Open Source Blamed for Rootkits?

This is the biggest load of shite I’ve read this year I think.

Rootkits are becoming more prevalent and difficult to detect, and security vendor McAfee says the blame falls squarely on the open source community.

In its “Rootkits” report being published today, McAfee says the number of rootkits it has collected as malware samples has jumped ninefold this quarter compared with the same quarter a year ago. Almost all the rootkits McAfee has identified are intended to hide other code (such as spyware or bots) or conceal processes running in Windows systems.

“The predominant reason for the growth in use of stealthy code is because of sites like Rootkit.com,” says Stuart McClure, senior vice president of global threats at McAfee.

Excuse me?!

Rootkit.com’s 41,533 members do post rootkit source code anonymously, then discuss and share the open source code. But it’s naive to say the Web site exists for malicious purposes, contends Greg Hoglund, CEO of security firm HBGary and operator of Rootkit.com.

“It’s there to educate people,” says Hoglund, who’s also the co-author with James Butler of the book Rootkits: Subverting the Windows Kernel. “The site is devoted to the discussion of rootkits. It’s a great resource for anti-virus companies and others. Without it, they’d be far behind in their understanding of rootkits.”

It’s definitely there for educational purposes; the Rootkits book is very informative. Sadly this is the same old discussion again and again: non-disclosure vs. full disclosure. Those who really understand the process want to share the information as soon as possible to aid prevention techniques and to promote understanding, rather than hiding behind ignorance and implementing security through obscurity.

Those pimping anti-virus software, anti-exploit tools and whatever else obviously want to fuel the FUD that open source software and the sharing of knowledge actually exacerbate the problem.

It seems Trend actually understands the issue, unlike McAfee the corporate bitch.

Anti-virus vendor Trend Micro says the Rootkit Web site cuts both ways.

“We need those open source people,” says David Perry, global director of education at Trend Micro. “They uncover things. It’s a laboratory of computer science. They demand the intellectual right to discuss this.”

What more can we say...

Source: Network World

Posted in: Malware


4 Responses to Open Source Blamed for Rootkits?

  1. Martin Macok May 14, 2006 at 3:46 pm

    Maybe they just updated their rootkit signature detection according to “new” information from the server … and surprise! Number of rootkits detected jumped nine times!!! :-))

    (just joking… but who knows?)

  2. kurt wismer May 14, 2006 at 7:51 pm

    i hate to burst your bubble but the folks behind rootkitDOTcom are not the paragons of virtue you seem to think they are… it’s not just source code that’s shared on that site but also compiled binaries… in fact greg hoglund admits that the ‘rootkit‘ james butler wrote and distributed via rootkitDOTcom has become one of the most deployed ‘rootkits‘ in the world and the people deploying it are using the very binaries that are available for download from that site… the ethical misconduct doesn’t end there, either – i blogged about the ethical conflict before (i know you don’t like comment spam, but since i have no ads and no product to peddle i hardly think this qualifies, and i don’t see why i should repeat the entire thing when i can just provide a link)…

    there’s a very wrong-headed notion that anything done under the banner of full disclosure is automagically a good thing, but that’s patently absurd (see bruce schneier’s thoughts on full disclosure, and pay particular attention to what he has to say about responsible disclosure)… in cases where we’re dealing with a vulnerability caused by a software defect, public disclosure helps improve security by pressuring the affected vendor(s) to fix the bug and illustrates to the rest of us what not to do in the future… however in the case of malware such as rootkits (or the things that pass for rootkits nowadays) there is no possibility of closing the window of exposure without profound changes to the underlying model of computation that we use (i.e. there’s good reason to believe that the ability to support stealth functions is inherent to the general purpose computing platform)…

    public disclosure always arms the bad guys to a certain extent, what makes it ok is when it’s balanced out by a greater good… arming the bad guys with ready-made attack tools (not just the information needed to create their own) with no way to close the window of exposure (and therefore no greater good) is a bad thing, not a good thing…

  3. Darknet May 15, 2006 at 3:41 am

    kurt: Well I wouldn’t go as far as to call them paragons of virtue, but I far from disagree with what they are doing. All the Linux rootkits have been open source and available on various sites for YEARS; just the authors didn’t write books or dedicate whole domains to them. I don’t see anyone crying about it; I see people using HIDS and chkrootkit to fight them, I see people reading the code to see how they work and learning about LKMs so they can counter them. Now the same thing happens in the Windows world, and it’s the fault of the coders? Not poorly designed security architectures? Or bad OS implementations? The ethical conflict happens all the time; McAfee do the same thing by spreading FUD, and I’m sure other AV companies have had hands in various ‘virus scares’ too.

    Full disclosure is not always good, it’s not a magic blanket, with that I agree, but in this case I think it’s fine. Perhaps there should be some control; the rootkit thing may have gone a little far (providing pre-rolled malicious code). For example, in the realm of exploits, they are obfuscated (the shellcode RET address is often removed or wrong) for the purpose of preventing skiddies from using them. Meaning if you can’t code, and at least understand how the exploit works, it’s useless. Perhaps the same thing could be done in some way for the rootkits?

  4. kurt wismer May 15, 2006 at 4:20 am

    if, as i contend, the ability to support stealth is inherent to the general purpose computing platform, then no it’s not the fault of poorly designed security architectures or bad OS implementations… it’s inherent, it can be done no matter how the OS is designed…

    an inherent vulnerability is one that is not the result of any mistake, so exploiting it can have no redeeming value… it doesn’t improve security any more than it would if someone were to come up with new types of weapons to smuggle through airport security…