Even When Uninstalled, Sony's Rootkit Still Poses A Threat

A number of Web sites have been found that are capable of attacking PCs left vulnerable after users tried to uninstall a rootkit embedded in Sony's copy-protection software. While the sites could have wreaked havoc, the security firm that discovered them said the intent of the person behind these particular sites seems to be more about making a point than doing harm.

"The programmers definitely didn't clean up after themselves," he said.

That jibes with Russinovich's take on the copy-protection scheme, which was created by a U.K.-based company, First4Internet. In the blogs Russinovich has posted about his investigation into Sony's DRM, the rootkit, and its uninstaller, he's called the First4Internet software "underhanded and sloppily written" and characterized the company's programming skills as "inept."

"Any user who has downloaded and run the Sony uninstaller is susceptible to this attack," said Hubbard.

That could mean more than half a million potential victims, according to some estimates. Earlier this week, security researcher Dan Kaminsky claimed that he had found more than half a million name servers that had cached DNS queries related to the Sony rootkit, indicating that the number of PCs with Sony's copy protection installed was much larger than previously thought.

To put Kaminsky's numbers in context, the August attack of the Zotob bot worm affected approximately 10,000 PCs.

But there may be a silver lining to the whole Sony cloud.

"What's positive here is the exposure of a scenario when someone uses technology that they believe is protecting intellectual property, but they haven't taken into account that security comes into play as well," said Hubbard.

"Developers must be aware that there are [security] repercussions in almost any program," he said. "Too often, security gets bypassed in the development cycle."