Originally, this post had an incorrect title By mistake I used “3500K” which is equivalent to 3.5M. The number should be 3500 a.k.a. 3.5K
The number of malware writers is enormous. This is a fact. If someone tells you that there are only 10-100 active ppl or groups doing so, then maybe they are right. But… they are most likely not.
Clustering large number of samples allows us to cherrypick a lot of interesting statistics. I shared quite a lot of them back in 2012-2013. Over last weekend I crunched my databases again and this time I focused on Visual Basic ‘goodness’.
Despite being old, this programming platform still has a lot of followers. It ‘helps’ writing RunPE wrappers and their authors often leverage VB’s built-in virtual machine which produces executables that are a big pain to analyze w/o some dedicated tools.
Now, my focus on VB was very specific. If you ever looked at the VB apps before, you know that they often leave traces of the original project path used by the application author inside the file. Yes, the ‘.vbp’ path. Looking through a histogram of all normalized .vbp paths extracted from a decent collection of malware I was able to find over 3500 user names used in the profiles of people who code them (focusing only on c:\users\* and c:\documents and settings\*). The number is pretty high, but that is not surprising. If you add it to 7000 names I extracted in 2013 from debug strings then we are already crossing 10K profiles (possibly people). Multiply it by 2 since I excluded a lot of non-user-accountish paths, and the same name can belong to many people.
Of course, stats are always biased:
- I don’t have all samples
- Some of these paths could be automatically generated/modified/made up
- Lots of other reasons
but numbers speak for themselves anyway.
Here is a list of top user names – lots of variations of the Admin account in multiple languages top the list:
- sher soft
Various interesting names are also on the list:
- Emperor Zhou Tai Nu
- Hacker test Machine
- ghost prince
- SkY-NeT SySteMs
- Sauvegarde [ Don’t Toutch ]
- Evil Karma
- Fuck Yu !
- Oracle Machine
- Jesus Cristo
- OWNED LAN HOUSE
- DeV-PoInT HaCkEr
- BaD HackeR
- Computer Zimmer
- -$-BaNdO’s CoRp-$-
- FUCK OFF
- fucked up