The Root of the Problem

Sony BMG's disastrous use of rootkit software has taught us a valuable lesson: we're too trusting of commercial software.

Sony BMG Music Entertainment's decision to include covert and potentially dangerous software on millions of its compact discs taught us two painfully important lessons: that people have placed too much faith in the safety of commercially distributed software and that the tools for protecting computers from malicious "rootkit" applications have been inadequate.

As the music and movie industries continue to put legal pressure on file-trading networks such as Kazaa and individual violaters, Sony BMG Music Entertainment made the decision to try to thwart file-sharing at the head of the problem: on the CD. To do that, the company included a software program called the Extended Copy Protection (XCP), a digital rights management (DRM) application developed by First4Internet. Among other problems, it caused a security hole to open that enabled other virus writers to covertly install malicious applications. Unlike a virus that propagates exponentially from system to system, and quickly draws attention, such "rootkit" applications often fly under the radar.

Making matters worse, consumers are understandably much less wary of commercial software than files they download or that are included as e-mail attachments. So it's not surprising that the discovery of Sony's placement of software containing a security vulnerability was inadvertent.

Windows expert Mark Russinovich was one of millions of music fans who purchased a CD from a SonyBMG artist and listened to it on his computer -- never imagining he was opening up a gaping security hole on his PC. It was only months after Russinovich first listened to a Van Zant brothers CD that he realized the CD had damaged his computer.

"The problem is that software coming from an established company like Sony will always be trusted by the consumer," says Russinovich, "even if they had software that popped up a warning that a driver was being installed, most [people] would likely allow it."

Russinovich posted his discovery of the unwanted "rootkit" software on his blog, along with the explanation of how it outsmarted the existing antivirus and spyware software. Since then, Russinovich has completed a free utility that identifies rootkits. But he acknowledges on his website that there will never be a universal rootkit scanner.

Even computer security companies have been naïve, though, in not closely scrutinizing commercial software for code that opens security holes. "We had not looked at this particular technology before," says Vincent Weafer, senior director of Symantec Security Response. The XCP software is not a virus itself, he says, but rather opens security holes that can be exploited.

"[There is a] difference between malicious code, as opposed to technology that can be used for malicious purposes," Weafer says. But hackers were quick to jump on the security risk. Weafer says a virus that exploits the XCP vulnerability called "Backdoor.Ryknos" was identified by Symantec on November 10, and the company posted a removal tool.

And within two weeks, Symantec will be updating its antivirus products to identify rootkits.

However, the cat-and-mouse game played by security companies and virus writers had a twist this time: antivirus companies were slow to create utilities to remove the Sony software -- out of fear of violating the Digital Millennium Copyright Act, according to security expert Dan Kaminsky. He says creating new software to remove DRM software is a violation of the DMCA, forcing antivirus companies to create patches that eliminate the software's dangerous behavior, but do not remove it.