Mr. & Mrs. Smith DVD Ships with Rootkit-like DRM

The German DVD release of the popular movie contains a copy protection scheme that uses cloaking techniques similar to those used by rootkits.

Sony BMG is not the only company to dabble in using copy-protection technology that resembles rootkits.

According to anti-virus vendor F-Secure, based in Helsinki, Finland, the German DVD release of "Mr. & Mrs. Smith"—a recent movie starring Brad Pitt and Angelina Jolie—contains a DRM (digital rights management) protection scheme that uses rootkit-like cloaking technology.

Rootkits are typically used to maintain a persistent and undetectable presence on a computer.

Because malicious hackers can piggyback on the technology to hide offensive files, the use of such cloaking technology is seen as a serious security risk.

In a blog post, F-Secure vice president Antti Vihavainen said the DVD ships in Germany with Settec Alpha-DISC copy protection.

"The system will hide its own process, but does not appear to hide any files or registry entries. This makes the feature a bit less dangerous, as anti-virus products will still be able to scan all files on the disk," Vihavainen said.

However, Vihavainen said it's not uncommon for real malware to only hide processes.

The discovery of the cloaking mechanism is credited to Heise Online, a German news outfit.

Although Settec provides an uninstaller for its DRM mechanism, Vihavainen said commercial software vendors should "always avoid hiding anything" from the user, and especially from the administrator responsible for managing the machine.

"It rarely serves the needs of the user, and in many cases, it's very easy to create a security vulnerability this way," he warned.

The use of stealthy rootkit-type techniques by commercial software makers triggered widespread condemnation recently when Sony BMG admitted to using the technology to cloak its DRM scheme.

After hackers used the Sony DRM rootkit as a hiding place for Trojans, the music company suspended the use of the technology and recalled CDs with the offending copy protection mechanism.

Earlier this year, security vendor Symantec also admitted to using a rootkit-type feature in its Norton SystemWorks software that presented a perfect hiding place for attackers to place malicious files on computers. Symantec acknowledged that it was hiding a directory from Windows APIs as a feature intended to stop customers from accidentally deleting files, but, prompted by warnings from security experts, the company shipped a SystemWorks update to eliminate the risk.
