Sony rootkit could lead to dangerous exploits

By Bill Brenner, News Writer
07 Nov 2005 | SearchSecurity.com


Security experts say Sony BMG Music Entertainment Inc. is playing with fire by using a rootkit-based digital rights management (DRM) system to prevent CD copying.

Rootkits, tools or programs that hide software or a network intrusion from the system's user and its security tools, are typically used only by malicious hackers. Sony and First 4 Internet Ltd., its British technology partner, have responded to the criticism with an update that they say removes the technology from users' PCs, but some fear Sony's move may trigger a variety of dangerous exploits.

"This service pack removes the cloaking technology component that has been recently discussed in a number of articles...," Sony said on its Web site. "This component is not malicious and does not compromise security. However, to alleviate any concerns that users may have… this update has been released to enable users to remove this component from their computers."

But some already claim the patch offers more than users may bargain for. One blogger notes that the 3.5 MB update almost certainly adds components to the DRM system, which Sony doesn't disclose. Plus, Mark Russinovich, the researcher who discovered the rootkit, said in his blog that the patch may crash users' computers.

Regardless, experts worry that if more companies use the technology the way Sony has, hackers could hijack such rootkits and cause all kinds of trouble.

"This creates opportunities for virus writers," said Mikko Hypponen, director of AV research for Finnish firm F-Secure Corp. "These rootkits can be exploited by any malware, and when it's used this way, it's harder for firms like ours to distinguish the malicious from the legitimate."

Kaspersky Lab of Russia voiced similar concern on its Web site. "Using rootkit technology is an extremely dubious technique, and the poor coding of this particular example also raised our eyebrows," the firm said. "Not only will this software slow down your computer, it can also lead to system instability. We'd hate to see the use of rootkits becoming a habit among mainstream software manufacturers, when there are so many security and ethical arguments against such use."


Hypponen said the Sony rootkit was reported to F-Secure by someone who thought it was a virus. "We thought so too until we dug further," he said. "With these rootkits embedded in computers, it could become tougher to clean infected machines in the future."

While Sony is the focus of controversy right now, he said other companies may be making similar use of rootkits unbeknownst to the public, further muddying the waters for AV firms trying to tell the good from the bad.

This is especially troubling because attackers are increasingly using worms, Trojan horses and other malcode to install rootkits on infected machines, he said. The latest example is a worm that spreads through AOL Instant Messenger (AIM) and leaves rootkits in its wake.

W32.Sdbot-ADD downloads a "lockx.exe" rootkit that connects to an IRC server and waits for remote commands from an attacker, according to Chris Boyd, security research manager with Foster City, Calif.-based FaceTime Security Labs, a division of FaceTime Communications Inc. The worm can also change the victim's browser search page to http://www.eza1netsearch.com/sp2.php and download applications from the likes of 180Solutions Inc., its subsidiary Zango, MaxSearch, Media Gateway and SearchMiracle. Security firms often classify such applications as spyware or adware.
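The two network behaviours Boyd describes, an outbound IRC connection that waits for remote commands and browser traffic to the search page the worm sets, are the kind of signals a network defender can look for in firewall and proxy logs. The following is an added illustration written for this article, not code from FaceTime, F-Secure or any other party named here. The log format, the host names, the IRC port list and the sample log lines are all constructed assumptions; the only indicator taken from the article is the search-page URL.

```python
"""Hypothetical detector for the worm behaviour described above: flag a
workstation that both opens an outbound IRC connection (command channel)
and requests the search page the worm installs. Sample log is constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicator from the article: host of the search page the worm sets.
KNOWN_SEARCH_PAGE_HOSTS = {"www.eza1netsearch.com"}

# IRC ports commonly used as command channels (assumption, not from the article).
IRC_PORTS = {6667, 6668, 6669, 7000}

# Constructed sample: firewall/proxy records as "kind,src_host,dest,port,detail".
# The format itself is an assumption made for this example.
SAMPLE_LOG = """\
net,ws-017,10.0.0.5,445,smb
net,ws-017,203.0.113.9,6667,tcp
http,ws-017,http://www.eza1netsearch.com/sp2.php,80,GET
http,ws-042,http://intranet.example/home,80,GET
net,ws-042,203.0.113.9,443,tcp
http,ws-017,http://updates.example/patch.msi,80,GET
"""


@dataclass(frozen=True)
class Finding:
    host: str      # workstation the record came from
    rule: str      # which indicator matched
    evidence: str  # destination or URL that triggered the rule


def parse_line(line):
    """Split one log record; return None for malformed lines instead of raising."""
    parts = line.strip().split(",", 4)
    if len(parts) != 5:
        return None
    kind, src, dest, port, detail = parts
    try:
        port = int(port)
    except ValueError:
        return None
    return kind, src, dest, port, detail


def detect(log_text):
    """Return one Finding per record matching either indicator."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind, src, dest, port, _detail = rec
        if kind == "net" and port in IRC_PORTS:
            findings.append(Finding(src, "irc-beacon", f"{dest}:{port}"))
        elif kind == "http":
            host = urlsplit(dest).hostname
            if host in KNOWN_SEARCH_PAGE_HOSTS:
                findings.append(Finding(src, "search-page-hijack", dest))
    return findings


def hosts_with_both(findings):
    """Hosts showing both indicators: a much stronger signal than either alone,
    since a single IRC connection may be a legitimate chat client."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    wanted = {"irc-beacon", "search-page-hijack"}
    return sorted(h for h, rules in by_host.items() if wanted <= rules)


if __name__ == "__main__":
    fs = detect(SAMPLE_LOG)
    for f in fs:
        print(f"{f.host}: {f.rule} ({f.evidence})")
    print("hosts with both indicators:", hosts_with_both(fs))
```

Correlating the two indicators per host is the point: a lone IRC connection is noisy on a 2005 network, but the same workstation also pulling the hijacked search page is worth pulling for a rootkit check with an offline scanner.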

"If I were an attacker and I was already planning to drop my own rootkit, I probably wouldn't use another existing one," Boyd said. But he agreed with Hypponen that rootkits like the one Sony uses could be altered by attackers for a variety of exploits. "There's always the possibility of them injecting something into an application and hijacking it for their own purposes," he said.

If a company finds it necessary to use rootkits, Hypponen said, it should make its intentions clearer to the user, through simply worded user-license agreements or through other means.
