Open Source Blamed for Rootkits?


This is the biggest load of shite I’ve read this year I think.

Rootkits are becoming more prevalent and difficult to detect, and security vendor McAfee says the blame falls squarely on the open source community.

In its “Rootkits” report being published today, McAfee says the number of rootkits it has collected as malware samples has jumped ninefold this quarter compared with the same quarter a year ago. Almost all the rootkits McAfee has identified are intended to hide other code (such as spyware or bots) or conceal processes running in Windows systems.

“The predominant reason for the growth in use of stealthy code is because of sites like Rootkit.com,” says Stuart McClure, senior vice president of global threats at McAfee.

Excuse me?!

Rootkit.com’s 41,533 members do post rootkit source code anonymously, then discuss and share the open source code. But it’s naive to say the Web site exists for malicious purposes, contends Greg Hoglund, CEO of security firm HBGary and operator of Rootkit.

“It’s there to educate people,” says Hoglund, who’s also the co-author with James Butler of the book Rootkits: Subverting the Windows Kernel. “The site is devoted to the discussion of rootkits. It’s a great resource for anti-virus companies and others. Without it, they’d be far behind in their understanding of rootkits.”

It’s definitely there for educational purposes; the Rootkits book is very informative. Sadly this is the same old discussion again and again: non-disclosure vs full disclosure. Those who really understand the process want to share the information as soon as possible to aid prevention techniques and to promote understanding, not to hide behind ignorance and implement security through obscurity.

Those pimping anti-virus software, anti-exploit tools and whatever else obviously want to fuel the FUD that open source software and the sharing of knowledge actually exacerbate the problem.

It seems Trend actually understands the issue, unlike McAfee the corporate bitch.

Anti-virus vendor Trend Micro says the Rootkit Web site cuts both ways.

“We need those open source people,” says David Perry, global director of education at Trend Micro. “They uncover things. It’s a laboratory of computer science. They demand the intellectual right to discuss this.”

What more can we say...

Source: Network World

Posted in: Malware


4 Responses to Open Source Blamed for Rootkits?

  1. Martin Macok May 14, 2006 at 3:46 pm #

    Maybe they just updated their rootkit signature detection according to “new” information from the server … and surprise! Number of rootkits detected jumped nine times!!! :-))

    (just joking… but who knows?)

  2. kurt wismer May 14, 2006 at 7:51 pm #

    i hate to burst your bubble but the folks behind rootkitDOTcom are not the paragons of virtue you seem to think they are… it’s not just source code that’s shared on that site but also compiled binaries… in fact greg hoglund admits that the ‘rootkit’ james butler wrote and distributed via rootkitDOTcom has become one of the most deployed ‘rootkits’ in the world and the people deploying it are using the very binaries that are available for download from that site… the ethical misconduct doesn’t end there, either – i blogged about the ethical conflict before (i know you don’t like comment spam, but since i have no ads and no product to peddle i hardly think this qualifies, and i don’t see why i should repeat the entire thing when i can just provide a link)…

    there’s a very wrong-headed notion that anything done under the banner of full disclosure is automagically a good thing, but that’s patently absurd (see bruce schneier’s thoughts on full disclosure, and pay particular attention to what he has to say about responsible disclosure)… in cases where we’re dealing with a vulnerability caused by a software defect, public disclosure helps improve security by pressuring the affected vendor(s) to fix the bug and illustrates to the rest of us what not to do in the future… however in the case of malware such as rootkits (or the things that pass for rootkits nowadays) there is no possibility of closing the window of exposure without profound changes to the underlying model of computation that we use (i.e. there’s good reason to believe that the ability to support stealth functions is inherent to the general purpose computing platform)…

    public disclosure always arms the bad guys to a certain extent, what makes it ok is when it’s balanced out by a greater good… arming the bad guys with ready-made attack tools (not just the information needed to create their own) with no way to close the window of exposure (and therefore no greater good) is a bad thing, not a good thing…

  3. Darknet May 15, 2006 at 3:41 am #

    kurt: Well I wouldn’t go as far as to call them paragons of virtue, but I far from disagree with what they are doing. All the Linux rootkits have been open source and available on various sites for YEARS, just the authors didn’t write books or dedicate whole domains to them. I don’t see anyone crying about it; I see people using HIDS and chkrootkit to fight them, I see people reading the code to see how they work and learning about LKMs so they can counter them. Now the same thing happens in the Windows world, and it’s the fault of the coders? Not poorly designed security architectures? Or bad OS implementations? The ethical conflict happens all the time; McAfee do the same thing by spreading FUD, and I’m sure other AV companies have had hands in various ‘virus scares’ too.

    Full disclosure is not always good, it’s not a magic blanket, with that I agree, but in this case I think it’s fine. Perhaps there should be some control; the rootkit thing may have gone a little far (providing pre-rolled malicious code). For example, in the realm of exploits they are obfuscated (the shellcode RET address is often removed or wrong) for the purpose of preventing skiddies from using them. Meaning if you can’t code, and at least understand how the exploit works, it’s useless. Perhaps the same thing could be done in some way for the rootkits?

  4. kurt wismer May 15, 2006 at 4:20 am #

    if, as i contend, the ability to support stealth is inherent to the general purpose computing platform, then no it’s not the fault of poorly designed security architectures or bad OS implementations… it’s inherent, it can be done no matter how the OS is designed…

    an inherent vulnerability is one that is not the result of any mistake, so exploiting it can have no redeeming value… it doesn’t improve security any more than it would if someone were to come up with new types of weapons to smuggle through airport security…