Secrecy itself is routine in the software industry, but this was different. First 4 Internet achieved secrecy using a rootkit, then Sony BMG neglected to tell its customers about the program’s presence or to provide a straightforward way to uninstall it. The term “rootkit” derives from computer networks using Unix-style operating systems, where the system administrator – the person with all rights and privileges to change the system – is said to have “root” access. The first “root kits,” written in the mid-1990s, were collections of software tools used by Unix hackers to acquire root access and deposit rogue code without leaving a trail. Windows rootkits emerged in 1999 and became so commonplace that they could be downloaded free from hacker collectives such as the one that produces the online magazine Rootkit (www.rootkit.com). More sophisticated versions could be purchased on the Internet for a few hundred dollars.
First 4 Internet executives, citing ongoing legal action, would not answer Technology Review’s questions. Therefore, we do not know whether or not the company’s developers knew that they were creating a rootkit, or whether they modeled XCP upon one of the open-source or commercial rootkits. However, outsiders who examined XCP’s code found that it contained some open-source components, including code from one program that encodes music in the MP3 format and another that encrypts and decrypts music downloaded from Apple’s iTunes. (The latter was apparently part of a never-implemented plan to make XCP compatible with iTunes, according to Halderman.)
Another unknown is whether XCP’s developers were aware that a rootkit, once installed on a customer’s computer, could open a passage for other viruses and Trojan horse programs. But Princeton’s Halderman says programmers at First 4 Internet must have been aware that the cloaking method they were employing was well known to malware writers. “They had to learn about this technique from other sources,” Halderman says. “And in the course of researching how to use this technique, it’s almost inconceivable that they wouldn’t have discovered that [cloaking other malware] is something that rootkits do.”
In any case, the company’s hiding technique was highly effective – so much so that no security expert noticed the rootkit for at least six months after the release of the first copy-protected discs. But soon after Russinovich posted his report, malware authors discovered that they could use the rootkit to keep anything from viruses to spyware out of the operating system’s view. Indeed, less than two weeks after the Sony BMG rootkit came to light, the first malware program designed to exploit it had surfaced. It was a “backdoor Trojan” called Troj/Stinx-E designed to hide itself inside the rootkit and allow other programs to take over users’ computers via connections to an instant-messaging system called Internet Relay Chat.