Why virus writers are turning to open source
Malware developers are going open source in an effort to make their malicious software more useful to fraudsters.
By giving criminal coders free access to malware that steals financial and personal details, the malicious software developers are hoping to expand the capabilities of old Trojans.
According to Candid Wüest, threat researcher with security firm Symantec, around 10 percent of the Trojan market is now open source.
The move to an open source business model is allowing criminals to add extra features to their malware.
"The advantages are that you have more people involved in developing it, so someone who is into cryptography could add a cryptographic plug-in or somebody who does video streaming could add remote streaming of the desktop," Wüest said.
Releasing Trojans as open source dates back to 1999, when the Cult of the Dead Cow group released the source code for its Trojan called Back Orifice.
More recently, the developers of the Limbo Trojan published its source code in an effort to boost take-up following a slump in its use by fraudsters.
Following its release in 2007, the Limbo Trojan became the most widely used Trojan in the world but fell from favor in 2008 after the more sophisticated Zeus Trojan was released, according to security company RSA.
There is a big cash incentive to be the dominant Trojan, with infected machines and the financial and personal details they capture worth millions of dollars on the black market. The Limbo Trojan kit was previously sold to fraudsters for $350 per copy before it went open source, while the Zeus Trojan today sells for between $1,000 and $3,000.
However, head of new technologies at RSA, Uri Rivner, said the move to become open source had not reversed Limbo's decline in fortunes.
"It is a move to the same business model as that behind any open source project--to give away a basic version and sell more advanced versions, professional services or customizations.
"At the beginning of it going open source it was big news but people have since stopped investing in it.
"It is not the best Trojan any more but because it's open source you can try it as your first Trojan and it is still used in some places," he said.
Limbo's popularity continues to slump, despite numerous features in the basic version that allow criminals to add extra fields for PIN numbers into fake banking websites and capture the keystrokes and the files saved on an infected computer.
And while open source may not have boosted Limbo's fortunes, it also brings with it separate problems for the fraudsters: open sourcing code also places it in the hands of security professionals.
"If you make (the Trojan) open source, that means that a security company can find the source code and it is easier to make a general heuristic detection for it, as they know what could be in it," Symantec's Wüest said.
The majority of Trojan infections occur via drive-by downloads, where the malware is automatically downloaded after browsing an infected website, or messages sent via social networking sites that encourage people to download a Trojan masquerading as a legitimate security update, according to RSA's Rivner.
These infection methods are proving far more effective at getting Trojans onto machines than earlier techniques such as sending an e-mail with a link to an infected file or attachment.
RSA analysts say these new methods have fuelled an exponential growth in the rate of infection, with the security firm detecting 613 Trojan infections in August 2008 compared to 19,102 in August 2009.
Nick Heath of Silicon.com reports from London.
Calling it a Trojan Horse per se is really incorrect, revisionist history.
Of course, I'd laugh my arse off if they released it under the GPL. I just can't see them breaking cover to sue any violators of the license.
Many eyes make bugs easier to spot, and problems easier to solve.
For Linux, Darwin, and the like, open source helps to improve the OS and make it tougher, more efficient, more useful, and reach the goals of an operating system.
For malware, it helps make the code leaner, meaner, and more able to penetrate the systems they target.
Pitting one against the other would be a rather futile arms race of sorts, with a lot of work for little gain to the malware authors. Now if you happen to have another OS handy that is proprietary.... easy target.
>>>>Before Vista, I might have agreed with you (although I still believed the security through obscurity argument, which I believe even more strongly now). But since the inception of CanSecWest's Pwn2Own, white hats have proven otherwise. Sorry.
'Pitting one against the other would be a rather futile arms race of sorts, with a lot of work for little gain to the malware authors. Now if you happen to have another OS handy that is proprietary.... easy target.'
>>>>I almost squirted Sprite out my nostrils, laughing at you. I can't believe you are still trying to pretend you actually believe this, when you know which platform is the real "easy pickings" at hacker conferences. Once again, as always with you, where are the post-IE7 exploits for Vista (IE7 didn't use ASLR; IE8 and Fx3 do)?
I wish I could get inside your head, and see exactly what it is that compels you to continue to chant something you WELL KNOW is false. Apple has you by the b*11s; you really are a slave.
Who exactly? The government, who can't tell the difference between open and closed source? Microsoft? Say goodbye to anyone who tries to write a better program that they cover.
Fact is, if they did what you suggested 20 years ago, we'd still be there today. It is allowing anybody to program whatever they want that has advanced computing to where it is today.
'It would be better if Microsoft fixed their operating system.'
Along with Apple and the various *nix versions as well. Instead of addressing the problem, you're just trying to spread blame.
UNIX was faced with massive malware problems a very long time ago (think: 1980s), and vendors changed their respective OSes to toughen up the entire structure.
Microsoft OTOH is still stuck with temp fixes and bandages to their own particular OS. Not entirely their fault, just that they worship backwards compatibility at all costs and can only bloat out their OS in a futile effort to put a shell around it. To their credit, they've somewhat succeeded, but not nearly enough to prevent being the most easily compromised by casual malware authors.
Last I checked, Apple still has multiple unpatched vulnerabilities for OS X.
'Last I checked, Apple and "various *nix flavors" have fixed their operating systems. '
>>>>Really? Then why does your platform keep getting pwned within seconds every year at CanSecWest? Why do security researchers agree unanimously that the most vulnerable OS on the market is made by Apple? Again, your platform doesn't earn any stripes until it's actually been in the line of fire. Only at CanSecWest has this happened, and every time, Mac OS goes down the quickest.
'To their credit, they've somewhat succeeded, but not nearly enough to prevent being the most easily compromised by casual malware authors.'
>>>>Denial is an ugly thing. Do you actually need to believe Windows is a sitting duck, just to be able to sleep at night? Again, where are the exploits since IE8 and Fx3 have fully implemented ASLR? There aren't any. Try to use the obscurity argument here if you like, but remember that Vista and W7 share much of XP's code, along with its vulnerabilities. It's only because of new mitigations that remote attacks fail.
You could use a couple of updates yourself.
For starters try "Security Pros Are Focused on the Wrong Threats" by Riva Richmond, Bits Blog - NYT Sept 15, 2009
If you can handle more than a few paragraphs of factual information try:
Websense Security Labs - State of Internet Security, Q1-Q2, 2009
Symantec Global Internet Security Threat Report - Trends for 2008
- A somewhat sensationalist NYT article that stresses corporate problems from software vulnerabilities that run primarily on (oh, wait - ) Windows. (hint: the software can be hella vulnerable, but if the OS won't cooperate with the malware, it doesn't matter if the thing is self-contained or hitching a ride on Acrobat).
- And, two articles written by A/V and 'security' companies that are all too eager to try and sell useless solutions to specific markets that in turn honestly have no need for their products. It was like reading an article on infectious diseases or accident prevention, but written by a life or medical insurance company.
The NYT article included a link to "a new biannual report from the SANS Institute", which is in agreement with the other two reports I referenced. All of the security researcher's blogs I read also say the same thing. I doubt they are all wrong.
Yes, the software vulnerabilities run primarily on Windows. Primarily because 90% of the computers on this planet run Windows. No mystery there. The vast majority of exploits targeting Windows have used vulnerabilities that had been patched many months before. By far the largest number of Windows systems being exploited are those running counterfeit or illegal copies of the OS.
The "specific markets" you refer to include businesses, corporations, financial institutions, governments, health care institutions, and military just to name a few. What they all have in common is a need to protect confidential data. I hardly think they have no need for multi layer Enterprise level security products. In case you haven't noticed, providing this level of security is a multi-billion dollar business. I guess there must be a huge market for "useless solutions".
Articles about infectious disease or accident prevention from insurance companies are actually very good resources. INSURANCE companies have a vested interest in preventing people from getting into accidents and contracting diseases. They want healthy people paying premiums on policies that are not being acted upon. Pharmaceutical companies talking about the widespread erectile dysfunction or preying on male insecurities about size on national TV or in magazine articles would prove your point better.
'A somewhat sensationalist NYT article that stresses corporate problems from software vulnerabilities that run primarily on (oh, wait - ) Windows.'
>>>>Uh, yah. When 9 in 10 computers run Windows, you'd kind of expect that. What do you expect professional criminal hackers to do, let the whale go and take the minnow? Their profitability drops tenfold that way. It should be no mystery why the platform that has 90% of the market gets nearly 100% of hackers' attention.
'(hint: the software can be hella vulnerable, but if the OS won't cooperate with the malware, it doesn't matter if the thing is self-contained or hitching a ride on Acrobat)'
>>>>What on OS X is going to stop it, authentication? HA! Ever heard of a "privilege escalation vulnerability?" Aren't you supposed to be a network administrator? I'm calling your bluff.
Jess
www.real-privacy.net.tc
>>>>This is a misnomer. The problem here is that Rivner is thinking of "backdoors," which are the common denominator of Trojans and exploits. Trojan horses, by definition, depend on the user to "take them through the gates of Troy;" they do not scale the high walls themselves. "Exploits" do that. Now, if it's "backdoors" that are going open source, then that's different.
by Karl Viklund, September 21, 2009 2:41 PM PDT
I think that the open-sourcing of the Limbo Trojan will make the problem worse. Security companies may know what's in the original file, but now that the Trojan is open source it can fork into hundreds and hundreds of different versions, and other Trojans can borrow from Limbo, which will spur new Trojans etc. The Limbo developer probably realized that Limbo was at the end of its life and rather than continue the path to 0 he decided to get back at the security companies and users to make an even greater mess. If more Trojans do like this, I think we will end up with more trouble than we can handle.