Hackers Turn To Open Source
Hackers have borrowed the same open-source development techniques used to build Firefox, Apache, and Linux as they collaborate on malware projects.
July 17, 2006
Hackers have borrowed the same open-source development techniques used to build Firefox, Apache, and Linux as they collaborate on malware projects, a security company's researchers claimed Monday.
The McAfee Avert Labs researchers who contributed to the debut issue of the company's "Sage" security journal laid out their case in several articles, ranging from one on open-source software in Windows rootkits to another on open-source and profit.
In fact, even though attacks have shifted to a for-money model in the last few years, open-source methodologies have become de rigeur, said Dave Marcus, the security research manager for Avert.
"There is financial incentive for [hackers] to share code," said Marcus. "He wants to drop as many bots as possible, so he wants the most effective bot possible. They don't care if they're all using the same bot, since they all have different bot networks they're selling."
Although it's impossible, said Marcus, to figure out which came first -- open-source development techniques or the move to criminality -- it's clear that by copying open-source development tactics, attackers have created an explosion of malware.In particular, McAfee's researchers finger the availability of source code for the rapid growth in the number of bots, the small programs which control previously-compromised computers. "Without large-scale source code sharing, we would not see the handful of massive families that we have today," wrote Igor Muttik, a senior research architect with Avert in "Sage."
Bolting on new pieces to existing malware is another way hackers use open-source methods to improve their work, said Marcus. "If they want to use some new method of propagation, they can just compile it in a separate module, then simply call that module. It really allows them to leverage the power of open-source."
Because it's separated from the general code, a module can be easily reused. The practice, although new, has already delivered results, McAfee contended.
The release of the first Windows kernel mode IRC bot in April of this year "would not have been developed as quickly without the preexisting kernel-level network sockets code released on www.rootkit.com," wrote Michael Davis, a research scientist at Avert. "This public code allowed the author to easily and quickly recreate the functions for interoperating with the IRC protocolwithout specialized knowledge of the Windows kernel."
Other open-source methodologies put into play by malware writers, said McAfee, include dedicated version control systems, multiple contributors, regulated testing, and defined release schedules.Not everything is communal, Marcus admitted. Vulnerabilities, especially so-called "zero-day" bugs that haven't yet been patched, can have considerable financial value, and are closely guarded secrets, or if shared with others, come at a price.
"Frankly, they've always worked in a distributed development model," said Marcus, talking of hackers. "But the anonymity of an open source-style process is very appealing to them."
Not to mention the money.
"They figured out that it they applied a business-like development model to what they did, that they could make money," Marcus said.
McAfee's "Sage" can be downloaded as a PDF file from the company's Web site.0
Read more about:
2006You May Also Like