7/27/2007
02:20 AM

Open Source Bots

With most botnets based on open source, it may be time to rethink just what gets open-sourced

I just got my first major update on the bot problem and it scared the crap out of me. I hadn’t really thought through just how bad this was getting. I use Postini, and this month I've noticed a scary rise in emails that appeared to be generated from bots and were chewing up a lot of my time. (Either that, or I suddenly have thousands of friends I didn’t know about sending me executable attachment eCards. If that is the case, I need to have a long chat with those friends.)

Part of the briefing, which was provided by Symantec, was a discussion of just how advanced the hubs are that manage these massively increasing numbers of zombie computers. Evidently, the hubs are made up of state-of-the-art servers, often clusters, which showcase some of the most advanced systems management tools and skills in the industry.

Some of the botnet hubs that have been discovered and taken out of service would incite major IT envy – not many IT shops can afford what some of these botmasters can afford and deploy.

Much, if not almost all, of the technology being used appears to be coming from open source resources, and probably the secondary market for hardware (though I understand some are just buying the software on the open market). I don’t think there's anything that can be done about the hardware, but I’m beginning to wonder if certain types of tools shouldn’t be in the open source arena.

One of my problems with open source, Apple, or anything backed by huge advocacy groups is the all-or-nothing mentality in the face of substantial evidence that moderation is really best. Take nuclear technology – if we made it readily available so that all could gain access to it and use it, we likely would have more cheap power. But we would also likely become extinct as a race, either from the resulting pollution or from a group of folks wanting to make a big-bang statement.

Restricting Open Source
It's obviously too late for a lot of platforms, but I wonder if it wouldn’t be wise, going forward, to refrain from open-sourcing products and tools that allow for the management and control of large numbers of servers or workstations. The tools needed to manage these large numbers are needed by a relatively small number of people. And given the potential for corrupt use of these tools, this should remain a small group of people.

It's time to think about categories of products that, for the safety of all of us, should remain relatively secret and protected – if only to give the security industry and platform vendors more time to create and distribute more secure products. That would mean any technology that enables the mass remote control of any platform or critical application: These are the master keys, and need a higher level of protection and restriction. There are likely other software offerings where open source is either ill-advised or unsafe, but many do not represent the national, and worldwide, security threat that botnets represent. (And Honeynets, of course, need this code.)

Security 2.0
Symantec, as part of its Security 2.0 initiative, is the only company aggressively looking to the future of botnets and figuring out a way to anticipate and mitigate future attacks. Symantec's new AntiBot appears to lead the segment. (See Symantec Unveils Anti-Botware.) We’ll discuss this offering more in the future, and Symantec’s efforts go beyond this product – into tracking and reporting botmasters and botnets to law enforcement for the sole purpose of shutting them down and bringing the folks responsible to justice.

The war against botnets would undoubtedly be more successful if there were fewer of them in the first place. Limiting access to the open-source technology they are using could go a long way in helping get ahead of this threat.

Another option would be for the open source community to go to war with the people who misuse the code to do harm to others. If that were to happen, folks like me would be less worried about open source and much more supportive of it. But it often seems that open-source advocates don't want to be bothered with this kind of community support activity. There are, however, some efforts, such as the Honeynet Project.

I think that messing up and messing with the botmasters would be a fun pastime for aging hackers who used to have fun doing a little mischief. Given the proliferation of honeypot projects, this may already be happening.

But the best way to beat the botnets is probably a combination of determining what should and should not be open, as well as a community response to the threat of the misuse of open tools. My hope is that we get there before my Postini inbox explodes from overcapacity.

— Rob Enderle is President and Founder of Enderle Group. Special to Dark Reading

  • Symantec Corp. (Nasdaq: SYMC)
  • Honeynet Project
  • Postini Inc.
     
