Rootkits Arent Necessarily Malicious

By Paul F. Roberts  |  Posted 2005-11-01 Print this article Print

Rootkit technology is well established and not, in itself, malicious, said Mathew Gilliat-Smith, CEO of First 4 Internet. "Rootkit detection programs have made rootkits more high-profile in the media, but this technology has been around for a long time and is used widely by anti-virus and other information security companies," he said.
That said, First 4s technology isnt a rootkit, but part of a copy protection system designed to balance security and ease of use for the CD buyer, he said.
Sony BMG began using a version of First 4 technology called XCP in March 2005, he said. However, the Sony rootkit files developed by First 4 Internet are unsophisticated and could introduce other problems on systems that install the Sony DRM technology, Russinovich said. For example, the rootkit features are designed to hide any file on a Windows system with a file name that begins with the characters $sys$, not just the files used by the Sony sterile burn technology. That feature could be used by malicious hackers to hide their own attack programs on computers that have installed the Sony DRM technology, simply by following the $sys$ naming convention, he said. The rootkit files also interact with Windows at a very low level, and fail to account for certain conditions that could cause the files to overwrite areas of memory, crashing applications that use that memory, or even crashing Windows altogether, Russinovich said. Finally, removing the Sony DRM software is extremely difficult. Because it is hidden from Windows, there is no entry for it in the Windows Control Panel and no easy way to determine where or how it is installed on Windows. Users like Russinovich who are sophisticated enough to find the files and try to delete them will find that Windows can no longer detect the CD drive attached to their systems, Russinovich found, and it requires other subtle manipulations of Windows to restore. "The average user would not be able to remove [the Sony DRM] without losing … the CD. Even a sophisticated user would have trouble," he said. First 4 has developed a new version of the stealth features that respond to many of the questions Russinovich raised in his analysis, including the $sys$ and the stability issues. Those features will be available in new Sony BMG CDs, Gilliat-Smith said. It is not clear whether users with the existing DRM technology will be able to upgrade to the new features. However, Sony BMG offers a removal program for the copy protection software, which can be downloaded from the companys Web site, according to a spokesperson. Rootkit features are becoming more common in malicious software. Just last week, researchers warned of a rootkit that was being distributed by an IM worm on America Online Inc.s Instant Messenger network. Click here to read more about the worm attack on AOLs Instant Messenger. However, this is the first known use of rootkit functionality with DRM, Russinovich said, adding that it was unexpected. However, media companies have good reason to leverage rootkit techniques, as they try to put up barriers to the illegal copying of copyrighted material and make it harder for users to disable DRM technology on their computers, he said. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel