Thursday, December 31, 2015

Significance of the compile time stamp in the Ukrainian power malware

Earlier, I did some analysis on the Ukrainian malware for a post on the SANS ICS blog with Robert M. Lee.  I noted that my analysis was hasty, and sure enough I screwed something up.  I failed to notice that my tool was reporting the compile time stamp in local time rather than UTC.  Classic forensics fail...

When the compile timestamp is converted to UTC, we see that the time is 2202 on January 6, 1999.  Since Ukraine is UTC+2, the local Ukraine time is 0002 on January 7, 1999.  What significance might this date have?

Many Orthodox Ukrainians celebrate Christmas starting on January 7th.  This might be significant, though I'm no history scholar so I'm not sure if something special happened that year.  Google didn't turn up anything interesting there.

January 7, 1999 is also the date that Clinton was impeached.  Is that significant for the malware authors?  Hard to say.  Doesn't seem likely, but maybe they were big fans of Lewinsky's blue dress.

One possibly interesting happening on January 6, 1999 has to do with the possible establishment of a solid waste disposal site as noted here.

If the date has something to do with Crimea, it looks like the Constitution of the Autonomous Republic of Crimea came into effect Jan 12, 1999. Yeah, it's not Jan 7, but maybe it means something to someone.

A final possibility has to do with the fact that Prince Rostislav Romanov of the Russian Imperial Family died January 7, 1999.

Or it could all be coincidence.  With things like this, we may never know.
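The UTC-versus-local mix-up described above is easy to avoid by reading the raw `TimeDateStamp` from the PE header and rendering it with an explicit offset. The following is an added example, not the tool used in the original analysis; the sample header is constructed, the seconds value is assumed to be zero (the post gives only hours and minutes), and UTC+2 is the fixed offset stated in the post.

```python
import struct
from datetime import datetime, timedelta, timezone


def pe_timestamp(data: bytes) -> int:
    """Return the raw TimeDateStamp (seconds since the Unix epoch, UTC)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine (2 bytes), NumberOfSections (2), TimeDateStamp (4).
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def render(stamp: int, utc_offset_hours: int = 0) -> str:
    """Format the stamp with an explicit offset, never the analyst's local zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(stamp, tz).strftime("%Y-%m-%d %H:%M %z")


def build_sample(stamp: int) -> bytes:
    """Constructed minimal DOS + COFF header carrying the given stamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, stamp)
    return bytes(dos) + coff


# Constructed value: 2202 UTC on January 6, 1999, seconds assumed to be 00.
SAMPLE_STAMP = int(datetime(1999, 1, 6, 22, 2, tzinfo=timezone.utc).timestamp())

if __name__ == "__main__":
    stamp = pe_timestamp(build_sample(SAMPLE_STAMP))
    print("raw    :", stamp)
    print("UTC    :", render(stamp, 0))
    print("UTC+2  :", render(stamp, 2))
```

The compile timestamp is set by the build toolchain and can be altered afterwards, so it is best reported as raw value plus UTC rendering and treated as one data point rather than proof of build time.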

1 comment:

  1. Been using Kaspersky protection for a few years, and I'd recommend this product to all of you.

