Rootkits and the Hidden Menace
Seldom do I write about current news items, but the recent firestorm about Sony BMG and the extended copy protection scheme they used is interesting on many fronts. While people are rightfully concerned about Sony's actions, we should be grateful for the incident. It highlights our need to monitor for rootkits and to carefully review end user license agreements (EULAs).
The story started when Mark Russinovich, Chief Software Architect and co-founder of Winternals Software, spotted some code that was tracked back to a Sony CD played on his PC. Although our readers may not recognize Mark's name, he's well regarded in the computer sciences world. He has written many useful diagnostic programs and articles. It was a program he and Bryce Cogswell wrote called RootKitRevealer that spotted the problem.
Rootkits had their origin in the UNIX world, where the most powerful account is called root. Someone who gained access to this account would install his or her kit of tools. Although rootkits still rely on administrator account privileges, the definition has expanded and taken on a more sinister tone. Today, a rootkit is defined as a technique that hides a process or application. On its own, a rootkit may not be dangerous. The main problem occurs when rootkits are bundled with code that has devious purposes.
On a Windows machine, if you open Task Manager and look at the running processes, you will see many entries. Some entries are descriptive enough that you can map them back to a program. For example, I know nod32krn.exe maps to my anti-virus program. Other entries are more cryptic, but you can use Google or sites like ProcessLibrary.com to find more information. The point is that you may not know what all these processes do, but there is a degree of disclosure.

In contrast, rootkits are designed to hide code so you won't see their entries in Windows Task Manager. The code embeds hooks in the operating system that allow it to take on a stealth quality. This stealth behavior is what makes rootkits attractive to virus and spyware writers. They know typical users can't easily spot or end the process.
What many people didn't expect was a company such as Sony using rootkit behavior to protect their CDs. This piece of cloaking technology was installed when a user played an enhanced copy-protected CD on their Windows machine. Their main intent was to restrict people from copying the CD's content. Although there was probably a deliberate attempt to hide the code, I doubt Sony knew the full ramifications of their actions. I suspect Sony either didn't define their problem correctly or didn't ask the right questions about the DRM solution. I don't see them taking this course of action if they knew of the apparent risks and pending community backlash.
As often happens when security matters of this kind are revealed, people have started taking advantage of the Sony BMG rootkit. Some people are deliberately playing these Sony BMG CDs to install the rootkit, because they know it can hide files for them. In this case, the Sony BMG rootkit hides any file whose name starts with a specific prefix. The hackers then rename any file they wish to hide so that it carries the same prefix. While this behavior seems to be used by people trying to beat a certain online game, the possibility exists for actions that are more devious.
Although this episode has turned into a public relations nightmare for Sony, it should remind us that we should be cautious of all software we install and thoroughly read the EULAs. If something looks questionable, then stop. This is particularly true when installing browser plug-ins. If you don't need to run as an administrator on your PC, then create another user account with limited privileges.
If you've played a Sony BMG CD on your computer that uses the extended copy protection (XCP), the company has an upgrade that removes the cloaking technology. This may be your best option for removing the software. If you try manually removing the offending driver, you may run into situations where you lose the icon for your CD or DVD player.
While Sony has responded to the complaints against it, don't expect other rootkit authors to respond to pressure. We can expect to see more rootkits appear as malware authors try to outmaneuver anti-virus and anti-spyware programs. There is no perfect rootkit detector, but there are three tools that might spot these items.
Programs to Help Detect Rootkits
Before jumping to these programs, you should use extreme care in deleting identified items. There may be circumstances where an item is identified, but poses no danger. You should make an effort to see if another rootkit detector shows the same results. I would also be inclined to review the vendor forum or support pages for these products. Search engines are also a good resource to find information on specific file names.
Microsoft Malicious Software Removal Tool - If you've done a recent update for your Windows XP machine, you should have this program. It's part of the monthly security update and runs automatically when it is updated. The program scans for well-known rootkits and malware. You can also go to the website to run an online scan. The program is probably the easiest to use and understand, since it is looking for known entries. However, it only updates monthly.
F-Secure Blacklight - The company released a beta version of their program that will run through Oct 1, 2007. The program is easy to use and involves a two-step process. The first step identifies programs or processes that are hidden. If items are found, the program renames them.
Sysinternals' RootkitRevealer - This is the program that spotted the Sony BMG rootkit. The program is more involved than the other two and takes longer to run. It does a thorough scan and compares the results obtained at the Windows API level with those read directly from the registry hive. APIs, or application programming interfaces, are the ways in which programmers communicate with the Windows operating system. The hive is the grouping of registry keys, subkeys and values created each time a user logs onto your PC. If you've ever used Regedit, you've been dealing with the hive. You might think of this as a database that stores all the settings for your programs.
The program lists any discrepancies found by its comparison and labels each with one of 10 descriptions. Unlike the Microsoft or F-Secure tools, RootkitRevealer will not remove or rename items. The tool is for identification purposes only.
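The cross-view comparison RootkitRevealer relies on can be illustrated with a small added example (my own code, not Sysinternals' tool). It compares two constructed snapshots of the same registry subtree, one as the Windows API would report it and one as a raw read of the hive would, and reports every difference; the key names, values and description wording are constructed for the illustration.

```python
"""Cross-view discrepancy check in the spirit of RootkitRevealer.

Added illustration, not Sysinternals' code. Two constructed snapshots of the
same registry subtree are compared: one as the Windows API reports it and one
as read straight from the raw hive. Any difference is a discrepancy that
deserves a closer look; the description strings are my own approximation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Discrepancy:
    path: str
    description: str


# Constructed sample: what the high-level (API) enumeration returned.
API_VIEW = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\Disk": {"Start": 0},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Cdrom": {"Start": 1},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip": {"Start": 1},
}
# Constructed sample: what a raw read of the hive contains. The key named
# "hiddensvc" never shows up through the API (something filtered it out),
# and "Tcpip" carries a different value when read raw.
RAW_VIEW = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\Disk": {"Start": 0},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Cdrom": {"Start": 1},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip": {"Start": 2},
    r"HKLM\SYSTEM\CurrentControlSet\Services\hiddensvc": {"Start": 2},
}


def cross_view_diff(api_view, raw_view):
    """Return the discrepancies between an API-level and a raw-level snapshot."""
    found = []
    for path in sorted(set(api_view) | set(raw_view)):
        in_api, in_raw = path in api_view, path in raw_view
        if in_raw and not in_api:
            # The classic rootkit signature: present on disk, filtered from the API.
            found.append(Discrepancy(path, "Hidden from Windows API"))
        elif in_api and not in_raw:
            # Often benign (key changed between the two passes) but still reported.
            found.append(Discrepancy(path, "Visible in Windows API but not in raw hive"))
        elif api_view[path] != raw_view[path]:
            found.append(Discrepancy(path, "Data mismatch between Windows API and raw hive data"))
    return found


if __name__ == "__main__":
    for d in cross_view_diff(API_VIEW, RAW_VIEW):
        print(f"{d.path}: {d.description}")
```

A discrepancy that disappears when the scan is repeated is usually a key that changed between passes rather than a rootkit, which is why the page advises corroborating a finding before deleting anything.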
While I dislike the measures Sony took with their copy protection, I do think there are lessons for us. Fortunately, we really haven't been hit by kernel-level rootkits, but they are bound to come. As anti-virus and anti-spyware scanners have become more effective, it makes sense that malware authors will employ this technology more. We're at a point where the threat is real, but the frequency is low. Until the anti-virus and anti-spyware companies incorporate better rootkit detection into their products, you should be on guard. You never know when someone will slip one by you with their software or their licensing agreements.
Update: Microsoft acquired Sysinternals in July 2006.
Last Updated (Sunday, 30 September 2012 11:04)