by Robin Bloor

The Rootkit Problem

Dec 08, 2005
CSO and CISO, Data and Information Security

Nowadays, even technophobic PC users have a reasonable understanding of the common varieties of malware. It's a virus if it tries to infect other PCs. It's a worm if it tries to propagate itself over a network. It's spyware if it tries to record your PC activities. It's a Trojan if it sits on your computer keeping open a backdoor to let hackers in. In truth, an item of malware can be any combination of these things, or even all of them. The different labels simply refer to different behaviors.

Last month, courtesy of Sony, a relatively new malware term, rootkit, was given a healthy amount of publicity when it was reported that Sony had planted a rootkit on its audio CDs in order to implement digital rights management (DRM) – or copy control as most of us think of it. The reaction of IT industry watchdogs was swift and, for Sony, devastating. It quickly removed its rootkit from its music CDs and issued apologies. It now faces legal cases for the damage that was done.

So what's a rootkit? It's a piece of software that directly changes the way the operating system works. From a hacker's perspective, a well-designed rootkit hides itself effectively by tampering with the operating system. It alters the system so that the rootkit's files become undetectable: list the files and the rootkit file won't appear, and if a rootkit process is running, it won't show when you list the processes. Normal anti-virus software, which relies on the operating system for those listings, will not see it.

If a computer has been infected with a rootkit, the rootkit cannot be detected easily from within the running system. One way to detect it is to load a clean version of the operating system from a different disk drive and then use some kind of scanning capability to detect the rootkit on disk, where the infected system's hiding mechanisms are not in control. Also, there is software that has been specially written to detect rootkits: Blacklight from F-Secure is currently available at no cost, there are several downloadable programs available from and Microsoft has some anti-rootkit technology for Windows, which is likely to be added to Windows AntiSpyware at some point. Technology that fingerprints executable files, such as that from Bit9 and Securewave, will also stop rootkits.
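The clean-boot scan described above works by comparing two views of the same disk: what the running (possibly infected) operating system reports, and what a scan from a separately booted clean system finds. The following is an added example, not code from the article or from any of the products it names; the directory paths and digests in the sample listings are constructed, and the `snapshot` helper is an assumed way of producing a real listing from a mounted drive.

```python
import hashlib
import os
from pathlib import Path


def snapshot(root):
    """Map every file under `root` to its SHA-256, keyed by path relative to root.

    Run once on the live system and once against the same drive mounted from a
    clean boot; the two dictionaries are the inputs to cross_view_diff().
    """
    result = {}
    root = Path(root)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                digest = hashlib.sha256(path.read_bytes()).hexdigest()
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            result[str(path.relative_to(root))] = digest
    return result


def cross_view_diff(live_view, clean_view):
    """Report files the clean-boot view sees that the live OS does not (likely
    hidden by a rootkit) and files present in both views whose contents differ
    (likely system binaries patched on disk)."""
    hidden = sorted(p for p in clean_view if p not in live_view)
    modified = sorted(p for p in clean_view
                      if p in live_view and live_view[p] != clean_view[p])
    return {"hidden": hidden, "modified": modified}


# Constructed sample listings (digests shortened for readability). The live
# view omits one driver that the infected OS filters out of directory listings
# and shows a different hash for ntdll.dll than the clean-boot scan does.
CLEAN_VIEW = {
    "Windows/system32/kernel32.dll": "1f2a",
    "Windows/system32/ntdll.dll": "9b1e",
    "Windows/system32/drivers/ntfs.sys": "77c0",
    "Windows/system32/drivers/EXAMPLE-hidden.sys": "d00d",  # placeholder name
}
LIVE_VIEW = {
    "Windows/system32/kernel32.dll": "1f2a",
    "Windows/system32/ntdll.dll": "9b1f",
    "Windows/system32/drivers/ntfs.sys": "77c0",
}

if __name__ == "__main__":
    for kind, paths in cross_view_diff(LIVE_VIEW, CLEAN_VIEW).items():
        print(kind, paths)
```

A file that only the clean-boot view reports is the signal the article describes; a hash mismatch on a system binary is the other thing a fingerprinting product would flag.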

The rootkit that Sony added to its music CDs was not intended to be malicious. It was intended to prevent music and video theft by preventing the PC user from copying files illegally. To do that you have to interfere with the file-copying routine on a PC so that, for example, when it recognizes a digital watermark it will refuse to copy the file. However, once a rootkit is installed, it creates a weakness: other malware can attach to it and use it as a place to hide. Sony's particular rootkit also offended many people because it reported what music the PC user was playing back to Sony over the Internet. Most people rightly viewed that as a violation of privacy.

Sony clearly had the wrong DRM solution and should not have implemented it unilaterally. Nevertheless, the need for DRM is clear, not just for music but for a wide variety of digital information. The problem is that computers are so versatile, and there is a small army of hackers that work at circumventing any DRM scheme that anyone tries to implement.

A DRM scheme from a single source is unlikely to work as a comprehensive solution. What may be needed to solve the problem is a common DRM standard that does not depend on the operating system. Technically, it is achievable; it can be done in several ways, using encryption schemes, but it requires a high level of co-operation across the IT industry and the buy-in of the consumer. Right now I don't think there's a consensus for any solution that can be applied generally; there are only solutions that can be applied in niche areas, between closed groups of businesses.