Malware database access sparks debate
Should an emerging database of more than 300,000 malware samples remain a walled community for trusted users, or is open access the best way to fight off digital desperados?
MD: Pro bills itself as a vast archive of downloadable malware, created to help the security community fight back against digital desperados and their wares. It claims to differentiate itself from other archive sites such as Milw0rm and the French Security Incident Response Team (FrSirt) by offering not only standard malware but also undetectable malware and compiled binaries.
Its goal had been to reach 300,000 files by year's end, but at press time MD: Pro had already accumulated more than 331,000 files in its database.
The buzz around MD: Pro
In recent weeks, MD: Pro has attracted the attention of security luminaries, including Bruce Schneier, who referenced it in his popular blog.
Anthony Aykut, managing director of Frame4 Security Systems, the Netherlands-based security firm that runs MD: Pro, said since its debut six months ago, the response has been immense. "People are just realizing we are not just another [virus exchange] shop, so the interest is increasing by the minute," he said. "We never realized security companies were so malware-hungry."
Several well-known vendors are among its 20-50 paying customers, though Aykut declined to identify them. He said most are trying to develop homegrown firewalls and other defenses for their IT environments and need malware samples for testing.
MD: Pro offers a tiered access system. Basic Level 1 access is free and includes read-only access to the database and limited downloads. Level 2 access allows subscribers to download most files and costs $953 per month or $10,478 per year. Level 3 offers unlimited access to those willing to pay as much as $1,588 per month or $17,145 annually.
When someone asks for a subscription, Aykut said the requestor's human resources department is contacted to ensure that the malware samples are to be used for legitimate purposes. Since a company's HR department is brought into the process, Aykut said he doesn't worry about malicious people with deep pockets subscribing to MD: Pro posing as legitimate security professionals.
The open door
Aykut said there's a good reason for the high price and the thorough vetting -- it's designed to keep the bad guys away.
"We made a distinct choice to only cater to paying customers who are in the security sector," Aykut said. "The people involved in this project feel that disclosure is good, but when it comes to live malware, we don't feel comfortable putting this out on the Web. By making people pay, it keeps most if not all of the malicious intent outside the gates."
But full-disclosure advocates say such limitations only hurt the good guys, who need all the intelligence they can get to build defenses and stay on top of the digital underground.
"If malware is infesting the network you're defending or it's about to, you want to quickly be able to analyze the malware during the initial infestation and figure out what its capabilities are and how to defend against it," said Danny Quist, co-founder of Offensive Computing, a malware database with looser access restrictions that makes specimens freely available via a blog and search engine.
The merits of full disclosure
While he admires MD: Pro's size and scope and its desire to keep the bad guys out, Quist doesn't believe such safeguards are reasonable when there are many security professionals in need of fast, hard intelligence who can't always afford to buy a subscription.
He said the closed source, highly vetted lists are what prompted him and others to create Offensive Computing in the first place.
"We looked for a resource to help [security professionals] and we determined that this simply wasn't available," Quist said. "The files available were very limited and often missing key bits of information necessary to protect a network."
When contrasting that with the way malware authors communicate, Quist said, "we found that the defensive side was much more exclusionary. We want to bring the openness that the academic research community adheres to into malware research."
But, Aykut said, the dangers of cyberspace are growing more unpredictable and nobody can say for sure which scraps of malware the bad guys will collect and use in their effort to develop new attacks. That's why MD: Pro access will remain restricted.
"If you have 350,000-plus malware files and tools that can significantly alter what's there, it would be irresponsible to make it available to everyone," he said.
IT pros prefer open access
IT administrators interviewed for this story largely agreed with Quist's philosophy, but they're not sure MD: Pro's restrictions are necessary. The most dangerous attackers will write their malicious code from scratch and won't be interested in a database of already-created malware anyway, they said, so it's best to give security professionals quick and easy access to malware samples that can aid in the fight.
And if attackers do want to play with older malware samples and can't get past MD: Pro's vetting process, they're crafty enough to find specimens someplace else.
"The way I see it, the bad guys will find a way to get this information no matter what, so it may as well be made available to the good guys," said Diane McQueen, a systems engineer for Plano, Texas-based Perot Systems Corp. "The hackers and hacker-wannabees are not going to stop what they're doing just because a site like MD: Pro isn't available to them. I'd bet my bottom dollar that the black hackers of the world don't even need this site."
Pete Stagman, IT manager for Dedham, Mass.-based Boston Home Infusion Inc., which provides healthcare services to roughly 13,000 homebound patients in New England, said he's more afraid of the person who doesn't need sites like MD: Pro or Offensive Computing to come up with something really nasty.
"Script kiddies don't come up with the original ideas, they just take someone else's work and modify it a bit," he said in an email exchange. "That's a nuisance, but because the code is similar to some other code, it's more likely that it will be caught by an already existing scanner, or that it won't take much work to modify an existing scanner or cleaner."
Despite criticism from the full disclosure advocates, Aykut said his company will press on with efforts to grow MD: Pro. At this point, he said the progress has exceeded his expectations.
"The ultimate goal is to build MD:Pro into the single resource for the antimalware industry," he said. "Not just as a file repository, but a huge, living, learning medium for malware research professionals."