Wednesday, April 26, 2006

ethical conflict in the anti-'rootkit' domain

not long ago i blogged about how anti-virus companies don't hire virus writers... now of course there was a somewhat high profile exception involving a low-profile company (i.e. a small start-up so far removed from the av industry that they didn't know how badly they'd be shooting themselves in the foot) but this example is the exception that proves the rule...

but now i'd like to shed some light on a similar example in the so-called 'rootkit' domain... in a securityfocus.com article from last year we have the following:
Jamie Butler: I am a kernel developer and contributor at rootkit.com, where I go by the name Fuzen. I really enjoyed working with Greg on the book Rootkits: Subverting the Windows Kernel. Most of my time is spent at the bit and byte level.
and
Jamie Butler: I am not sure of the exact time frame that I learned about rootkits. I guess I knew of their existence since the early UNIX Trojan system file replacements. However, I did not become active in the research until 2001 when I was working on my Master's degree. At that time, I was looking for modifications to the operating system in memory used to hide things. After that research, I realized that you could alter data structures directly in kernel memory to hide without modifying any operating system code. That is what the FU rootkit, which I wrote, is intended to demonstrate. It is not malicious but more proof of a premise.
and finally
Greg Hoglund: Not really - I don't spend much time trying to detect rootkits. But, I do know that FU is one of the most widely deployed rootkits in the world. [It] seems to be the rootkit of choice for spyware and bot networks right now, and I've heard that they don't even bother recompiling the source - that the DLL's found in spyware match the checksum of the precompiled stuff available for download from rootkit.com. I think that is kinda lame, these spyware guys don't even bother to use the source.

did you catch that? jamie butler (aka fuzen) created what became one of the most widely deployed 'rootkits' in the world (not the only 'rootkit' he's authored, by the way)... and then he co-authored what some have described as the only book on 'rootkits'...

so? how does that relate to av companies who hire or don't hire virus writers? well, how about this - the same jamie butler is the CTO of komoku, a company that has received $2.4 million from various branches of the US government to develop a solution to the 'rootkit' problem in the form of CoPilot and Gamma... Gamma, being a software product, is intended to be priced similarly to anti-virus products but won't be as successful against 'rootkits' because it's software only... CoPilot, on the other hand, is a hardware product that will probably be going for about $1000 a pop so they'll be pulling down some major cash when they finally get to market... oh, and did i mention they've partnered with symantec?

but wait, there's more - while working for hoglund's security company (hbgary) butler developed a 'rootkit' detection technology called VICE, and now he and peter silberman (who has also worked at hbgary and authored the FUTo 'rootkit', which is also freely available on hoglund's site) have developed yet another 'rootkit' detection technology called RAIDE - it's still too new for a business to be made out of it yet, we'll have to wait and see...

let me boil that down for you - jamie butler created the FU 'rootkit'... jamie butler and greg hoglund made FU available for free download on greg hoglund's 'rootkit' site... jamie butler and greg hoglund wrote the only book on this new threat, marking them both as experts in the field... FU, a 'rootkit' written by one of the foremost experts in the 'rootkit' field, became one of the most popular 'rootkits' amongst those who deploy them, in fact the exact binaries that jamie butler and greg hoglund make available are the same ones getting deployed and greg hoglund admits it... jamie butler and greg hoglund get money for a book about a problem they actively contribute to... jamie butler, while working for greg hoglund, develops anti-'rootkit' technology - free to use, but still it draws people to hoglund's other products and so they both get money as a result of technology meant to thwart a problem they actively contribute to... jamie butler, being an expert in the field, is hired and made CTO by an anti-'rootkit' company called komoku, which in turn gets millions from the government, and so jamie butler gets still more money for working on technology meant to thwart a problem he actively contributes to... symantec, who correctly refuses to hire virus writers, partners with a company that has a 'rootkit' writer and distributor as their CTO... jamie butler and peter silberman, both 'rootkit' authors whose works are freely downloadable from hoglund's site, develop yet another technology meant to thwart a problem they both actively contribute to...

so there you have it - people creating, distributing, advertising, and evangelizing 'rootkits' - basically contributing to the problem by creating the tools, popularizing the threat, and arming the bad guys... and then some write a book about the problem or actually create products to solve the problem and in so doing rake in lots of dough... if this were going on in the anti-virus industry people would be raising a big stink, and it's not like anyone would trust an anti-spam company that hired spammers, so what the heck is going on here? how are these people getting away with this?

VICE? RAIDE? CoPilot or Gamma? i certainly won't be touching any of those with a 10-foot barge pole - give me sysinternals' rootkit revealer or f-secure's blacklight, thanks... i'd rather not support people who are actively part of the problem... it's a shame the US government doesn't feel the same way... also a shame symantec doesn't feel that way - not sure why they seem to have fewer problems with 'rootkit' creators than with virus writers...
