# McAfee: Stop Blaming Open Source Culture for Malware

McAfee has posted a whitepaper that discusses [the increasing
proliferation of rootkits][1] (PDF). Nothing unusual here,
especially for a major anti-malware vendor. The paper's thesis is
that there has been a large increase in both the number and the
complexity (measured as the raw number of components per rootkit)
of Windows rootkits over the last three to five years, and that the
easy availability of rootkit code is what has made them proliferate
and grow more complex. It fingers open source and the Internet as
the culprits:

> The "open-source" environment, along with online collaboration
> sites and blogs, is largely to blame for the increased
> proliferation and complexity of rootkit components. [p. 3]
> ... Collaboration does more than just spread stealth
> technologies. It also fosters the development of new and more
> sophisticated stealth techniques. [p. 5]

I think proliferation through collaboration is so obvious that it's
hardly worth mentioning. Crackers have been sharing malicious code
for decades, first via BBSes and even printed magazines, then via
the early WWW and IRC channels, and now via blogs. Bad guys
communicate; they always have. What the paper misses is that it is
probably easier now for the average script kiddie to find exploit
code, given the huge improvements in search quality over the last
decade and the worldwide penetration of the Internet. On the other
hand, easy access to exploit code cuts both ways.

Academic researchers, curious hackers, and even companies like
McAfee have the same easy access, which lets them see how such code
works and perhaps ferret out new threats earlier than they otherwise
could. This exposes a flawed (but unstated) assumption the
whitepaper relies on: that most of the people accessing malicious
source code online will use it for malicious purposes. As for
complexity, I'm not sure I see even a correlation between increased
complexity and increased collaboration, let alone causation.

Common sense says that what has made rootkits more complex is simply
the increasing complexity of the modern operating system and of
modern countermeasures: simple necessity. In DOS days, for example,
trojans and viruses were simple because the OS was simple. Remember
the floppy boot-sector viruses? An entire virus fit in a single
512-byte boot sector.

Finally, placing the blame for rootkit proliferation on the "open
source environment" is crazy. The whitepaper glosses over the fact
that Linux rootkits have declined sharply over the very same period,
despite an obvious increase in the number of Linux deployments and a
pre-existing culture of sharing and collaboration among Linux users.
If open source culture were the cause, Linux should be the
worst-hit platform. [Marcus Ranum had this to say on the very same
subject][2] in an interview last year:

> If we consider the Internet as a big local network, we will see
> that some of our neighbours keep getting exploited by spyware,
> viruses, and so on. Who should we blame? OS producers? Or our
> neighbours who chose that particular software and then run it
> without an appropriate secure setup? There's enough blame for
> everyone. Blame the users who don't secure their systems and
> applications. Blame the vendors who write and distribute insecure
> shovel ware. Blame the sleazebags who make their living infecting
> innocent people with spyware, or sending spam. Blame Microsoft for
> producing an operating system that is bloated and has an
> ineffective permissions model and poor default configurations.
> Blame the IT managers who overrule their security practitioners'
> advice and put their systems at risk in the interest of
> convenience. Etc. *Truly, the only people who deserve a complete
> helping of blame are the hackers* (emphasis added). Let's not
> forget that they're the ones doing this to us. They're the ones
> who are annoying an entire planet. They're the ones who are
> costing us billions of dollars a year to secure our systems
> against them. They're the ones who place their desire for fun
> ahead of everyone on earth's desire for peace and [the] right to
> privacy.

## Comments

**[kurt wismer](#33 "2006-04-23 23:57:00"):** i will agree that
mcafee made a horrendously bad choice of words when they said "open
source environment"... it's clear to me that they were simply
referring to public sharing of information/source code/compiled
binaries...that said, they're right that the so-called good guys are
contributing to the problem when they share malware source code and
binaries with the public at large (which is precisely what the site
they mention by name does) - they're adding their knowledge and
skills to the collaborative efforts of the bad guys...as for the
complexity-collaboration link - more people collaborating gives you
a broader knowledge base from which to draw when creating the
malware and that in turn gives you the potential to overcome a
larger set of obstacles... additionally, with the works of more
people available to you, you can piece together new malware from the
bits and pieces of malware from a larger and more diverse library...

[1]: http://download.nai.com/products/mcafee-avert/WhitePapers/AKapoor_Rootkits1.pdf
[2]: http://www.securityfocus.com/columnists/334