Since it was launched in February, the Malware Distribution Project
(MD: Pro) has amassed a vast archive of
malware code samples. Its pricey access fees and rigorous vetting
process are intended to keep dangerous digital weaponry from
falling into the wrong hands, but some believe the access
restrictions are tedious and detrimental to the information
security community.
MD: Pro bills itself as a vast archive of downloadable malware,
created to help the security community fight back against digital desperados
and their wares. It claims to differentiate itself from other
archive sites such as Milw0rm and the French Security Incident
Response Team (FrSirt) by not only offering access to standard
malware, but also undetectable malware and compiled binaries.
Its goal had been to reach 300,000 files by year's end, but at
press time MD: Pro already had accumulated more than 331,000 files
in its database.
The buzz around MD: Pro
In recent weeks, MD: Pro has attracted the attention of security
luminaries, including Bruce Schneier, who referenced it in his
popular blog.
Anthony Aykut, managing director of Frame4 Security Systems, the
Netherlands-based security firm that runs MD: Pro, said since its
debut six months ago, the response has been immense. "People are
just realizing we are not just another [virus exchange] shop, so
the interest is increasing by the minute," he said. "We never
realized security companies were so malware-hungry."
Several well-known vendors are among its 20-50 paying customers,
though Aykut declined to identify them. He said most are trying to
develop homegrown firewalls and other defenses for their IT
environments and need malware samples for testing.
MD: Pro offers a tiered access system. Basic Level 1 access is
free and includes read-only access to the database and limited
downloads. Level 2 access allows subscribers to download most files
and costs $953 per month or $10,478 per year. Level 3
offers unlimited access to those willing to pay as much as $1,588
per month or $17,145 annually.
When someone asks for a subscription, Aykut said the requestor's
human resources department is contacted to ensure that the malware
samples are to be used for legitimate purposes. Since a company's
HR department is brought into the process, Aykut said he doesn't
worry about malicious people with deep pockets subscribing to MD:
Pro posing as legitimate security professionals.
The open door
Aykut said there's a good reason for the high price and the
thorough vetting -- it's designed to keep the bad guys away.
"We made a distinct choice to only cater to paying customers who
are in the security sector," Aykut said. "The people involved in
this project feel that disclosure is good, but when it comes to
live malware, we don't feel comfortable putting this out on the
Web. By making people pay, it keeps most if not all of the
malicious intent outside the gates."
But full-disclosure advocates say such limitations only hurt the
good guys, who need all the intelligence they can get to build
defenses and stay on top of the digital underground.
"If malware is infesting the network you're defending or it's
about to, you want to quickly be able to analyze the malware during
the initial infestation and figure out what its capabilities are
and how to defend against it," said Danny Quist, co-founder of
Offensive Computing, a malware database with looser access
restrictions that makes specimens freely available via a blog and
search engine.
The merits of full disclosure
While he admires MD: Pro's size and scope and its desire to keep
the bad guys out, Quist doesn't believe such safeguards are
reasonable when there are many security professionals in need of
fast, hard intelligence who can't always afford to buy a
subscription.
He said the closed source, highly vetted lists are what prompted
him and others to create Offensive Computing in the first place.
"We looked for a resource to help [security professionals] and
we determined that this simply wasn't available," Quist said. "The
files available were very limited and often missing key bits of
information necessary to protect a network."
When contrasting that with the way malware authors communicate,
Quist said, "we found that the defensive side was much more
exclusionary. We want to bring the openness that the academic
research community adheres to into malware research."
But, Aykut said, the dangers of cyberspace are growing more
unpredictable and nobody can say for sure which scraps of malware
the bad guys will collect and use in their effort to develop new
attacks. That's why MD: Pro access will remain restricted.
"If you have 350,000-plus malware files and tools that can
significantly alter what's there, it would be irresponsible to make
it available to everyone," he said.
IT pros prefer open access
IT administrators interviewed for this story largely agreed with
Quist's philosophy, but they're not sure such efforts are
necessary. The most dangerous attackers will write their malicious
code from scratch and won't be interested in a database of
already-created malware anyway, they said, so it's best to give
security professionals quick and easy access to malware samples
that can aid in the fight. And if attackers do want to play with
older malware samples and can't get past MD: Pro's vetting process,
they're crafty enough to find specimens someplace else.
"The way I see it, the bad guys will find a way to get this
information no matter what, so it may as well be made available to
the good guys," said Diane McQueen, a systems engineer for Plano,
Texas-based Perot Systems Corp. "The hackers and hacker-wannabees
are not going to stop what they're doing just because a site like
MD: Pro isn't available to them. I'd bet my bottom dollar that the
black hackers of the world don't even need this site."
Pete Stagman, IT manager for Dedham, Mass.-based Boston Home
Infusion Inc., which provides healthcare services to roughly 13,000
homebound patients in New England, said he's more afraid of the
person who doesn't need sites like MD: Pro or Offensive Computing
to come up with something really nasty.
"Script kiddies don't come up with the original ideas, they just
take someone else's work and modify it a bit," he said in an email
exchange. "That's a nuisance, but because the code is similar to
some other code, it's more likely that it will be caught by an
already existing scanner, or that it won't take much work to modify
an existing scanner or cleaner."
Despite criticism from the full disclosure advocates, Aykut said
his company will press on with efforts to grow MD: Pro. At this
point, he said the progress has exceeded his expectations.
"The ultimate goal is to build MD:Pro into the single
resource for the antimalware industry," he said. "Not just as a
file repository, but a huge, living, learning medium for malware
research professionals."