April 14, 2008 8:27 AM PDT

McAfee's libel against open source

by Matt Asay

Over the weekend Stuart Hicks emailed the OSI about an odd statement made by McAfee in its white paper on botnets [PDF]:

Taking the bot controller offline may kill a botnet. As a result, many bots use a Dynamic Domain Name System (DDNS) or have a list of backup IP addresses to survive such an event. Bot technology is rapidly evolving, often aided and abetted, unfortunately, by the open-source movement. [Emphasis mine.]

Huh? No justification is made for this statement. No follow-on, explanatory comments are made.

Someone at McAfee thinks that the correlation between botnets and open source is clear, but I am struggling to grasp any connection between the two. Perhaps this is just one more example of McAfee's dubious grasp on reality when it comes to open source. Remember its statement that open-source licensing is a threat to its business?

Consider the definition of a botnet:

While the term "botnet" can be used to refer to any group of bots, such as IRC bots, the word is generally used to refer to a collection of compromised computers (called zombie computers) running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure. The majority of these computers are running Microsoft Windows operating systems, but other operating systems can be affected. A botnet's originator (aka "bot herder") can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes.

See any open source in there? I suppose it's possible that the programs used to manage the zombies could be open source, but the zombies themselves are generally Windows computers. Apparently open-source Linux is more impervious to bot attacks. Or maybe its users are simply not as gullible. Or something.

Regardless, McAfee needs to come clean and own up to its ignorance on open source. It's starting to look ridiculous. Too bad it can't keep that proprietary. No one likes to see their ignorance open sourced.

Matt Asay brings a decade of in-the-trenches open-source business and legal experience to The Open Road, with an emphasis on emerging open-source business strategies and opportunities. Matt is vice president of business development at Alfresco, a company that develops open-source software for content management. He is a member of the CNET Blog Network and is not an employee of CNET.
by odubtaig April 14, 2008 12:59 PM PDT
Actually, there is a link, but it's far from 'aiding and abetting'. Given that the easiest attack vector for a Linux box is to hack and install a rootkit, and given the prevalence of Linux servers on the internet (and the likelihood that they will have a very long uptime), Linux servers are the perfect vehicle on which to install the controlling software for botnets.

Windows boxes may be the perfect vector for the bots given the number of unpatched home computers out there (believe me, I've seen horrors), but as all other attack vectors for Linux are so much harder, there are a great number of rootkits, and these are perfect for taking over a server which will be up for a long time with little, or no, interruption, which makes vulnerable servers perfect for controlling botnets.

The only possible reason I can think of for McAfee's tack is the boneheaded 'security through obscurity' ideal. There are many ways to prevent your server being taken over, including a proper security update routine and hardened PHP with Suhosin and the MOPB patches if applicable, tripwire software, etc., but none of these require hidden code, just hidden passwords.
by tristanbob April 14, 2008 1:42 PM PDT
I think this is a real world demonstration of the value of open source software.

Simply put, open source is the cheapest and preferred way to develop software. Your IT staff knows it, and so do these malicious hackers.
by royrusso April 14, 2008 2:12 PM PDT
I think what they're trying to say is, "Thank you, OSS, for keeping us in business."
by ashimmy April 15, 2008 6:59 AM PDT
Matt- I think you are letting your overzealous defense of open source cloud your logic here. I have written more about this at my blog here
by odubtaig April 15, 2008 9:28 AM PDT
That was tedious, ashimmy. McAfee don't say 'they happen to use open source tools' (which could be closed to no avail), they don't even mention the software, they specifically wrote 'open source movement'. That's the people who make the software, not the software itself. The term 'aided and abetted' isn't exactly non-partisan either. It's not a term used for software tools which happen to be used by hackers, it's a term for malicious code only.
by dreggie April 15, 2008 2:50 PM PDT
I believe McAfee's statement was made in relation to Agobot, as it was one of the most common open source bots, with over 1500 variants due to its open source code. Search for it and you'll see: http://searchsecurity.techtarget.com.au/articles/21753-Using-virtual-honeypots-to-track-botnets-Part-1-Bot-and-botnet-1-1. The blog comment was pretty dumb.
by uraslacker April 15, 2008 4:52 PM PDT
The reason that McAfee dislikes open source is because they rely on broken, poorly designed software and (in particular) operating systems to give them a reason to exist. IMO, the whole security industry (like the US tax system) is akin to a Rube Goldberg machine. We _could_ fix the problem, but then McAfee would go out of business :-)
by jorise April 15, 2008 5:05 PM PDT
The author of the McAfee whitepaper (who coincidentally had left McAfee for Symantec) has commented on his personal blog...

http://www.darknetworks.org/2008/04/mcafee-botnets-libel-open-source-and-tax-day/

His conclusion: "Sorry Matt, McAfee is NOT your enemy, nor are the ignorant about open source."
by oz_ollie April 16, 2008 6:00 PM PDT
The generalisation that bot nets are "aided and abetted, unfortunately, by the open-source movement" is wrong. The same generalisations could also be levelled at closed source, proprietary software. For example:

Bot nets, and the creation of zombie computers, are aided and abetted by the poor security in various Microsoft Windows versions.

or

Bot nets, and the creation of zombie computers, are aided and abetted by the poor knowledge of Internet users who unwittingly click and install the software from the Internet.

Both statements are true and inflammatory, but employees of companies that depend on Microsoft products and don't want to offend potential customers of their Internet security software won't publish such statements.