Analytics
7/27/2007
02:20 AM
Connect Directly
RSS
E-Mail
50%
50%

Open Source Bots

With most botnets based on open source, it may be time to rethink just what gets open-sourced

I just got my first major update on the bot problem and it scared the crap out of me. I hadn’t really thought through just how bad this was getting. I use Postini, and this month I've noticed a scary rise in emails that appeared to be generated from bots and were chewing up a lot of my time. (Either that, or I suddenly have thousands of friends I didn’t know about sending me executable attachment eCards. If that is the case, I need to have a long chat with those friends.)

Part of the briefing, which was provided by Symantec, was a discussion of just how advanced the hubs are that manage these massively increasing numbers of zombie computers. Evidently, the hubs are made up of state-of-the-art servers, often clusters, which showcase some of the most advanced systems management tools and skills in the industry.

Some of the botnet hubs that have been discovered and taken out of service would incite major IT envy – not many IT shops can afford what some of these botmasters can afford and deploy.

Much, if not almost all, of the technology being used appears to be coming from open source resources, and probably the secondary market for hardware (though I understand some are just buying the software on the open market). I don’t think there's anything that can be done about the hardware, but I’m beginning to wonder if certain types of tools shouldn’t be in the open source arena.

One of my problems with open source, Apple, or anything backed by huge advocacy groups is the all-or-nothing mentality in the face of substantial evidence that moderation is really best. Take nuclear technology – if we made it readily available so that all could gain access to it and use it, we likely would have more cheap power. But we would also likely become extinct as a race, either from the resulting pollution or from a group of folks wanting to make a big-bang statement.

Restricting Open Source
It's obviously too late for a lot of platforms, but I wonder if it wouldn’t be wise, going forward, to refrain from open-sourcing products and tools that allow for the management and control of large numbers of servers or workstations. The tools needed to manage these large numbers are needed by a relatively small number of people. And given the potential for corrupt use of these tools, this should remain a small group of people.

It's time to think about categories of products that, for the safety of all of us, should remain relatively secret and protected – if only to give the security industry and platform vendors more time to create and distribute more secure products. That would mean any technology that enables the mass remote control of any platform or critical application: These are the master keys, and need a higher level of protection and restriction. There are likely other software offerings where open source is either ill-advised or unsafe, but many do not represent the national, and worldwide, security threat that botnets represent. (And Honeynets, of course, need this code.)

Security 2.0
Symantec, as part of its Security 2.0 initiative, is the only company aggressively looking to the future of botnets and figuring out a way to anticipate and mitigate future attacks. Symantec's new AntiBot appears to lead the segment. (See Symantec Unveils Anti-Botware.) We’ll discuss this offering more in the future, and Symantec’s efforts go beyond this product – into tracking and reporting botmasters and botnets to law enforcement for the sole purpose of shutting them down and bringing the folks responsible to justice.

The war against botnets would undoubtedly be more successful if there were fewer of them in the first place. Limiting access to the open-source technology they are using could go a long way in helping get ahead of this threat.

Another option would be for the open source community to go to war with the people who misuse the code to do harm to others. If that were to happen, folks like me would be less worried about open source and much more supportive of it. But it often seems that open-source advocates don't want to be bothered with this kind of community support activity. There are, however, some efforts, such as the Honeynet Project.

I think that messing up and messing with the botmasters would be a fun pastime for aging hackers who used to have fun doing a little mischief. Given the proliferation of honeypot projects, this may already be happening.

But the best way to beat the botnets is probably a combination of determining what should and should not be open, as well as a community response to the threat of the misuse of open tools. My hope is that we get there before my Postini inbox explodes from overcapacity.

— Rob Enderle is President and Founder of Enderle Group . Special to Dark Reading

  • Symantec Corp. (Nasdaq: SYMC)
  • Honeynet Project
  • Postini Inc.

    Comment  | 
    Print  | 
    More Insights
  • Register for Dark Reading Newsletters
    Partner Perspectives
    What's This?
    In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

    As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
    Featured Writers
    White Papers
    Cartoon
    Current Issue
    Dark Reading's October Tech Digest
    Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
    Flash Poll
    Threat Intel Today
    Threat Intel Today
    The 397 respondents to our new survey buy into using intel to stay ahead of attackers: 85% say threat intelligence plays some role in their IT security strategies, and many of them subscribe to two or more third-party feeds; 10% leverage five or more.
    Video
    Slideshows
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2014-7298
    Published: 2014-10-24
    adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

    CVE-2014-8346
    Published: 2014-10-24
    The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

    CVE-2014-0619
    Published: 2014-10-23
    Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

    CVE-2014-2230
    Published: 2014-10-23
    Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

    CVE-2014-7281
    Published: 2014-10-23
    Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

    Best of the Web
    Dark Reading Radio
    Archived Dark Reading Radio
    Follow Dark Reading editors into the field as they talk with noted experts from the security world.