The Big Lesson From Sony's Rootkit Experience

In what could be viewed as a suicidal business move by Sony, once the litigation engines are up and running, the company may have done us all a huge favor with its rootkit episode in reminding us how dangerous certain kinds of exploits can be to users.

Most of us have not been looking at rootkits, one of the most dangerous of spyware types, but thanks to Sony's recent experience we have been slapped upside the head with a reminder. What Sony’s BMG division did was put a rootkit in a number of CDs and IT shops are reporting PCs that are being“flatlined” at an increasing rate.

Sony’s "who cares" response is about to be answered with a vengeance now that legal actions have been filed as judges typically don’t take kindly to companies who behave badly and don’t feel any remorse.

In Italy ALCEI is active on this and we have independent attorneys putting together class action cases in other parts of the US as I write this column.

There is currently one Trojan (with two names) and a broken bot floating around in the wild trying to make use of this rootkit and many more are expected before the month is out.This has all of the earmarks of a problem that will make Intel’s famous quality issue with the Pentium last decade seem like a walk in the park.

Yet Sony's rootkit isn’t the only one floating around, another has been maliciously introduced to attack AIM customers and given how hard these are to catch there is every likelihood there are more out there we aren’t yet tracking.

What is a Rootkit?

A rootkit is a nasty piece of business and there is a good overview book available on Amazon called, coincidently, “Rootkits” that goes into far more detail then I will here.

Rootkits exist for a variety of platforms including Linux, Mac OS, and Solaris along with Windows--which was attacked in the Sony episode. They are a set of tools used by third parties generally to gain illegitimate access computer systems (not just PCs). The most dangerous apparently operate at the OS kernel layer and are invisible to virus checking and anti-spam products.The rootkits can open backdoors that help an attacker get easy access to otherwise secure systems. Once the attacker has access they can download sensitive information or turn the machine into a zombie to create denial of service attacks on other systems. Other exploits have included key loggers and sniffers to capture passwords and financial information.

While the Sony rootkit is the first known by a branded major vendor there is no assurance that other branded companies have not done similar things. Why Detection is Nearly Impossible

While Sony did not disclose their rootkit, it was discovered and not very easily as detection is incredibly difficult.

Basically because the rootkit modifies the OS itself the OS can no longer be trusted and tools that look for viruses and spyware typically assume the OS can be trusted. The best way to detect a rootkit is to shut down the suspect computer and to boot it from trusted media; typically a rootkit can not hide from most good anti-virus tools if it isn’t running as part of the OS.

These programs look for alterations to standard OS calls (which are common in infected systems) and can generally identify an infected system. If they are running rootkits can detect the scan and suspend operations until the scan concludes which is why you have to insure that the suspect OS is not running.Recommended applications to detect rootkits include chkrootkit and rkhunter for UNIX, and Blacklight from F-Secure and Rootkit Revealer from Sysinternals for Windows. It is likely that the UNIX tools will also work on the MacOS.

Getting Rid of the Rootkit

Generally you need to rebuild the system from scratch. Rootkits embed themselves so effectively in the OS that being sure you got rid of it is almost impossible and there is a good chance that the effort, even if successful, would destabilize the operating system.

This remains the best practice and even though Sony is providing an incredibly convoluted process to remove their rootkit, my recommendation is to do a clean OS installation on the infected systems to avoid what will probably be a very unhappy user that would otherwise result.

Last Words
Rootkits are nasty business because they are virtually impossible to detect, they open up even the most secure platforms to attack, and their removal costs as much as an OS upgrade in time and labor.

Making sure people are trained to look for them, that email filters are blocking all executable files, and users are reminded of the risks of installing untrusted applications on a regular basis are all good practices to fight rootkits.

In any case, anyone responsible for IT security that isn’t coming up to speed on rootkits is likely to get a really rude awakening. A good overview can be found on Wikipedia.

Good luck, and, in the meantime, you may want to follow Dan Gillmor’s advice and not buy anything from Sony this holiday season as a special thank you for putting all of your employees at risk.