Code chunk in Kronos malware used long before MalwareTech published it
Dan Goodin
Marcus Hutchins, security researcher for
Kryptos Logic. In May, he registered a domain name that neutralized the
WCry ransomware worm. In August, he was charged with developing malware
called Kronos.
Bloomberg via Getty Images
A chunk of code found in the Kronos bank-fraud malware
originated more than six years before security researcher Marcus
Hutchins is accused of developing the underlying code, a fellow security
researcher said Friday.
The conclusion, reached in an analysis of Kronos published by security firm Malwarebytes,
by no means proves or disproves federal prosecutors' allegations that
Hutchins wrote Kronos code and played a role in the sale of the malware.
It does, however, clarify speculation over a Tweet from January 2015, in which MalwareTech—the online handle Hutchins used—complained that a complex piece of code he had published a month earlier had been added to an unnamed malware sample without his permission.
Just found the hooking engine I made for my blog in a malware sample. This is why we can't have nice things, fuckers.
Shortly after his arrest in Las Vegas two weeks ago,
the Tweet resurfaced, and almost immediately it generated speculation
that the malware Hutchins was referring to was Kronos. An analysis of
Kronos soon showed that one portion used an instruction that was
identical to one included in the code Hutchins published in January
2015.
The Malwarebytes post confirms that there's "a big overlap"
between code chunks in Kronos and the MalwareTech post, but it went on
to report something else. The same technique in the two code chunks—and
the same instruction—was published in 2009 and "both authors learned it from other sources rather than inventing it." In other words, the technique is old.
By hook or by crook
The code chunks implement a programming technique known as
"hooking," in which an application binds itself to processes already
running in the operating system so that it can intercept the calls or
data they receive. Legitimate software uses hooking for a variety of
reasons—for instance, so an antivirus product can scan e-mail before
it's read. Malware often uses hooking to evade detection by intercepting
OS or AV calls and faking the responses sent back to them.
The hooking routine that Hutchins complained in 2015 was
lifted—again, he said, without his permission—provided the means to make
the hooking process more stable. As Malwarebytes researcher hasherezade
explained it:
Let’s have a look at the technique itself.
During hooking, one may experience concurrency issues. If a
half-overwritten function will start to be used by another thread, the
application will crash. To avoid this, it is best to install a hook by a
single assembly instruction. MalwareTech described an idea of utilizing
for this purpose an instruction lock cmpxchg8b. The same trick and similar implementation can be found in Kronos.
Assembly
is the low-level programming language that's one step removed from the
ones and zeros of native machine code and can be used to directly
program the behavior of a processor. As the Malwarebytes post makes
clear, a similar approach and the identical instruction were used for
the same purpose six years earlier and were described even earlier than
that. Kronos also used the same instruction for the same thing, but its
approach was "overall more sophisticated," Friday's analysis said.
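To make the concurrency point in hasherezade's quote concrete, here is an added example (my own code, not from Kronos, MalwareTech's post or the Malwarebytes analysis) that models a function's first 8 bytes as a 64-bit word and shows why a half-written overwrite is dangerous and why one 8-byte compare-and-swap avoids it. The ORIG and PATCH bytes are constructed placeholders, not real prologue or jump encodings, and the atomic step uses the GCC/Clang `__atomic_compare_exchange_n` builtin, which is what the compiler lowers to `lock cmpxchg8b` on 32-bit x86.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins, not real machine code: the 8 bytes a function begins
 * with before hooking, and the 8 bytes a hook installer wants to put there. */
static const uint8_t ORIG[8]  = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56};
static const uint8_t PATCH[8] = {0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7};
static uint64_t as_word(const uint8_t b[8]) { uint64_t w; memcpy(&w, b, 8); return w; }

/* What a thread entering the function would execute right now:
 * 0 = untouched, 1 = fully patched, 2 = torn (half old, half new): the crash case. */
int observe(const uint64_t *site) {
    if (*site == as_word(ORIG))  return 0;
    if (*site == as_word(PATCH)) return 1;
    return 2;
}

/* Unsafe install, split into two 4-byte writes; a thread can run between them. */
void install_first_half(uint64_t *site)  { memcpy((uint8_t *)site,     PATCH,     4); }
void install_second_half(uint64_t *site) { memcpy((uint8_t *)site + 4, PATCH + 4, 4); }

/* Safe install: a single 8-byte compare-and-swap. GCC/Clang lower this builtin
 * to LOCK CMPXCHG8B on 32-bit x86 (the instruction the analysis names) and to
 * LOCK CMPXCHG on x86-64. All 8 bytes change in one step, and only if the site
 * still holds `expected`, so it refuses to write over bytes someone else changed. */
bool install_atomic(uint64_t *site, const uint8_t expected[8]) {
    uint64_t want = as_word(expected);
    return __atomic_compare_exchange_n(site, &want, as_word(PATCH), false,
                                       __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST);
}

/* A reader arrives between the two halves of the unsafe install. */
int scenario_torn_write(void) {
    uint64_t site = as_word(ORIG);
    install_first_half(&site);
    int seen = observe(&site);      /* 2: neither original nor patched */
    install_second_half(&site);     /* too late for that reader */
    return seen;
}

/* Atomic install: every reader sees either ORIG or PATCH, never a mix. */
int scenario_atomic_install(void) {
    uint64_t site = as_word(ORIG);
    return install_atomic(&site, ORIG) ? observe(&site) : -1;   /* 1 */
}

/* A second installer still expecting ORIG is refused once the site has changed. */
bool scenario_second_installer_succeeds(void) {
    uint64_t site = as_word(ORIG);
    install_atomic(&site, ORIG);
    return install_atomic(&site, ORIG);   /* false */
}
```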
Given how old the technique is, it is not clear why Hutchins
would complain his hooking routine was stolen, assuming the malware and
code he was referring to were Kronos and the hooking engine,
respectively. The Malwarebytes post suggests he was referring to
different malware and a different chunk of code.
As noted earlier, the confirmed overlap between Kronos and
Hutchins' code chunks and the revelation that the same technique was
used in 2009 don't prove or disprove any of the allegations leveled at
Hutchins. Prosecutors have yet to unseal any of the evidence they may
have that shows he willingly or knowingly developed, or helped to sell,
Kronos. Still, the code chunk comparisons may be a sample of the types
of evidence prosecutors or defense attorneys are likely to present
should this case ever go to trial.