While enjoying my holiday and catching up on my reading this morning, I discovered a post that raises some concerns I would like to share with you. I use the social networking service LinkedIn to keep in touch with colleagues and co-workers, much the same way many people use Facebook. I am a member of a few industry groups including Malware/Spyware/Security-Researchers/Analysts.
A topic in the discussion forums - "Mac OSX Bot" - caught my eye. In his post, Rohit Bansal, a "Security Researcher," outlines some OSX malware he wrote that includes spam bot capability, keylogging, spreading through shares and iChat, multi-platform support (Windows and Linux), the ability to DDoS, etc. He provides a link to the source code as well...
Is this really security research? Is this in any way ethical? I believe that it is absolutely neither. Providing known malicious source to the community at large in the name of "research" can only lead to greater danger and exploitation of systems. Only a couple of weeks after the Ikee worm author posted his code to Google Code, the Duh worm had iterated on Ikee's work and started behaving in a much more dangerous manner.
Ethical security research requires a great deal of planning and thought. It can often be difficult to choose the correct and virtuous path to properly notify software authors of new exploits and apply enough pressure on them to fix the vulnerability without stepping over the line. When SophosLabs scans web pages and finds a well-known site to be infected, it often takes weeks to get the site administrators' attention to resolve the exploit and remove the malware. There are no clear guidelines on how to do this; you have to evaluate the risks of available options and determine the most reasonable action.
Joining a discussion group, reading forums, and playing with malware does not make you a security researcher... and writing and releasing malicious code makes you a criminal in most jurisdictions. On his anti-virus rants blog, Kurt Wismer has some well-stated thoughts about this topic.
Can anyone be a malware researcher? Sure. But it takes a lot more thought than simply toying around and writing your own malicious code. It requires caution, air-gapped networks, appropriate tools, and careful ethical evaluation to prevent your work from assisting the dark side.
We have been encouraging Apple and Adobe to establish programs for working with the security community (as Microsoft has done so well); likewise, we should apply this to the community as a whole. We need standard methods of reporting vulnerabilities, flaws, and implementation mistakes to developers, web site operators, and all the other parties involved in our digital security. It is far more difficult to be a good guy than a bad one, so I think it is high time we lower the bar to make it easier to do the right thing.
We've made great progress on a lot of fronts in combatting cybercrime in 2009, and I look forward to being even more involved in 2010. Happy new year to all of you, and I hope to see you all working with us to make the Internet a little safer in the coming year.
Creative Commons image of fireworks courtesy of thelastminute's Flickr photostream