McAfee Cites Open Source for Malware

Antivirus and security giant McAfee stirred up some controversy with the first issue of its security journal Sage, highlighting how hackers and creators of malicious software, or malware, are using open source software development techniques to target computer systems and users.

McAfee, which mainly provides security solutions for Microsoft Windows computers and servers, said its premier issue of the semi-annual publication focuses on this general topic, and describes the collaboration and coordination that are becoming a growing part of malware authors’ and computer attackers’ behavior.

Copy and Paste

Since spring 2004, when the Bagle computer worm emerged, malicious software creators have increasingly been releasing the source code for their latest exploits and attacks, iDefense Verisign Rapid Response Team Director Ken Dunham told LinuxInsider.

This trend has grown to include other malicious software, such as trojans and bots, Dunham said. He contends that malicious source code has become more widely available for two reasons: more aggressive law enforcement efforts to track down malware authors, and Microsoft's offer of bounties for information that helps identify and prosecute them.

While malicious code is often released in an effort to reduce the culpability of its original author, Dunham explained, security researchers are also benefiting from the practice.

The codes are “readily available in the underground,” Dunham said. “And it’s created a copy and paste-type hacking world.”

However, there are significant differences between the approach of developers working on legitimate open source software projects, such as the Linux operating system, and the new wave of hackers, IT-Harvest Founder and Chief Analyst Richard Stiennon told LinuxInsider.

“It’s a good way to twist the story around just to get attention,” Stiennon said of the McAfee Sage article. “The word [in the security community] is this is not a big deal at all.”

Open Incitement

McAfee indeed got some attention and response from open source software supporters, who were upset that their method of technology development was being associated with malicious software and attacks. Some of the vitriol in the response to McAfee's contentions lies in the connection some have drawn in the past between open source and ideologies like communism and terrorism.

For its part, McAfee said the open source principles of sharing and collaborating have assisted the malware-writing community, which is now more profit-motivated.

“We’re not trying to connect malware with the open source community,” McAfee Security Research and Communications Manager David Marcus told LinuxInsider. “What we’re talking about is the open source method of sharing affecting malware.”

Marcus added that the trend is in effect an endorsement of the open source method, since it is producing malware that is successful, quickly released, and difficult to manage from a security standpoint.

While they may be borrowing some development ideas from the free and open source software (FOSS) world, malware writers are not actually behaving the same way legitimate open source projects do, Stiennon argued.

“Just because you’re collaborating doesn’t mean it’s open source,” he said. “In no way are they as open as open source, with wikis and conventions.”

In addition, the malware that comes from attacker collaboration is not licensed under the GPL or any other open source license, and it is often sold for a price or pirated, unlike true open source software code, which is generally available free of charge to anyone with an Internet connection.

McAfee’s Marcus, who conceded the topic was “provocative,” said malware writers are, in fact, using some of the same tools as legitimate open source developers, including collaborative wikis and the Concurrent Versions System (CVS) source code revision control software.

Used for Good

Some active open source software projects hosted in legitimate repositories, such as remote administration tools, can be used for ill deeds as well as for legitimate remote administration, according to Dunham.

Still, he added, if exploit code, a worm, a bot or other malicious software is available for hackers to share, it is also more likely to be discovered by the good guys.

“I think, arguably, if something is open source, it also increases the likelihood it will be patched, with more eyes,” Dunham said.

Stiennon, who just launched a subscriber service allowing individuals to perform their own security research, said the open source ideology and approach were aiding the effort to thwart hackers.

“Because of all the researchers, including independent ones, that’s helping the whole industry get healthier,” Stiennon said.

McAfee’s Marcus said he was unsure whether the open availability of malware was also an aid to researchers, but he did point to a generally positive effect of the available code on defenders.

“We definitely leverage it for the protection side as well,” he said.
