Putting the r00t in Rootkit
First Published: X-Force Monthly Magazine

The last quarter of 2005 was an interesting period for malcode. We saw the first Web-only worms propagate through popular forums and portals using cross-site scripting; we saw a zero-day vulnerability in Internet Explorer that was quickly adapted to install spyware and backdoors on vulnerable hosts browsing hundreds of porn and warez sites; and we saw public use of a rootkit by a global organization in an effort to bolster its DRM solution.  

The corporate sanction of distributing a rootkit hidden within customer products was quite a surprise to many.  While the battle to protect an artist’s content through various copy-protection solutions has been a hard one, Sony managed to take it to a new level when the company added rootkit functionality to several of its most popular artists’ CDs.  

Sony’s error was to use rootkit cloaking functions to hide its latest copy-protection software from the customer when they placed the CD into their computer.  Technically the surreptitious installation of the protection element would meet the classical definition of spyware – complete with “phone-home” functionality.  

While the inclusion of a rootkit and spyware package are certainly enough to upset the customers that bought the CDs, I’m sure that many organizations also started to rapidly rethink their internal security policies – after all, not even a shrink-wrapped music CD from a reputable international company is safe enough to play through a corporate desktop’s or laptop’s speaker system anymore.

Inevitably Sony was found out, and the heat was on to mend the company’s ways.  Unfortunately for Sony and its rootkit, a lot of techies and geeks got in on the act and the malcode problems escalated.  

Some people found that they too could utilize Sony’s rootkit cloaking functions.  A few months earlier, the developers of a popular massively multiplayer role-playing game (MMRPG) had devised a method of recognizing players trying to use common cheating tools to affect their scores and gameplay.  Using the rootkit cloaking, people were able to hide their cheating tools and once again outwit the MMRPG.  

Once Sony took steps to remove the rootkit and spyware, things really started to go horribly wrong.  Security researchers found a number of vulnerabilities within the spyware that could be leveraged for local escalation attacks to gain “root” access, and they were quickly incorporated into the latest worms.  Meanwhile the uninstall package made the host unstable and vulnerable to additional attack vectors, and still didn’t remove everything.  

Eventually Sony issued a recall of the CDs and employed a reputable security company to provide advice on how to clear up the mess and assess the integrity of its new uninstall software.  Unfortunately, sometime between getting the software assessed and posting it to its website for customer access, minor code changes were implemented that resulted in yet another exploitable security flaw.  I bet that the security company they employed wasn’t particularly happy with the press they received for that slip-up.

With any luck, other organizations are perhaps rethinking their use of malcode technologies.  While Sony certainly received a tremendous amount of negative press for its sanctioned use of a rootkit, there are still an increasing number of organizations and entities seeking to distribute next generation rootkits and spyware to further their businesses or protect their investments.  

Some people may have noticed that I use the term malcode rather than malware.  While malware is a useful grouping for the discussion of malicious content such as Trojans, worms, spyware, rootkits, keyloggers, bots, etc., it doesn’t really cover the broad range of infection vectors now in common usage.  Malicious agents are now making better use of scriptable content and related vectors and are blurring the classical definitions of the malware sub-types they evolved from.   

The attackers are using each and every dirty trick in the book – borrowing the best infection vectors and techniques from one another and turning their malcode from what was once more of an art form into an exacting science; a science that international corporations are also seeking to leverage.
Copyright 2001-2007 © Gunter Ollmann