Open-source methods prove fruitful for virus writers

19 Jul 2006

As virus creation increasingly becomes a big business, its writers are turning to legitimate software development methods, such as those used by the open source community, to improve their output, according to the security software company McAfee.

Its newly published Global Threat Report for 2006 has identified the use of bots in for-profit ventures — such as spamming and collecting confidential information — as driving the need for malware authors to improve the quality and features of the code they develop.

“To those ends, malicious programmers are adopting coding practices and controls akin to those in the legitimate software development world,” said Igor Muttik, senior research architect at McAfee Avert Labs. “They are also adapting social and professional norms established by the open-source community to develop malware and are capitalising on the widespread availability of source code for many of the internet’s popular malware families,” he added.

Muttik cited the example of the MyDoom family, which has hundreds of variants. This is “significantly more than a typical malware family and that is most likely due to the widespread availability of its source code”, he said in the report.

Common practices include distributing source code with documented explanations and annotations of how that code works, which helps programmers to adapt it. McAfee said that this can be an extremely effective way of developing code, both legitimate and malicious.

Muttik also referenced a statement from the Hacker Defender website as a sign that malware authors have embraced the open-source model and are actively sharing and contributing to each others’ development efforts. The statement also suggests that this community “is engaged in an arms race-style of competition with commercial anti-virus software vendors,” Muttik added.

“Without large-scale source-code sharing we would not see the handful of massive families that we have today,” he argued. “Rather, we would expect to find many small families, reflecting the individual efforts of separate researchers. But the malware community is no longer a scattered army of individual hobbyists. The addition of funding from successful botnet deployments and the leveraging of open-source tools and techniques have created a formidable machine for the creation, modification and distribution of threats,” he concluded.

By Gordon Smith