I am increasingly troubled by the implications of the Sony rootkit DRM, uncovered on Halloween by renowned Windows expert Mark Russinovich. Essentially, Sony used a cloaking mechanism, typically the tool of malicious hackers, to hide digital rights management software installed on PCs from copy-protected music CDs. Like malware, the rootkit occasionally sends out information (to Sony), is nearly impossible to remove and, when removed, usually damages Windows.
I’ll skip over all the ways that Sony has turned its copy-protection mechanism into the worst kind of public relations disaster. I couldn’t imagine how any company could create more negative perception about DRM, but I’ll skip that, too.
One of the perplexing problems about this rootkit: how far it has spread. On Tuesday, researcher Dan Kaminsky found that “at least 568,200 nameservers” contain PCs infected with the rootkit. The potential number of PCs with the rootkit could easily be in the millions. I wondered how the Sony malware mechanism could spread so far so quickly, because the source is a music CD people pay for. I now understand that the rootkit spread slowly, because Sony apparently has been using the mechanism for a long time.
Sony now provides a list of 52 CDs that used the ill-fated copy-protection mechanism. Unless Sony started adding the rootkit DRM after initial CD release, the initial release dates show that the malware has been sold for some time.
I took albums from the list and searched for them at the iTunes Music Store. Some results: The Dead 60’s (Self-titled), May 31, 2005; Dion, “The Essential Dion”, April 19, 2005; Faso Latido, “A Static Liberty”, April 5, 2005; Susie Suh (Self-titled), March 29, 2005. I didn’t have time to check the entire list, but these are some of the oldest CD releases that I found. So since at least March, or about seven months (and perhaps longer), Sony has shipped rootkit DRM on music CDs.
So…why was it that Mark found this rootkit and not some security software vendor? See, the whole point of anti-spyware and antivirus software is to sniff out stuff just like this rootkit. Granted, rootkits are nasty and designed for stealth, but they still exhibit some traceable characteristics. For example, they typically phone home, so to speak, as this one did.
Don’t rootkits exhibit some type of characteristic behavior, whereby a combination of processes, either on installation or through ongoing presence, would be enough to trip some heuristic security process? If the Sony rootkit DRM is any example, the answer is no. And that’s what I find most perplexing and disturbing of all: millions of computer users are much less safe than anyone thinks. Maybe security software vendors are actually selling insecurity, given their products’ failure to detect Sony’s malware over the course of seven months and likely on millions of computers!
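One traceable characteristic a cloaking rootkit cannot avoid is the discrepancy it creates: what the hooked Windows API reports no longer matches what is actually on disk. The following is an added illustration of that cross-view detection principle, not code from the original post or from any security vendor; the `cloaked_` prefix and the hooked listing function are constructed stand-ins for a rootkit’s filter, and the sample directory tree is built inline.

```python
import os
from typing import Callable, Dict, List, Set

# Hypothetical cloaking rule standing in for a hooked directory-listing API:
# names carrying this constructed prefix are dropped from the "API view".
CLOAK_PREFIX = "cloaked_"

def raw_listdir(path: str) -> List[str]:
    """Unfiltered listing: stands in for reading directory data directly."""
    return os.listdir(path)

def hooked_listdir(path: str) -> List[str]:
    """Simulated hooked API that hides cloaked entries from ordinary tools."""
    return [n for n in os.listdir(path) if not n.startswith(CLOAK_PREFIX)]

def walk_view(root: str, listdir: Callable[[str], List[str]]) -> Set[str]:
    """Enumerate every path under root using only the given listing function,
    so a hook that filters one directory also hides everything beneath it."""
    seen: Set[str] = set()
    stack = [""]
    while stack:
        rel = stack.pop()
        for name in listdir(os.path.join(root, rel)):
            child = os.path.join(rel, name) if rel else name
            seen.add(child)
            if os.path.isdir(os.path.join(root, child)):
                stack.append(child)
    return seen

def cross_view_diff(api_view: Set[str], raw_view: Set[str]) -> Dict[str, List[str]]:
    """Entries in the raw view but missing from the API view are being hidden;
    the reverse case means the hook is fabricating entries."""
    return {"hidden": sorted(raw_view - api_view),
            "phantom": sorted(api_view - raw_view)}

def scan(root: str) -> Dict[str, List[str]]:
    """Run both views over the same tree and report the discrepancies."""
    return cross_view_diff(walk_view(root, hooked_listdir),
                           walk_view(root, raw_listdir))

def build_sample_tree(root: str) -> None:
    """Constructed sample: a visible file next to a cloaked directory whose
    contents are only reachable through the raw view."""
    os.makedirs(os.path.join(root, "cloaked_drm"))
    for rel in ("readme.txt", os.path.join("cloaked_drm", "driver.sys")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan(tmp))
```

Anything reported under `hidden` is exactly the kind of cloaked artifact a heuristic scanner could have flagged without knowing Sony’s software in advance.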
Be afraid, be very afraid.
Photo Credit: Elvert Barnes