*I find it hard to believe that one author wrote that whole thing from scratch, but I find it easy to believe that patterns in software coding could be a dead giveaway.
*I wonder if this malefactor ever made the money from this criminal job. Did he manage to cash out from those epochal floods of spam that did such harm to the rest of us?
http://shape-of-code.coding-guidelines.com/2011/05/11/fingerprinting-the-author-of-the-zeus-botnet/
Fingerprinting the author of the ZeuS Botnet
May 11th, 2011, Derek Jones
The source code of the ZeuS Botnet is now available for download. I imagine there are a few organizations who would like to talk to the author(s) of this code.
All developers have coding habits, that is, they usually have a particular way of writing each coding construct. Different developers have different sets of habits, and sometimes an individual developer has a way of writing some language construct that is rarely used by other developers. Are developer habits sufficiently unique that they can be used to identify individuals from their code? I don’t have enough data to answer that question. Reading through the C++ source of ZeuS I spotted a few unusual usage patterns (I don’t know enough about common usage patterns in PHP to say much about that source) which readers might like to look for in code they encounter, perhaps putting a name to the author of this code.
The source is written in C++ (32.5 KLOC of client source) and PHP (7.5 KLOC of server source) and is of high quality (the C++ code could do with more comments, say to the level given in the PHP code); many companies could increase the quality of their code by following the coding standard that this author seems to be following. The source is well laid out and there are plenty of meaningful variable names.
So what can we tell about the person(s) who wrote this code?
There is one author; this is based on consistent usage patterns and nothing jumping out at me as being sufficiently different that it could be written by somebody else,
The author is fluent in English; based on the fact that I did not spot any identifiers spelled using unusual word combinations that often occur when a developer has a poor grasp of English,
The usage that jumped out at me the most is:
for(;; p++)if(*p == '\\' || *p == '/' || *p == 0)
{
...
This is taking to an extreme the idea that if a ‘control header’ has a single statement associated with it, then they both appear on the same line; this usage commonly occurs with if-statements and this for/while-statement usage is very rare (this usage also occurs in the PHP code),
The usage of true/false in conditionals is similar to that of newbie developers, for instance writing:
return CWA(kernel32, RemoveDirectoryW)(path) == FALSE ? false : true;
// and
return CWA(shlwapi, PathCombineW)(dest, dir, p) == NULL ? false : true;
// also
return CWA(kernel32, DeleteFileW)(file) ? true : false;
in a function returning bool instead of:
return CWA(kernel32, RemoveDirectoryW)(path);
//and
return CWA(shlwapi, PathCombineW)(dest, dir, p) != NULL;
// and
return CWA(kernel32, DeleteFileW)(file);
The author is not a newbie developer, perhaps sometime in the past they were badly bitten by a Microsoft C++ compiler bug, found that this usage worked around the problem and have used it ever since...
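The habits listed above can be turned into something a reviewer can count rather than eyeball. The following Python is an added example, not code from this post and not ZeuS source: it scans two constructed C++ samples (one imitating the usages described above, using the CWA/LPWSTR names from the snippets, one in the more common style) and reports how many lines show each habit, normalised per 100 non-blank lines so samples of different size can be compared.

```python
import re

# Constructed C++ sample imitating the habits the post describes (not ZeuS source).
ZEUS_STYLE = r"""
bool removeDir(LPWSTR path){
  return CWA(kernel32, RemoveDirectoryW)(path) == FALSE ? false : true; }
bool combine(LPWSTR dest, LPWSTR dir, LPWSTR p){
  return CWA(shlwapi, PathCombineW)(dest, dir, p) == NULL ? false : true; }
bool del(LPWSTR file){
  return CWA(kernel32, DeleteFileW)(file) ? true : false; }
LPWSTR lastSep(LPWSTR p){
  for(;; p++)if(*p == '\\' || *p == '/' || *p == 0)
    return *p == 0 ? NULL : p; }
"""

# Constructed contrasting sample written in the more common style.
PLAIN_STYLE = r"""
bool removeDir(LPWSTR path){
  return RemoveDirectoryW(path) != FALSE; }
LPWSTR lastSep(LPWSTR p){
  for (;; p++) {
    if (*p == '\\' || *p == '/' || *p == 0)
      return p;
  }
}
"""

# One line-level regex per habit singled out in the post.
HABITS = {
    # for/while header with an if-statement on the same line
    "loop_if_same_line": re.compile(r"^\s*(for|while)\s*\(.*\)\s*if\s*\("),
    # a boolean condition re-expressed as a true/false ternary
    "redundant_bool_ternary": re.compile(r"\?\s*(true|false)\s*:\s*(true|false)\s*;"),
    # the == FALSE / == NULL comparison feeding such a ternary
    "compare_then_ternary": re.compile(r"==\s*(FALSE|NULL)\s*\?\s*false\s*:\s*true"),
}

def style_features(src: str) -> dict[str, int]:
    """Count the lines of src that show each habit."""
    lines = src.splitlines()
    return {name: sum(1 for ln in lines if rx.search(ln)) for name, rx in HABITS.items()}

def habit_rate(src: str) -> dict[str, float]:
    """Counts per 100 non-blank lines, so samples of different size compare fairly."""
    n = max(1, sum(1 for ln in src.splitlines() if ln.strip()))
    return {k: round(100.0 * v / n, 2) for k, v in style_features(src).items()}

if __name__ == "__main__":
    for label, src in (("zeus-style", ZEUS_STYLE), ("plain", PLAIN_STYLE)):
        print(label, habit_rate(src))
```

Rates rather than raw counts are what you would compare across code bases; a habit that appears at a similar rate in two unrelated samples is weak evidence of shared authorship, one that is near zero everywhere else is the interesting kind.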