
Fraudsters collaborating on software to steal bank details
By Nick Heath
Published: 18 September 2009 13:10 GMT
Malware developers are going open source in an effort to make their malicious software more useful to fraudsters.
By giving criminal coders free access to malware that steals financial and personal details, the malicious software developers are hoping to expand the capabilities of old Trojans.
According to Candid Wüest, threat researcher with security firm Symantec, around 10 per cent of the Trojan market is now open source.
The move to an open source business model is allowing criminals to add extra features to their malware.
"The advantages are that you have more people involved in developing it, so someone who is into cryptography could add a cryptographic plug-in or somebody who does video streaming could add remote streaming of the desktop," Wüest said.
Releasing Trojans as open source dates back to 1999, when the Cult of the Dead Cow group released the source code for its Trojan called Back Orifice.
More recently, the developers of the Limbo Trojan published its source code in an effort to boost take-up following a slump in its use by fraudsters.
Following its release in 2007, the Limbo Trojan became the most widely used Trojan in the world but fell from favour in 2008 after the more sophisticated Zeus Trojan was released, according to security company RSA.
There is a big cash incentive to be the dominant Trojan, with infected machines and the financial and personal details they capture worth millions of dollars on the black market. The Limbo Trojan kit was previously sold to fraudsters for $350 a time before it went open source, while the Zeus Trojan today sells for between $1,000 and $3,000.
However, head of new technologies at RSA Uri Rivner said the move to become open source had not reversed Limbo's decline in fortunes.
"It is a move to the same business model as that behind any open source project - to give away a basic version and sell more advanced versions, professional services or customisations.
"At the beginning of it going open source it was big news but people have since stopped investing in it.
"It is not the best Trojan any more but because it's open source you can try it as your first Trojan and it is still used in some places," he said.
Limbo's popularity continues to slump, despite numerous features in the basic version that allow criminals to add extra fields for PIN numbers into fake banking websites and capture the keystrokes and the files saved on an infected computer.
And while open source may not have boosted Limbo's fortunes, it also brings with it separate problems for the fraudsters: open sourcing code also places it in the hands of security professionals.
"If you make [the Trojan] open source that means that a security company can find the source code and it is easier to make a general heuristic detection for it, as they know what could be in it," Symantec's Wüest said.
The majority of Trojan infections occur via drive-by downloads, where the malware is automatically downloaded after browsing an infected website, or via messages sent through social networking sites that encourage people to download a Trojan masquerading as a legitimate security update, according to RSA's Rivner.
These infection methods are proving far more effective at getting Trojans onto machines than earlier techniques such as sending an email with a link to an infected file or attachment.
RSA analysts say these new methods have fuelled an exponential growth in the rate of infection, with the security firm detecting 613 Trojan infections in August 2008 compared to 19,102 in August 2009.