Wednesday, November 16, 2005

Thoughts on the Sony rootkit

If you purchased a Sony/BMG music CD in the past 8 months and played it on a Windows computer, your computer may be infected with malware. It turns out that the CDs were installing copy protection software[1] on users' computers. The software would prevent the music on the CDs from being copied by adding noise to attempts to copy them. It would also interfere with other uses of the CD drive. The software would integrate itself into the system and remain on users' computers after the CD was removed. From then on, it would hide its existence. This type of software is known as a rootkit, with origins in the Unix world, where the administrator is known as “root”. Attempts to uninstall the software (once found) could result in the CD drive becoming inoperable. To determine if your computer might be infected, you can read the article from the Electronic Frontier Foundation on the subject. If you are infected, do not use Sony's own removal tool. Firstly, it asks for personally identifiable information (which they really need in order to fix the computer that they broke), including the right to spam you. Secondly, it introduces another security vulnerability that can leave your computer vulnerable to attack from the Internet.

Here are a few things we learn from this incident:

The Windows autorun feature is a security threat. Back in the days of DOS, one of the primary vectors for computer virus infection was the boot sector virus. They kept themselves on the boot sectors of hard disks and floppy disks. Whenever an infected computer was booted with the disk in the drive, the virus would activate and put itself into memory. It would then write itself to the boot sectors of every other disk that was put into the machine. It should come as a surprise that CD-autorun viruses haven't been all that common. The primary reason is that CDs are once-writable media (so, they're not good vectors for infection), and most CDs are burned “at the factory.” But, now that every new computer comes with a CD or DVD writer, why shouldn't malware writers start taking advantage of it?[2]
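One way to check and turn off the autorun behaviour discussed above, as an added example that is not part of the original post: it assumes a Windows machine with PowerShell and local administrator rights. NoDriveTypeAutoRun is the real Explorer policy value (a bitmask of drive types excluded from autorun); the function names are my own.

```powershell
# Added example, not code from the original post.
# Inspects and hardens the Windows autorun policy that lets a CD's
# autorun.inf launch an installer on insertion.
# NoDriveTypeAutoRun is a bitmask of drive types to exclude from autorun;
# 0xFF excludes every drive type. The HKLM policy key overrides per-user settings.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'
$AllDrivesDisabled = 0xFF
$CdRomBit = 0x20   # DRIVE_CDROM in the NoDriveTypeAutoRun mask

function Get-AutorunPolicy {
    # Returns the current mask, or $null when no policy is set (autorun enabled).
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-AutorunDisabled {
    # True only when every drive type, CD-ROM included, is excluded from autorun.
    $mask = Get-AutorunPolicy
    return ($null -ne $mask) -and (($mask -band $AllDrivesDisabled) -eq $AllDrivesDisabled)
}

function Disable-Autorun {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $AllDrivesDisabled -Type DWord
}

$current = Get-AutorunPolicy
if (Test-AutorunDisabled) {
    Write-Host "Autorun is already disabled for all drive types."
} elseif ($null -ne $current -and ($current -band $CdRomBit)) {
    Write-Host ("Autorun is off for CD-ROMs (mask 0x{0:X2}) but not for all drives; hardening." -f $current)
    Disable-Autorun
} else {
    Write-Host "Autorun is enabled for CD-ROMs; disabling for all drive types."
    Disable-Autorun
}
```

The new mask is read by Explorer at logon, so log off or restart Explorer before re-testing. Older Windows XP builds did not reliably honor this value until a later Microsoft update, so verify the result with a known-harmless autorun.inf disc on the specific build.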

But, now, it should be apparent that even corporations with well-known names can't be trusted. They have their own agendas, and protecting their own intellectual property is more important to them than your privacy or security. Computer security (read: data, identity, and personal information) is entirely in your own hands. Incidentally, this kind of thing is not a new practice. Some of the 4.0 versions of AOL Instant Messenger had borderline spyware (and still have annoying adware) bundled with them. When I first signed up for Comcast High Speed Internet service, it came with a CD that (1) registered your MAC address on the Comcast network [that's the necessary step], and (2) installed software called “BroadJump Client Foundation”, which was certainly not required to use the service. There is still debate on the Internet as to whether it's spyware.

Many Windows users rely on antivirus software to keep them safe from this type of malware. The Sony rootkit shows that antivirus software is not as good as it claims to be. Symantec makes the claim that Norton Antivirus contains “Bloodhound technology” that “detects new and unknown viruses by analyzing an executable file’s structure, behavior, and other attributes such as programming logic, computer instructions, and any data that is contained in the file.” Similar claims are made by other antivirus providers. And, yet, it took eight months for a live computer professional (Mark Russinovich) and the antivirus company F-Secure to find and characterize the Sony rootkit.

A more malicious possibility was strongly suggested (but unproven) on Groklaw:

The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk, and that its team worked closely with big antivirus companies such as Symantec to ensure that was the case. The cloaking function was aimed at making it difficult, though not impossible, to hack the content protection in ways that have been simple in similar products, the company said.


If this is true, then the big antivirus companies may have been complicit in allowing the infection of their customers' computers. It makes me wonder if there is any code in the rootkit or in the versions of the antivirus software from before the backlash that specifically makes the rootkit invisible to antivirus software.

By the way, other Sony-BMG CDs that don't have the XCP rootkit have other DRM spyware known as SunnComm MediaMax. MediaMax does tell you it's going to be installed (it presents you with a EULA), but it installs itself before the EULA is accepted! It includes an incomplete uninstaller that leaves its DRM driver intact and active. And, this one runs on Macs too (but, because Macs don't have the autorun feature, you have to be trusting enough to install it yourself in order for it to infect you).


[1] aka DRM, alternately known as “Digital Rights Management” or “Digital Restrictions Management”, depending on whether the idea appeals to the speaker.
[2] Another factor is that the Internet happens to be a much more effective vector for malware transmission.
