But while those PC owners may now recognize the term, that doesn't necessarily mean they know what kind of threat it describes. And in the Sony case, not even the experts can agree on whether the record label's antipiracy technology meets the technical definition of a rootkit.
"I would say it is more a stealth technology than a rootkit," said Vincent Weafer, the senior director at Symantec Security Response. "A rootkit is used by people trying to maintain remote access to a system. Sony is an example of a much more limited technology. It was only designed to hide itself."
That argument over semantics is important to security providers, which have to define threats before they defend against them. But in general it matters little, since all the experts agree that the technology ultimately acts as a rootkit would, making it every bit as dangerous as if it were installed by hackers.
Sony's copy-protection software, created by U.K.-based First 4 Internet, is installed on a computer's hard drive when certain Sony BMG Music Entertainment CDs are played on a Windows PC and after the listener accepts a license agreement.
The software uses the programming tool at the center of the controversy, which buries itself deep in the internals of a Microsoft Windows PC. It blocks all but the most technically savvy users from being able to detect its presence. It is also invisible to most security products, which typically don't look that deep into a computer's workings.
"Rootkits can hide on the machine because they operate at a very low level in the operating system," said Joe Telafici, the director of operations at McAfee's Avert labs.
Behind the code
The term "rootkit" originates from the Unix world. It refers to a set of tools that would hide any trace of an intruder yet maintain full, or "root," access on a system running the operating system.
"A rootkit retains access to the system that has been previously compromised, and it hides itself from someone who is authorized to use the computer," said Jon Orbeton, a senior security analyst at security software maker Zone Labs.
Critics say that Sony's software left PCs vulnerable to attack because it provided a hiding place for other applications. Trojan horses that try to commandeer a system and take advantage of the cloak provided by the CD software have already appeared on the Internet. In addition, Sony initially didn't provide an uninstall tool (which exacerbated the situation).
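The two behaviours the experts describe, a rootkit hiding its own files from the operating system's file-listing API and, as a side effect, providing the same cloak to any other program that names its files the same way, are what "cross-view" rootkit detectors look for: compare what the (possibly hooked) high-level API reports against what the raw on-disk directory structures actually contain, and treat anything present in the raw view but absent from the API view as hidden. The following Python is an added example, not code from the article, from Sony, First 4 Internet or any vendor named here. It simulates the whole thing in memory: RAW_DIRECTORY stands in for the on-disk directory, hooked_listdir() stands in for an API patched by a rootkit, and the "$hid$" name prefix and every path are constructed for the example.

```python
"""Cross-view detection of files hidden by a rootkit (simulated, offline).

Added example; the rootkit hook, the hidden-name prefix and all paths are
constructed and do not come from the article or from any real product.
"""
from __future__ import annotations

HIDDEN_PREFIX = "$hid$"  # constructed marker; a real rootkit picks its own

# Constructed stand-in for what the raw directory structures really contain.
# Two entries belong to the cloaking software itself; the third is an
# unrelated program that simply adopted the prefix to borrow the cloak.
RAW_DIRECTORY = {
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\drivers\$hid$cloak.sys",
    r"C:\Program Files\$hid$player\config.dat",
    r"C:\Users\alice\AppData\$hid$dropper.exe",
    r"C:\Users\alice\Music\track01.wav",
}


def raw_listing(raw_fs: set[str]) -> set[str]:
    """Low-level view: entries read straight from the 'disk' structures."""
    return set(raw_fs)


def hooked_listdir(raw_fs: set[str]) -> set[str]:
    """High-level view: simulates a file-listing API that a rootkit has hooked.

    The hook drops every entry whose file or directory name starts with
    HIDDEN_PREFIX, which is why any program using that prefix is hidden too.
    """
    visible: set[str] = set()
    for path in raw_fs:
        components = path.split("\\")
        if any(name.startswith(HIDDEN_PREFIX) for name in components):
            continue  # filtered out before the caller ever sees it
        visible.add(path)
    return visible


def cross_view_diff(raw_fs: set[str]) -> set[str]:
    """Paths present in the raw view but missing from the API view."""
    return raw_listing(raw_fs) - hooked_listdir(raw_fs)


def report(raw_fs: set[str]) -> list[str]:
    """Human-readable summary, one line per hidden object."""
    hidden = sorted(cross_view_diff(raw_fs))
    return [f"{len(hidden)} hidden object(s) detected"] + [
        f"  HIDDEN: {path}" for path in hidden
    ]


if __name__ == "__main__":
    print("\n".join(report(RAW_DIRECTORY)))
```

A real detector replaces raw_listing() with a reader that parses the file system's on-disk structures directly, bypassing the API the rootkit controls; the comparison logic stays the same. Note that the third hidden path in the constructed sample is not part of the cloaking software at all, which is exactly the "hiding place for other applications" the critics describe.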
All this adds up to a rootkit, experts such as Dan Kaminsky say. Kaminsky is the security researcher who has estimated that the Sony software is installed on at least 500,000 PCs.
"I had the same reaction that a number of security people had: Is Sony getting remote root on machines?" Kaminsky said. "Are they getting the capability to run code on a machine? That's what fundamentally makes it a rootkit: evasion of user knowledge."
Rootkits are available for sale online and some hackers even offer to create custom rootkits for payment, experts said. Often the software is used to hide a backdoor on a computer that lets hackers enter surreptitiously. Typically, it arrives in a Trojan horse or via malicious Web download. Some adware makers also use rootkits to cover up their software.
I'll bet in this rootkit's heyday Symantec's NIS was instructed to ignore Sony's rootkit when it connected to the net to send info on the music you listened to.
That's why I use an older version of IN_CDDA.cdb in Winamp, which allows me to use the CDDB of my choice, as AOL has sold its soul to Gracenote.
It's the main reason I never update NIS as these corporate *****$ have sold themselves to every other paying corporation. Darn near every update was to allow ads and scripts from other corporate scum access to run code on my computer.
In this case (let's assume a less than fully privileged user in all accounts) places a cd into a cd-rom disc drive and as a result executes a binary file that is read there in with elevated privileges as those of an authority which can make changes to filesystems level format or otherwise. I don't mean to split hairs with you on this but the fact that an unprivileged user was able to act as a privileged one (or few, whatever the case may be) is symptomatic of something known in the industry as a "superrootkit" having been present prior to the insertion of the compact diskette, so please let's not put the cart before the horse if you will.
If I may play the devil's advocate, and rise to the Sony Music Corporation's defence, the action of storing or writing to the system's physical storage information which pertains to content used by an application internally is so common that if it were done in a prominent location in the storage tree it would be bothersome and worst case deleterious. Files pertaining to the relationship between user and content, be it software or other usage delimited materials, are often written to these files to in effect force the user to comply with what the software application's engineers stipulate is the governing agreement between user and provider. As a no trespassing sign prompts the decision to be made by the traveler to circumnavigate, a fence forces circumnavigation. It is not status quo for the software application to indicate it is recording such information or where it is doing so, nor does it do it in an expected location in the tree, and furthermore these files are not removed by the applications co-installed for removal of the installation. None of this can be associated with "rootkit" actions. The action involving writing files to the storage media, with the file formatting in question implemented on it, outside the effective tree is a function of the specification of this particular formatting, albeit an obscure one; the formatting and filesystem functions and operations need not and were not and will not be altered by the software. I cannot speak to the nature of the information recorded. I might note that such a recording, as on a nonvolatile storage device, lends itself to long term retention, the nature of which is not particularly conducive to a rogue application.