Tuesday, November 01, 2005

Finding a rootkit

Mark Russinovich over on SysInternals.com posted a blog entry yesterday about how he located a rootkit that was installed after he purchased a CD.

One has to raise the "HUH??!?!" flag (those are the three letters I chose, but I'm sure that there are other blog posts out there on this subject that will be brought to you by the letters "W", "T", and "F"...) on this one.

The SANS Internet Storm Center picked it up, as well. So did F-Secure, and they have their own technical description here.

So...imagine if you will...not only are you looking over your shoulder with regards to the bad guys and malcode, but now you have to be careful of the legitimate guys, as well. Sony is legitimate, right? What happens if a worm comes out that doesn't have its own rootkit payload (there was a worm for AIM recently that did), but instead looks for the presence of a commercial DRM rootkit, and hides itself that way? What will that worm be called? "W32.SonyPiggyback"?

Face it folks...do a search on SARC for "rootkit" and see how many entries you find over the last year. Ouch!

Addendum 3 Nov: I generally try to stay on-track in this space, my blog...keeping on topic with regards to forensic analysis of Windows systems. However, I have to say that Wired really has it wrong. Specifically, "But in our view, the hacker and virus threat is something of a red herring...". Red herring? How so? The article goes on to say, "Sony may even have committed a crime under the U.S. Computer Fraud and Abuse Act...".

Wow. The EULA doesn't specifically state that it's installing a rootkit, but given the knee-jerk reactions of most folks, is anyone really surprised? After all, it was just last February that Microsoft hit the stage of the RSA Conference, full of sound and fury over rootkits, but signifying nothing. So they bring something that's been around for a while to the forefront of attention...and because Microsoft said it, the media jumps all over it. And guess what? There are even courses you can take in writing rootkits. So...someone in Sony is trying to figure out how to protect their "property", and look what they stumble across.

Should Sony be faulted for what they did...perhaps. Should they be faulted more so than other companies (a company is a business, remember...a real-world construct designed to make money) who've taken "extreme" measures that end up making self-righteous folks indignant?

I'm not making a call on that. What I am concerned about is the number of folks out there who've installed this stuff, and suddenly there are a whole bunch of other files on the system with the same prefix (in this case, "$sys$"). I'm concerned about the first worm that does a check for the Sony stuff...why download your own stealth technology when there's already a perfectly good one on the system?
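Since the hiding here is keyed on a name prefix, the defender's check is straightforward to state. The following is an added example (it is not from the original post and not a tool the post mentions), written in Python: it flags names beginning with "$sys$" in a listing taken from a trusted view (an offline-mounted image or a clean boot), and it goes one step beyond the post by also doing a cross-view comparison, reporting names that a trusted listing shows but the running system's own directory listing does not. The listings in the block are constructed sample data, not real file names from the affected systems.

```python
"""Added example: defender-side checks for files hidden behind a name prefix.

Two checks:
  1. prefix scan: names in a trusted listing that start with the prefix;
  2. cross-view diff: names in the trusted listing that are absent from the
     listing the live system returned, which indicates something is filtering
     results before they reach the caller.
All sample listings below are constructed for illustration.
"""
import os
from pathlib import PureWindowsPath

# Prefix the post describes; anything starting with it was hidden.
HIDDEN_PREFIX = "$sys$"


def prefix_hits(names, prefix=HIDDEN_PREFIX):
    """Return the paths whose final component starts with the prefix."""
    return sorted(n for n in names if PureWindowsPath(n).name.startswith(prefix))


def cross_view_diff(trusted_view, live_view):
    """Names visible in the trusted listing but missing from the live one."""
    return sorted(set(trusted_view) - set(live_view))


def scan_tree(root, prefix=HIDDEN_PREFIX):
    """Walk a real directory tree (e.g. an offline-mounted image) and report
    every file or directory whose name starts with the prefix."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name.startswith(prefix):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


# Constructed sample data: what an offline listing of the same directories
# might show, versus what the live system's directory listing returned.
TRUSTED_LISTING = [
    r"C:\Windows\system32\$sys$sample.dll",
    r"C:\Windows\system32\$sys$dropped.exe",
    r"C:\Windows\system32\kernel32.dll",
    r"C:\Users\demo\notes.txt",
]
LIVE_LISTING = [
    r"C:\Windows\system32\kernel32.dll",
    r"C:\Users\demo\notes.txt",
]


def report(trusted=TRUSTED_LISTING, live=LIVE_LISTING):
    """Run both checks over a pair of listings and return the findings."""
    return {
        "prefix_hits": prefix_hits(trusted),
        "hidden_from_live": cross_view_diff(trusted, live),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key)
        for path in value:
            print("   ", path)
```

The second check matters more than the first: a worm that borrows the prefix gets hidden from the live API just like the original files, so a prefix search run on the infected, running system sees nothing. Only a listing taken from a view the hiding code does not control (an offline image, a clean boot, or a raw read of the directory structures) shows the difference.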

Okay, enough of that. Brian Krebs picked up on this and blogged...if you have a few minutes, scroll through some of the responses. Maybe you'll feel moved to leave a comment...