Tuesday, April 18, 2006

McAfee Points Its Finger in the Wrong Direction Again

I just read Does Open Source Encourage Rootkits? and the associated McAfee report. In the article we have this quote:

Rootkits are becoming more prevalent and difficult to detect, and security vendor McAfee says the blame falls squarely on the open source community.

In its "Rootkits" report being published today, McAfee says the number of rootkits it has collected as malware samples has jumped ninefold this quarter compared with the same quarter a year ago. Almost all the rootkits McAfee has identified are intended to hide other code (such as spyware or bots) or conceal processes running in Windows systems.

"The predominant reason for the growth in use of stealthy code is because of sites like Rootkit.com," says Stuart McClure, senior vice president of global threats at McAfee.


Let's start debunking this argument with the easiest parts of this quote. First, is Stuart McClure in charge of parties with the capabilities and intentions to exploit a target (i.e., threats)? Probably not. SVP of Global Threats is a weird title, reminiscent of other problems McAfee/Foundstone has with defining threats properly.

Second, there's nothing new about Windows rootkits. I referenced this SecurityFocus article three years ago. The problem is McAfee is late to the game.

Third, the main reason McAfee has any shot at detecting the latest rootkits is they can look at the code published at rootkit.com. Here's what is happening at McAfee AVERT:

  1. Rootkits are deployed, based on code not publicly available. They are tough to detect. AVERT doesn't see them.

  2. Rootkits like NT Rootkit, Hacker Defender, and FU are published at rootkit.com.

  3. AVERT looks at these rootkits, gets clued in, and starts looking for them elsewhere.

  4. AVERT publishes a report saying it sees rootkit.com code everywhere and blames the site and "open source" for the world's problems.


For shame. Let's face the truth -- for years the underground has been using techniques revealed in code at rootkit.com. I saw rootkits on Solaris eight years ago that are better than almost everything that's published today. Sites like rootkit.com have helped defenders because they give us a clue as to what the bad guys are already doing. Rootkits expose the broken host protection model offered by vendors like McAfee. AVERT should be glad they can learn something from rootkit.com. Without it, a window to the underground would be closed.

Update: Here is Greg Hoglund's response.

7 comments:

Anonymous said...

Ok. I'm looking to eval some AV products for a client. McAfee is now OFF the list.

010101 said...

McClure's comment is certainly myopic. Applying the same logic, one can argue "the predominant reason for the growth of script kiddies is because of books like Hacking Exposed."

Richard Bejtlich said...

T. Arthur -- genius.

jbmoore said...

Richard,

When I saw the byline, I just dismissed the article as nonsense, or at worst, FUD. It is certainly immature to blame open disclosure of known malicious code in the wild which seeks to educate people on the existing dangers. Bruce Schneier has stated that security through obfuscation doesn't work. But, the Buddhists have beaten all of us to the punch:

"It is natural for the immature to harm others.
Getting angry with them is like resenting a fire for burning."
Shantideva

Even though you and T. Arthur are absolutely correct that McAfee and company are hypocrites - that open disclosure of hacking methodology is the same as open disclosure of malicious code doesn't alter the immaturity of the action itself. All you can do is educate and hope that anyone who reads such nonsense applies critical thinking and sees the flawed argument. Besides, "Revenge is a dish best served cold." - Shakespeare

John

Anonymous said...

does rootkit.com = cnn?

If you can blame rootkit.com for all evil in the information security world can you then blame cnn/fox/etc for all evil actions in the world?

rootkit.com and the hundreds of other less known sites out there publish information nothing more nothing less.

just because I watched jets being hijacked and run into buildings and learned over time how the perps were able to gain control doesn't mean that I'm going to do it myself - nor does it make sense to blame the media for the actions of terrorists, hackers or anyone with evil or malicious intent.

McAfee is respectable, however Stuart's comments were simply incorrect - inflammatory sure but to blame McAfee as an entire organization for the actions of one person's conversation - that I'm sure was sensationalized a bit, is also irresponsible.

kurt wismer said...

the only myopia i'm seeing is from people who insist on thinking that all vulnerabilities are created equal...

learning about vulnerabilities for learning's sake alone does not make public disclosure a good thing... there is a real security cost to publishing vulnerability information - it increases the risk that the bad guys will use that information and thus increases the risk of exposure for everyone who is vulnerable... it's only a good thing if that cost can be balanced out with a greater good, namely hastening the closure of the window of exposure...

if we learn how to close that window of exposure then a greater good has been achieved, but if the vulnerability is such that the window of exposure can't be closed (which is the case with malware) then there is no way left to justify the security cost of public disclosure...

rootkits have been around for over a decade, the window of exposure is not getting closed....

Richard Bejtlich said...

Last Anonymous, re: "to blame McAfee as an entire organization for the actions of one person's conversation - that I'm sure was sensationalized a bit, is also irresponsible."

How do you figure? McAfee wrote a report that blames open source and rootkit.com for rootkit problems. Stu voiced that conclusion to Network World. Read the McAfee report.