The Finnish Connection
F-Secure is headquartered in a boxy glass-and-aluminum building on Helsinki’s outskirts, just a block from the factory where Nokia – long before it became a cell-phone company – made thousands of kilometers of steel cable as part of Finland’s massive war reparations to the Soviet Union.
Dominating F-Secure’s second-floor command center are three big video screens. One depicts the architecture of a well-known computer virus as if it were a giant, spinning space station. Another shows a real-time map of malware activity worldwide. Mika Stahlberg, a research manager at F-Secure, is using the third screen to illustrate XCP’s stealth features.
“I can demonstrate using the Van Zant album,” Stahlberg says. He inserts Get Right with the Man, a country album by veteran rockers Johnny and Donnie Van Zant, into a computer under the command center’s triangular conference table. “We ordered this from Amazon last October. Okay, I put this in and it starts by default. Here’s the EULA. Of course, I want to listen to the music, so I click ‘Agree.’”
The player installs itself and launches automatically. Now Stahlberg chooses a guinea pig for the cloaking demonstration: the Windows calculator accessory. He starts the calculator, then opens the Windows Task Manager and selects the “Processes” tab, where a user can see a list of all of the programs currently running on the machine. “Okay, we can see it’s there in the process list – it’s called ‘calc.exe.’ Now let’s rename it.”
Stahlberg closes the calculator, finds the actual program file on the hard drive, and gives it a very specific name: “$sys$calc.exe.” He restarts the calculator. “Now look at the process list again. The calculator has disappeared.”
Stahlberg has just laid bare the main function of the Sony BMG rootkit: to make any file starting with the prefix “$sys$” undetectable. Among the files XCP keeps hidden in this way: aries, the ringleader program that waylays messages between applications and the operating system; crater, the filter driver that keeps other programs from reading the CD-ROM; and $sys$parking, which counts how many times the burning application has been used.
“What almost all rootkits do…is filter the output that applications get from certain operating-system functions,” Stahlberg explains. XCP filters out any output marked with the $sys$ prefix, so in Stahlberg’s demonstration, when the Task Manager asked Windows for a list of running programs, it got back everything except the calculator. A program with the $sys$ prefix in its name may be running – indeed, it may be taking up a large fraction of the system’s memory and CPU time – but to the Processes list and other applications such as Windows Explorer, it does not exist.
Of course, Stahlberg and his colleagues at F-Secure didn’t understand any of this the first time they examined a copy-protected Sony BMG disc, Switchfoot’s Nothing Is Sound. Immediately after receiving John Guarino’s log file, they ordered the CD and installed it on a quarantined PC, then used F-Secure’s own rootkit detection program, called Blacklight, to see how the disc’s software had altered the machine’s operating system. Blacklight found that there were more files in the system than Windows Explorer indicated – an unmistakable sign of a rootkit.
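The two mechanisms described above, the prefix filter that cloaks “$sys$” entries and the cross-view comparison a tool like Blacklight uses to expose it, as an added toy model that is not XCP’s, F-Secure’s or anyone’s real code; the process and file names are constructed for the illustration, and the “raw” view simply stands in for any enumeration path the filter does not cover:

```python
# Added illustration, not code from the article or from F-Secure/Sony BMG.
# Models the cloaking filter and the cross-view check that detects it.
from dataclasses import dataclass, field

HIDE_PREFIX = "$sys$"   # the prefix the article says XCP cloaks

# Constructed ground truth: what the kernel's own structures contain.
TRUE_PROCESSES = ["explorer.exe", "taskmgr.exe", "$sys$calc.exe", "$sys$aries.sys"]
TRUE_FILES = ["notepad.exe", "$sys$parking", "$sys$crater.sys", "readme.txt"]

def raw_enumerate(true_state):
    """Unhooked view: a low-level scan that reads the real structures."""
    return list(true_state)

def hooked_enumerate(true_state):
    """Hooked view: models the rootkit's filter on an API result.
    Every entry still exists and runs; the caller just never sees the
    ones whose name starts with the cloaking prefix."""
    return [n for n in raw_enumerate(true_state) if not n.startswith(HIDE_PREFIX)]

def rename(state, old, new):
    """Model of the demo in the article: rename a benign program on disk."""
    return [new if n == old else n for n in state]

@dataclass
class CrossViewResult:
    hidden: list = field(default_factory=list)   # in raw view, missing from API view
    phantom: list = field(default_factory=list)  # in API view, missing from raw view

def cross_view(api_view, raw_view):
    """Diff two enumerations of the same objects. Anything the API path
    omits but the raw path returns is a cloaked object (rootkit indicator);
    the reverse direction is reported too, since it is equally abnormal."""
    api, raw = set(api_view), set(raw_view)
    return CrossViewResult(hidden=sorted(raw - api), phantom=sorted(api - raw))

def scan(true_state):
    """Run the cross-view check over one kind of object (processes, files)."""
    return cross_view(hooked_enumerate(true_state), raw_enumerate(true_state))

if __name__ == "__main__":
    # The calculator demo: visible before the rename, cloaked after it.
    print(hooked_enumerate(["calc.exe"]))                                   # ['calc.exe']
    print(hooked_enumerate(rename(["calc.exe"], "calc.exe", "$sys$calc.exe")))  # []
    for label, state in (("processes", TRUE_PROCESSES), ("files", TRUE_FILES)):
        r = scan(state)
        print(f"{label}: API view shows {len(hooked_enumerate(state))}, "
              f"raw view shows {len(state)}, hidden = {r.hidden}")
```

The detector never needs to know the prefix: it only reports that two views of the same system disagree, which is the signal Blacklight reported when it found more files than Windows Explorer listed.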
At first, the F-Secure researchers were reluctant to label the Sony BMG rootkit a security threat, since it was obviously being used for copy protection, not to spread viruses or spawn pop-up ads. “DRM as such is not bad,” says Santeri Kangas, F-Secure’s director of research. “But when we analyzed what this could do as a vehicle for malware, we took a stand and said, ‘Well, this is dangerous.’”