November 4, 2005 11:03 AM PST
Sony's antipiracy may end up on antivirus hit lists
Explaining its decision, Kaspersky said it used the definition of spyware provided by the Anti-Spyware Coalition. Sophos, another security company, is similarly scathing of Sony and is calling the software "ineptware."
The issue reaches much further than the individual PCs of those users who buy particular Sony CDs, the antivirus companies say. The DRM software uses what is known as a "rootkit," which means that it is invisible to the operating system, to most antivirus and security software and to IT departments trying to cope with security on desktop and notebook computers.
Furthermore, say the antivirus companies, the rootkit software can be exploited by hackers and viruses and used to cloak any file from the operating system. A rootkit takes partial control of a computer's operating system at a very deep level in order to hide the presence of files or ongoing processes.
"The Sony rootkit can be used to hide any files from the operating system, so we think the way that Sony has implemented this is somewhat flawed," said Graham Cluley, the senior technology consultant at Sophos. "The danger is that other malware (malicious software) may come along which exploits the Sony rootkit."
Due to what Cluley said is a lack of malicious intent on Sony's part, Sophos is not defining the rootkit itself as malicious software, preferring instead to refer to it as "ineptware."
"We don't really believe this is malware, and so we don't currently detect it," Cluley said. However, he said detection for rootkits like that used by Sony will be built into Sophos Antivirus version 6, due out in 2006.
"This is potentially unwanted software, and we will add the capability to detect the bad stuff and give the enterprise more control over what is on their PCs," he said. "This software is the sort of thing we will consider adding."
David Emm, a senior technology consultant at Kaspersky Lab, said he was also dismayed to see Sony using rootkits. "We don't have an issue with Sony taking steps to protect its legal rights and licensing," he said. "But given that over the past 12 to 18 months we have seen an increasing use of rootkits (by criminals), to see similar technology being implemented from someone supposedly on the good side is particularly worrying."
The use by companies such as Sony of techniques that are usually the preserve of criminals is causing problems for antivirus and security companies. "Previously it has been possible to say a rootkit equals a bad thing, but now we're having to deal with things that are not so clear cut," he said.
Kaspersky uses the term "riskware" to define programs that behave like malicious software but may not have malicious intent behind them. Although it attempts to detect riskware, so that users can be asked what they would like to do with it and so that policies can be created, it does not currently detect the rootkit used by Sony's DRM. "At the moment this is still under discussion and no final decision has been made," Emm added.
Sony's use of techniques usually employed by hackers and virus writers makes it much more difficult to differentiate between malicious and benign software, said Kaspersky on its viruslist.com blog. "Rootkits are rapidly becoming one of the biggest issues in cybersecurity. Vendors are making more and more of an effort to detect this kind of threat. So why is Sony opting to use this dubious technology?" the Kaspersky posting said.
"Naturally, we're strongly against this development," it continued. "We can only hope that this message comes across loud and clear to the people who have a say in this at Sony and elsewhere. We'd hate to see the use of rootkits becoming a habit among mainstream software manufacturers when there are so many security and ethical arguments against such use."