[Infowarrior] - Does open source encourage rootkits?

Richard Forno rforno at infowarrior.org
Mon Apr 17 21:22:30 EDT 2006


Another case of FUD.....the fact folks openly analyze technology doesn't
mean they're responsible for the potential malicious application of it.  How
many other such technologies has this argument been applied to in recent
years?  -rf


This story appeared on Network World at
http://www.networkworld.com/news/2006/041706-open-source-rootkits.html

Does open source encourage rootkits?

By Ellen Messmer, Network World, 04/17/06

Rootkits are becoming more prevalent and difficult to detect, and security
vendor McAfee says the blame falls squarely on the open source community.

In its "Rootkits" report being published today, McAfee says the number of
rootkits it has collected as malware samples has jumped ninefold this
quarter compared with the same quarter a year ago. Almost all the rootkits
McAfee has identified are intended to hide other code (such as spyware or
bots) or conceal processes running in Windows systems.

"The predominant reason for the growth in use of stealthy code is because of
sites like Rootkit.com," says Stuart McClure, senior vice president of
global threats at McAfee.

Rootkit.com's 41,533 members do post rootkit source code anonymously, then
discuss and share the open source code. But it's naïve to say the Web site
exists for malicious purposes, contends Greg Hoglund, CEO of security firm
HBGary and operator of Rootkit.

"It's there to educate people," says Hoglund, who's also the co-author with
James Butler of the book Rootkits: Subverting the Windows Kernel. "The site
is devoted to the discussion of rootkits. It's a great resource for
anti-virus companies and others. Without it, they'd be far behind in their
understanding of rootkits."

No one with a profoundly malicious intent would post his rootkit on the
site, because it would be publicly analyzed for detection purposes, Hoglund
says. He concedes, however, that out of the tens of thousands of Rootkit
participants, there are bound to be those whose intent is to exploit rather
than learn.

Anti-virus vendor Trend Micro says the Rootkit Web site cuts both ways.

"We need those open source people," says David Perry, global director of
education at Trend Micro. "They uncover things. It's a laboratory of
computer science. They demand the intellectual right to discuss this."

That said, Perry notes there are a lot of hacker wannabes who would be drawn
to using the Rootkit site "as one-stop shopping for them to pick up the
tools."

Designing a rootkit is a complex programming process. Hoglund says there are
probably no more than 20 or 30 main types today, along with a wide number of
variants.

Detecting rootkits has become a software research frontier, but eradicating
them and what they hide is proving even more difficult.

"I don't think it's fair to say Rootkit.com is abetting the spread of
rootkits. They were present before Rootkit.com," says co-author Butler, CTO
at Komoku. Komoku is getting ready to release a rootkit-detector code-named
Gamma.

Butler says Rootkit.com has made it easier to use such software. "Technology
being deployed today is now more sophisticated than it was two years ago.
It's very advanced," he says.

"Eradication is extremely difficult to do in 100% of the cases, while
restoring a system and keeping it stable," Butler says. Some rootkits that
can get into the [basic input/output system] might make it advisable "to
throw the computer away" if you want to be sure you got rid of the rootkit,
he says.

A Microsoft official offered similar advice two weeks ago at the InfoSec
Conference in Orlando.

Rootkits with names including HackerDefender, AFXRootkit, PWS-Progent and
FURootkit are cited by McAfee as among the most prevalent today.

The trend is toward embedding stealth technologies with varying forms of
spyware and malware, such as Backdoor-CEB, AdClicker-BA, W32/Feebs,
Backdoor-CTV, Qoolaid, PWS-LDPinch, Opanki.worm, and W32/Sdbot.worm.

This makes it harder to detect and eradicate spyware, adware and other
unwanted code, McAfee's McClure says.

The growing fear in the security world is that it won't be long before
someone creates a worm that can scan networks for vulnerabilities and then
effectively deliver a malicious payload - such as something that can wipe
out files, change data or spy on organizations - that can be kept hidden by
a well-made rootkit.

"It's quite possible, once you've got a piece of code on someone's
computer," Perry says.

All contents copyright 1995-2005 Network World, Inc.
http://www.networkworld.com 
