The Sony rootkit story

The data security world was rocked in November by the discovery of a rootkit detected in a large number of Sony BMG music CDs placed there by the company itself to enforce its copy control policies.

In the Sony case, the rootkit, which serves as a covert means of monitoring customer behavior through the Digital Rights Management (DRM) software, is installed when the user inserts the CD into a Windows-based PC and accepts a license agreement. The user is not told that a rootkit is installed along with the DRM software. The rootkit also opens a possible backdoor: viruses (or any other malicious program) can use its cloaking to hide themselves.

Since the case went public, Sony BMG has published an uninstaller. Nevertheless, the DRM software itself still does not provide any means of uninstallation. For that purpose, a user whose computer is infected with the rootkit needs a stand-alone uninstaller from Sony.

The security aspect has naturally been the main topic of the Sony scandal. But this incident has raised concerns about much more important issues as well. The DMCA (Digital Millennium Copyright Act) in the USA makes it illegal to circumvent systems that are designed to protect intellectual property. Many other countries have similar legislation.

The record industry feels that this legislation justifies the use of intrusive software to protect its intellectual property. Sony BMG's XCP system is perhaps the boldest example. The problem is that the legislation is not balanced. It grants the record industry the right to protect its property, but does not set clear limits on what it may do to achieve that goal.

One of the darker aspects of the case is that the rootkits were originally planned for permanent installation on those computers whose users accepted the terms of the software via Sony's music CDs. This would mean that, in the absence of detection, a user's information would be sent covertly via the Internet directly to Sony for the whole time the computer was in use - potentially a decade's worth of information gathered without the user's knowledge or consent.

The good news is that F-Secure's BlackLight scanner, introduced in March this year, is able to detect both the Sony DRM rootkit and any malware that hides using it. F-Secure Internet Security 2006 is the first product to include this scanner. F-Secure BlackLight technology is behavior based, which means it does not rely on signatures of known rootkits. It detects cloaking itself and is therefore able to detect new rootkit variants immediately, without updates.

Mika Ståhlberg, a researcher at the F-Secure Security Labs, pointed out the dangers of using rootkit cloaking techniques: "Using rootkits prevents system administrators from knowing what is actually running on their systems. This is in many aspects already a clear indication that the use of this kind of technology in software is very ill advised - after all, the computer still belongs to the user even if they install the software."

Commercial grade rootkits - a dream come true for malware authors
Ståhlberg continued: "In some cases rootkits can even prevent anti-virus and other security software from protecting the system against cloaked malware. These qualities have made rootkit techniques very popular among malware and spyware authors this year. One of the problems with the Sony BMG rootkit is that it is not designed to only hide the DRM software itself. Instead it hides every process, file, directory, and registry key that starts with the string "$sys$". This makes it very easy for attackers to use the rootkit for their own purposes. As one can imagine, this kind of a widespread commercial grade rootkit is a dream come true for those malware authors who are not skilled enough to write their own rootkits."
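The two technical points above (a behavior-based scanner that detects cloaking without signatures, and a rootkit that hides everything whose name starts with "$sys$") can be illustrated with a cross-view comparison, a general detection approach in which the same objects are enumerated through two independent paths and anything present in one view but missing from the other is reported as cloaked. The following is an added example written for this article; it is not F-Secure's BlackLight code, and the article does not describe BlackLight's internals. The file, process and registry names, the hooked-API simulation and the function names are all constructed for the example.

```python
"""Cross-view detection of cloaked objects (constructed simulation).

A behavior-based detector does not need to know any particular rootkit.
It enumerates objects through two independent paths and reports anything
that the high-level view omits. Here the "raw" view is a constructed list
standing in for a low-level enumeration, and the "hooked" view is produced
by a simulated API hook that drops every object whose path contains a
component starting with "$sys$", the prefix described in the article.
"""

from dataclasses import dataclass

CLOAK_PREFIX = "$sys$"  # prefix the XCP rootkit hides, per the article


@dataclass(frozen=True)
class Entry:
    kind: str   # "file", "dir", "process" or "regkey"
    path: str   # backslash-separated path or bare name


# Constructed ground truth, as a low-level enumeration would see it.
# None of these names are real XCP components.
RAW_VIEW = [
    Entry("file", r"C:\Windows\System32\drivers\ntfs.sys"),
    Entry("dir", r"C:\Windows\System32\$sys$example"),
    Entry("file", r"C:\Windows\System32\$sys$example\driver.sys"),
    Entry("process", "explorer.exe"),
    Entry("process", "$sys$drmservice.exe"),
    # constructed: an unrelated program that borrows the prefix to hide
    Entry("process", "$sys$thirdparty.exe"),
    Entry("regkey", r"HKLM\SYSTEM\CurrentControlSet\Services\$sys$example"),
    Entry("regkey", r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip"),
]


def is_cloaked_by_hook(entry, prefix=CLOAK_PREFIX):
    """Simulated hook rule: hide the object if any path component
    (directory name, file name, process name or key name) starts with
    the prefix. A file inside a hidden directory is hidden with it."""
    return any(part.startswith(prefix) for part in entry.path.split("\\"))


def hooked_view(raw, prefix=CLOAK_PREFIX):
    """The view a hooked high-level API would return to user programs."""
    return [e for e in raw if not is_cloaked_by_hook(e, prefix)]


def cross_view_diff(raw, api):
    """Behavior-based check: objects present at the low level but absent
    from the high-level view. No prefix or rootkit knowledge is used."""
    api_set = set(api)
    return [e for e in raw if e not in api_set]


def signature_scan(raw, known_names):
    """Contrast: a signature approach only finds names it already knows,
    so it misses other programs hiding behind the same cloak."""
    return [e for e in raw if e.path.split("\\")[-1] in known_names]


def run_detection(raw=RAW_VIEW):
    """Return (kind, path) pairs for every object the hook cloaks."""
    hidden = cross_view_diff(raw, hooked_view(raw))
    return sorted((e.kind, e.path) for e in hidden)


if __name__ == "__main__":
    for kind, path in run_detection():
        print(f"cloaked {kind}: {path}")
```

Running the block lists the five constructed objects that the simulated hook hides, including the unrelated "$sys$thirdparty.exe" process, while a signature scan keyed only to the DRM's own name reports one. That difference is the point of a behavior-based scanner: the detector never has to learn the prefix or the rootkit's file names, only that two views of the system disagree.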

Sony is already the defendant in several lawsuits, and in some of them the verdict may well go in favour of the plaintiff. But the law is still not clear enough about systems that are installed without the user's consent. The upside in this affair is that we are one step closer to a DMSIA, a Digital Millennium System Integrity Act.

The need for clearer guidelines on the rights of producers, artists and consumers in the music business is obvious. With the industry in transition from the CD format to direct digital download, users should retain the right to transfer their music digitally from a legally purchased CD to the MP3 player of their choice, without the threat of covert software being installed on their computer. In the Sony case, that right was denied them.

Speaking about the Sony case, Risto Siilasmaa, CEO of F-Secure, said: "The real story, and the very valuable lesson, here is that many companies are linking their products to ICT technology. This means that they need to educate themselves on data security issues, build processes to handle claims of vulnerabilities, train their PR people to deal with these kinds of situations and so on. Hundreds of consumer electronics companies will find themselves in the same boat with Sony."

Author: Corporate Communicator, Mark Woods
