PlugX, a Remote Access Tool, or RAT, used for several years to attack computers and steal data from targets in Asia, did not adequately clean and anonymize his code, one security researcher says.
Jaime Blasco, labs manager at AlienVault, has been tracking the activities of a group using PlugX and believes he has identified at least one of the people behind the malicious software.
Blasco in a phone interview said he was able to extract the debug file path from some PlugX malware binaries and then match those file paths to other PlugX samples, samples that included a username in the file path: "whg." The samples also suggested the author was using two separate systems for his work, a Windows XP system and a Vista/7 system.
Blasco scanned other binary files for similar debug file paths and identified an application called SockMon at the Chinese website cnasm.com. The website lists contact information for "whg0001," along with an email address and a QQ number, an identifier used on China's popular QQ messaging service.
[ Learn more about RATs. Read DarkComet Developer Retires Notorious Remote Access Tool. ]
InformationWeek sent an email to "whg0001" asking if he had a hand in the creation of PlugX, as Blasco alleges. We have not heard back.
As Blasco relates in a blog post about his findings, the email address associated with "whg0001" was used as an administrative contact to register a website in China in 2000. The company, Chinansl Technology Co. LTD is listed at Chengdu National Information Security Production Industrialization Base, 2nd Floor, No.8 Chuangye Road, Chengdu, China.
The company appears to have ties to the security industry in China, Blasco observes.
Blasco has found this same file path in components of Chinasl software called "Parent Carefree Filter" and that information about "whg0001" on the Internet identifies him as a "virus expert" who is "proficient in assembly."
A CSDN profile associated with the same whg0001" email address includes a picture.
Searching for more versions of the PlugX RAT reveals a connectivity test URL that points to another picture of the same individual.