Malware research primarily studies the results, the methods, and the impact. Even from an offensive security perspective, what is examined is the method, not the development strategy of the offender. This study investigates the behavioral signatures and coding patterns embedded in malware source code. By analyzing a large corpus of leaked malware code and comparing it with carefully selected benign open-source software, we apply static application security testing and compute multiple software metrics. Based on cognitive psychology and criminological theories, our work interprets differences in code structure and quality as behavioral indicators, reflecting the distinct motivational structures, risk tolerances, and development strategies of malware authors compared to benign software developers. Our findings reveal that malware code is generally smaller, less documented, and exhibits higher cyclomatic complexity per function, with reduced use of abstraction mechanisms such as classes and closures. Vulnerability analysis further reveals that malware exhibits more issues of the types that benign code typically avoids, suggesting a minimal investment in secure development practices. These patterns imply a development style optimized for expedience, operational secrecy, and evasion rather than long-term maintainability. Nonetheless, the code quality metrics indicate that malware does not deviate from benign software enough to be distinctive on those metrics alone. By framing code metrics as proxies for behavioral signals and strategic choices, we demonstrate how quantitative software analysis can enrich behavioral cybersecurity research, offering new insights into the practices and priorities of malware developers. Our results pave the way for further research in the behavioral profiling of cyber offenders.
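To make the kind of measurement described above concrete, the following added example (not the paper's tooling, which the abstract does not describe) computes the four metric families it contrasts: size (non-blank lines), documentation density (comment and docstring lines per source line), McCabe cyclomatic complexity per function, and use of abstraction (class and closure counts). It works on Python source via the standard `ast` and `tokenize` modules; the two sample programs, the exact decision-point rules and the field names are assumptions of this illustration, and the samples are constructed, not taken from the study's corpus. The terse sample is simply branch-heavy, undocumented code, written to show how the metrics separate styles, not to resemble any malware.

```python
# Illustrative metric extractor (not the paper's tooling): size, documentation, complexity, abstraction.
import ast, io, tokenize
from dataclasses import dataclass

_FUNC = (ast.FunctionDef, ast.AsyncFunctionDef)
_BRANCH = (ast.If, ast.IfExp, ast.For, ast.AsyncFor, ast.While, ast.ExceptHandler)

@dataclass
class CodeMetrics:
    sloc: int                        # non-blank source lines
    comment_lines: int               # lines with a '#' comment or part of a docstring
    comment_ratio: float             # comment_lines / sloc
    functions: int                   # every def, nested ones included
    classes: int
    closures: int                    # defs nested inside another def
    complexity_per_function: float   # mean McCabe cyclomatic complexity

def _decision_points(node: ast.AST) -> int:
    """Branch points below node; nested defs and classes are scored as their own units."""
    count = 0
    for child in ast.iter_child_nodes(node):
        if isinstance(child, _FUNC + (ast.ClassDef,)):
            continue
        if isinstance(child, _BRANCH):
            count += 1
        elif isinstance(child, ast.BoolOp):
            count += len(child.values) - 1  # each extra and/or operand
        elif isinstance(child, ast.comprehension):
            count += 1 + len(child.ifs)     # the loop plus each filter clause
        count += _decision_points(child)
    return count

def cyclomatic_complexity(fn: ast.AST) -> int:
    return 1 + _decision_points(fn)  # one linear path plus one per decision point

def _comment_lines(source: str, tree: ast.Module) -> int:
    lines = set()
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT:
            lines.add(tok.start[0])
    for node in ast.walk(tree):  # docstrings count as documentation too
        if isinstance(node, _FUNC + (ast.ClassDef, ast.Module)) and ast.get_docstring(node):
            doc = node.body[0]
            lines.update(range(doc.lineno, doc.end_lineno + 1))
    return len(lines)

def measure(source: str) -> CodeMetrics:
    tree = ast.parse(source)
    functions = classes = closures = complexity = 0
    def visit(node: ast.AST, inside_def: bool) -> None:
        nonlocal functions, classes, closures, complexity
        for child in ast.iter_child_nodes(node):
            if isinstance(child, ast.ClassDef):
                classes += 1
            elif isinstance(child, _FUNC):
                functions += 1
                closures += inside_def
                complexity += cyclomatic_complexity(child)
            visit(child, inside_def or isinstance(child, _FUNC))
    visit(tree, False)
    sloc = sum(1 for ln in source.splitlines() if ln.strip())
    comments = _comment_lines(source, tree)
    return CodeMetrics(sloc, comments, comments / sloc if sloc else 0.0, functions, classes,
                       closures, complexity / functions if functions else 0.0)

# Constructed samples (not from the study's corpus): a documented, class-based style
# beside the terse, branch-heavy style the study associates with expedient development.
DOCUMENTED_SAMPLE = '''"""Inventory helpers."""
class Inventory:
    """Track item counts."""
    def __init__(self):
        self.items = {}
    def add(self, name, qty):
        # Reject nonsensical quantities early.
        if qty <= 0:
            raise ValueError("qty must be positive")
        self.items[name] = self.items.get(name, 0) + qty
    def scaled(self, factor):
        def scale(qty):
            return qty * factor
        return scale
'''
TERSE_SAMPLE = '''def run(a, b, c):
    if a:
        for x in b:
            if x and c or not a:
                while c:
                    c -= 1
    try:
        return a or b
    except Exception:
        return None
'''

if __name__ == "__main__":
    for sample in (DOCUMENTED_SAMPLE, TERSE_SAMPLE):
        print(measure(sample))
```

On the two samples the documented one scores 14 source lines, a comment ratio of 3/14, 1.25 decision paths per function, one class and one closure, while the terse one scores 10 lines, no documentation, a single function with complexity 9, and no classes or closures. Running `measure` over every file in two corpora and comparing the distributions is the quantitative step the abstract describes; as it also notes, a single file's numbers are not a classifier, since well-written benign code can be just as terse.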