Dual use possibility of tools which strip metadata and build artifacts
Giacomo Benedetti
giacomo.benedetti at ge.imati.cnr.it
Wed Mar 12 14:07:30 UTC 2025
Hi,
From my perspective, if metadata can be used to attribute malware, a threat actor would likely manipulate it to mislead attribution — regardless of whether the tools you mentioned are available.
If malware attribution relies heavily on metadata, then this remains a problem even if reproducibility were never discussed. From an attacker's standpoint, if misleading attribution is as simple as altering metadata, they would certainly take advantage of it. That said, I’m curious about how strongly metadata is actually tied to malware family classification.
A related point: if attackers are aware that metadata plays a key role in attribution, they will likely manipulate it. Given this, wouldn’t it be more effective to strip metadata away and focus the analysis on parts of the artifact that are harder to alter?
-Giacomo
> On 12 Mar 2025, at 14:30, feikkiheikki via rb-general <rb-general at lists.reproducible-builds.org> wrote:
>
> Hi,
>
> Have you considered the "dual use" possibility of the tools that strip away metadata and build artifacts?
>
> Malware developed today still contains enough metadata and build artifacts to allow for somewhat reliable attribution, or at the very least to allow researchers worldwide to connect different malware families to the same author(s).
>
> Being able to easily strip build artifacts and metadata away from malicious software in order to avoid attribution will eventually happen if the usage of these tools becomes commonplace and provided that the tools work (nearly) flawlessly.
>
> It's only a matter of time when and where we'll see the first nation state actors/other actors employing these tools, if it hasn't happened already.
>
> From a nation state actor's standpoint it would make sense to encourage taking these tools into use and to develop them further, since eventually it means that only (the most capable) nation state actors have the means and capability to track who is developing what.
>