Saturday, January 2, 2016

More possible explanations for the Ukrainian malware compile timestamp

I posted about some possible origins of the Ukrainian malware compile timestamp two days ago.  I noted then that the timestamp was January 6, 1999 (GMT) or January 7, 1999 Ukraine time.  I noted at the time that this could be completely random, but probably has meaning to someone.

Two new meanings have been suggested to me as possibilities.  The first was suggested by "Lin S" on Twitter.  She noted that the copyright for the program KillDisk was 1999 and that perhaps this was related.  I haven't checked the KillDisk copyright for the program itself, only the website (which notes an initial copyright of 1998).  I'm not sure about this explanation, but interesting observation nonetheless.

The second interesting idea came from another Twitter follower who replied but then apparently deleted those replies (so I'll assume he wants to remain anonymous).  He noted that on January 6, 1999 a Serbian security guard was killed at a power plant attack by Albanian rebels in Pristina.  Could be a coincidence as well, but I love the power plant angle.

Again, we may never know the significance of the timestamp but calling cards like these often reveal small data points about the attacker that would otherwise go unnoticed.

1 comment:

  1. I'm using Kaspersky protection for a few years, I would recommend this product to all of you.


Note: Only a member of this blog may post a comment.