July 17, 2006 6:19 AM PDT

Virus writers use open-source methods

Malicious software writers are increasingly using open-source methodologies when developing their code, according to security company McAfee.

In its Global Threat Report for 2006, McAfee warned that more hackers are sharing source code and ideas freely. This includes distributing source code with documented explanations and annotations of how that code works, which helps programmers adapt it.

McAfee said that this can be an extremely effective way of developing code, both legitimate and malicious.

"Like any powerful tool, open source can also be used for malicious purposes, particularly in security," McAfee said in its Global Threat Report for 2006.

"DoomJuice was a mass-mailer that distributed a copy of MyDoom. Maybe the author was proud of their skills being reused. It contained the documented source code of MyDoom, like a Lego kit with instructions," said McAfee UK security consultant Greg Day.

So-called script kiddies, who download easy-to-use malicious software from the Internet, have long been a reality. But McAfee's report claims that more virus writers, especially those involved in organized crime, are forming communities and typically share information over IRC (Internet Relay Chat) networks.

However, these groups are much harder to join than open-source software communities, as the malicious software writers try hard not to attract the attention of the authorities.

McAfee said that malicious software now has a long-term development cycle, with code being developed, bugs being fixed, and betas and final versions being distributed among the malicious software community in ways similar to those used in legitimate open-source communities.

"You could say open-source methodology allows them to build better-quality attacks," Day told ZDNet UK. "Today's news is group development."

Hacker tools are also created and distributed freely on an open-source model, according to McAfee. Versions of SDBot, a Trojan horse that opens a backdoor, included an add-in for an FU rootkit, a cloaking piece of software available on the Internet. McAfee claims it is possible to find documented copies of the FU rootkit online "if you hunt around." It is also possible to find documented copies of Morphine, a tool used by hackers to circumvent antivirus protection.

Day said that few virus writers are devoting time to coding from scratch and resolving bugs. Hackers are also acting as paid consultants--an enterprise also known as "patronage"--offering guidance once their source code has been opened.

"This is an effective methodology for ill-gotten gains," Day said. "If anything, this shows that open source is an effective way of coding--a good idea being used for bad intent."

Tom Espiner of ZDNet UK reported from London.



Join the conversation!
They have been doing that for years
I don't see the story here, they have been sharing code for years. It is also a misnomer calling it open source, it is shared source.
Posted by groyal (45 comments )
I agree
with you 100%
Posted by dondarko (261 comments )
FUD - Is this a push to make open source illegal through FUD?
Sounds like it to me.
Posted by baswwe (299 comments )
In Other News, Virus Writers Use Toilet Paper!
...your point?

Oh, I see. McAfee thinks that open disclosure is somehow worse than keeping it all hush-hush, in spite of the fact that security through obscurity is disproven to the point of death.

Pfft! Whatever. (as /me turns back to working with his Mac and Linux machines...)

Posted by Penguinisto (5042 comments )
Some restrictions apply
This has to be one of the more...um...well, one of the more stoopid pieces of "tech nooz" that I have ever read. Since when does collaboration equate to open source?

Let's just add a little sarcasm, some hyperbole, and a dash of ridiculosity to spice things up...


Use of this virus is governed by the GNewt Public License. You may install this virus on as many computers as you like if the following conditions are adhered to... [blah, blah, tele-blah] ...You are free to alter or change this virus to suit your personal needs as long as you include the changed source code...

"Open source?"

Sheesh, what incredible idiocrity...
Posted by justwally (32 comments )
They're beating us!
Well, regardless of whether it's open-source or shared-source, whether it's new collaboration, or something they've been doing for years, we can't deny the fact that the problem is getting out of hand....

http://www.techknowbizzle.com/2006/06/data-security-gets-worse-as-hackers-go.html

and WE (which includes the government) aren't doing much about it.

http://news.cbsi.com/U.K.+agrees+to+extradite+alleged+hacker+to+U.S./2100-7348_3-6091493.html?tag=cd.hed

What will it take for people to take internet security seriously? Most of the general public doesn't know enough about computers to know just how damaging it can be for information on your computer to not be protected...We're the ones playing catchup...
Posted by mveronica (40 comments )
openly-sour methods
As open-source software garners increased commercial acceptance as a replacement for high cost big name bloatware (and more people make the switch to a Linux distro), so too will the attacks on open-source increase, both from hacks and those that buy into the "commie" nature of open-source, and especially that which is freely distributed. If the BS is successful, one day it will be anti-American and neighbors will be able to openly-scorn and abuse anyone mentioning the word open-source. (insert evil laugh here).
Posted by aqvarivs (38 comments )