[ad]
This is the biggest load of shite I’ve read this year I think.
Rootkits are becoming more prevalent and difficult to detect, and security vendor McAfee says the blame falls squarely on the open source community.
In its “Rootkits” report being published today, McAfee says the number of rootkits it has collected as malware samples has jumped ninefold this quarter compared with the same quarter a year ago. Almost all the rootkits McAfee has identified are intended to hide other code (such as spyware or bots) or conceal processes running in Windows systems.
“The predominant reason for the growth in use of stealthy code is because of sites like Rootkit.com,” says Stuart McClure, senior vice president of global threats at McAfee
Excuse me?!
Rootkit.com’s 41,533 members do post rootkit source code anonymously, then discuss and share the open source code. But it’s naive to say the Web site exists for malicious purposes, contends Greg Hoglund, CEO of security firm HBGary and operator of Rootkit.
“It’s there to educate people,” says Hoglund, who’s also the co-author with James Butler of the book Rootkits: Subverting the Windows Kernel. “The site is devoted to the discussion of rootkits. It’s a great resource for anti-virus companies and others. Without it, they’d be far behind in their understanding of rootkits.”
It’s definitely there for education purposes, the Rootkits book is very informative. Sadly this is the same old discussion again and again, non-disclosure vs full-disclosure. Those who really understand the process want to share the information as soon as possible to aid prevention techniques and to promote understanding, not hiding behind ignorance and implementing security through obscurity.
Those pimping anti-virus software, anti-exploit and whatever obviously want to fuel the FUD that opensource software and sharing of knowledge actually exacerbate the problem.
It seems Trend actually understands the issue, unlike McAfee the corporate bitch.
Anti-virus vendor Trend Micro says the Rootkit Web site cuts both ways.
“We need those open source people,” says David Perry, global director of education at Trend Micro. “They uncover things. It’s a laboratory of computer science. They demand the intellectual right to discuss this.”
What more can we say..
Source: Network World
Martin Macok says
Maybe they just updated their rootkit signature detection according to “new” information from the server … and surprise! Number of rootkits detected jumped nine times!!! :-))
(just joking… but who knows?)
kurt wismer says
i hate to burst your bubble but the folks behind rootkitDOTcom are not the paragons of virtue you seem to think they are… it’s not just source code that’s shared on that site but also compiled binaries… in fact greg hoglund admits that the ‘rootkit‘ james butler wrote and distributed via rootkitDOTcom has become one of the most deployed ‘rootkits‘ in the world and the people deploying it are using the very binaries that are available for download from that site… the ethical misconduct doesn’t end there, either – i blogged about the ethical conflict before (i know you don’t like comment spam, but since i have no ads and no product to peddle i hardly think this qualifies, and i don’t see why i should repeat the entire thing when i can just provide a link)…
there’s a very wrong-headed notion that anything done under the banner of full disclosure is automagically a good thing, but that’s patently absurd (see bruce schneier’s thoughts on full disclosure, and pay particular attention to what he has to say about responsible disclosure)… in cases where we’re dealing with a vulnerability caused by a software defect public disclosure helps improve security by pressuring the affected vendor(s) to fix the bug and illustrates to the rest of us what not to do in the future… however in the case of malware such as rootkits (or the things that pass for rootkits nowadays) there is no possibility of closing the window of exposure without profound changes to the underlying model of computation that we use (ie. there’s good reason to believe that the ability to support stealth functions is inherent to the general purpose computing platform)…
public disclosure always arms the bad guys to a certain extent, what makes it ok is when it’s balanced out by a greater good… arming the bad guys with ready-made attack tools (not just the information needed to create their own) with no way to close the window of exposure (and therefore no greater good) is a bad thing, not a good thing…
Darknet says
kurt: Well I wouldn’t go as far as to call them paragons of virtue, but I far from disagree with what they are doing. All the linux rootkits have been open source and available on various sites for YEARS, just the authors didn’t write books or dedicate whole domains to them, I don’t see anyone crying about it, I see people using HIDS and chkrootkit to fight them, I see people reading the code to see how they work and learning about LKM’s so they can counter them. Now the same thing happens in the Windows world, it’s the fault of the coders? Not poorly designed security architectures? Or bad OS implementations? The ethical conflict happens all the time, McAfee do the same thing by spreading FUD, I’m sure other AV companies have had hands in various ‘virus scares’ too.
Full disclosure is not always good, it’s not a magic blanket, with that I agree, but in this case I think it’s fine. Perhaps there should be some control, the rootkit thing may have gone a little far (providing pre-rolled malicious code). For example in the realm of exploits, they are obfuscated (the shellcode RET address is often removed or wrong) for the purpose of preventing skiddies from using it. Meaning if you can’t code, and at least understand how the exploit works, it’s useless. Perhaps the same thing could be done in some way for the rootkits?
kurt wismer says
if, as i contend, the ability to support stealth is inherent to the general purpose computing platform, then no it’s not the fault of poorly designed security architectures or bad OS implementations… it’s inherent, it can be done no matter how the OS is designed…
an inherent vulnerability is one that is not the result of any mistake, so exploiting it can have no redeeming value… it doesn’t improve security anymore than it would if someone were to come up with new types of weapons to smuggle through airport security…