Saturday, April 22, 2006

McAfee: Stop Blaming Open Source Culture for Malware

McAfee has posted a whitepaper that discusses the increasing proliferation of rootkits. Nothing unusual there, especially for a major anti-malware vendor. The paper says that there has been a large increase in both the number and the complexity (measured as the raw number of components per rootkit) of Windows rootkits over the last three to five years, and that the easy availability of rootkit code is what has made them proliferate and grow more complex. It fingers open source and the Internet as the culprits:

The "open-source" environment, along with online collaboration sites and blogs, is largely to blame for the increased proliferation and complexity of rootkit components. [p. 3]
...
Collaboration does more than just spread stealth technologies. It also fosters the development of new and more sophisticated stealth techniques. [p. 5]

I think proliferation through collaboration is so obvious that it's not worth mentioning. Crackers have been sharing malicious code for decades, first via BBSs and even printed magazines, then via the early WWW and IRC channels, and now via blogs. The point is that bad guys communicate, and they always have. The point the paper misses is that it is probably easier for the average script kiddie to find exploit code today, given the huge improvements in search quality over the last decade and the worldwide penetration of the Internet. On the other hand, easy access to exploit code works both ways. Academic researchers, curious hackers, and even companies like McAfee have the same easy access, which lets them see how such code works and perhaps ferret out new threats earlier than they otherwise could. This exposes a flawed but unstated assumption the whitepaper relies on: that most of those accessing malicious source code online will use it for malicious purposes.

As far as complexity goes, I'm not sure I see even a correlation between increased complexity and increased collaboration. Common sense says that what has made rootkits more complex is simply the increasing complexity of the modern operating system and of modern countermeasures: simple necessity. In the DOS era, for example, trojans and viruses were simple because the OS was simple. Remember the floppy boot-sector viruses? 512 bytes' worth of virus code, the size of a single boot sector.

Finally, placing the blame for rootkit proliferation on the "open source environment" is crazy. The whitepaper glosses over the fact that there has been a large decrease in Linux rootkits over the very same period, despite an obvious increase in the number of Linux deployments and a pre-existing culture of sharing and collaboration among Linux users.

Marcus Ranum had this to say on the very same subject in an interview last year (the first paragraph is the interviewer's question; the rest is Ranum's answer):

If we consider the Internet as a big local network, we will see that some of our neighbours keep getting exploited by spyware, viruses, and so on. Who should we blame? OS producers? Or our neighbours who chose that particular software and then run it without an appropriate secure setup?

There's enough blame for everyone.

Blame the users who don't secure their systems and applications.

Blame the vendors who write and distribute insecure shovel-ware.

Blame the sleazebags who make their living infecting innocent people with spyware, or sending spam.

Blame Microsoft for producing an operating system that is bloated and has an ineffective permissions model and poor default configurations.

Blame the IT managers who overrule their security practitioners' advice and put their systems at risk in the interest of convenience. Etc.

Truly, the only people who deserve a complete helping of blame are the hackers (emphasis added). Let's not forget that they're the ones doing this to us. They're the ones who are annoying an entire planet. They're the ones who are costing us billions of dollars a year to secure our systems against them. They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and [the] right to privacy.

1 comment:

kurt wismer said...

i will agree that mcafee made a horrendously bad choice of words when they said "open source environment"... it's clear to me that they were simply referring to public sharing of information/source code/compiled binaries...

that said, they're right that the so-called good guys are contributing to the problem when they share malware source code and binaries with the public at large (which is precisely what the site they mention by name does) - they're adding their knowledge and skills to the collaborative efforts of the bad guys...

as for the complexity-collaboration link - more people collaborating gives you a broader knowledge base from which to draw when creating the malware, and that in turn gives you the potential to overcome a larger set of obstacles... additionally, with the works of more people available to you, you can piece together new malware from the bits and pieces of malware from a larger and more diverse library...