McAfee: Stop Blaming Open Source Culture for Malware
Apr 22nd, 2006 by Doug
McAfee has posted a whitepaper that
discusses the
increasing proliferation of rootkits. Nothing unusual here,
especially for a major anti-malware vendor. The paper basically says
that there has been a large increase in the number of and complexity
(as measured by the raw number of components per rootkit) of Windows
rootkits over the last three to five years, and that the easy
availability of rootkit code has made it proliferate and increase in
complexity. They basically finger open source and the Internet as the
culprits:
The “open-source” environment, along with online collaboration sites and blogs, is largely to blame for the increased proliferation and complexity of rootkit components. [p. 3]
…
Collaboration does more than just spread stealth technologies. It also fosters the development of new and more sophisticated stealth techniques. [p. 5]
I think proliferation through collaboration is just so obvious that it’s not worth mentioning. Crackers have been sharing malicious code for decades, first via BBS’s and even printed magazines, then via the early WWW, IRC channels, and now blogs. The point is that bad guys communicate, they always have. The point they missed is that it is probably easier for the average script-kiddie to find exploit code, given the huge improvements in search quality over the last decade, and the worldwide penetration that the Internet has achieved. On the other hand, easy access to exploit code works both ways. Academic researchers, curious hackers, and even companies like McAfee also have easy access, enabling them to see how such code works and perhaps ferret out new threats earlier than they otherwise could have. This exposes a flawed (but unstated) assumption that the whitepaper relies on: the assumption that most of those accessing malicious source code online will use it for malicious purposes.
As far as complexity goes, I’m not sure I see even a correlation between increased complexity and increased collaboration. Common sense would say that what has made rootkits increase in complexity is simply the increasing complexity of the modern operating system and modern countermeasures - simple necessity. In DOS times, for example, trojans and viruses were simple because the OS was simple. Remember the floppy boot-sector viruses? 512 bytes worth of virus code.
Finally, placing the blame for rootkit proliferation on the “open source environment” is crazy. The whitepaper glosses over the fact that there has been a large decrease in Linux rootkits over the very same time period, despite very obvious increases in the number of Linux deployments over the same time period, and a pre-existing culture of sharing and collaboration among Linux users.
Marcus Ranum had this to say on the very same subject in an interview last year:
If we consider the Internet as a big local network, we will see that some of our neighbours keep getting exploited by spyware, virus, and so on. Who should we blame? OS producers? Or our neighbours that chose that particular software and then run it without an appropriate secure setup?
There’s enough blame for everyone.
Blame the users who don’t secure their systems and applications.
Blame the vendors who write and distribute insecure shovel-ware.
Blame the sleazebags who make their living infecting innocent people with spyware, or sending spam.
Blame Microsoft for producing an operating system that is bloated and has an ineffective permissions model and poor default configurations.
Blame the IT managers who overrule their security practitioners’ advice and put their systems at risk in the interest of convenience. Etc.
Truly, the only people who deserve a complete helping of blame are the hackers (emphasis added). Let’s not forget that they’re the ones doing this to us. They’re the ones who are annoying an entire planet. They’re the ones who are costing us billions of dollars a year to secure our systems against them. They’re the ones who place their desire for fun ahead of everyone on earth’s desire for peace and [the] right to privacy.