
Sony rootkit could lead to dangerous exploits

Some claim a fix for Sony BMG's controversial DRM rootkit doesn't do what it should, while others fear a potential wave of well-intentioned rootkits could lead to other kinds of dangerous exploits.

Security experts say Sony BMG Music Entertainment Inc. is playing with fire by using a rootkit-based digital rights management (DRM) system to prevent CD copying.

Rootkits, tools or programs used to mask software or network intrusions, are typically used only by malicious hackers. Sony and First 4 Internet Ltd., its British technology partner, have responded to the criticism with an update that claims to remove the technology from users' PCs, but some fear Sony's move may trigger a variety of dangerous exploits.

"This service pack removes the cloaking technology component that has been recently discussed in a number of articles...," Sony said on its Web site. "This component is not malicious and does not compromise security. However, to alleviate any concerns that users may have… this update has been released to enable users to remove this component from their computers."

But some already claim the patch offers more than users may bargain for. One blogger notes that the 3.5 MB update almost certainly adds components to the DRM system, which Sony doesn't disclose. Plus, Mark Russinovich, the researcher who discovered the rootkit, said in his blog that the patch may crash users' computers.

Regardless, experts worry that if more companies use the technology the way Sony has, hackers could hijack such rootkits and cause all kinds of trouble.

"This creates opportunities for virus writers," said Mikko Hypponen, director of AV research for Finnish firm F-Secure Corp. "These rootkits can be exploited by any malware, and when it's used this way, it's harder for firms like ours to distinguish the malicious from the legitimate."

Kaspersky Lab of Russia voiced similar concern on its Web site. "Using rootkit technology is an extremely dubious technique, and the poor coding of this particular example also raised our eyebrows," the firm said. "Not only will this software slow down your computer, it can also lead to system instability. We'd hate to see the use of rootkits becoming a habit among mainstream software manufacturers, when there are so many security and ethical arguments against such use."


Hypponen said the Sony rootkit was reported to F-Secure by someone who thought it was a virus. "We thought so too until we dug further," he said. "With these rootkits embedded in computers, it could become tougher to clean infected machines in the future."

While Sony is the focus of controversy right now, he said other companies may be making similar use of rootkits unbeknownst to the public, further muddying the waters for AV firms trying to tell the good from the bad.

This is especially troubling because attackers are increasingly using worms, Trojan horses and other malcode to install rootkits on infected machines, he said. The latest example is a worm that spreads through AOL Instant Messenger (AIM) and leaves rootkits in its wake.

W32.Sdbot-ADD downloads a "lockx.exe" rootkit that connects to an IRC server and waits for remote commands from an attacker, according to Chris Boyd, security research manager with Foster City, Calif.-based FaceTime Security Labs, a division of FaceTime Communications Inc. The worm could also change the viewer's search page to and download applications from the likes of 180Solutions Inc., its subsidiary Zango, MaxSearch, Media Gateway and SearchMiracle. Security firms often classify such applications as spyware or adware.

"If I were an attacker and I was already planning to drop my own rootkit, I probably wouldn't use another existing one," Boyd said. But he agreed with Hypponen that rootkits like the one Sony uses could be altered by attackers for a variety of exploits. "There's always the possibility of them injecting something into an application and hijacking it for their own purposes," he said.

If a company finds it necessary to use rootkits, Hypponen said, it should make its intentions clearer to the user, through simply worded user-license agreements or through other means.
