McAfee Blames Open Source for Botnets 223

v3xt0r writes "It seems that 'the Open Source Development Model' is to be blamed for the recent increase in botnet development. 'We're not taking aim at the open-source movement; we're talking about the full-disclosure model and how that effectively serves malware development,' the spokesman for McAfee says. Why not just blame the IRC Protocol? Or simply admit that Proprietary vendors cannot keep pace with the Open Source Model?"

  • by cyber_rigger ( 527103 ) on Monday July 17, 2006 @02:02PM (#15732242) Homepage Journal
    ...it was the conspiracy to create insecure operating systems.
  • Amusingly, you could read this article as an endorsement of open source software and methods- as in, "Open source methods and tools are so awesome that crackers and blackhats have switched to using them and now run rings around the antivirus corporations who don't."
  • by 8127972 ( 73495 ) on Monday July 17, 2006 @02:12PM (#15732326)
    ..... who said that OSX is the next Windows:

    http://download.nai.com/products/mcafee-avert/WhitePapers/NewAppleofMalwaresEye.pdf [nai.com]

    So take anything they say with a grain of salt.
  • Re:What? (Score:4, Interesting)

    by deathy_epl+ccs ( 896747 ) on Monday July 17, 2006 @02:15PM (#15732353)

    Certain vendors of anti-virus software appear to believe so. I wrote an exe-packer primarily so I could pack dotnet executables and distributed it for free. It got used by some malware author out there, and this anti-virus vendor decided then that anything packed with my exe-packer must be a virus.

    I swear, it doesn't pay to share anything any more. ;-)

  • From the experts... (Score:5, Interesting)

    by helmutvs ( 912204 ) on Monday July 17, 2006 @02:15PM (#15732368)
    Who brought you an "update" the other month that categorized files from "IBM (Rational), GreenHills, MS Office, Ansys, Adobe, Autocad, Hyperion, Win MPM, MS Shared, MapInfo, Macromedia, MySQL, CA, Cold Fusion, ATI, FTP Voyager, Visual Studio, PTC, ADS, FEMAP, STAT" as viruses and promptly deleted them. Here's the story. [slashdot.org]
  • by Moraelin ( 679338 ) on Monday July 17, 2006 @02:17PM (#15732387) Journal
    RTFA, seriously. That disclosure that they mention is _not_ the disclosure of OS code. If you RTFA, at that point they explain very well what they mean by "full disclosure" and it has _nothing_ to do with OSS any more. Their "full disclosure" is about researchers disclosing a vulnerability, together with ample instructions and proof of concept code of how it can be exploited. It has _nothing_ to do with Linux vs Windows, Closed Source vs F/OSS, etc. It's about disclosing vulnerabilities.

    Basically what McAfee says is, "I wish researchers stopped telling everyone everything about this and that buffer overflow. Telling people everything about a bug only helps the evil hackers use it in a virus!!!111one1eleventeen" Not an exact quote, but that's the general idea they're peddling there.

    Which is, in a nutshell, just the old "security by obscurity" argument. Which has already been debated to hell and back and is known to not work that way. And, frankly, it's weird to see McAfee preaching that attitude, because the anti-virus makers should know best that it never worked that way.
  • by Opportunist ( 166417 ) on Monday July 17, 2006 @02:37PM (#15732568)
    Could be that they have to get that air of being against closed source off them after they found Excel to be a trojan (ok... some might claim it's not really a false positive, but still... a few companies didn't enjoy the idea of having their Excel removed...).

    But quite seriously, could anyone please explain just HOW a malware author would benefit from open source? Because of the tools? Seriously, if you're writing software that's considered "illegal" in most places of this planet, would you care about licensing? Whether the software is free (as in beer and as in software) is pointless for him. If it's not free, he'll copy it illegally.

    Because they could learn how to write malware? The "real" malware projects are not open source, actually anything BUT it. First of all, major exploits are not shared, they're sold. Plain and simple. Malware is a business, just like a lot of other software, and they are by far the last to go for open sourcing, simply because it would cut into their revenue. Actually, the few snippets and code parts that ARE open source are one of the key sources for AV researchers, unless they want to go for the darker venues in the trade. And, finally, when knowledge becomes illegal, gimme a ring. Then it's time to leave the planet.

    If you want to learn how to write malware, you needn't wade through open source projects. You won't find much worth finding.

    So I don't really understand just why McA is targeting the OSS movement. There is little to be gained by malware writers through OSS, but a lot for those opposing malware. If anyone, it's the AV researchers who benefit from open sourcing malware. Because they would have a hard time explaining just why they would have sent money towards people wearing darker colored hats.
  • by AllParadox ( 979193 ) on Monday July 17, 2006 @02:49PM (#15732652)
    Just as the vendors claimed, this full-open-disclosure business is promoting distribution of powerful tools to, well, just anybody. Now the bad guys know about it and are using it. Can it get worse than this? Oh, sure. Try stopping it.

    __________________________________________
    AllParadox - Retired Attorney, no legal opinions, just my opinion.
  • by dilvish_the_damned ( 167205 ) on Monday July 17, 2006 @03:02PM (#15732746) Journal
    I know he is suggesting that they are not throwing snowballs at Open Source, but specifically at full disclosure. However, if you go ahead and read a little more into it, phrases such as

    "We're not taking aim at the open-source movement; we're talking about the full-disclosure model and how that effectively serves malware development," he said.

    become more transparent.

    What effectively serves malware development also serves things like clamav and snort. I suspect this botnet thing is just a short term issue for them, the long term problem is full-disclosure used to defend oneself.
    Maybe I am wrong. Maybe it is all about malware developers becoming more effective. If that's true then this reads like an apology for being ineffective.

    Or maybe it's just a sad cry for help. Like a suicide note left in a conspicuous place.
    It's fun reading things into things.

  • by Anonymous Coward on Monday July 17, 2006 @03:45PM (#15733097)
    "Opensource is a threat to our existence, after all, full disclosure means non-anti-virus companies can fix the problem without us and don't need our software, or those dirty filthy pesky free solutions for virus scanning can get to our slice of the pie faster."

    They have made exploits and viruses their business, and they see OSS as the biggest threat as one day, OSS virus databases could rack up more viruses than they could at a much faster rate. It scares them.

    Watch, next companies like McAfee and Norton will push Congress to pass the "National CyberSecurity act" which will outlaw open code and free virus scanners.

    I'm actually afraid when that happens. Bad enough McAfee sucks.

    Plus don't be shocked by the idea that McAfee and Norton wouldn't be as low as to create their own worms and viruses, that could be another take on this, they don't like "open sourced" viruses prolly because they CAN be caught quicker. Meanwhile a closed virus means great business for them. Let it wreak havoc and then slowly deploy a cure for it. I wouldn't be shocked if they released a few on a slow year in the past or in the future.

    People who make money off others' suffering should be shot.
  • by Opportunist ( 166417 ) on Monday July 17, 2006 @04:02PM (#15733237)
    I concur. Security is not a product, it's a process. Unfortunately, we let all the clueless people in who don't know the first thing about security. What should we do? Lock them out? Throw them out of the 'net 'til they learn how to keep their crate secure? I'm the first to sign that petition, but you'll have a very hard time getting it passed past the counter pressure of the industry trying to sell the 'net to them, since they are by definition a more interesting target group than people who know their tools and their net. Would you buy a virus scanner? A firewall solution? Hell, would you click a "punch the monkey" ad? Would you follow a spam mail?

    Nope. But they do. And there's money to be made.

    So those people are here, and they're here to stay. You can't teach them security. It's futile, I've tried. They care about their inter...thingwebsomething and mailing their auntie in Greece and that they can buy some pr0n online but being a spambot or trojan distributor, who cares?

    Yes, MS's APIs contain some horribly insecure functions, coupled with the predominant (ab)use of admin privilege accounts (because some horribly written software requires it), and the fact that people would rather switch "everything on" before trying which setting is REALLY required. "Just make yourself admin and all works" is the creed.

    Don't think it would be different if Linux/BSD was the dominant system. We'd get to see the same problem, except that people would surf around the 'net as root. The main difference would probably be that patches would start popping up more quickly, and if some program relies on an insecure function it would break 'til the programmer fixes it. Linux/BSD core people tend to be less lenient, especially with functions labeled "for debugging purposes only".

    So AV tools are a stopgap against that problem. Yes, we see the same entry points abused time and again. Yes, it starts to be boring every time I dissect another trojan, only to find it uses the same routines to sink its hooks into the system. Yes, we tell MS to get rid of those functions and the only thing we get in return is "we can't".

    So tell me how to solve this problem.
