Virus writers use 'open source' methods

Summary: Malware writers are increasingly using open source methods to develop code, according to antivirus vendor McAfee

Malware writers are increasingly using open source methodologies when developing malicious code, according to antivirus vendor McAfee.

In its Global Threat Report for 2006, McAfee warned that more hackers are sharing source code and ideas freely. This includes distributing source code with documented explanations and annotations of how that code works, which helps programmers to adapt it.

McAfee said that this can be an extremely effective way of developing code, both legitimate and malicious.

"Like any powerful tool, open source can also be used for malicious purposes, particularly in security," McAfee said in its Global Threat Report for 2006.

"DoomJuice was a mass-mailer that distributed a copy of MyDoom. Maybe the author was proud of their skills being reused. It contained the documented source code of MyDoom, like a Lego kit with instructions," said McAfee UK security consultant Greg Day.

So-called script kiddies, who download easy-to-use malware from the Internet, have long been a reality. But McAfee's report claims that more virus writers, especially those involved in organised crime, are forming communities and typically share information over IRC networks.

However, these groups are much harder to join than open source software communities, as the malware writers are keen to avoid attention from the authorities.

McAfee said that malware now has a long-term development lifecycle, with code being developed, bugs being fixed, and betas then final versions being distributed amongst the malware community in a similar way to open source communities.

"You could say open source methodology allows them to build better quality attacks," Day told ZDNet UK. "Today's news is group development."

Hacker tools are also created and distributed freely on an open source model, according to McAfee. Versions of SDBot, a Trojan horse that opens a back door, included an add-in for the FU rootkit, a cloaking piece of software available on the Internet. McAfee claims it is possible to find documented copies of FU rootkit online "if you hunt around". It is also possible to find documented copies of Morphine, a tool used by hackers to circumvent antivirus protection.

Day said that few virus writers are devoting time to coding from scratch and resolving bugs. Hackers are also acting as paid consultants offering guidance once their source code has been opened — also known as "patronage" of their code.

"This is an effective methodology for ill-gotten gains," said Day. "If anything this shows that open source is an effective way of coding — a good idea being used for bad intent," Day added.


About

Tom is a technology reporter for ZDNet.com, writing about all manner of security and open-source issues. Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books. Tom eventually found tha...
