Sony's Rootkit - Cockup or Conspiracy?
OK, so there's this Wired article, already mentioned by John Walkenbach, Richard Schwartz and doubtless many others, which concludes:

What happens when the creators of malware collude with the very companies we hire to protect us from that malware?

We users lose, that's what happens. A dangerous and damaging rootkit gets introduced into the wild, and half a million computers get infected before anyone does anything.

Who are the security companies really working for? It's unlikely that this Sony rootkit is the only example of a media company using this technology. Which security company has engineers looking for the others who might be doing it? And what will they do if they find one? What will they do the next time some multinational company decides that owning your computers is a good idea?

Excellent! A good, old-fashioned conspiracy theory.

It may be just me, but I'll ask anyway: am I the only one who sees more cockup than conspiracy here?

It isn't just the one cockup either. It is failure on an impressive scale, but I have difficulty believing that collusion could have been organised on an equal scale without being noticed. Some elements of the cockup:

  • The rootkit itself doesn't just hide Sony's DRM, but any file named $SYS$*

    An obvious opportunity for other people to exploit rootkit cloaking for other purposes. But deliberate? No. Cockup.

  • The removal tool opens a barn door sized backdoor.

    I did enjoy this part actually, but it would be a brave individual who, hand on heart, described this as anything other than cockup.

  • The big one - AV firms fail to see a rootkit

    They aren't, by and large, looking for a rootkit - any rootkit. Why? The rootkit alone isn't active malware. It is just a cloaking feature. AV firms like to find, analyse and make portentous announcements about malware. Big hitting malware that lays low entire infrastructures. You know the type. We haven't seen too many of those this year for some reason.

    Conspiracy? No. Cockup.

I've said this before - many times actually - but indulge me.

There's no collusion here. This is business as usual in the AV industry. AV vendors want to sell users their software. The need for this software is driven by fear. Fear can be helped along by good PR people who use the media well, particularly when we do see a major virus outbreak, and by the software itself once installed. It has very little to do with real security. I'll illustrate.

I just recently installed (still regretting this and may uninstall soon) a popular Internet security suite on the family PC at home. There are some features which I do value, greatly outnumbered as it happens by those I do not. This software has added value to my Internet security * experience so far by:

  • Announcing triumphantly that it had detected and defeated an attempted break-in by a computer at 192.168.174.1. That IP, which can only be somewhere in the local intranet anyway, is assigned to one of the VMware virtual NICs on that PC and, as no VMware guest was running at the time, it is hard to see how it might have attempted (all by itself) to break into the host OS. The IP assigned to the other VMware virtual NIC on the same machine has yet to attempt to break in. Or maybe my shiny new AV software failed to spot it when it did.

  • Warning in the strongest terms that an unrecognised application was trying to communicate using a particular protocol and port and offering to deny such communication permanently (default answer - yes, please!). The unrecognised application was our beloved Sam Spade and the protocol/port was UDP/53. Yes, I was using Sam Spade to execute a DNS query.

  • Announcing that it had recognised and permitted Microsoft Internet Explorer ** to gain access to t'Internet (all by itself - no user intervention required except to click OK on this announcement).
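The three alerts above share a pattern: each one is information a product could have checked for itself before interrupting the user. The block below is an added example, not the author's code and not any AV product's logic, that triages constructed alerts modelled on those three: an inbound "attack" whose source is one of the host's own interface addresses, an outbound UDP/53 query from an unrecognised tool, and a browser opening HTTPS. The interface address list and the default-deny perimeter assumption (from the first footnote) are hard-coded here for illustration.

```python
"""Triage of host-firewall alerts like the three described in the post.

Added example: not the author's code and not any product's logic. The alert
records and the list of local interface addresses are constructed.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumption: addresses bound to this host's own adapters, including the two
# VMware host-only virtual NICs. On a real machine this set would be read
# from the interface configuration rather than hard-coded.
LOCAL_INTERFACE_IPS = {"192.168.1.10", "192.168.174.1", "192.168.213.1"}

# Outbound destination ports whose use by a network tool is expected.
EXPECTED_PORTS = {("udp", 53): "DNS", ("udp", 123): "NTP",
                  ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS"}

# The footnote's situation: inbound traffic is default-deny at a stateful
# perimeter firewall, so unsolicited inbound from the Internet should never
# reach this host in the first place.
PERIMETER_DEFAULT_DENY_INBOUND = True


@dataclass(frozen=True)
class Alert:
    direction: str             # "inbound" or "outbound"
    peer: str                  # remote address as reported by the product
    proto: str                 # "tcp" or "udp"
    port: int                  # destination port
    app: Optional[str] = None  # local application, if the product names one


def triage(alert: Alert) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'noise', 'expected' or 'review'."""
    peer = ipaddress.ip_address(alert.peer)

    if alert.direction == "inbound":
        if alert.peer in LOCAL_INTERFACE_IPS:
            # The "attacker" is this machine talking to itself.
            return "noise", "source is one of this host's own interface addresses"
        if peer.is_private:
            return "review", "connection from another LAN host; look at that host, not the Internet"
        if PERIMETER_DEFAULT_DENY_INBOUND:
            return "review", "Internet source reached the host despite a default-deny perimeter; check the perimeter"
        return "review", "unsolicited inbound from the Internet"

    # Outbound: judge by what the traffic is, not by whether the product
    # happens to recognise the application binary.
    service = EXPECTED_PORTS.get((alert.proto.lower(), alert.port))
    who = alert.app or "unknown app"
    if service:
        return "expected", f"{service} ({alert.proto.upper()}/{alert.port}) from {who}"
    return "review", f"unusual outbound {alert.proto.upper()}/{alert.port} from {who}"


# Constructed alerts modelled on the post, plus one that does deserve a look.
SAMPLE_ALERTS = [
    Alert("inbound", "192.168.174.1", "tcp", 445),                       # the VMware NIC "break-in"
    Alert("outbound", "192.168.1.1", "udp", 53, app="Sam Spade"),        # a DNS query
    Alert("outbound", "198.51.100.20", "tcp", 443, app="iexplore.exe"),  # Windows Update
    Alert("outbound", "203.0.113.9", "tcp", 6667, app="unknown.exe"),    # worth a look
]


def summarise(alerts: list[Alert]) -> dict[str, int]:
    """Count verdicts; only 'review' merits interrupting the user."""
    return dict(Counter(triage(a)[0] for a in alerts))


if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        verdict, reason = triage(a)
        print(f"{verdict:8} {a.direction:8} {a.peer}:{a.port}/{a.proto}  {reason}")
    print(summarise(SAMPLE_ALERTS))
```

Of the four constructed alerts, only the last one survives triage as something to look at; the three taken from the post are classified as noise or expected without any user involvement.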

What is a non-technical user to make of dire warnings like this? Well, he/she will be delighted to know that the £30-40 he/she spent on this lovely AV software is earning its keep, and he/she may be more likely to renew the subscription to the update service as a result.

The real security afforded by these things is largely, if not wholly, illusory. If there is a conspiracy here it is between the AV industry and tech thought leaders like us who often fail to point out that this particular emperor is stark naked.

Sony, Microsoft (except as a competitive threat) et al never enter this equation and are certainly not involved in any conspiracy.


* Home network is behind a stateful firewall and inbound traffic is locked down there (default deny), so this "software firewall" is about as much use to me as a chocolate teapot - I just can't turn it off without also turning off all other features including the only one I need - parental control.

** I was running Windows Update at the time - can't use Firefox for that.

Category: Viruses and Worms

Comments :

1. Richard Schwartz, 18/11/2005 12:43:12
Homepage: http://www.rhs.com/poweroftheschwartz


You're neglecting one thing: the AV companies are in competition with each other, and one of the ways that they try to outdo each other is by promoting the capabilities of their research departments, by being the first to announce any new threat -- or better yet any new category of threats! You say that they're not looking for rootkits? What on earth do those researchers do then, other than examine PCs looking for signs of certain activities -- like cloaking -- that are indicative of malware. I find it almost impossible to believe that none of the major AV labs ever noticed the Sony rootkit and recognized the risks that it posed, and therefore I have to believe that at least one -- maybe all -- of them noticed it and made a conscious decision not to put out a press release about a new vulnerability vector.

-rich




2. Chris Linfoot, 18/11/2005 12:53:08


Sorry Rich - I just don't buy that. They didn't do anything because they weren't looking for it. Period. And they never found it until that nice man over at SysInternals found it for them * using a tool specifically and separately developed to reveal rootkits.

Actually no AV software that I know of includes any functionality that attempts to detect rootkits. This may be because they are not traditionally virus components and the market has been artificially segmented into products that spot malware **, others that spot adware and yet others that spot spyware. Wintel rootkits are rare anyway and typically adware/spyware features.

I believe AdAware will identify a rootkit when it sees one.

* and he found it accidentally
** malware traditionally means mass mailing worms and trojans




3. Richard Schwartz, 18/11/2005 13:50:26
Homepage: http://www.rhs.com/poweroftheschwartz


I'm not faulting them for not having software that detects rootkits. I'm faulting them for not having researchers who detect rootkits. I really don't think I'm out of line for expecting that at least one of the major security companies' research department should have found this sooner. I'm left with two choices: they're either not as smart as they generally want us to believe, or they are that smart but there's something they're not telling us. (Come to think of it, that's not all that different from the incompetent vs. liars choice that comes up with respect to quite a few politicians these days.)




4. Chris Linfoot, 18/11/2005 14:01:31


And that is my point exactly - "cockup or conspiracy" can be rephrased as "incompetence or lying".

I choose incompetence.

You might want to read that original post at the SysInternals blog linked in my comment above and in particular to read the post linked from there that describes Rootkit Revealer.

Revealing rootkits is a) very tricky and potentially error prone and b) not often necessary when detecting malware (though some reputable AV software does itself use rootkit techniques to hide data stored in NTFS alternate data streams).
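The post says the rootkit cloaks anything named $SYS$*, and the comment above says revealing rootkits is tricky and error prone. What follows is an added example (not RootkitRevealer's code and not anything from the post or its comments) of the cross-view approach RootkitRevealer is built on: compare what a high-level enumeration reports with what a low-level enumeration finds on the volume, treat the difference as candidate cloaked objects, and re-scan so that files created or deleted between the two enumerations drop out. Both views are constructed in-memory path sets so the logic runs offline; the $sys$drv directory and every file name are made up.

```python
"""Cross-view detection of cloaked files, the approach RootkitRevealer takes.

Added example: not RootkitRevealer's code and nothing from the post. On a real
system the API view would come from the Windows file APIs and the raw view
from reading the volume directly; here both are constructed path sets.
"""

# The cloaking pattern the post describes: names starting with $SYS$.
# Windows names are case-insensitive, so compare in lower case.
CLOAK_PREFIX = "$sys$"


def hidden_paths(api_view: set[str], raw_view: set[str]) -> set[str]:
    """Paths the low-level view sees that the API view does not."""
    return raw_view - api_view


def phantom_paths(api_view: set[str], raw_view: set[str]) -> set[str]:
    """Paths the API reports that are not on the volume (a different oddity)."""
    return api_view - raw_view


def confirmed_hidden(round1: tuple[set[str], set[str]],
                     round2: tuple[set[str], set[str]]) -> set[str]:
    """Discrepancies that survive a second scan.

    This is the error-prone part: the two enumerations are never simultaneous,
    so a file created or deleted between them shows up as a discrepancy once.
    A genuinely cloaked file is missing from the API view on every scan.
    """
    return hidden_paths(*round1) & hidden_paths(*round2)


def matches_cloak_pattern(path: str) -> bool:
    """True if the file's own name starts with the $sys$ prefix."""
    name = path.rsplit("\\", 1)[-1]
    return name.lower().startswith(CLOAK_PREFIX)


def report(round1: tuple[set[str], set[str]],
           round2: tuple[set[str], set[str]]) -> dict[str, list[str]]:
    """Summarise two scan rounds; the hit is the hiding, the prefix is corroboration."""
    confirmed = confirmed_hidden(round1, round2)
    transient = hidden_paths(*round1) - confirmed
    return {
        "confirmed_hidden": sorted(confirmed),
        "cloak_pattern_hits": sorted(p for p in confirmed if matches_cloak_pattern(p)),
        "transient": sorted(transient),
        "phantom": sorted(phantom_paths(*round2)),
    }


# Constructed scan data (all names made up).
NORMAL = {r"C:\Windows\system32\kernel32.dll", r"C:\Users\chris\doc.txt"}
CLOAKED = {r"C:\Windows\system32\$sys$drv\$sys$cloaked.sys"}
TEMP = r"C:\Users\chris\download.part"   # appeared while round 1 was running

# Round 1: the download landed between the API enumeration and the raw one.
ROUND1 = (set(NORMAL), NORMAL | CLOAKED | {TEMP})         # (api_view, raw_view)
# Round 2: the download is now visible to both; the cloaked file still is not.
ROUND2 = (NORMAL | {TEMP}, NORMAL | CLOAKED | {TEMP})      # (api_view, raw_view)

if __name__ == "__main__":
    for key, paths in report(ROUND1, ROUND2).items():
        print(f"{key}: {paths}")
```

A single-pass comparison would have reported two hidden files; the second round is what separates the cloaked driver from the half-finished download, which is the kind of false positive that makes this approach error prone in practice.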




5. Richard Schwartz, 18/11/2005 14:25:18
Homepage: http://www.rhs.com/poweroftheschwartz


I did read the article, and what it says to me is that it takes a lot of skill and dedication, but nothing more than what I would expect of the researchers at any of the leading security vendors. It also takes serendipity in that one has to actually find oneself in a position to be applying those skills and dedication to an infected machine. I suppose I may be laboring under a mistaken expectation here, but I would think that all the major security companies should be doing extensive scans on large numbers of machines with unknown problems that are brought to their attention by customers -- and with the large number of machines infected by the Sony rootkit the odds seem pretty good that at least one customer would have experienced some problem (related or un-related to the Sony stuff) that would have brought that machine under an AV vendor's microscope. Perhaps the number of cases that each AV vendor does a serious investigation on is far lower than I would hope, or the number of machines infected by the Sony rootkit is just too small a proportion to have made it probable that an AV vendor noticed it sooner. I dunno, but I'm disappointed... and a good conspiracy theory makes life more interesting.




6. Nathan T. Freeman, 21/11/2005 08:55:42


Gentlemen, I used to work for Sony Music. I have spoken with a significant number of their senior managers. As a Domino administrator, I had access to and interaction with projects that would make you wince in pain.

I assure you, they have neither the intelligence nor the imagination for this kind of conspiracy. They DO hire outside firms to tell them how to "stop piracy" and pay them ridiculous amounts of money. These firms then themselves engage in dubious business practices, but from the exchanges I have read on the matter from the inside, more out of ignorance than malice. (Remember your Mencken here.)

Let me put it another way... Sony Music is run by demons. They screw people over for a living. But they screw over THEIR ARTISTS, not the people buying the CDs. They don't even pay attention to the people buying the CDs. Their marketing deals are focused on channels and affiliates, not the actual end-listener. Some channel partner pitched this idea to them, and senior management got wood at the idea of "piracy-proof CDs." But a conspiracy? They're too busy plotting how to dupe the next Nirvana out of $10 million in album sales to worry about releasing rootkits into the wild.




7. Chris Linfoot, 21/11/2005 09:15:25


And for the benefit of any land sharks listening in here, those are Nathan's views - not mine. Though he does seem to lend some weight to my assertion that there is no rootkit conspiracy.




8. Ben Rose, 21/11/2005 14:15:23
Homepage: http://www.jaffacake.net


By coincidence, I have The Maltese Falcon coming on DVD.

Puzzle out the link there?




9. Chris Linfoot, 21/11/2005 14:33:50





10. Ben Rose, 21/11/2005 14:46:18
Homepage: http://www.jaffacake.net


Read the description:

http://play.com/play247.asp?page=title&r=R2&title=5900&p=57&g=72&pa=sr




11. Nathan T. Freeman, 22/11/2005 07:10:39


Heh. I guess I was being a bit acerbic there. But I don't have any intention of working with them again.



