November 21, 2005 4:00 AM PST

What makes a rootkit?

Related Stories

Sony's rootkit fiasco

November 21, 2005

New Sony CD risk identified

November 18, 2005

Sony offers new CDs, MP3s for recalled discs

November 18, 2005

Attack targets Sony 'rootkit' fix

November 16, 2005

Sony recalls risky 'rootkit' CDs

November 15, 2005

FAQ: Sony's 'rootkit' CDs

November 11, 2005
The Sony BMG copy protection debacle has pulled "rootkit" out of the hacker underground and into the wider world of regular computer users.

But while those PC owners may now recognize the term, that doesn't necessarily mean they know what kind of threat it describes. And in the Sony case, not even the experts can agree on whether the record label's antipiracy technology meets the technical definition of a rootkit.

"I would say it is more a stealth technology than a rootkit," said Vincent Weafer, the senior director at Symantec Security Response. "A rootkit is used by people trying to maintain remote access to a system. Sony is an example of a much more limited technology. It was only designed to hide itself."

That argument over semantics is important to security providers, which have to define threats before they defend against them. But in general it matters little, since all the experts agree that the technology ultimately acts as a rootkit would, making it every bit as dangerous as if it were installed by hackers.

Sony's copy-protection software, created by U.K.-based First 4 Internet, is installed on a computer's hard drive when certain Sony BMG Music Entertainment CDs are played on a Windows PC and after the listener accepts a license agreement.

The software uses the programming tool at the center of the controversy, which buries itself deep in the internals of a Microsoft Windows PC. It blocks all but the most technically-savvy users from being able to detect its presence. It is also invisible to most security products, which typically don't look that deep into a computer's workings.

"Rootkits can hide on the machine because they operate at a very low level in the operating system," said Joe Telafici, the director of operations at McAfee's Avert labs.

Behind the code
The term "rootkit" originates from the Unix world. It refers to a set of tools that would hide any trace of an intruder yet maintain full, or "root," access on system running the operating system.

"A rootkit retains access to the system that has been previously compromised, and it hides itself from someone who is authorized to use the computer," said Jon Orbeton, a senior security analyst at security software maker Zone Labs.

Critics say that Sony's software left PCs vulnerable to attack because it provided a hiding place for other applications. Trojan horses that try to commandeer a system and take advantage of the cloak provided by the CD software have already appeared on the Internet. In addition, Sony initially didn't provide an uninstall tool (which exacerbated the situation).

All this adds up to a rootkit, experts such as Dan Kaminsky say. Kaminsky is the security researcher who has estimated that the Sony software is installed on at least 500,000 PCs.

"I had the same reaction that a number of security people had: Is Sony getting remote root on machines?" Kaminsky said. "Are they getting the capability to run code on a machine? That's what fundamentally makes it a rootkit: evasion of user knowledge."

Rootkits are available for sale online and some hackers even offer to create custom rootkits for payment, experts said. Often the software is used to hide a backdoor on a computer that lets hackers enter surreptitiously. Typically, it arrives in a Trojan horse or via malicious Web download. Some adware makers also use rootkits to cover up their software.

CONTINUED: Digging out rootkits…
Page 1 | 2


Join the conversation!
Add your comment
Sorry but...
this is nothing more than a failure of security companies to protect their paying customers.
I'll bet in this rookits heyday Symantec's NIS was instructed to ignore Sony's rookit when it connected to the net to send info on the music you listened to.
That's why I use an older version of IN_CDDA.cdb in Winamp, which allows me to use the CDDB of my choice, as AOL has sold it's soul to Gracenote.
It's the main reason I never update NIS as these corporate *****$ have sold themselves to every other paying corporation. Darn near every update was to allow ads and scripts from other corporate scum access to run code on my computer.
Posted by Muddleme (99 comments )
Reply Link Flag
What make an Kentucky Shitkicker?
The porpoise of a rootkit is to supplant the system as to allow access that would otherwise not be available while maintaining the aspect of an penetrated system. Provided the interface is secure the only way this is in anyway possible is if the user runs code, script or performs an action as to invoke his privilege and presumably without his awareness sets into motion an unintended penetration.

In this case (lets assume less than fully privileged user in all accounts) places a cd into a cd-rom disc drive and as a result executes a binary file that is read there in with elevated privileges as those of an authority which can make changes to filesystems level format or otherwise. I don't mean to split hairs with you on this but the fact that unprivileged user was able to act as a privilege one (or few, whatever the case may be) is symptomatic of something know in the industry as a "superrootkit". having been present prior to the insertion of the compact diskette, so please lets not put the cart before the horse if you will.

If I may play the devils advocate, and rise to the Sony Music Corporations defence the action of storing or writting to the systems physical storage, information which pertains to content used by an application internally is so common that if it were done in a prominent location in the storage tree it would be bothersome and worst case deleterious. Files pertaining to relationship between user and content, be it software or other usage delimited materials are often written to these files to in effect force the user to comply with what the software applications engineers stipulate is the governing agreement between user and provider. As a no treaspassing sign prompts the decision to be made by traveler to circumnavigate and fence forces circumnavigation. It is not status quo for the software application to indicate it is recording such information or where it is doing so and nor does it do it in an expected location in the tree and furthermore these files are not removed by the applications co-installed for removal of the installation. None of this can be associated with "rootkit" actions. The action involving writing files to the storage media, with the file formating in question implimented on it, outside the effective tree is a function of the specification of the this particular formating, albeit, an obscure one, the formating and filesystems functions and operations need not and were not and will not be altered by the software. I cannot speak to the nature of the information recorded. I might note that such a recording, as on a nonvolatile storage device lends itself to long term retention, the nature of which is not particularly conducive to rouge application.
Posted by (10 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.