Open tools and techniques have found favor among an unlikely community. Malware writers are using open-source ideas and tools to share malicious code, collaborate, and wreak online mayhem, the security firm McAfee said in a report issued Monday.
Cyber criminals are making source code available with documentation so that it can be easily modified, and they track their changes with popular open-source version-control tools like Concurrent Versions System (CVS), giving malware creation a high degree of efficiency, said McAfee’s Global Threat Report for 2006.
The result is that virus outbreaks and botnet infections are on the rise, costing companies thousands of dollars in cleanup after an attack (see Zotob Cost $97K per Company).
“Like any powerful tool, open source can also be used for malicious purposes, particularly in security,” said the report. “Whether posting a terrorist training manual or a how-to guide for attacking infrastructure, there are consequences to the free and open sharing of information—especially in the realm of computer and network security.”
The malware community has changed its texture over the years. Once dominated by hackers who created worms and viruses for notoriety, it has increasingly moved toward using malware for profit. Open-source tools and methods have helped the community of cyber criminals collaborate better, said experts.
Take the W32/Mydoom worm that was unleashed in January 2004. A month later another worm, W32/Doomjuice, was distributed; it spread through the backdoor that Mydoom had left on infected machines. When bot writers later wanted to add a mass-mailing feature to their bots, they turned to Mydoom’s code, and the result was a new family called Mytob. The Mydoom family has hundreds of variants, significantly more than a typical malware family, and that is most likely due to the widespread availability of its source code, said the report.
Creating Awareness
“The open-source code-sharing model has contributed to the rise of malware,” said Dave Marcus, security research and communications director for McAfee AVERT Labs. “Without source-code sharing, we would not see the handful of massive virus families today.”
Cyber criminals are using popular open-source software like CVS, which lets developers keep track of the version of the software they are working on and of every change made to it. “We have seen that this software is something that is very well utilized by the underground to keep track of their malware projects,” said Mr. Marcus. “A botwriter will use the software to make changes to the bot code, and re-upload it in the same way a project manager would use CVS.”
Hackers are also creating tools and distributing them freely, said McAfee. Documented copies of some rootkits that have been used in Trojan horses are available online, and few virus writers start from scratch these days, said the report.
Analysts agree that open-source practices can be dangerous when they are turned to bad ends. “Open source is a wonderful thing from the standpoint of building up a community to help troubleshoot and magnify development efforts,” said Mike Rothman, an analyst with consultancy firm Security Incite. “On the other hand the same technology can be used by the bad guys.”
Still, the McAfee report is not an indictment of the open-source community’s ideas or tools. “It is not about a negative view of the open-source community,” said Mr. Marcus. “Rather it is about education and awareness. We are raising these ideas so people know how it is done and they are aware of what’s going on.”
Ultimately, the turn toward using malware for profit, coupled with the open-source trend, will be very dangerous, said McAfee.
“The fundamentals are in place for this new industry to thrive, virtually guaranteeing that malware will continue to become more robust, more sophisticated, more plentiful, harder to combat, and more dangerous,” said the report.
Contact the writer: PGanapati@RedHerring.com