Gigs & Bytes: Getting To The Root Of The Rootkit
A rootkit is cloaking software designed to hide the existence of other programs, usually spyware or viruses, from the computer’s user and from the security tools that would otherwise detect them.
In his posting, Russinovich detailed how he found a rootkit on his own computer while testing a program designed to detect exactly that kind of software.
As Russinovich discovered, this particular rootkit was designed to hide the existence of digital rights management software called XCP that was created by United Kingdom-based company First4Internet and used on selected CDs by Sony BMG.
There are several reasons Sony BMG’s rootkit fiasco has raised such a fuss among security experts as well as music consumers.
That a major corporation would secretly embed such a program within its products is scary enough, but this particular rootkit also made computers vulnerable to virus attacks: anything else that matched the pattern the rootkit hid became invisible too. What’s more, removing the rootkit by hand could cause other problems within a computer system, such as disabling the computer’s CD drive.
In short, Sony BMG distributed a security risk with every CD it sold that contained First4Internet’s rootkit and DRM software.
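The security risk described above comes down to two properties of a cloak keyed on a name pattern: it hides whatever matches, not just the DRM software it was written for, and it can be exposed by comparing a low-level view of the disk with what the (hooked) system API reports, the cross-view comparison used by rootkit detectors such as the one Russinovich was testing. The following Python is an added example, not code from the article, from First4Internet or from Sony BMG. It simulates the hooked directory listing in memory rather than hooking anything; the `$sys$` prefix comes from Russinovich’s published analysis rather than from this article, and the file names and the anti-virus signature set are constructed for the demonstration.

```python
"""Simulated name-based cloaking (XCP-style) and cross-view detection.

Added example, not code from the article or from First4Internet/Sony BMG.
The rootkit is modelled as a hook that filters directory listings; the
demo shows that any program adopting the cloaked name pattern disappears
from the API view as well, and that a raw-versus-API comparison reveals
everything the hook is hiding.
"""

# XCP hid names beginning with "$sys$" (per Russinovich's analysis, not this
# article); the exact value is treated as an assumption here.
CLOAK_PREFIX = "$sys$"

# Constructed sample file table; names are illustrative, not a real listing.
SAMPLE_DISK = {
    "$sys$aries.sys": "XCP cloaking driver",
    "$sys$DRMServer.exe": "XCP DRM component",
    "$sys$payload.exe": "unrelated malware that simply adopted the prefix",
    "notepad.exe": "ordinary program",
    "payload.exe": "the same malware before it was renamed",
}

# Constructed anti-virus signature set: the malware IS known, by name.
SAMPLE_SIGNATURES = {"payload.exe", "$sys$payload.exe"}


def raw_listing(disk):
    """Low-level view: read the file table directly, bypassing the hooked API."""
    return sorted(disk)


def hooked_listing(disk, prefix=CLOAK_PREFIX):
    """High-level view: the hooked enumeration API silently drops cloaked names."""
    return [name for name in sorted(disk) if not name.startswith(prefix)]


def cloaked_name(name, prefix=CLOAK_PREFIX):
    """All an attacker needs to do to ride the cloak: rename to match the pattern."""
    return name if name.startswith(prefix) else prefix + name


def antivirus_scan(listing, signatures):
    """Naive scanner: it can only examine entries that enumeration returns."""
    return sorted(name for name in listing if name in signatures)


def cross_view_diff(disk, prefix=CLOAK_PREFIX):
    """Cross-view detection: present in the raw view but absent from the API view."""
    raw = set(raw_listing(disk))
    api = set(hooked_listing(disk, prefix))
    return sorted(raw - api)


if __name__ == "__main__":
    api_view = hooked_listing(SAMPLE_DISK)
    print("API view          :", api_view)
    print("AV via hooked API :", antivirus_scan(api_view, SAMPLE_SIGNATURES))
    print("AV via raw view   :", antivirus_scan(raw_listing(SAMPLE_DISK), SAMPLE_SIGNATURES))
    print("Cloaked entries   :", cross_view_diff(SAMPLE_DISK))
```

Running the script shows the scanner that goes through the hooked API catching only the un-renamed copy of the malware while the `$sys$`-prefixed copy slips past, and the cross-view diff listing the two XCP components together with the renamed malware. That gap between the two views is the signal the detector Russinovich was running picked up.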
It’s been said that the five stages of grief are denial, anger, bargaining, depression and acceptance. While no one can accurately say the infamous rootkit caused Sony BMG to experience all stages, it appears that the label did have its own episode of denial.
Business Week Online reports that Sony BMG knew about the potential problems posed by the rootkit’s existence on October 4th, almost one month before Russinovich’s Halloween posting.
Now it appears the first person to discover the rootkit wasn’t Russinovich, but John Guarino, the owner of a Manhattan-based, two-person PC repair shop called TecAngels.com. Evidently, Guarino had been removing the rootkit from his customers’ computers for months without knowing exactly where it came from or how it was finding its way onto computers.
Guarino eventually discovered the Sony BMG link on September 30th, when he inserted a CD by Amerie into his own computer’s CD drive and realized the disc was loading the rootkit onto it.
Guarino e-mailed Finnish computer security company F-Secure. Because F-Secure markets a program designed to find such security breaches, the company was very interested in what Guarino had discovered. After conducting its own investigation, F-Secure contacted the company that manufactures Sony BMG discs, Sony DADC, which forwarded the e-mail to the label on October 7th.
According to Business Week Online, Sony BMG’s President of Digital Global Business Thomas Hesse said at that time the F-Secure e-mail seemed to be about a “routine matter,” which didn’t indicate that the software was anything but “benign.”
But Sony BMG did ask First4Internet to look into the matter. Meanwhile, F-Secure described the problem in a report sent to both the label and First4Internet on October 17th, warning that the rootkit in the XCP DRM software could enable virus writers not only to place viruses on computers carrying the software, but also to hide those viruses from anti-virus programs. It was in that report that F-Secure referred to the XCP rootkit as a “major security risk.”
What happened after that depends on whom you talk to. F-Secure and First4Internet held a conference call on October 20th and, according to F-Secure, the folks at First4Internet claimed the rootkit wasn’t that big of a concern because few people knew about it, and that an update planned for next year would fix the problem.
Then F-Secure conferenced with Sony BMG. But F-Secure came away from that phone call feeling that Sony BMG wasn’t planning on doing anything about the CDs already in circulation.
According to Business Week Online, F-Secure director of research Santeri Kangas said, “We told them it was a major security risk. They thought we were silly. They wanted to keep the problem quiet.”
However, Sony BMG disputes that account, and claims the label planned on fixing the problem as soon as possible by distributing a patch.
But then came October 31st when Russinovich posted the first public word on his blog. That’s when the kit really hit the fan.