Code chunk in Kronos malware used long before MalwareTech published it

by Dan Goodin, Ars Technica
Image caption: Marcus Hutchins, security researcher for Kryptos Logic. In May, he registered a domain name that neutralized the WCry ransomware worm. In August, he was charged with developing malware called Kronos. (credit: Bloomberg via Getty Images)

A chunk of code found in the Kronos bank-fraud malware originated more than six years before security researcher Marcus Hutchins is accused of developing the underlying code, a fellow security researcher said Friday.

The conclusion, reached in an analysis of Kronos published by security firm Malwarebytes, by no means proves or disproves federal prosecutors' allegations that Hutchins wrote Kronos code and played a role in the sale of the malware. It does, however, clarify speculation over a tweet from January 2015, in which MalwareTech (the online handle Hutchins used) complained that a complex piece of code he had published a month earlier had been added to an unnamed malware sample without his permission.

> Just found the hooking engine I made for my blog in a malware sample. This is why we can't have nice things, fuckers.
>
> - MalwareTech (@MalwareTechBlog) February 7, 2015

Shortly after his arrest in Las Vegas two weeks ago, the tweet resurfaced, and almost immediately it generated speculation that the malware Hutchins was referring to was Kronos. An analysis of Kronos soon showed that one portion used an instruction that was identical to one included in the code Hutchins published in January 2015.
