Security experts say Sony BMG Music Entertainment Inc. is playing with fire by using a rootkit-based digital rights management (DRM) system to prevent CD copying.
Rootkits, tools or programs used to mask software
"This service pack removes the cloaking technology component that has been recently discussed in a number of articles...," Sony said on its Web site. "This component is not malicious and does not compromise security. However, to alleviate any concerns that users may have… this update has been released to enable users to remove this component from their computers."
But some already claim the patch offers more than users may bargain for. One blogger notes that the 3.5 MB update almost certainly adds components to the DRM system, which Sony doesn't disclose. Plus, Mark Russinovich, the researcher who discovered the rootkit, said in his blog that the patch may crash users' computers.
Regardless, experts worry that if more companies use the technology the way Sony has, hackers could hijack such rootkits and cause all kinds of trouble.
"This creates opportunities for virus writers," said Mikko Hypponen, director of AV research for Finnish firm F-Secure Corp. "These rootkits can be exploited by any malware, and when it's used this way, it's harder for firms like ours to distinguish the malicious from the legitimate."
Kaspersky Lab of Russia voiced similar concern on its Web site. "Using rootkit technology is an extremely dubious technique, and the poor coding of this particular example also raised our eyebrows," the firm said. "Not only will this software slow down your computer, it can also lead to system instability. We'd hate to see the use of rootkits becoming a habit among mainstream software manufacturers, when there are so many security and ethical arguments against such use."
While Sony is the focus of controversy right now, he said other companies may be making similar use of rootkits unbeknownst to the public, further muddying the waters for AV firms trying to tell the good from the bad.
This is especially troubling because attackers are increasingly using worms, Trojan horses and other malcode to install rootkits on infected machines, he said. The latest example is a worm that spreads through AOL Instant Messenger (AIM) and leaves rootkits in its wake.
W32.Sdbot-ADD downloads a "lockx.exe" rootkit that connects to an IRC server and waits for remote commands from an attacker, according to Chris Boyd, security research manager with Foster City, Calif.-based FaceTime Security Labs, a division of FaceTime Communications Inc. The worm could also change the viewer's search page to http://www.eza1netsearch.com/sp2.php and download applications from the likes of 180Solutions Inc., its subsidiary Zango, MaxSearch, Media Gateway and SearchMiracle. Security firms often classify such applications as spyware or adware.
"If I were an attacker and I was already planning to drop my own rootkit, I probably wouldn't use another existing one," Boyd said. But he agreed with Hypponen that rootkits like the one Sony uses could be altered by attackers for a variety of exploits. "There's always the possibility of them injecting something into an application and hijacking it for their own purposes," he said.
If a company finds it necessary to use rootkits, Hypponen said, it should make their intentions clearer to the user, through simply-worded user-license agreements or through other means.