There have been several significant developments in the Sony DRM story since my
last post. The first is that, despite Sony’s and First 4 Internet’s claims that
their rootkit poses no security risk, several viruses have been identified in
the wild that exploit the cloaking functionality provided by the rootkit.
Besides F-Secure and Computer Associates, most antivirus companies were slow to
label the Sony rootkit as a risk. But the discovery of viruses that use the
rootkit to hide files has caused many to identify and disable the rootkit in
their latest scanning signatures. My guess is that they were waiting for an
actual security threat to shield them from a potential problem with Sony. For
example, Microsoft initially responded cautiously when questioned about its
position on Sony’s use of rootkits, but Jason Garms, a member of the Microsoft
Windows Defender team (formerly Microsoft Antispyware), announced in the Windows
Defender blog this weekend that Microsoft is also releasing signatures and a
cleaner for the rootkit.
While I’m glad that the viruses have resulted in
continuing media coverage of the story, the viruses being discussed in the media
are not really the primary security issue. The viruses simply take advantage of
the Sony rootkit if it’s present, but could just as easily install their own
rootkit to hide their presence on the system. If a user activating the virus,
which is transmitted as an email attachment, is running with administrator
privileges, the virus can install a kernel-mode rootkit just as powerful as
Sony’s. But even if the virus is activated from a non-administrator account it
can install a less powerful, though still effective, user-mode rootkit. The
bottom line is that it’s not rootkits themselves that are the problem; it’s the
inability to manage the objects that they hide that creates security,
reliability and manageability problems.
I’m not the only one who realizes the dangers of rootkits, especially those
bundled with commercial software. On Friday, the US Chamber of Commerce
co-sponsored a conference in Washington, D.C. on combating intellectual property
theft. The conference concluded with a panel that included major representatives
of the entertainment and technology industries such as the chairman and chief
executive officer of the Recording Industry Association of America (RIAA) and
Stewart Baker, the assistant secretary for policy in the Department of Homeland
Security. Baker concluded with a comment aimed squarely at Sony: “It's very
important to remember that it's your intellectual property -- it's not your
computer. And in the pursuit of protection of intellectual property, it's
important not to defeat or undermine the security measures that people need to
adopt in these days.”
Unfortunately, there has been some confusion with regard to the level of
cleaning that antivirus (AV) companies are providing for the rootkit. Some
articles imply that AV companies remove all of the Sony DRM software in the
cleaning process, but they are in fact only disabling and removing the Aries.sys
driver that implements the rootkit cloaking functionality. Unfortunately, all of
the AV cleaners I’ve looked at disable it improperly by unloading it from
memory, the same way Sony’s patch behaves, which, as I noted previously,
introduces the risk of a system crash. While they post disclaimers on their web
sites to that effect, they should use the safe alternative that I described a
couple of posts ago, which is to delete the rootkit’s registration from Windows
so that it won’t activate when Windows boots:
- Open the Run dialog from the Start menu
- Enter “cmd /k sc delete $sys$aries”
- Reboot
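The same removal as a script, added here as an example (not code from the original post or from Sony/First 4 Internet). It checks whether the service registration exists before deleting it and deliberately never stops the driver; it assumes an elevated prompt and that sc.exe can open the service by its exact name even though the rootkit hides $sys$-prefixed names from enumeration.

```powershell
# Added example: delete the XCP rootkit's service registration instead of
# unloading Aries.sys. Run from an elevated (administrator) PowerShell prompt.
# Assumption: sc.exe can open '$sys$aries' by name even though the rootkit
# cloaks $sys$-prefixed names from directory and registry enumeration.
$ServiceName = '$sys$aries'    # single quotes so PowerShell does not expand $sys

function Test-RootkitRegistered {
    # sc.exe returns a non-zero exit code (1060, service does not exist) when
    # the name is unknown to the Service Control Manager.
    $null = & sc.exe query $ServiceName 2>&1
    return ($LASTEXITCODE -eq 0)
}

function Remove-RootkitRegistration {
    if (-not (Test-RootkitRegistered)) {
        Write-Host "Service '$ServiceName' is not registered; nothing to do."
        return $false
    }
    # No 'sc.exe stop' here: stopping unloads the driver while its hooks may
    # still be in use, which is the crash risk described in the post.
    # 'sc delete' only removes the registration; the driver stays loaded until
    # the reboot below and is never started again afterwards.
    & sc.exe delete $ServiceName | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe delete failed with exit code $LASTEXITCODE (not elevated?)"
    }
    Write-Host "Registration for '$ServiceName' deleted; reboot to finish removal."
    return $true
}

if (Remove-RootkitRegistration) {
    Restart-Computer -Confirm
}
```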

Perhaps the biggest news in the story last week is Sony’s first public response
since one of their executives stated in a National Public Radio interview,
“users don't know what a rootkit is, and therefore, don't care." Mid-day Friday
Sony announced, with the hope that press coverage wouldn’t last through the
weekend, that it would temporarily cease production of CDs containing First 4
Internet’s XCP technology, the software that utilizes the rootkit. They have
also finally added a link on the Sony BMG web site, under the News section, to
the decloaking patch and uninstall link:

It’s
a small first step on Sony’s part. Sony still makes no admission of guilt,
though by this time I’m sure that legal exposure prevents them from doing so. In
addition, the use of the word “temporarily” disturbs me. Are they just waiting
for the media attention to fade before starting up again?
More importantly, Sony is making no effort to withdraw existing CDs that are
already on the market, and the uninstall process is still spyware-like with its
use of an ActiveX control during the request for uninstall and the actual
uninstall. ActiveX controls are a commonly used attack vector for malicious web
sites, and one of the blog comments from the last posting, by Matti Nikki,
points out that the First 4 Internet control contains scriptable methods that
can be activated without the user’s knowledge or consent. His site demonstrates
how he can reboot your system using one of the methods. The control exports 22
scriptable interfaces, as seen here in a screenshot of Type Library Explorer
from iTripoli, and the shoddy nature of First 4 Internet’s other code gives me
little confidence that there aren’t vulnerabilities that could be used by a
malicious site to gain control of systems on which the control is installed.
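One defensive step a practitioner can take while the control remains installed is to set the Internet Explorer “kill bit” for it so web pages can no longer instantiate it. This is an added example, not code from the post or from First 4 Internet; the control’s CLSID is not given in the post, so the value below is a placeholder that must be replaced with the CLSID read from the control’s registration on an affected machine.

```powershell
# Added example: set the IE kill bit for an ActiveX control so that web pages
# cannot create it, regardless of the control's own "safe for scripting" claim.
# PLACEHOLDER CLSID: the post does not give the First 4 Internet control's CLSID.
$Clsid = '{00000000-0000-0000-0000-000000000000}'

$CompatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # Compatibility Flags value 0x400 is the documented kill bit.
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value 0x400 -Force | Out-Null
    return (Test-ActiveXKillBit -Clsid $Clsid)
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # True only if the kill bit (0x400) is present in the flags for this CLSID.
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band 0x400) -ne 0)
}

if (Set-ActiveXKillBit -Clsid $Clsid) {
    Write-Host "Kill bit set for $Clsid; IE will refuse to load this control."
}
```

On 64-bit Windows the same key also exists under Wow6432Node for 32-bit Internet Explorer, so set it in both locations.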

I’ve
said it before, but obviously need to say it again: Sony needs to make the
uninstaller freely available as a standalone executable download so that users
can choose to safely and easily discontinue use of this nefarious software.