Analytics
7/27/2007
02:20 AM
Connect Directly
RSS
E-Mail
50%
50%

Open Source Bots

With most botnets based on open source, it may be time to rethink just what gets open-sourced

I just got my first major update on the bot problem and it scared the crap out of me. I hadn’t really thought through just how bad this was getting. I use Postini, and this month I've noticed a scary rise in emails that appeared to be generated from bots and were chewing up a lot of my time. (Either that, or I suddenly have thousands of friends I didn’t know about sending me executable attachment eCards. If that is the case, I need to have a long chat with those friends.)

Part of the briefing, which was provided by Symantec, was a discussion of just how advanced the hubs are that manage these massively increasing numbers of zombie computers. Evidently, the hubs are made up of state-of-the-art servers, often clusters, which showcase some of the most advanced systems management tools and skills in the industry.

Some of the botnet hubs that have been discovered and taken out of service would incite major IT envy – not many IT shops can afford what some of these botmasters can afford and deploy.

Much, if not almost all, of the technology being used appears to be coming from open source resources, and probably the secondary market for hardware (though I understand some are just buying the software on the open market). I don’t think there's anything that can be done about the hardware, but I’m beginning to wonder if certain types of tools shouldn’t be in the open source arena.

One of my problems with open source, Apple, or anything backed by huge advocacy groups is the all-or-nothing mentality in the face of substantial evidence that moderation is really best. Take nuclear technology – if we made it readily available so that all could gain access to it and use it, we likely would have more cheap power. But we would also likely become extinct as a race, either from the resulting pollution or from a group of folks wanting to make a big-bang statement.

Restricting Open Source
It's obviously too late for a lot of platforms, but I wonder if it wouldn’t be wise, going forward, to refrain from open-sourcing products and tools that allow for the management and control of large numbers of servers or workstations. The tools needed to manage these large numbers are needed by a relatively small number of people. And given the potential for corrupt use of these tools, this should remain a small group of people.

It's time to think about categories of products that, for the safety of all of us, should remain relatively secret and protected – if only to give the security industry and platform vendors more time to create and distribute more secure products. That would mean any technology that enables the mass remote control of any platform or critical application: These are the master keys, and need a higher level of protection and restriction. There are likely other software offerings where open source is either ill-advised or unsafe, but many do not represent the national, and worldwide, security threat that botnets represent. (And Honeynets, of course, need this code.)

Security 2.0
Symantec, as part of its Security 2.0 initiative, is the only company aggressively looking to the future of botnets and figuring out a way to anticipate and mitigate future attacks. Symantec's new AntiBot appears to lead the segment. (See Symantec Unveils Anti-Botware.) We’ll discuss this offering more in the future, and Symantec’s efforts go beyond this product – into tracking and reporting botmasters and botnets to law enforcement for the sole purpose of shutting them down and bringing the folks responsible to justice.

The war against botnets would undoubtedly be more successful if there were fewer of them in the first place. Limiting access to the open-source technology they are using could go a long way in helping get ahead of this threat.

Another option would be for the open source community to go to war with the people who misuse the code to do harm to others. If that were to happen, folks like me would be less worried about open source and much more supportive of it. But it often seems that open-source advocates don't want to be bothered with this kind of community support activity. There are, however, some efforts, such as the Honeynet Project.

I think that messing up and messing with the botmasters would be a fun pastime for aging hackers who used to have fun doing a little mischief. Given the proliferation of honeypot projects, this may already be happening.

But the best way to beat the botnets is probably a combination of determining what should and should not be open, as well as a community response to the threat of the misuse of open tools. My hope is that we get there before my Postini inbox explodes from overcapacity.

— Rob Enderle is President and Founder of Enderle Group . Special to Dark Reading

  • Symantec Corp. (Nasdaq: SYMC)
  • Honeynet Project
  • Postini Inc.

    Comment  | 
    Print  | 
    More Insights
  • Register for Dark Reading Newsletters
    Partner Perspectives
    What's This?
    In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

    As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
    Featured Writers
    White Papers
    Cartoon
    Current Issue
    Dark Reading's October Tech Digest
    Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
    Flash Poll
    Threat Intel Today
    Threat Intel Today
    The 397 respondents to our new survey buy into using intel to stay ahead of attackers: 85% say threat intelligence plays some role in their IT security strategies, and many of them subscribe to two or more third-party feeds; 10% leverage five or more.
    Video
    Slideshows
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2013-0334
    Published: 2014-10-31
    Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

    CVE-2014-2334
    Published: 2014-10-31
    Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

    CVE-2014-2335
    Published: 2014-10-31
    Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

    CVE-2014-2336
    Published: 2014-10-31
    Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

    CVE-2014-3366
    Published: 2014-10-31
    SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

    Best of the Web
    Dark Reading Radio
    Archived Dark Reading Radio
    Follow Dark Reading editors into the field as they talk with noted experts from the security world.