Rootkits are becoming more prevalent and difficult to detect, and security vendor McAfee says the blame falls squarely on the open source community.
In its "Rootkits" report being published today, McAfee says the number of rootkits it has collected as malware samples has jumped ninefold this quarter compared with the same quarter a year ago. Almost all the rootkits McAfee has identified are intended to hide other code (such as spyware or bots) or conceal processes running in Windows systems.
"The predominant reason for the growth in use of stealthy code is because of sites like Rootkit.com," says Stuart McClure, senior vice president of global threats at McAfee.
Let's start debunking this argument with the easiest parts of this quote. First, is Stuart McClure in charge of parties with the capabilities and intentions to exploit a target (i.e., a threats)? Probably not. SVP of Global Threats is a weird title, reminiscent of other problems McAfee/Foundstone has with defining threats properly.
Second, there's nothing new about Windows rootkits. I referenced this SecurityFocus article three years ago. The problem is McAfee is late to the game.
Third, the main reason McAfee has any shot at detecting the latest rootkits is they can look at the code published at rootkit.com. Here's what is happening at McAfee AVERT:
- Rootkits are deployed, based on code not publicly available. They are tough to detect. AVERT doesn't see them.
- Rootkits like NT Rookit, Hacker Defender, and FU are published at rootkit.com.
- AVERT looks at these rootkits, gets clued in, and starts looking for them elsewhere.
- AVERT publishes a report saying it sees rootkit.com code everywhere and blames the site and "open source" for the world's problems.
For shame. Let's face the truth -- for years the underground has been using techniques revealed in code at rootkit.com. I saw rootkits on Solaris eight years ago that are better than most everything that's published today. Sites like rootkit.com have helped defenders because they give us a clue as to what the bad guys are already doing. Rootkits expose the broken host protection model offered by vendors like McAfee. AVERT should be glad they can learn something from rootkit.com. Without it, a window to the underground would be closed.
Update: Here is Greg Hoglund's response.