Slashdot Mirror


McAfee Blames Open Source for Botnets

v3xt0r writes "It seems that 'the Open Source Development Model' is to be blamed for the recent increase in botnet development. 'We're not taking aim at the open-source movement; we're talking about the full-disclosure model and how that effectively serves malware development,' the spokesman for McAfee says. Why not just blame the IRC Protocol? Or simply admit that Proprietary vendors cannot keep pace with the Open Source Model?"

27 of 223 comments

  1. What? by NiteMair · · Score: 5, Insightful

    So, here is an article simply claiming that some "malicious developers" have found a way to collaborate using open-source tools...

    Wow, I've seen a lot of commercial vendors doing that in the recent years also - maybe they're all suspect.

    1. Re:What? by deathy_epl+ccs · · Score: 4, Interesting

      Certain vendors of anti-virus software appear to believe so. I wrote an exe-packer primarily so I could pack dotnet executables and distributed it for free. It got used by some malware author out there, and this anti-virus vendor decided then that anything packed with my exe-packer must be a virus.

      I swear, it doesn't pay to share anything any more. ;-)

    2. Re:What? by bwt · · Score: 4, Insightful

      Exactly. The open source model is a higher productivity model, so the black hats use it, just like everybody else that produces a lot.

      And of course, we have to suffer another dig at the full disclosure doctrine. But the part they left out was how they plan to get the black hats not to share information with each other. Full disclosure just assures that the white hats all have the same information and that the battle is fought on pure technology lines and not on who is better at hiding things (a battle the good guys would lose).

  2. Load of BS by Wieland · · Score: 5, Funny
    From TFA:
    The current generation of bot software has grown to the point where open-source software development tools make a natural fit. With hundreds of source files now being managed, developers of the Agobot family of malware, for example, are using the open-source CVS (Concurrent Versions System) software to manage their project.
    If that's the best example they can come up with... Geezz, malware writers probably eat cereal, too. Why not blame Kellogg's?
    1. Re:Load of BS by TheOtherChimeraTwin · · Score: 5, Funny

      No, he really has a point here. Pass a law forcing Botnet developers to use SourceSafe and you'll see Botnet development slow to a crawl.

    2. Re:Load of BS by cspring007 · · Score: 4, Funny

      Wait, I thought SourceSafe was malware.

    3. Re:Load of BS by Kesch · · Score: 4, Funny

      ScriptK1dd13 has joined irc channel #botnet
      M$BlowsMyBalls: ...and then I totally DDoSed the mofo!
      CS_Ownerrer: LOL!
      ScriptK1dd13: There's a bug in the bots. Some of them are spelling Vi4gra and C14lis correctly.
      CS_Ownerrer: Fixed in CVS
      M$BlowsMyBalls: RTFM, noob!
      ScriptK1dd13: There is no manual...
      M$BlowsMyBalls: ...
      ScriptK1dd13 has been kicked.
      M$BlowsMyBalls: Damn noobs.

      --
      If this signature is witty enough, maybe somebody will like me.
    4. Re:Load of BS by TheOtherChimeraTwin · · Score: 4, Funny

      Indeed, one can only speculate how much subversive activity would result from outlawing CVS.

  3. Full Disclosure Vs Secrets by eldavojohn · · Score: 4, Insightful
    'We're not taking aim at the open-source movement; we're talking about the full-disclosure model and how that effectively serves malware development,' the spokesman for McAfee says.
    Yeah, you could probably blame a few people who altered a little bit of a virus/bot and re-released it to the public on the full disclosure model.

    But what model would you blame for the hundreds of PC viruses that devastated home and corporate computers in the 90's up to today? I think the exploits they relied upon were simple coding flaws and insecure type checking or buffer overflows that were simply poor coding kept as a secret.

    So, in light of what causes the malware, would I rather the code be fully disclosed or instead guess that there's probably no major exploit possible? I'd probably go with the former considering the sheer number of viruses based on the latter and the fact that it's the exploits based on proprietary code that often do the most severe damage to society.

    I would like to ask McAfee what they would think if a competitor found a virus and figured out how to fix it but couldn't tell McAfee that information because it would be considered disclosure. That would be the real irony here. Sites that host viruses and describe/publish them are often very useful sources for people looking to rid them from their computers or even how to avoid exploits in the future.

    This article is entitled "Hackers Learn from Open Source" but they only learn as much as the researchers and patchers do. I would rather the community be progressing towards solid impenetrable code than have guarded secrets that keep everyone under a thin veil of security. Because if those secrets are ever discovered by the wrong people, we will not know about them and we'll essentially be caught with our pants down. I'd rather have every programmer know the pitfalls of coding than to have thousands of applications deployed world wide all waiting for one hacker to stumble upon a secret.

    You really have to question McAfee's motives here in their Sage magazine ... are they doing this with the customer in mind or are they attempting to place themselves in the leader seat of virus protection with even more exploits running rampant on our machines?
    --
    My work here is dung.
  4. They're missing the real culprit. by Rob+T+Firefly · · Score: 4, Funny

    The actual blame rests on Charles Babbage, and that "computer" idea of his. But to be fair, he might never have done that if it hadn't been for those damned ancient Greeks with their abacus...

  5. They don't explain how the alternative is better by AmiMoJo · · Score: 5, Insightful

    Say there is a vulnerability, only known to black hats which is being exploited. Someone finds it, reports it to the vendor. The vendor sits on it for months while a massive botnet spams the hell out of us using it.

    Isn't it better to release info so people can do something about it? Network admins can use it to help block the attacks, or disable the vulnerable software. Users can stop using it. And people can even make their own patches, or use the shared knowledge to look for similar flaws in other software.

    We have seen this happen. Can anyone provide a good alternative, because McAfee certainly can't?

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  6. Schools and colleges are evil! by InfiniteWisdom · · Score: 4, Insightful

    Evil hackers learn programming techniques in schools and colleges!

  7. Well... by voice_of_all_reason · · Score: 3, Insightful

    Why not just blame the IRC Protocol?

    Because McAfee has an ulterior motive and wants to discredit the competition.

    Will there be anything else?

  8. Full disclosure != open source by Moraelin · · Score: 5, Insightful

    Basically it seems to me that McAfee _isn't_ complaining about OSS, and explicitly says they don't. There are two _very_ distinct and unrelated parts of the article:

    1. The open source part. Which doesn't contain any kind of anti-OSS slant. It just says that people now have a lot of F/OSS tools to manage their files and whatnot.

    2. The part about full disclosure. Where they basically whine that they'd like to have what we all call "security by obscurity." Basically McAfee would like a world where researchers keep a lot more stuff secret, because supposedly being public about that helps evil hackers. Which is as stupid as it gets, yes, but it also has nothing to do with OSS at this point.

    So why the fanboy slant in the summary?

    --
    A polar bear is a cartesian bear after a coordinate transform.
    1. Re:Full disclosure != open source by dzfoo · · Score: 4, Informative

      They *are* complaining. It's called "planting the seed of distrust":

      From the article:
      "Over the last year and a half, we've noticed how bot development in particular has latched on to open-source tools and the open-source development model,"

      Further down:
      Marcus said his company is drawing attention to the open-source trend to educate users, and not as an attempt to discredit open-source alternatives to its own proprietary software products. "We think [open-source antivirus products] are fine. They've never been something that was really in the same class as ours, but we've always been big supporters of open-source antivirus," he said.

      In other words, McAfee is saying "Bot writers are using Open Source tools to develop, maintain, collaborate on, and distribute malware. We're just saying, you know. Not that we're accusing them of anything; we're just saying."

      Then later in the article they start bad-mouthing Full Disclosure. That's, as you say, a separate topic.

          -dZ.

      --
      Carol vs. Ghost
      ...Can you save Christmas?
  9. An endorsement of open source? by Maru+Dubshinki · · Score: 3, Interesting

    Amusingly, you could read this article as an endorsement of open source software and methods- as in, "Open source methods and tools are so awesome that crackers and blackhats have switched to using them and now run rings around the antivirus corporations who don't."

    --
    Enquiring minds want to know!
  10. Most IT workers blame McAfee for Current Viruses by Lumpy · · Score: 4, Insightful

    My headline is as credible as theirs. If they want to start flinging mud we can fling it back. Outsourcing virus writers to help perpetuate sales of Anti Virus software is good for business, has a large return on investment, and is a practical way of making sure that the next incremental release is purchased by all your customers.

    --
    Do not look at laser with remaining good eye.
  11. Headline is a Troll by algae · · Score: 4, Insightful

    Given that the summary itself says that this is not about the open-source development model, I've got to conclude that the headline is a troll. You can apply the full-disclosure model of security notification to any software, open or closed.

    This is about whether the finders of security vulnerabilities give the vendor a grace period to fix the problem before disclosing the vulnerability to the general public. It has nothing to do with open source.

    --
    Causation can cause correlation
  12. From the experts... by helmutvs · · Score: 5, Interesting

    Who brought you an "update" the other month that categorized files from "IBM (Rational), GreenHills, MS Office, Ansys, Adobe, Autocad, Hyperion, Win MPM, MS Shared, MapInfo, Macromedia, MySQL, CA, Cold Fusion, ATI, FTP Voyager, Visual Studio, PTC, ADS, FEMAP, STAT" as viruses and promptly deleted them. Here's the story.

    --
    There are no uninteresting things. There are only uninterested people.
  13. Dude, again, it's _not_ about OSS by Moraelin · · Score: 4, Interesting

    RTFA, seriously. That disclosure that they mention is _not_ the disclosure of OS code. If you RTFA, at that point they explain very well what they mean by "full disclosure" and it has _nothing_ to do with OSS any more. Their "full disclosure" is about researchers disclosing a vulnerability, together with ample instructions and proof of concept code of how it can be exploited. It has _nothing_ to do with Linux vs Windows, Closed Source vs F/OSS, etc. It's about disclosing vulnerabilities.

    Basically what McAfee says is, "I wish researchers stopped telling everyone everything about this and that buffer overflow. Telling people everything about a bug only helps the evil hackers use it in a virus!!!111one1eleventeen" Not an exact quote, but that's the general idea they're peddling there.

    Which is, in a nutshell, just the old "security by obscurity" argument. Which has already been debated to hell and back and is known to not work that way. And, frankly, it's weird to see McAfee preaching that attitude, because the anti-virus makers should know best that it never worked that way.

    --
    A polar bear is a cartesian bear after a coordinate transform.
  14. People shouldn't blame McAfee..... by Dcnjoe60 · · Score: 4, Funny

    People shouldn't blame McAfee. They're just really stressed out. You'd be too, if you had to make Windows a secure OS.

  15. In related news by rs79 · · Score: 4, Funny

    I blame open source for the development of the internet.

    --
    Need Mercedes parts ?
  16. 'scuse me, McA, but that's bollocks by Opportunist · · Score: 4, Interesting

    Could be that they have to get that air of being against closed source off them after they found Excel to be a trojan (ok... some might claim it's not really a false positive, but still... a few companies didn't enjoy the idea of having their Excel removed...).

    But quite seriously, could anyone please explain just HOW a malware author would benefit from open source? Because of the tools? Seriously, if you're writing software that's considered "illegal" in most places of this planet, would you care about licensing? Whether the software is free (as in beer and as in software) is pointless for him. If it's not free, he'll copy it illegally.

    Because they could learn how to write malware? The "real" malware projects are not open source, actually anything BUT it. First of all, major exploits are not shared, they're sold. Plain and simple. Malware is a business, just like a lot of other software, and they are by far the last to go for open sourcing, simply because it would cut into their revenue. Actually, the few snippets and code parts that ARE open source are one of the key sources for AV researchers, unless they want to go for the darker venues in the trade. And, finally, when knowledge becomes illegal, gimme a ring. Then it's time to leave the planet.

    If you want to learn how to write malware, you needn't wade through open source projects. You won't find much worth finding.

    So I don't really understand just why McA is targeting the OSS movement. There is little to be gained by malware writers through OSS, but a lot for those opposing malware. If anyone, it's the AV researchers who benefit from open sourcing malware. Because they would have a hard time explaining just why they would have sent money towards people wearing darker colored hats.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  17. Once again, Free Speech is causing problems by AllParadox · · Score: 3, Interesting

    Just as the vendors claimed, this full-open-disclosure business is promoting distribution of powerful tools to, well, just anybody. Now the bad guys know about it and are using it. Can it get worse than this? Oh, sure. Try stopping it.

    AllParadox - Retired Attorney, no legal opinions, just my opinion.

    --
    All is paradox. Retired lawyer, so this is just one more layman's opinion.
  18. CVS by Kelson · · Score: 4, Funny

    Hackers use CVS? Seriously, who cares where they get their drugs, anyway?

  19. On locks and Open Source by crono_deus · · Score: 4, Informative
    Dammit, I've heard just about enough of these arguments. About 150 years ago, this man called Charles Tomlinson published a paper regarding how the mechanical workings of all locks should be public knowledge because, he reasoned, if the public knew about the weaknesses and strengths of each lock, they could 1) force the lockmaker into making a better lock, and 2) choose the one that suited them the best.

    Below are two excerpts from the paper, found, interestingly enough, using the "fortune" program. Yes, I know that the making of locks isn't exactly like the creation of software, but the principle remains the same. Security through obscurity is no security at all; however, if the standards and techniques are open and available to the public, we, the "experts" in the field, will actually be able to hold companies accountable for problems and shortcomings in their software.

    "A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and already know much more than we can teach them respecting their several kinds of roguery. Rogues knew a good deal about lockpicking long before locksmiths discussed it among themselves, as they have lately done. If a lock -- let it have been made in whatever country, or by whatever maker -- is not so inviolable as it has hitherto been deemed to be, surely it is in the interest of *honest* persons to know this fact, because the *dishonest* are tolerably certain to be the first to apply the knowledge practically; and the spread of knowledge is necessary to give fair play to those who might suffer by ignorance. It cannot be too earnestly urged, that an acquaintance with real facts will, in the end, be better for all parties."

    -- Charles Tomlinson's Rudimentary Treatise on the Construction of Locks, published around 1850

    "In respect to lock-making, there can scarcely be such a thing as dishonesty of intention: the inventor produces a lock which he honestly thinks will possess such and such qualities; and he declares his belief to the world. If others differ from him in opinion concerning those qualities, it is open to them to say so; and the discussion, truthfully conducted, must lead to public advantage: the discussion stimulates curiosity, and curiosity stimulates invention. Nothing but a partial and limited view of the question could lead to the opinion that harm can result: if there be harm, it will be much more than counterbalanced by good."
    -- Charles Tomlinson's Rudimentary Treatise on the Construction of Locks, published around 1850.

    If you ever wanted to send anything defending OSS to anyone, this would be a very good thing to send.

    --
    Ne Cede Malis.
  20. Full Disclosure Lowers the Barriers to Entry by BeBoxer · · Score: 3, Insightful

    Maybe that's what McAfee really cares about. Full disclosure means, in part, that it's easier for new vendors and products to compete in the security field. Sticking with limited disclosure, where only the OS vendors and established security vendors are informed, just lets the established vendors get complacent. Which given the quality of modern security software I would say has already happened. So they throw a bunch of FUD around, as though the problem isn't in large part due to closed-source software vendors being incapable of getting their shit together when it comes to security.