Sony DRM Installs a Rootkit?

An anonymous reader writes “SysInternals.com guru Mark Russinovich has a detailed investigation of a rootkit from Sony Music. It’s installed with a DRM-encumbered music CD, Van Zant’s “Get Right with the Man”. (Mmmm, delicious irony!) The rootkit introduces several security holes into the system that could be exploited by others, such as hiding any executable file that starts with ‘$sys$’. Russinovich also identifies several programming bugs in the method it uses to hook system calls, and chronicles the painful steps he had to take to ‘exorcise the daemon’ from his system.” This house is clear.

via Slashdot

You don’t have to read the article, as it’s almost too long. And even if you understood what he was doing, you’d still want to just skip to the bottom line. Still, it’s good that someone did a comprehensive test.

Here’s my proposed summary of the article in 3 short paragraphs.

Rootkits are covered in Wikipedia, so I won’t waste time defining them. However, it should be mentioned that while rootkits are, by etymology, bad things in themselves, there are legitimate applications that use rootkit-like functions and behaviour. 1 Kaspersky anti-virus is a perfect example, and, for argument’s sake, so is Sony’s DRM mechanism.

This is the reason why the guy went through all of those tests: to see whether the rootkit-like functions the software had were legitimately needed for the software to work, and whether there were other hidden files or consequences that could expose a system to unauthorized access (in the hacker/cracker sense). 2

The bottom line is that the DRM software was shown to have an irritating (and arguably malicious) side effect: it cripples parts of the user’s system (the CD drive, in Russinovich’s case) should you try to remove or tamper with it. The main point of the article was that DRM implementation is being taken too far, and that end-users are being inconvenienced too much for the sake of defending a flawed copyright mechanism.


For Windows users, I highly suggest downloading the application he used (RootkitRevealer). It’s lightweight (a standalone app) and pretty accurate. It works by comparing a high-level scan through the Windows API with a low-level scan of the raw file system volume and registry hives, and a discrepancy is anything that shows up in one view but not the other. However, it isn’t very discerning: it will display ALL discrepancies, whether they are legitimate or not. So you still have to decide for yourself whether what it detects is a rootkit or not.
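To make the cross-view idea concrete, here is an added example in Python; it is not code from this page, from Russinovich’s article, or from Sony’s DRM package. The hooked listing stands in for the kernel-mode filter the Slashdot summary describes (every name beginning with ‘$sys$’ disappears from the API view), and the comparison step is the RootkitRevealer technique of diffing a raw view against the API view. The directory listing, the allowlist and every file name in it are constructed sample data; treating the filter’s prefix match as case-insensitive is an assumption.

```python
"""Cross-view rootkit detection, modelled in user mode (added example)."""
from typing import Dict, Iterable, List

# Prefix the page attributes to the DRM driver's cloaking filter.
CLOAK_PREFIX = "$sys$"


def _key(name: str) -> str:
    """Normalise a file name for comparison.

    Windows names are case-insensitive, so entries that differ only in case
    are the same object.  Assumption: both views report plain long names.
    """
    return name.strip().casefold()


def hooked_api_view(raw_entries: Iterable[str]) -> List[str]:
    """Stand-in for the cloaking hook, i.e. what a process sees through the
    Windows directory-listing API once the filter is installed.

    Every name starting with '$sys$' is dropped, no matter who created it.
    That is the hole the Slashdot summary describes: any executable renamed
    to '$sys$...' becomes invisible as well.  Assumption: the real filter
    matches case-insensitively, like the file system does.
    """
    return [n for n in raw_entries if not _key(n).startswith(CLOAK_PREFIX)]


def cross_view_diff(api_view: Iterable[str],
                    raw_view: Iterable[str]) -> Dict[str, List[str]]:
    """RootkitRevealer-style comparison of a high-level and a low-level view.

    hidden_from_api: present in the raw (on-disk) view but not via the API;
                     the classic cloaking signature.
    only_in_api:     reported by the API but absent from the raw view; not
                     cloaking, usually a file created or deleted between the
                     two enumerations.
    Both directions are reported; the tool does not judge legitimacy.
    """
    api = {_key(n): n for n in api_view}
    raw = {_key(n): n for n in raw_view}
    hidden = sorted((raw[k] for k in raw.keys() - api.keys()), key=_key)
    only_api = sorted((api[k] for k in api.keys() - raw.keys()), key=_key)
    return {"hidden_from_api": hidden, "only_in_api": only_api}


def triage(diff: Dict[str, List[str]],
           allowlist: Iterable[str]) -> Dict[str, List[str]]:
    """The operator's step the post insists on: split hidden objects into
    those matching names you already know to be legitimate (e.g. what your
    AV vendor documents as its own) and the rest, which need manual review.
    """
    allowed = {_key(n) for n in allowlist}
    hidden = diff["hidden_from_api"]
    return {
        "known": [n for n in hidden if _key(n) in allowed],
        "review": [n for n in hidden if _key(n) not in allowed],
    }


# Constructed sample listing of a system directory; none of these names are
# real files from the page or from the DRM package.
RAW_LISTING = [
    "notepad.exe",
    "$sys$drm_example.sys",  # the DRM driver cloaking itself
    "$SYS$hideme.exe",       # unrelated binary riding on the same prefix
    "kernel32.dll",
]

# Names the operator has decided are legitimate (constructed).
KNOWN_LEGITIMATE = ["$sys$drm_example.sys"]


def scan(raw_listing: Iterable[str] = RAW_LISTING,
         allowlist: Iterable[str] = KNOWN_LEGITIMATE) -> Dict[str, List[str]]:
    """Run both views over the listing and triage the discrepancies."""
    raw = list(raw_listing)
    api = hooked_api_view(raw)
    diff = cross_view_diff(api, raw)
    result = triage(diff, allowlist)
    result["only_in_api"] = diff["only_in_api"]
    return result


if __name__ == "__main__":
    for bucket, names in scan().items():
        print(f"{bucket}: {names}")
```

The point of the `triage` step is the one the post makes: the diff alone tells you that something is cloaked, not whether it belongs there, so the allowlist is where your own judgement (or your vendor’s documentation) enters. In a real deployment the raw view would come from parsing the volume or hive directly rather than from a list in memory.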

Notes

1 This is a very important nuance, because function does not equal purpose. This is the reason why you can’t simply call just any kernel-mode program that is able to intercept, patch, or cloak files/processes a rootkit. I’m really still torn whether or not Sony’s program, while intrusive, should still be called such.
2 In that case it would REALLY be a rootkit by definition.
