation would be that it’s like laying a handgun outside a house. You’re not responsible for shooting anyone, but it also falls under full disclosure. He’s giving a working proof of concept.