Well, I was quite surprised by the amount of interest that has been shown in the POC kernelmode ircbot.

So what should come next? Should I continue to develop these kind of kernelmode applications, or is it a bad thing that these come out in the public?

I've seen both positive and negative feedback; the arguments against run mainly along the lines that malware will become nastier as a result of this code being published... I take issue with this view.

Ok, so I could have kept this quiet, or not even have bothered to write it... but let's get this in perspective. I am a single person in this rather large world, and probably not more than averagely skilled in kernel mode programming (I'm pretty good at writing usermode applications, but am purely a hobbyist kernel mode programmer).

So, if I can write this POC, you are guaranteed that the full-time professional spyware writers, black hat hackers, etc. are more than capable of this - and I would wager this type of kernel mode application already exists in the wild.

Now, what's better? I keep quiet, and we can all pretend to be safe? (while cybercriminals use this technology in secret...). Or, I should publish every idea and POC I can think of, and share this knowledge with the security community?

I personally favour this being out in the open, as it means the anti-virus and firewall companies can research this type of threat and develop technologies to protect the end user.

This is the general argument for "full disclosure" and I think most will agree it is a policy that works.

I therefore have no moral issues with proceeding with further related research and will be 100% open with the results.

The kernel ircbot was a client network application; the next step will be to write a server network application within the kernel, and I think it will be called "KFtp".

See you next time,

Tibbar.