Sony rootkit special edition
We’ve grown accustomed to thinking that viruses and malware are, without exception, created by social misfits with too much time on their hands and not enough scruples.
Nobody imagined that a large corporation like Sony would go rogue and release malware onto its unsuspecting customers. Worse yet, Sony used a new vector that had not been exploited before, namely its music CDs, to covertly plant a digital rights management application on customers’ computers. The application was written as a “rootkit”, a program that hides itself from Windows using methods more commonly employed by malware writers, such as patching the operating system kernel. It does this so that it can intercept I/O from optical drives.
The rootkit copies itself to Windows computers without warning when customers install the media player that is bundled with many Sony BMG music CDs and which starts up automatically on insertion of the disc into the drive. Sony says that the purpose of the DRM application, called XCP (Extended Copy Protection) and written by First4Internet in the UK, is to limit the number of copies that can be made of each disc to three.
However, it also appears that the DRM application “phones home” over the internet to Sony’s servers each time a disc is played. Although the XCP rootkit returns an identifying number for the disc playing in the drive, there’s no evidence that Sony is using the information to track user behaviour. It can be seen as a privacy intrusion though, and as with the XCP rootkit itself, Sony never mentions the “phoning home” in its end-user licence.
Sony attempted to limit some of the damage by issuing a patch on its website that would update the XCP rootkit files and “de-cloak” it. It didn’t remove the rootkit, however, and the patch has been criticised by experts as being poorly written and potentially a bigger security risk than the original cloaked program.
Later on, Sony issued a rootkit uninstaller, but you have to fill in an application form to receive it. Why people who never asked to have their computers infected in the first place should have to apply for a remedy like this isn’t immediately obvious.
Meanwhile, virus and malware writers have already discovered that Sony’s rootkit is easy to abuse for hiding their creations. As a result, antivirus vendors are adding detection for the Sony rootkit.
Over the past two weeks, the PR fall-out for Sony has been enormous and it faces civil action in Italy, California and New York but the big question is: will Sony and First4Internet be prosecuted for computer crimes by a state government? Can corporations as well as individuals be held responsible for actions such as these which appear to be in breach of computer crimes legislation in many countries?
Experts around the world say that we can expect more of the same when it comes to DRM abuse; one interesting point raised is what will happen when two or more obtrusive DRM systems like the Sony rootkit collide? This could easily lead to damaged computer systems on a large scale.
In the wake of the tsunami of bad press against Sony, Microsoft decided to add detection and removal for the DRM rootkit to its Windows AntiSpyware Beta, a utility it bought from Giant last year. However, it isn’t clear that the AntiSpyware Beta removes all of the rootkit, such as the filter driver, because doing so could compromise operating system stability.
Interestingly enough, Microsoft’s senior VP of its server division, Muglia, was recently talking up the new 64-bit editions of Windows Server, stating that nothing could patch the kernel in those. Muglia reckons that this will eliminate the attack vector for the worst kind of viruses that exist, namely rootkits. The “unpatchable” kernel is nothing new, however: it comes from Windows XP 64-bit Edition, which according to MS techies that I’ve spoken to cannot be rootkitted the same way as the 32-bit OS can. Unfortunately, it doesn’t look like there’s a way to back-port this kernel “unpatchability” to 32-bit Windows.
“The hiding techniques used by the DRM software can be abused by less technical malware authors to hide their backdoors and other tools. If a malware names its files beginning with the prefix "$sys$", the files will also be hidden by the DRM software. Thus it is very inappropriate for commercial software to use these techniques.”
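The prefix-based hiding described in the quote above suggests a simple defender-side check. The following is an added example, not code from the original post or from any vendor: it flags names carrying the hidden prefix in a raw listing, and runs a canary test that creates a file whose name starts with "$sys$" and asks the normal directory-listing API whether it can still see it (the constructed sample names are assumptions for illustration).

```python
import os
import tempfile

# The filename prefix that the XCP cloak hides from directory listings (from the F-Secure note).
CLOAK_PREFIX = "$sys$"


def names_with_cloak_prefix(names):
    """Return entries of a raw directory listing that an XCP-style cloak would hide.

    Useful when the listing was taken from a view the cloak cannot filter
    (for example a boot CD or a raw volume scan) and is compared with the
    live view of the same directory.
    """
    return [n for n in names if n.startswith(CLOAK_PREFIX)]


def cloak_active(directory=None):
    """Canary check for an active prefix-hiding cloak.

    Creates a temporary file whose name begins with "$sys$" and checks whether
    os.listdir() still reports it. On a clean system the file is visible and
    the function returns False; a cloak that filters "$sys$" names out of
    directory enumeration would make it disappear, returning True.
    """
    directory = directory or tempfile.gettempdir()
    fd, path = tempfile.mkstemp(prefix=CLOAK_PREFIX + "canary_", dir=directory)
    os.close(fd)
    try:
        visible = os.path.basename(path) in os.listdir(directory)
    finally:
        os.remove(path)  # the file can still be opened by name, only enumeration is hidden
    return not visible


if __name__ == "__main__":
    # Constructed sample listing (names are illustrative, not real XCP artefacts).
    sample = ["$sys$example.dll", "notepad.exe", "$sys$driver.sys", "readme.txt"]
    print("hidden-prefix names:", names_with_cloak_prefix(sample))
    print("cloak active on this system:", cloak_active())
```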
Security researcher Dan Kaminsky estimates that at least 568,200 DNS servers around the world have had queries from Sony’s rootkit “phoning home”, indicating that a vast number of computers are infected, possibly many millions. Some of these are government and military computers.
National Business Review gets the techie details badly wrong (it’s not the name servers that are infected...), but good on them for pursuing the local angle nevertheless:
Sony tries to undo the damage by recalling 4.7 million (!) infected CDs – surely a world first?
“It [Sony’s rootkit uninstaller] allows any Web page you visit to download, install, and run any code it likes on your computer. Any Web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get.”
Windows low-level guru Mark Russinovich of Sysinternals, who exposed the rootkit on his blog, has kept up the pressure on Sony with terrier-like tenacity:
Sony now humbly apologises and promises a way to remove the rootkit, except it doesn’t own up to planting it:
First4Internet however still crows over its intrusive DRM software and conveniently omits all the bad press it has received lately: