Code chunk in Kronos malware used long before MalwareTech published it

Marcus Hutchins, security researcher for Kryptos Logic. In May, he registered a domain name that neutralized the WCry ransomware worm. In August, he was charged with developing malware called Kronos. (credit: Bloomberg via Getty Images)

A chunk of code found in the Kronos bank-fraud malware originated more than six years before security researcher Marcus Hutchins is accused of developing the underlying code, a fellow security researcher said Friday.

The conclusion, reached in an analysis of Kronos published by security firm Malwarebytes, by no means proves or disproves federal prosecutors’ allegations that Hutchins wrote Kronos code and played a role in the sale of the malware. It does, however, clarify speculation over a Tweet from January 2015, in which MalwareTech—the online handle Hutchins used—complained that a complex piece of code he had published a month earlier had been added to an unnamed malware sample without his permission.

Shortly after his arrest in Las Vegas two weeks ago, the Tweet resurfaced, and almost immediately it generated speculation that the malware Hutchins was referring to was Kronos. An analysis of Kronos soon showed that one portion used an instruction that was identical to one included in the code Hutchins published in January 2015.

Biz & IT – Ars Technica