A couple of weeks ago we saw a blog post by a person named tibbar claiming to have written the first kernel mode IRC bot. See http://tibbar.blog.co.uk/2006/04/06/kernel_mode_IRCbot~708256 for the announcement.
Is this really the first kernel mode bot? I think so, but it is purely a proof of concept with no teeth. What makes the announcement important in my eyes is that it illustrates two points that matter a great deal when we look at how bots, and malware in general, will be produced in the future: the use (and reuse) of open source components, and the rising skill level of the programmers writing them.
This kernel bot was easy to create because it used a kernel socket library that Valerino wrote and placed in the public domain on rootkit.com (see his rootkit.com post). As The Mythical Man-Month puts it, there is no silver bullet in software development, but the brass bullet is module reuse, and we are seeing more and more of it within malware. Would this kernel bot have been written at all if those prebuilt components had not been available?
The second important point is that the project's code organization keeps the IRC protocol logic separate from the kernel transport, so it can be tested in user mode, where most bot developers are more comfortable; that makes it easier to produce variants with more IRC functionality. Is this a revolutionary ability? No, but it is more disciplined than what most bot developers do. I believe the advancement in skill sets will lead to more destructive bots as more capable programmers spend their time on bot code quality, advanced features (encrypted P2P using proper key exchange, for example) and test harnesses. Malware development, bot development in particular, will start to exhibit the same development life cycle seen in open source projects such as Apache and Firefox.
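To make the code organization point concrete, here is an added example of what "protocol logic testable in user mode" looks like in C. It is not code from tibbar's bot or from Valerino's library; the parser, the irc_bot structure, the send() hook and the capture_send harness are all my own construction. The protocol code only ever calls b->send(), so the same irc_handle_line() could sit on top of a kernel socket library in a driver build or on top of a buffer in a user-mode test, and the sample server lines fed to it below are constructed for the test.

```c
#include <stdio.h>
#include <string.h>

#define IRC_MAXPARAMS 8

/* One parsed server line: "[:prefix] COMMAND param* [:trailing]" (RFC 1459 syntax). */
typedef struct {
    char prefix[64];
    char command[16];
    char params[IRC_MAXPARAMS][64];
    int nparams;
    char trailing[512];
    int has_trailing;
} irc_msg;

/* Bounded copy of a field into a fixed buffer; always NUL-terminates. */
static void copy_field(char *dst, size_t dstsz, const char *src, size_t n)
{
    if (n >= dstsz) n = dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Parse a CRLF-stripped line. Returns 0 on success, -1 if malformed. */
int irc_parse(const char *line, irc_msg *m)
{
    const char *p = line, *sp;
    size_t n;
    memset(m, 0, sizeof *m);
    if (*p == ':') {                       /* optional prefix */
        sp = strchr(p, ' ');
        if (!sp) return -1;
        copy_field(m->prefix, sizeof m->prefix, p + 1, (size_t)(sp - p - 1));
        p = sp + 1;
    }
    while (*p == ' ') p++;
    sp = strchr(p, ' ');
    n = sp ? (size_t)(sp - p) : strlen(p);
    if (n == 0) return -1;                 /* no command */
    copy_field(m->command, sizeof m->command, p, n);
    p += n;
    while (*p) {                           /* middle params, then optional trailing */
        while (*p == ' ') p++;
        if (!*p) break;
        if (*p == ':') {
            copy_field(m->trailing, sizeof m->trailing, p + 1, strlen(p + 1));
            m->has_trailing = 1;
            break;
        }
        sp = strchr(p, ' ');
        n = sp ? (size_t)(sp - p) : strlen(p);
        if (m->nparams < IRC_MAXPARAMS)
            copy_field(m->params[m->nparams++], sizeof m->params[0], p, n);
        p += n;
    }
    return 0;
}

struct irc_bot;
typedef int (*irc_send_fn)(struct irc_bot *b, const char *line);

typedef struct irc_bot {
    const char *nick;
    irc_send_fn send;     /* transport hook: a kernel socket in a driver, a buffer here */
    int registered;       /* set once the server sends numeric 001 */
    char out[1024];       /* capture buffer used only by the user-mode harness */
    size_t outlen;
} irc_bot;

/* Protocol logic: answers PING, records registration. Returns 1 if it sent a
   reply, 0 if it handled the line silently, -1 on parse or send failure. */
int irc_handle_line(irc_bot *b, const char *line)
{
    irc_msg m;
    char reply[600];
    if (irc_parse(line, &m) < 0) return -1;
    if (strcmp(m.command, "PING") == 0) {
        const char *token = m.has_trailing ? m.trailing : (m.nparams ? m.params[0] : "");
        snprintf(reply, sizeof reply, "PONG :%s\r\n", token);
        return b->send(b, reply) < 0 ? -1 : 1;
    }
    if (strcmp(m.command, "001") == 0) b->registered = 1;
    return 0;
}

/* User-mode transport (hypothetical harness): append to a buffer, no socket. */
static int capture_send(irc_bot *b, const char *line)
{
    size_t n = strlen(line);
    if (b->outlen + n >= sizeof b->out) return -1;
    memcpy(b->out + b->outlen, line, n + 1);
    b->outlen += n;
    return (int)n;
}

irc_bot *make_test_bot(irc_bot *b)
{
    memset(b, 0, sizeof *b);
    b->nick = "kbot";
    b->send = capture_send;
    return b;
}

int main(void)
{
    irc_bot b;
    make_test_bot(&b);
    irc_handle_line(&b, "PING :irc.example.net");           /* constructed server line */
    irc_handle_line(&b, ":irc.example.net 001 kbot :Welcome");
    printf("sent: %sregistered=%d\n", b.out, b.registered);
    return 0;
}
```

The point of the split is that everything above the transport hook compiles and runs as an ordinary user-mode program, so the parser's bounds handling and the PING/PONG logic can be exercised against constructed lines before any of it is loaded as a driver; only the send() implementation changes between the two builds.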
