Tuesday, August 16, 2011

Ghost in the (Infected) Machine

Without a doubt, it is standard practice to look for debug artifacts in malicious binaries. Often, entire directory strings can be extracted, providing clues to the identity of the actual malware author. An example would be a discovered string such as:

"c:\documents and settings\superhacker9001\projects\malware\targeted\company_1\exploit.pdb"

that contains the username of the person whose system the malware was compiled on, in this case "superhacker9001". That information can be used to search in a number of ways to potentially uncover the identity or motives of a specific attacker.
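As an added illustration of the string-extraction step described above (this is example code, not from the original post or from any HBGary tool), the following scans a byte blob for embedded Windows PDB paths and pulls the account name out of the profile directory. The sample binary is constructed here; it wraps the page's example path plus a second path under a build directory that carries no profile name.

```python
import re
from typing import List, Optional

# A Windows absolute path made of printable ASCII and ending in ".pdb", as a
# compiler leaves it in the CodeView debug record of a PE file.
PDB_PATH_RE = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]{1,260}?\.pdb", re.IGNORECASE)

# Profile roots whose next path component is the account name.
PROFILE_ROOTS = ("documents and settings", "users")


def find_pdb_paths(data: bytes) -> List[str]:
    """Return every PDB path string embedded in a byte blob, in file order."""
    return [m.group(0).decode("ascii") for m in PDB_PATH_RE.finditer(data)]


def username_from_path(path: str) -> Optional[str]:
    """Return the account name if the PDB path sits under a user profile."""
    parts = path.split("\\")
    if len(parts) >= 3 and parts[1].lower() in PROFILE_ROOTS:
        return parts[2]
    return None


def extract_debug_artifacts(data: bytes) -> List[dict]:
    """Summarise each PDB path: full path, account name, and project folder."""
    artifacts = []
    for path in find_pdb_paths(data):
        artifacts.append({
            "pdb_path": path,
            "username": username_from_path(path),
            "project_dir": path.rsplit("\\", 1)[0],
        })
    return artifacts


# Constructed sample: a fake PE header, a CodeView "RSDS" record carrying the
# page's example path, and a second, profile-less path further along.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"RSDS" + b"\x11" * 16 + b"\x01\x00\x00\x00"
    + b"c:\\documents and settings\\superhacker9001\\projects\\malware"
    + b"\\targeted\\company_1\\exploit.pdb\x00"
    + b"\x00" * 16
    + b"D:\\build\\release\\dropper.pdb\x00"
)

if __name__ == "__main__":
    for artifact in extract_debug_artifacts(SAMPLE_BINARY):
        print(artifact)
```

Running it prints two records: the first with the username "superhacker9001", the second with no username because the path starts under a build directory rather than a user profile, which is exactly the case where this pivot gives nothing.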

But other types of metadata can be just as valuable.

Recently I observed a phishing attempt that used an embedded Flash exploit, where the exploit itself was contained within a Microsoft Word document. The exploit-riddled .doc file was stripped of all metadata, but as part of the payload it created, then opened, a new .doc file so as not to arouse additional suspicion. This new .doc's metadata, however, was not sanitized and contained not only an "Author" field but also a "Company" field.

With this information in hand, it became incredibly easy to track the author of the malware. A simple Google search using the two fields in tandem led to the malware author's personal website. After translating the contents of this foreign-language page, it became obvious this was the source. That personal page contained Flash exploit code, unique binary packers, and other compiler obfuscation tools.

Of course, this time we had gotten lucky that this phisherman had not taken the time to sanitize both .doc files. Sometimes it takes a great deal of time to properly attribute malware attacks. Another network was constantly bombarded with malware. Each time a new binary was dropped, the command and control server would change ports and change locations. Using WHOIS lookups on the hostnames yielded interesting results. The registrar name would always change, but the registrar fax number would always remain the same. Using HBGary's network monitoring tool Razor, we were able to create a policy to blackhole even future traffic coming from (or going to) this attacker's command and control servers. That's because Razor does a WHOIS lookup on every new domain it comes in contact with. We can blacklist by registrar name, phone number, email address, or any other standard WHOIS field.
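The WHOIS pivot above, as an added example (not Razor's code and not from the original post): parse flat "Field: value" WHOIS responses, normalise phone-style fields so that differently formatted copies of one fax number compare equal, group domains by a chosen field, and turn the seed domain's field values into a policy that flags a newly seen domain whose WHOIS record shares any of them. The domain names, contact details, and the "Registrant Fax" field name used for the pivot are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed WHOIS responses in the flat "Field: value" layout; every domain
# and contact detail here is invented.
WHOIS_RECORDS = {
    "update-svc-01.example": (
        "Domain Name: update-svc-01.example\n"
        "Registrant Name: Alan Park\n"
        "Registrant Email: apark@mailbox.example\n"
        "Registrant Phone: +1.5550100\n"
        "Registrant Fax: +1.5550199\n"
    ),
    "cdn-files-77.example": (
        "Domain Name: cdn-files-77.example\n"
        "Registrant Name: Maria Voss\n"
        "Registrant Email: mvoss@inbox.example\n"
        "Registrant Phone: +1.5550234\n"
        "Registrant Fax: +1 (555) 0199\n"  # same number, different formatting
    ),
    "legit-shop.example": (
        "Domain Name: legit-shop.example\n"
        "Registrant Name: Shop Holdings\n"
        "Registrant Email: admin@legit-shop.example\n"
        "Registrant Phone: +1.5550900\n"
        "Registrant Fax: +1.5550901\n"
    ),
}

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.+?)\s*$")
PHONE_FIELDS = ("registrant phone", "registrant fax")


def parse_whois(text):
    """Map lower-cased field names to their values; unparseable lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields


def normalize(field, value):
    """Lower-case values; reduce phone and fax numbers to digits only."""
    value = value.strip().lower()
    if field in PHONE_FIELDS:
        return re.sub(r"\D", "", value)  # "+1 (555) 0199" and "+1.5550199" -> "15550199"
    return value


def index_by_field(records, field):
    """Group domains by the normalised value of one WHOIS field."""
    index = defaultdict(set)
    for domain, text in records.items():
        value = parse_whois(text).get(field)
        if value:
            index[normalize(field, value)].add(domain)
    return index


def related_domains(records, seed, field):
    """Other domains whose WHOIS field matches the seed domain's value."""
    seed_value = normalize(field, parse_whois(records[seed])[field])
    return sorted(index_by_field(records, field)[seed_value] - {seed})


def build_policy(records, seed, fields):
    """Policy = set of (field, normalised value) pairs taken from the seed domain."""
    rec = parse_whois(records[seed])
    return {(f, normalize(f, rec[f])) for f in fields if f in rec}


def should_blackhole(whois_text, policy):
    """True if a newly seen domain's WHOIS record matches any policy entry."""
    rec = parse_whois(whois_text)
    return any(normalize(f, rec.get(f, "")) == v for f, v in policy)


if __name__ == "__main__":
    seed = "update-svc-01.example"
    print("shares fax with seed:", related_domains(WHOIS_RECORDS, seed, "registrant fax"))
    policy = build_policy(WHOIS_RECORDS, seed, ("registrant fax",))
    # A constructed record for a domain seen later, with yet another name and formatting.
    new_domain = "Domain Name: mail-relay-9.example\nRegistrant Name: Ivo Lund\nRegistrant Fax: +1-555-0199\n"
    print("blackhole new domain:", should_blackhole(new_domain, policy))
```

The policy is keyed on the normalised value rather than the raw string, which is what makes the "future traffic" case work: a later registration under a fresh name still matches as long as the fax number is the same, and a domain with an unrelated number (legit-shop.example here) does not.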