Milware: Identification and Implications of State Authored Malicious Software

New Security Paradigms Workshop 2015

15 Pages Posted: 27 Feb 2015 Last revised: 11 Nov 2015

See all articles by Trey Herr

Trey Herr

Hoover Institution at Stanford University

Eric Armbrust

George Washington University

Date Written: February 25, 2015


The pervasive development and deployment of malicious software by states presents a new challenge for the information security and policy communities because of the resource advantage and legal status of governments. The difference between state and non-state authored code is typically described in vague terms of sophistication, contributing to the inaccurate confirmation bias of many that states simply 'do it better'. This paper attempts to determine if state authored code is demonstrably different from that written by non-state actors and if so, how. To do so, we examine a collection of malware samples which, through existing analytic techniques, have been attributed to a mix of state and non-state actors. Reviewing technical information available in the public domain for each sample, reverse-engineering a sub-set, we determine that there is a set of criteria by which state authored code can be differentiated from the conventional malware of non-state groups. This MAlicious Software Sophistication or MASS index relies on a set of characteristics which describe the behavior and construction of malware including the severity of exploits and customization of the payload. In addition to highlighting these particular differences, the paper discusses several policy implications which arise from identifying a separate class of state-authored code. This is an interdisciplinary effort and pilot project based on a limited dataset however the conclusions drawn have important ramifications for both the information security and relevant policymaking communities.

Keywords: cybersecurity, malware, international security, reverse engineering

Suggested Citation

Herr, Trey and Armbrust, Eric, Milware: Identification and Implications of State Authored Malicious Software (February 25, 2015). New Security Paradigms Workshop 2015, Available at SSRN: or

Trey Herr (Contact Author)

Hoover Institution at Stanford University ( email )

Stanford, CA 94305-6010
United States

HOME PAGE: http://

Eric Armbrust

George Washington University ( email )

2121 I Street NW
Washington, DC 20052
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics