Milware: Identification and Implications of State Authored Malicious Software
Trey Herr, Eric Armbrust
The George Washington University
Abstract
The difference between state and non-state authored code is typically described in vague terms of sophistication, contributing to the inaccurate confirmation bias of many in the policy community that states simply 'do it better'. Leveraging the results of reverse engineering several malware samples, including Sandworm and Tinba, this paper is an interdisciplinary effort to distinguish between state authored code, milware, and that produced by non-state actors, malware. Working through this initial set of samples, the paper describes a new analytic framework for differentiating state authored code from other samples. This MAlicious Software Sophistication or MASS index relies on a set of characteristics which describe the behavior and construction of malicious software: propagation to and within a target network, exploit severity, and payload customization. Highlighting these distinctions then serves to support a larger analysis of the policy implications these separate categories of malicious code have. By identifying a systematic difference between non-state authored code and that created by states, this pilot project is an effort to generate a new analytic asset for the technical community and highlight attendant policy implications.
1 Introduction
Pervasive development and use of milware constitutes not only a direct technical challenge of decomposing and analyzing well obfuscated code but also threatens a set of key assumptions underpinning the current information security research and defense paradigm. States operate in a different legal regime than criminal groups and individuals, inverting the power relationship between attacker and defender and altering what is possible in the defense against and prosecution of sources of information assurance threats. This paper develops the MASS index as a rudimentary tool for analysts to distinguish between state and non-state authored code, but its primary contribution is to highlight five major implications of milware:
Public disclosure is not as effective. States have little to fear from public disclosure of their activities and so the traditional paradigm of revealing tactics and techniques to dissuade attackers and aid defenders is less effective.
States may be doing R&D for all malicious actors. States have far more resources to develop new techniques and exploits than non-state actors. The eventual proliferation of this code by individuals and criminals means the state of the art will continue to advance, funded by governments.
Even where they do not build the capabilities, states may be distorting the market. States' financial resources may price defenders out of the market for exploits and even bring new sellers into play.
Existing legal tools presume the targets of prosecution are non-state actors. Law enforcement targets individuals and non-state groups, but states are operating under this same legal regime, allowing them to act with relative impunity.
Milware privileges access over effects. States have taken advantage of the current emphasis on defensive and information assurance standards over software developer liability.
Before understanding the implications of this distinct category of code, our first task is to recognize its existence. Previous work has attempted to move beyond the simple sophisticated/unsophisticated dichotomy and succeeded in developing a metric that measured social engineering tactics. [1] We advance this scholarship by focusing on the functional characteristics of malicious code and comparing the work of state and non-state actors to better understand what is common to malicious software and what depends on the unique operational demands of state versus non-state actors.
Starting with a description of the samples analyzed and our selection process, this paper explains the characteristics we developed to delineate between milware