Even When Uninstalled, Sony's Rootkit Still Vexes PCs

San Diego-based Websense said that it had found "a few" Web sites designed to attack computers by exploiting a leftover piece of Sony's ActiveX rootkit uninstaller.

"It's very minimal, and not widespread," acknowledged Dan Hubbard, senior director of security and research at Websense, of the exploit. But the sites, few as they were, could have wreaked havoc on PCs which once had the Sony DRM technology on their drives.

"The person behind this did it just to make a point. He could have had total access to the computer, and done whatever he wanted," said Hubbard. "Instead, he just made the machine reboot. He even inserted comments in the HTML code that said something like 'Sony DRM Christmas Gift.'"

Sony came under fire earlier this month when researchers, including Mark Russinovich of Winternals, discovered that the copy protection Sony BMG Music Entertainment applied to some of its music CDs contained a rootkit. Rootkits are typically used by attackers to cloak their malicious code so that security software can't detect it.


Under pressure, Sony first released a patch that uncloaked the rootkit, then an ActiveX-based uninstaller that was supposed to remove the rootkit completely. It's that ActiveX uninstaller that gave the new attack an opening.

"ActiveX controls used to uninstall or disable a program are temporarily installed, and then when they're finished, the pieces are taken out again. Sony's uninstaller, though, left some components behind, and allowed those pieces to be trusted," said Hubbard. "The programmers definitely didn't clean up after themselves," he said.

That jibes with Russinovich's take on the copy-protection scheme, which was created by a U.K.-based company, First4Internet. In the blog posts Russinovich has written about his investigation into Sony's DRM, the rootkit, and its uninstaller, he has called the First4Internet software "underhanded and sloppily written" and characterized the company's programming skills as "inept."
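The check a practitioner would want at this point, as an added example that is not from the article and not code from Sony or First4Internet: the PowerShell below enumerates the ActiveX controls a machine has registered as "Safe for Scripting" (the marking that lets any web page instantiate and drive a control), flags registrations whose server file is missing or sits outside the Windows directory, and shows the standard Internet Explorer kill-bit setting used to block a control by CLSID. The component-category GUIDs and the kill-bit flag value are Microsoft's documented ones; the CLSID in the usage comment is a placeholder, not the Sony control's.

```powershell
# Added example (not from the article): audit ActiveX controls that any web page may script,
# and show the standard IE "kill bit" used to block one. The CLSID in the usage line is a placeholder.

# Component categories that make a control usable from untrusted web pages.
$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

function Get-ScriptableActiveX {
    # Enumerate every registered COM class marked "Safe for Scripting"
    # and report whether its in-process server DLL/OCX still exists on disk.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        if (-not (Test-Path "$($key.PSPath)\Implemented Categories\$SafeForScripting")) { return }

        $server = $null
        $inproc = "$($key.PSPath)\InprocServer32"
        if (Test-Path $inproc) {
            $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        }
        $onDisk = $false
        if ($server) {
            $path   = [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
            $onDisk = Test-Path -LiteralPath $path
        }

        [PSCustomObject]@{
            CLSID        = $key.PSChildName
            Name         = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).'(default)'
            Server       = $server
            SafeForInit  = Test-Path "$($key.PSPath)\Implemented Categories\$SafeForInitializing"
            ServerOnDisk = $onDisk
        }
    }
}

function Set-ActiveXKillBit {
    # Set IE's kill bit (Compatibility Flags = 0x400) so the browser never loads the control,
    # regardless of its "safe" markings. Requires an elevated shell.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Type DWord -Value 0x400
}

# Usage: list controls a web page can script, flagging ones whose server file is gone
# (a registration left behind by an uninstaller) or living outside the Windows directory.
Get-ScriptableActiveX |
    Where-Object { -not $_.ServerOnDisk -or $_.Server -notmatch '\\Windows\\' } |
    Format-Table CLSID, Name, Server, ServerOnDisk -AutoSize

# After confirming a listed CLSID is unwanted, block it; placeholder CLSID shown:
# Set-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
```

A control that is marked safe for scripting but whose methods can execute code or reboot the machine is exactly the kind of leftover the article describes; the kill bit is the right fix because it works even if the vendor's uninstaller never cleans up the registration.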

"Any user who has downloaded and run the Sony uninstaller is susceptible to this attack," said Hubbard.

That could mean more than half a million potential victims, according to some estimates. Earlier this week, security researcher Dan Kaminsky claimed that he had found more than half a million name servers that had cached DNS lookups related to the Sony rootkit, indicating that the number of PCs with the Sony copy protection installed was much larger than previously thought.

To put Kaminsky's numbers in context, August's Zotob worm outbreak affected approximately 10,000 PCs.

But there may be a silver lining to the whole Sony cloud.

"What's positive here is the exposure of a scenario when someone uses technology that they believe is protecting intellectual property, but they haven't taken into account that security comes into play as well," said Hubbard.

"Developers must be aware that there are [security] repercussions in almost any program," he said. "Too often, security gets bypassed in the development cycle."