Sony rootkit could lead to dangerous exploits

By Bill Brenner, News Writer
07 Nov 2005 | SearchSecurity.com

Security Wire Daily News

Security experts say Sony BMG Music Entertainment Inc. is playing with fire by using a rootkit-based digital rights management (DRM) system to prevent CD copying.

Rootkits, tools or programs that hide software or the traces of a network intrusion from the system's owner, are typically used only by malicious hackers. Sony and First 4 Internet Ltd., its British technology partner, have responded to the criticism with an update that claims to remove the technology from users' PCs, but some fear Sony's move may trigger a variety of dangerous exploits.

"This service pack removes the cloaking technology component that has been recently discussed in a number of articles...," Sony said on its Web site. "This component is not malicious and does not compromise security. However, to alleviate any concerns that users may have… this update has been released to enable users to remove this component from their computers."

But some already claim the patch offers more than users may bargain for. One blogger notes that the 3.5 MB update almost certainly adds components to the DRM system that Sony doesn't disclose. Plus, Mark Russinovich, the researcher who discovered the rootkit, said in his blog that the patch may crash users' computers.

Regardless, experts worry that if more companies use the technology the way Sony has, hackers could hijack such rootkits and cause all kinds of trouble.

"This creates opportunities for virus writers," said Mikko Hypponen, director of AV research for Finnish firm F-Secure Corp. "These rootkits can be exploited by any malware, and when it's used this way, it's harder for firms like ours to distinguish the malicious from the legitimate."

Kaspersky Lab of Russia voiced similar concern on its Web site. "Using rootkit technology is an extremely dubious technique, and the poor coding of this particular example also raised our eyebrows," the firm said. "Not only will this software slow down your computer, it can also lead to system instability. We'd hate to see the use of rootkits becoming a habit among mainstream software manufacturers, when there are so many security and ethical arguments against such use."


Hypponen said the Sony rootkit was reported to F-Secure by someone who thought it was a virus. "We thought so too until we dug further," he said. "With these rootkits embedded in computers, it could become tougher to clean infected machines in the future."

While Sony is the focus of controversy right now, he said other companies may be making similar use of rootkits unbeknownst to the public, further muddying the waters for AV firms trying to tell the good from the bad.

This is especially troubling because attackers are increasingly using worms, Trojan horses and other malcode to install rootkits on infected machines, he said. The latest example is a worm that spreads through AOL Instant Messenger (AIM) and leaves rootkits in its wake.

W32.Sdbot-ADD downloads a "lockx.exe" rootkit that connects to an IRC server and waits for remote commands from an attacker, according to Chris Boyd, security research manager with Foster City, Calif.-based FaceTime Security Labs, a division of FaceTime Communications Inc. The worm could also change the user's browser search page to http://www.eza1netsearch.com/sp2.php and download applications from the likes of 180Solutions Inc., its subsidiary Zango, MaxSearch, Media Gateway and SearchMiracle. Security firms often classify such applications as spyware or adware.

"If I were an attacker and I was already planning to drop my own rootkit, I probably wouldn't use another existing one," Boyd said. But he agreed with Hypponen that rootkits like the one Sony uses could be altered by attackers for a variety of exploits. "There's always the possibility of them injecting something into an application and hijacking it for their own purposes," he said.

If a company finds it necessary to use rootkits, Hypponen said, it should make its intentions clearer to the user, through simply worded user-license agreements or through other means.
