Friday, November 18, 2005

Sony rootkit issue deepens

In my November 4 post, titled "Sony distributes malicious software; cheaters rejoice", I described how Sony was distributing a "rootkit" program as part of a copy protection scheme, and how this program could be used by hackers to get into your system.

The issue has intensified in the last two weeks.

For the full story, see the Schneier on Security blog rootkit posting. See my earlier blog entry for information on what this "rootkit" is. I'll assume you've read it. If not, go read it. I'll wait...

...Back? Cool. Summarized, here's what's happened:
  • Mark Russinovich discovered the rootkit on October 31, 2005.
  • Soon after, Sony gave instructions on how to remove the cloaking that hid the rootkit. They did not give instructions on how to remove the rootkit. Removing it could potentially crash your machine and make it unbootable (without reformatting and reinstalling everything).
  • Sony claimed that the rootkit did not "phone home" (i.e. that it did not access the internet and send information about your system to a home base). It was soon discovered that it did just that.
  • On November 4, Thomas Hesse, Sony BMG's president of global digital business said, "Most people don't even know what a rootkit is, so why should they care about it?"
  • On November 9, McAffee — the computer anti-virus people — released code to detect the rootkit. Their products do not remove the rootkit, just the cloaking portion.
  • On November 11, blog outrage and mainstream media coverage resulted in Sony "temporarily halting the production of the copy protection scheme".
  • Also on November 11, Symantec — another computer anti-virus company — released a tool for removing the cloaking. Their products do not remove the rootkit, just the cloaking portion.
  • In spite of the fact that trying to remove the rootkit can cause Windows to crash in a horrible manner, Microsoft didn't mention the rootkit until November 13. It announced that it would update its security tools to remove the cloaking, but not the rootkit itself.
  • On November 14, Sony announced it was pulling infected discs from store shelves, and replacing infected discs with uninfected discs for free.
An an initial estimate said that half a million computers were infected. According to a post on DoxPara Research's site there are actually half a million nameservers infected. A nameserver is a computer that turns internet domain names (i.e. into IP addresses, and vice versa. Each nameserver is attached to at least one computer, and usually hundreds, thousands, and more computers. Half a million is the lowest possible estimate for infected computers.

If a criminal organization had distributed rootkit in this manner, the police would be all over them. It' s unlikely that Sony will have much trouble, even though they've broken cyberlaw. They've also broken copyright law, as part of their copy protection scheme seems to include an MP3 encoder in violation of its user agreement.

The Department of Homeland Security is none too happy with Sony, as the rootkit was found on Department of Defense computers. It's left up to the student to decide how this could hurt national security.

What burns me is how the anti-malware companies have utterly failed to protect against this infection. Sony has been distributing these discs for some eight months. None of the major malware programs caught it. Even though it was distributed by CD, it should still have been caught. An article on states that Symantec and other anti-virus companies already knew about the rootkit, and that First 4 Internet — the British company that created the rootkit for Sony — contacted them to make sure it would not turn up in their anti-virus programs!

This results in some unhappy questions for Microsoft. Was Microsoft told ahead of time by First 4 Internet about the rootkit? If it was, why did Microsoft allow the inclusion of malware on Windows platforms without some way to remove it without crashing the operating system? And if Microsoft was not informed, are Microsoft's security programs as good as the anti-virus companies? After all, shouldn't Microsoft's own programs caught the rootkit if they didn't know Sony was distributing it? What does this mean for Windows Vista, the next Microsoft operating system, which will come with "digital rights management" (i.e. copy protection) bundled with it?

Lots of questions and few answers. The only people laughing right now are those who own Apples, and those who don't buy Sony CDs. There's a call to boycott Sony music. Like Sony needed another reason for people to pirate their songs.

No comments: