Determining the country of origin for an exe/dll file


I have a doubt as to how one comes to the conclusion that an exe/dll is from a specific country. Is there a field in the PE structure that saves this information?

I know that such information (timestamp etc.) can be overwritten and there is no way that one can be 100% sure, but still... There is always a statement in most analysis reports of malicious samples saying something like "This sample seems to have originated from xyz country".

I would love an answer which doesn't have a tool as a solution.


BEST ANSWER

There are no fields or metadata within the PE/COFF format which give away any indication of a program's country of origin. The PE specification is available here: http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx - it does contain a timestamp field which should be set by the compiler, but this is easily forged.

I understand (though am uncertain) that the country-of-origin of malware is determined via the same means that biological epidemiology works: by tracing the infections back to the source, and given how the Internet works, it's very hard. Often infections spread via HTTP (for example) can be examined via the webserver logfiles which would have the source IP address, which can then be geolocated.

Other times malware contains direct clues as to its origin - with old-school malware (think: ILOVEYOU) the hubris of the author is their downfall. In the ILOVEYOU case, the author actually put "by: spyder / [email protected] / @GRAMMERSoft Group / Manila,Philippines" directly in the VBScript source code that the virus was written in.

For viruses ostensibly written in China or North Korea (which you're probably alluding to - considering the recent news of the Sony Pictures attack), it's possible they're making an educated guess based on strings contained within the program that are in Chinese or Korean script/characters.

...the problem with relying on these kinds of heuristics is that it's easy to "frame" a country and throw someone off your trail. If I were lacking in the moral department I could conceivably commit a false-flag operation by composing a virus such that it contained foreign language strings and used Tor or some other network to launch the attack from within another country, leaving no hint as to its true origins.

In short, I don't believe anyone can really know for certain - most times it's guesses based on the target and who hates the target the most - or cases where entities inadvertently reveal that they wrote it (e.g. Israel and Stuxnet).

ANSWER

A possible way of getting to know the country of origin of an executable is to check the strings section to see if you can find any link back to some host server. This may indicate that the user is trying to send some information/data back to their own server using your exe.

The other solution, as suggested by Dai, is to search for strings and check their language, which may indicate the country of origin.

But for both these solutions, there's a possibility that the language has been changed to throw you off track, or a server has been chosen in some different country owing to various reasons. So, there's no definite way of telling the country of origin for an exe/dll file, but you can make a logical guess.
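The three weak signals the two answers mention (the COFF header timestamp, strings in a non-Latin script, and strings pointing at a remote host) can all be pulled out of a file without a dedicated tool. The script below is an added example written for this page, not code from either answerer; it parses the COFF `TimeDateStamp` by following `e_lfanew` to the `PE\0\0` signature, extracts ASCII and UTF-16LE strings, labels each by Unicode script, and lists URL-like strings. The minimal PE-like blob it analyses, the script ranges and the small TLD list are all constructed for the demonstration. It also handles one pitfall a `strings`-style scan runs into: plain ASCII text, or a UTF-16 string read one byte off, decodes into CJK-range code units and produces fake "Chinese" strings, which the code filters out.

```python
"""Pull weak origin signals from a PE file: COFF timestamp, string scripts, embedded hosts."""
import re
import struct
import unicodedata
from datetime import datetime, timezone

# Constructed, non-exhaustive Unicode ranges used to label a string's script.
SCRIPT_RANGES = {
    "Hangul": ((0xAC00, 0xD7AF), (0x1100, 0x11FF), (0x3130, 0x318F)),
    "CJK": ((0x4E00, 0x9FFF), (0x3400, 0x4DBF)),
    "Cyrillic": ((0x0400, 0x04FF),),
}
# Constructed TLD list so that file names like kernel32.dll are not reported as hosts.
HOST_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+(?:com|net|org|ru|cn|kr|io)(?::\d+)?(?:/\S*)?", re.I)


def coff_timestamp(data):
    """Return the COFF header TimeDateStamp as an aware UTC datetime, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF file header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def _printable(cu):
    ch = chr(cu)
    # reject controls, surrogates and unassigned code points; keep the plain space
    return ch == " " or (cu > 0x20 and unicodedata.category(ch)[0] != "C")


def _flush(run, results, min_len):
    # A run whose units are all 0xHH00 is an ASCII UTF-16 string read one byte off: drop it.
    if len(run) >= min_len and any(cu & 0xFF for cu in run):
        results.append("".join(map(chr, run)))


def extract_strings(data, min_len=4):
    """Printable ASCII runs plus UTF-16LE runs at both byte alignments (like `strings -e l`)."""
    results = []
    covered = bytearray(len(data))  # bytes already claimed by an ASCII string
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        results.append(m.group().decode("ascii"))
        covered[m.start():m.end()] = b"\x01" * (m.end() - m.start())
    for start in (0, 1):
        run = []
        for i in range(start, len(data) - 1, 2):
            cu = data[i] | (data[i + 1] << 8)
            # ASCII bytes read as UTF-16 pairs land in the CJK block; skip covered bytes.
            if not covered[i] and _printable(cu):
                run.append(cu)
                continue
            _flush(run, results, min_len)
            run = []
        _flush(run, results, min_len)
    return results


def script_of(s):
    """Label a string by the dominant non-Latin script it contains, else 'Latin/other'."""
    counts = {}
    for ch in s:
        for name, ranges in SCRIPT_RANGES.items():
            if any(lo <= ord(ch) <= hi for lo, hi in ranges):
                counts[name] = counts.get(name, 0) + 1
    return max(counts, key=counts.get) if counts else "Latin/other"


def network_indicators(strings):
    """URL- or hostname-looking strings, deduplicated and sorted."""
    return sorted({m.group() for s in strings for m in HOST_RE.finditer(s)})


def analyse(data):
    strings = extract_strings(data)
    return {
        "timestamp": coff_timestamp(data),
        "scripts": {s: script_of(s) for s in strings},
        "network": network_indicators(strings),
    }


def build_sample():
    """Constructed PE-like blob: MZ stub, PE signature, COFF header, a few planted strings."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature right after the stub
    # Machine=i386, 1 section, TimeDateStamp=1418000000 (2014-12-08 UTC), no optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 1418000000, 0, 0, 0, 0x102)
    payload = (
        b"\0" * 8 + b"kernel32.dll\0" + b"http://update.example.com/check\0" + b"\0" * 9
        + "\uc548\ub155\ud558\uc138\uc694".encode("utf-16-le") + b"\0\0" * 4  # Korean, even offset
        + b"\0" + "Hello World".encode("utf-16-le") + b"\0\0"  # odd offset on purpose
    )
    return bytes(dos) + b"PE\0\0" + coff + payload


if __name__ == "__main__":
    report = analyse(build_sample())
    print("COFF timestamp:", report["timestamp"])
    for s, script in report["scripts"].items():
        print(f"{script:12} {s!r}")
    print("network indicators:", report["network"])
```

Running it prints the 2014 timestamp, `kernel32.dll` and the URL as Latin strings, the Korean greeting labelled Hangul, and `Hello World` recovered from its odd offset. A short junk run may still appear from the mis-aligned read of the Korean bytes; that is exactly why script labels from a strings dump are a hint for a human to check, not a verdict, and why the timestamp and the hostnames are no stronger than the answers above say they are.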