Open source malware is actually a possibility

For a long time we have assumed that if the software we use is open source, we are safe from malware. Hiding malware in open source code was too difficult, and the reward was too small compared to traditional ways of distributing it. But as open source software gains popularity, and more and more single-handed projects pop up, this may no longer be true. Today it would in fact be feasible for an open source trojan to exist: malware disguised inside another application that looks innocent and is useful enough to be attractive to users. And why has this become so much easier? Because users and developers alike do not pay enough attention to the code they are running.

Why do we assume that open source software is safe?

Let’s start with why we naturally assume that open source software is safe and free from malware:

  • The code is written by a team of independent developers. If one developer tries to slip malware into a project, the other developers will catch it.
  • The code is publicly available, so if there were malware hidden in it, someone would find it.
  • If malware is hidden in some open source code and someone does find it, the code can be traced back to the developer who wrote and distributed it. Most developers do not want to take that risk.
  • The code is reviewed by the package maintainers of popular Linux distributions before they compile it into packages for their users. If there is any malware hidden in the code, they should find it.

Unfortunately, all of these rest on one assumption: that people actually read the code. There are also a number of other reasons why these points do not necessarily hold, so let's look at them in turn and see how an open source trojan could actually exist.