September 5th, 2008
An open source rootkit kit
The Register is convinced that former NSA programmer Dave Aitel has gone over to the dark side by making his DR Rootkit open source under GPL 2.
While it’s true that the program can make rootkits, I don’t see it as a net loss for Linux security.
I think it may be more of a honeypot.
A honeypot is set up to attract bad guys. It looks innocent, but behind it good guys are tracking the malware being dropped into it, taking it apart, and teaching the rest of the Internet how to beat it.
The boys at Zero Day can tell you more about the quality of the DR Rootkit than I can. If it’s not great, then where is the beef? If it’s really great, then there are two big opportunities:
- You can track downloads and learn where potential script kiddies are living.
- You can track improvements and, if they’re not donated back, hit the hackers up on license violations.
- You spread security knowledge, because as Dave himself wrote last year, “vulnerability information is worth money.”
Yes, I know. Going after a hacker for violating the GPL is a bit like nabbing Al Capone for tax evasion. But in Capone’s case it worked.
Aitel, a valuable speaker at security events, has already put several other security programs into the open source pot, including SPIKE, SPIKE Proxy, and Unmask, a utility that can fingerprint users based on their e-mails and IRC postings.
I’m not ready to throw a security guru under the bus simply because he believes that an open source process can do what the older proprietary and highly secretive processes have not, namely deliver real security.
Are you?
Dana Blankenhorn has been a business journalist for 30 years, a tech freelancer since 1983.