Open Source Blamed for Rootkits?

This is the biggest load of shite I’ve read this year, I think.

Rootkits are becoming more prevalent and difficult to detect, and security vendor McAfee says the blame falls squarely on the open source community.

In its “Rootkits” report being published today, McAfee says the number of rootkits it has collected as malware samples has jumped ninefold this quarter compared with the same quarter a year ago. Almost all the rootkits McAfee has identified are intended to hide other code (such as spyware or bots) or conceal processes running in Windows systems.

“The predominant reason for the growth in use of stealthy code is because of sites like Rootkit.com,” says Stuart McClure, senior vice president of global threats at McAfee.

Excuse me?!

Rootkit.com’s 41,533 members do post rootkit source code anonymously, then discuss and share the open source code. But it’s naive to say the Web site exists for malicious purposes, contends Greg Hoglund, CEO of security firm HBGary and operator of Rootkit.com.

“It’s there to educate people,” says Hoglund, who’s also the co-author with James Butler of the book Rootkits: Subverting the Windows Kernel. “The site is devoted to the discussion of rootkits. It’s a great resource for anti-virus companies and others. Without it, they’d be far behind in their understanding of rootkits.”

It’s definitely there for education purposes; the Rootkits book is very informative. Sadly this is the same old discussion again and again: non-disclosure vs. full disclosure. Those who really understand the process want to share the information as soon as possible, to aid prevention techniques and to promote understanding, rather than hiding behind ignorance and implementing security through obscurity.

Those pimping anti-virus software, anti-exploit tools and whatever else obviously want to fuel the FUD that open source software and the sharing of knowledge actually exacerbate the problem.

It seems Trend actually understands the issue, unlike McAfee the corporate bitch.

Anti-virus vendor Trend Micro says the Rootkit Web site cuts both ways.

“We need those open source people,” says David Perry, global director of education at Trend Micro. “They uncover things. It’s a laboratory of computer science. They demand the intellectual right to discuss this.”

What more can we say?

Source: Network World

Posted in: Malware

4 Responses to Open Source Blamed for Rootkits?

  1. Martin Macok May 14, 2006 at 3:46 pm #

    Maybe they just updated their rootkit signature detection according to “new” information from the server … and surprise! Number of rootkits detected jumped nine times!!! :-))

    (just joking… but who knows?)

  2. kurt wismer May 14, 2006 at 7:51 pm #

    i hate to burst your bubble but the folks behind rootkitDOTcom are not the paragons of virtue you seem to think they are… it’s not just source code that’s shared on that site but also compiled binaries… in fact greg hoglund admits that the ‘rootkit’ james butler wrote and distributed via rootkitDOTcom has become one of the most deployed ‘rootkits’ in the world and the people deploying it are using the very binaries that are available for download from that site… the ethical misconduct doesn’t end there, either – i blogged about the ethical conflict before (i know you don’t like comment spam, but since i have no ads and no product to peddle i hardly think this qualifies, and i don’t see why i should repeat the entire thing when i can just provide a link)…

    there’s a very wrong-headed notion that anything done under the banner of full disclosure is automagically a good thing, but that’s patently absurd (see bruce schneier’s thoughts on full disclosure, and pay particular attention to what he has to say about responsible disclosure)… in cases where we’re dealing with a vulnerability caused by a software defect public disclosure helps improve security by pressuring the affected vendor(s) to fix the bug and illustrates to the rest of us what not to do in the future… however in the case of malware such as rootkits (or the things that pass for rootkits nowadays) there is no possibility of closing the window of exposure without profound changes to the underlying model of computation that we use (ie. there’s good reason to believe that the ability to support stealth functions is inherent to the general purpose computing platform)…

    public disclosure always arms the bad guys to a certain extent, what makes it ok is when it’s balanced out by a greater good… arming the bad guys with ready-made attack tools (not just the information needed to create their own) with no way to close the window of exposure (and therefore no greater good) is a bad thing, not a good thing…

  3. Darknet May 15, 2006 at 3:41 am #

    kurt: Well I wouldn’t go as far as to call them paragons of virtue, but I far from disagree with what they are doing. All the Linux rootkits have been open source and available on various sites for YEARS, just the authors didn’t write books or dedicate whole domains to them. I don’t see anyone crying about it; I see people using HIDS and chkrootkit to fight them, I see people reading the code to see how they work and learning about LKMs so they can counter them. Now the same thing happens in the Windows world, and it’s the fault of the coders? Not poorly designed security architectures? Or bad OS implementations? The ethical conflict happens all the time; McAfee do the same thing by spreading FUD, and I’m sure other AV companies have had hands in various ‘virus scares’ too.

    Full disclosure is not always good, it’s not a magic blanket, with that I agree, but in this case I think it’s fine. Perhaps there should be some control, the rootkit thing may have gone a little far (providing pre-rolled malicious code). For example in the realm of exploits, they are obfuscated (the shellcode RET address is often removed or wrong) for the purpose of preventing skiddies from using it. Meaning if you can’t code, and at least understand how the exploit works, it’s useless. Perhaps the same thing could be done in some way for the rootkits?

  4. kurt wismer May 15, 2006 at 4:20 am #

    if, as i contend, the ability to support stealth is inherent to the general purpose computing platform, then no it’s not the fault of poorly designed security architectures or bad OS implementations… it’s inherent, it can be done no matter how the OS is designed…

    an inherent vulnerability is one that is not the result of any mistake, so exploiting it can have no redeeming value… it doesn’t improve security any more than it would if someone were to come up with new types of weapons to smuggle through airport security…
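
The article says the rootkits McAfee collected mostly exist to conceal processes, and the Darknet comment above points at chkrootkit as the kind of tool used against their Linux cousins. The script below is an added example written for this page, not code from the Network World article, from rootkit.com or from chkrootkit itself; it shows the cross-view technique chkrootkit’s chkproc uses to spot a process hidden from `ps`: enumerate PIDs through two independent kernel paths (readdir() on /proc versus kill(pid, 0) on every candidate PID) and report anything the second path sees that the first does not. The thread-ID and race handling in `confirm()` is the part a practitioner actually needs, because without it every thread of every multithreaded process is a false positive. Paths, function names and the sample PID sets are this example’s own assumptions.

```python
#!/usr/bin/env python3
"""Cross-view check for processes hidden from /proc on Linux.

Added example for this post, not code from the article or from rootkit.com.
A process-hiding rootkit usually filters one enumeration path, typically
readdir() on /proc, which is what `ps` and `top` walk.  Asking the kernel
about every candidate PID with kill(pid, 0) is a different code path that
the same hook may not cover; PIDs that answer the probe but are missing from
the listing are suspects.  chkrootkit's chkproc uses the same idea.
"""
import os
import time


def listing_view(proc_root="/proc"):
    """View 1: PIDs returned by readdir() on /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pid_alive(pid):
    """Signal 0 delivers nothing; it only asks whether the PID exists.

    ESRCH (ProcessLookupError) -> no such task.
    EPERM (PermissionError)    -> exists but owned by someone else: alive.
    """
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def probe_view(max_pid):
    """View 2: every PID in 1..max_pid that answers kill(pid, 0)."""
    return {pid for pid in range(1, max_pid + 1) if pid_alive(pid)}


def hidden_pids(listing, probed):
    """Core cross-view rule: alive when probed, absent from the listing."""
    return probed - listing


def thread_group_of(pid, proc_root="/proc"):
    """Tgid from /proc/<pid>/status, or None if it cannot be read.

    readdir() on /proc does not list thread IDs, but /proc/<tid>/ can still
    be opened by path, and kill(tid, 0) succeeds for a TID.  Without this
    check every thread of every multithreaded process looks "hidden".
    """
    try:
        with open(f"{proc_root}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None


def confirm(suspects, listing, tgid_of, alive):
    """Filter raw suspects down to PIDs worth reporting.

    listing: a fresh readdir() view taken after the probe.
    tgid_of(pid) -> thread group id or None; alive(pid) -> kill(pid, 0) result.
    Kept pure so the rules can be exercised with constructed views.
    """
    confirmed = set()
    for pid in suspects:
        tgid = tgid_of(pid)
        if tgid is not None and tgid != pid and tgid in listing:
            continue  # a thread of a visible process, not a hidden one
        if pid in listing:
            continue  # appeared between the two views: a race, not stealth
        if not alive(pid):
            continue  # exited between the two views: also a race
        confirmed.add(pid)  # alive, unlisted, and not a thread: report it
    return confirmed


def scan(proc_root="/proc"):
    """Run both views on the live system; returns the set of confirmed PIDs."""
    with open(f"{proc_root}/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    suspects = hidden_pids(listing_view(proc_root), probe_view(max_pid))
    time.sleep(0.1)  # let short-lived tasks settle before re-checking
    return confirm(suspects, listing_view(proc_root),
                   lambda p: thread_group_of(p, proc_root), pid_alive)


if __name__ == "__main__":
    found = scan()
    print("hidden PIDs:", sorted(found) if found else "none")
```

No root is needed: EPERM from kill() already proves the PID exists, and /proc/<pid>/status is world-readable. Probing every PID up to pid_max takes a few seconds in Python. A rootkit that hooks both the readdir() path and the kill()/stat() paths will pass this check, which is exactly why chkrootkit pairs chkproc with other views (chkdirs, LKM checks) rather than trusting any single one.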