Hackers have borrowed the same open-source development techniques used to build Firefox, Apache and Linux as they collaborate on malware projects, a security company's researchers claimed Monday.
The McAfee Avert Labs researchers who contributed to the debut issue of the company's "Sage" security journal laid out their case in several articles, ranging from one on open-source software in Windows rootkits to another on open-source and profit.
In fact, even though attacks have shifted to a for-money model in the last few years, open-source methodologies have become de rigueur, said Dave Marcus, the security research manager for Avert.
"There is financial incentive for hackers to share code," said Marcus. "He wants to drop as many bots as possible, so he wants the most effective bot possible. They don't care if they're all using the same bot, since they all have different bot networks they're selling."
Although it's impossible, said Marcus, to figure out which came first, open-source development techniques or the move to criminality, it's clear that by copying open-source development tactics attackers have created an explosion of malware.
In particular, McAfee's researchers finger the availability of source code for the rapid growth in the number of bots, the small programs which control previously compromised computers. "Without large-scale source code sharing we would not see the handful of massive families that we have today," wrote Igor Muttik, a senior research architect with Avert, in "Sage."
Bolting new pieces onto existing malware is another way hackers use open-source methods to improve their work, said Marcus. "If they want to use some new method of propagation, they can just compile it in a separate module, then simply call that module. It really allows them to leverage the power of open source."
Because it's separated from the general code, a module can be easily reused. The practice, although new, has already delivered results, McAfee contended.
The release of the first Windows kernel-mode IRC bot in April of this year "would not have been developed as quickly without the pre-existing kernel-level network sockets code released on www.rootkit.com," wrote Michael Davis, a research scientist at Avert. "This public code allowed the author to easily and quickly recreate the functions for interoperating with the IRC protocol without specialized knowledge of the Windows kernel."
Other open-source methodologies put into play by malware writers, said McAfee, include dedicated version control systems, multiple contributors, regulated testing and defined release schedules.
Not everything is communal, Marcus admitted. Vulnerabilities, especially so-called "zero-day" bugs that haven't yet been patched, can have considerable financial value and are closely guarded secrets or, if shared with others, come at a price.
"Frankly, they've always worked in a distributed development model," said Marcus, talking of hackers. "But the anonymity of an open-source-style process is very appealing to them."