Technology Review, May/June 2006, Feature Story (p. 54)
Kangas and his team readied a public report on the rootkit but were waiting for First 4 Internet's uninstaller before releasing it, as courtesy in the Internet security business demands. That's when they were beaten to the punch by a Texan named Mark Russinovich.
Russinovich and colleague Bryce Cogswell are the authors of Sysinternals.com, one of the leading U.S. blogs on computer security. Russinovich is also the chief software architect at Austin-based Winternals Software and, by chance, the inventor of some of the very cloaking techniques used by XCP. He and Cogswell had spent part of 2005 working on Rootkit Revealer, a detection program similar to F-Secure's Blacklight. One day in late October, Russinovich was running Rootkit Revealer on his own PC as part of a test to make sure the program wasn't generating false positives. Russinovich says he purposely avoids the seedier areas of the Internet in order to keep his machine clear of malware, so he was astonished when Rootkit Revealer found actual rootkit files.
Just as Guarino had, Russinovich discovered that deleting the files disabled his CD-ROM drive. "Even a sophisticated home user, if they attempted to uninstall the rootkit by deleting the files, would end up crippling their machine," Russinovich says. But since he had himself come up with most of the tricks Windows rootkits use to deceive the operating system and other applications, he wasn't stymied. Russinovich was able to bypass the rootkit's cloaking function and, after remembering that he'd recently played the copy-protected Sony BMG disc Get Right with the Man on his computer, trace the files it had been hiding to First 4 Internet and Sony BMG.
"It was disturbing to me, the fact that this thing had installed rootkit software on my PC," Russinovich says. "It had installed itself without telling me. There didn't appear to be any uninstaller. But what was most surprising of all was to run into a rootkit that was part of a well-known company's DRM."
Russinovich did not contact Sony BMG about his discovery; rather, he poured his findings into an angry blog entry published on Halloween. Within hours, Russinovich's post was picked up by Slashdot, the famous home of "News for Nerds." And from there the rootkit story raged across the blogosphere and even into mainstream newspapers. F-Secure, though it had been scooped by Russinovich, quickly got back into the game, publishing its own analysis of the rootkit on November 1.
Among music fans and technology watchers, reaction to the rootkit news was explosive. Within days, anti-DRM activists launched several boycotts against Sony BMG. "Sony aims at pirates, and hits users," blared a November 9 headline in the Christian Science Monitor. Antivirus and security companies issued warnings advising consumers to avoid or return the Sony BMG discs. Bloggers fanned the flames; the word "rootkit" appeared in blogs 150 to 750 times every day throughout November, according to blog search engine Technorati.
Tempers flared further after November 4, when Russinovich announced in his blog that other software accompanying XCP on the Sony BMG discs "phoned home," contacting Sony BMG over the Internet every time a user played a protected CD. Acting on a tip from a Finnish hacker and computer science student named Matti Nikki, Russinovich used a "network tracing" program to analyze traffic flowing into and out of his computer. He found that during startup, the protected CDs would check with a server at Sony BMG for fresh material for a rotating banner advertisement displayed with the player. This exchange was innocuous enough; but to Russinovich and readers of his blog, the affront was that Sony BMG had not disclosed in the CDs' EULAs that the software would send data to the company or spelled out how that data would be used. "I doubt Sony is doing anything with the data," Russinovich wrote, "but with this type of connection, their servers could record each time a copy-protected CD is played and the IP address [the location on the Internet] of the computer playing it."
Security professionals, bloggers, and music fans weren't the only ones who were dismayed. The U.S. Department of Homeland Security criticized Sony BMG for releasing products that undermined antivirus software and exposed both government-owned and privately owned computers to hackers. At a November 10 trade conference on piracy, Stewart Baker, the department's assistant secretary for policy, chastised big media for its obsession with DRM. "It's very important to remember that it's your intellectual property, [but] it's not your computer," Baker said.
Over and over again, people who encountered the rootkit expressed a sense of violation. John Guarino, the computer consultant, offers this analogy: "Say you want to install cable TV in your apartment. You call the cable company. They say someone is going to come and install it. The cable guy makes you sign something before he comes into the apartment. Then you find out he didn't actually leave the apartment when he was done. He is still hiding. And you call the company and say, 'This guy is still here,' and they say, 'But you signed the document.' And you say, 'Yeah, but he still shouldn't be here. Where is he?' and they say, 'We're not going to tell you that.'
"And not only is this guy hiding inside your apartment, he's actually eating from your refrigerator, drinking your water, using the bathroom, and you can't stop him. He could be inviting other friends over and letting them in. And if you try to find him and take him out yourself, he's going to throw bombs, and you'll have to call the construction guys to rebuild your whole apartment.

"That's what Sony is doing. The rootkit uses your processor, it uses your memory, your hard disk. You can't take