Even When Uninstalled, Sony's Rootkit Still Poses A Threat

A number of Web sites have been found that are capable of attacking PCs left vulnerable after users tried to uninstall a rootkit embedded in Sony's copy-protection software. While the sites could have wreaked havoc, the security firm that discovered them said the intent of the person behind these particular sites seems to be more about making a point than doing harm.

Gregg Keizer

November 17, 2005

3 Min Read

The impact of Sony BMG's now-withdrawn copy-protection scheme spread even farther Wednesday. A security company said it had spotted malicious Web sites ready to attack PCs left vulnerable after users tried to uninstall a rootkit Sony used to hide its digital rights management (DRM) software.

San Diego-based Websense said that it had found "a few" Web sites designed to attack computers by exploiting a leftover piece of Sony's ActiveX rootkit uninstaller.

"It's very minimal, and not widespread," acknowledged Dan Hubbard, senior director of security and research at Websense, speaking of the exploit. But the sites, few as they were, could have wreaked havoc on PCs that once had the Sony DRM technology on their drives.

"The person behind this did it just to make a point. He could have had total access to the computer, and done whatever he wanted," said Hubbard. "Instead, he just made the machine reboot. He even inserted comments in the HTML code that said something like 'Sony DRM Christmas Gift.'"

Sony came under fire earlier this month when researchers, including Mark Russinovich of Winternals, discovered that the copy protection Sony BMG Music Entertainment applied to some of its music CDs contained a rootkit. Rootkits are typically used by attackers to cloak their malicious code so that security software can't detect it.

Under pressure, Sony first released a patch that uncloaked the rootkit, then an ActiveX-based uninstaller that was meant to remove the rootkit completely. It's that ActiveX uninstaller that gave the new attack an opening.

"ActiveX controls used to uninstall or disable a program are temporarily installed, and then when they're finished, the pieces are taken out again. Sony's uninstaller, though, left some components behind, and allowed those pieces to be trusted," said Hubbard. "The programmers definitely didn't clean up after themselves," he said.
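The failure Hubbard describes is a control that stays registered, and stays marked as safe to call from a web page, after the job it was installed for is done. The following PowerShell script is an added example, not code from the article or from Sony, Websense or First4Internet: it audits the local machine for COM controls whose registration carries the "Safe for Scripting" component category and reports whether Internet Explorer's kill bit has been set for each one, so an administrator can spot leftover scriptable controls. The category GUIDs and the kill-bit flag value are documented Windows constants; the filtering logic and output layout are this example's own choices.

```powershell
# Added example (not from the article): audit registered COM/ActiveX controls
# that are marked "Safe for Scripting" and report whether IE's kill bit is set.
# A leftover uninstaller control that is still scriptable from a web page is
# exactly the condition the article describes.
#
# The two category GUIDs and the 0x400 kill-bit flag are documented Windows
# values; nothing here is taken from the article itself.

$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForInitializing
$KillBitFlag         = 0x400                                      # "Compatibility Flags" bit that kills a control in IE

function Get-ScriptableActiveXControls {
    $results = @()

    foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        if (-not (Test-Path $hive)) { continue }

        Get-ChildItem -Path $hive -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid   = $_.PSChildName
            $catPath = Join-Path $_.PSPath 'Implemented Categories'
            if (-not (Test-Path $catPath)) { return }

            # Component categories are subkeys named by category GUID.
            $cats = @(Get-ChildItem -Path $catPath -ErrorAction SilentlyContinue | ForEach-Object PSChildName)
            if ($cats -notcontains $SafeForScripting) { return }

            # Friendly name and the binary that implements the control.
            $name   = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            $server = (Get-ItemProperty -Path (Join-Path $_.PSPath 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'

            # A registration whose DLL no longer exists is a dangling leftover
            # (only checked when the value looks like a path, not a bare file name).
            $serverMissing = $false
            if ($server -and $server -match '\\') {
                $expanded      = [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
                $serverMissing = -not (Test-Path -LiteralPath $expanded)
            }

            # Kill bit: HKLM\...\ActiveX Compatibility\{CLSID}\Compatibility Flags with 0x400 set.
            $flags     = 0
            $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
            if (Test-Path $compatKey) {
                $value = (Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
                if ($null -ne $value) { $flags = [int]$value }
            }

            $results += [pscustomobject]@{
                CLSID         = $clsid
                Name          = $name
                Server        = $server
                SafeForInit   = ($cats -contains $SafeForInitializing)
                KillBitSet    = (($flags -band $KillBitFlag) -ne 0)
                ServerMissing = $serverMissing
            }
        }
    }

    return $results
}

# Report the cases worth a second look: scriptable from a web page and not
# killed in IE. Dangling registrations (ServerMissing = True) are the clearest
# sign of an installer or uninstaller that did not clean up after itself.
Get-ScriptableActiveXControls |
    Where-Object { -not $_.KillBitSet } |
    Sort-Object Name |
    Format-Table CLSID, Name, Server, SafeForInit, ServerMissing -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM hive is fully readable. Setting the kill bit for a CLSID (the documented Internet Explorer mitigation) is what blocks a control from being instantiated by a web page without having to find and unregister every leftover file, which is why the report separates "scriptable" from "scriptable and not yet killed".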

That jibes with Russinovich's take on the copy-protection scheme, which was created by a U.K.-based company, First4Internet. In the blogs Russinovich has posted about his investigation into Sony's DRM, the rootkit, and its uninstaller, he's called the First4Internet software "underhanded and sloppily written" and characterized the company's programming skills as "inept."

"Any user who has downloaded and run the Sony uninstaller is susceptible to this attack," said Hubbard.

That could mean more than half a million potential victims, according to some estimates. Earlier this week, security researcher Dan Kaminsky claimed that he had found more than half a million name servers which had stored DNS queries related to the Sony rootkit, indicating that the number of PCs with the Sony copy-protection installed was much larger than earlier thought.

To put Kaminsky's numbers in context, August's Zotob worm attack affected approximately 10,000 PCs.

But there may be a silver lining to the whole Sony cloud.

"What's positive here is the exposure of a scenario when someone uses technology that they believe is protecting intellectual property, but they haven't taken into account that security comes into play as well," said Hubbard.

"Developers must be aware that there are [security] repercussions in almost any program," he said. "Too often, security gets bypassed in the development cycle."
