Analysis: Sony rootkit problem raises questions for security vendors

Why didn't they spot the rootkits sooner?

Sony BMG Music Entertainment has been lambasted for shipping its spywarelike XCP software on music CDs over the past year, but an important question has gone largely unanswered: Why didn't security vendors catch the problem sooner?

Though one security vendor, Finland's F-Secure Corp., was aware of the problems surrounding Extended Copy Protection (XCP) before blogger Mark Russinovich went public with the issue, none of the major antispyware or antivirus vendors had any idea that something was amiss, according to representatives from Symantec Corp., McAfee Inc. and Computer Associates International Inc.

Sony has sold an estimated 2 million CDs containing the copy-protection software, which used special rootkit techniques to hide itself on PCs. Rootkit software runs at a very low level of the operating system and is designed to be extremely difficult to detect. Ultimately, XCP's cloaking ability was used by hackers to write malicious software, a development that prompted Sony to recall its XCP CDs.

Shortly after its discovery, XCP was classified as dangerous software by most security vendors, but Princeton University computer science professor Edward Felten was disturbed that it took so long for such a widespread problem to be exposed.

"This malware had been on the market for months and presumably had been installed on hundreds of thousands of computers, but still none of the antimalware vendors had discovered it," Felten wrote in a blog posting last week. "It's not a good sign that all of the major antimalware vendors missed it for so long."

There were two things about XCP that presented challenges for the big security vendors. The first was Sony's use of rootkit techniques to cloak XCP and make it harder to circumvent its copy-protection capabilities. Most security vendors acknowledge that because rootkits have only recently come into widespread usage, there is still much to be done to improve rootkit detection in their products.

A second problem is that the software was distributed by a trusted company: Sony.

While most security vendors prefer not to think of the XCP incident as a failure, at least one vendor, McAfee Inc., acknowledged that there was some room for improvement. "I'd probably have to accept some culpability there," said Joe Telafici, director of operations for McAfee Avert. "It's not like we go to the record stores every week to see what's on the shelves. Maybe we should have been doing that."

Security companies like McAfee are moving away from signature-based threat prevention, where security software is told how to spot and disable certain known types of malware, to "behavior-based" techniques, where the product is less concerned with identifying the software, as it is with preventing all software from doing bad things.

Improved behavior-based detection will help McAfee do a better job of identifying software like XCP, Telafici said.

Paying more attention to detecting and removing rootkits will also improve the situation, said Mikko Hypponen, chief research officer at F-Secure. F-Secure's products have rootkit-identifying capabilities that spotted the XCP software on a customer's system more than a month before the problem was publicly known, Hypponen said.

Rootkit software, like spyware, will eventually attract the attention of the larger vendors as it becomes a larger problem, Hypponen said. "There will always be new kinds of attacks, and there will always be small vendors filling a niche for the new kind of problem before the big boys move in," he said. "McAfee and Symantec haven't made their move yet. They will."

Without going into specifics, both McAfee and Symantec said they will have new techniques to deal with rootkits in upcoming versions of their products, but Telafici noted that security enhancements in the upcoming Windows Vista operating system, due in late 2006, will also change things.

In particular, the Windows Vista model of giving users more restricted privileges on the PC may represent a major change in the fight against malicious software. Interestingly, Telafici was unable to predict whether Vista would give an advantage to the attackers or the security companies. "It may depend on how well [Vista] is implemented," he said.

Copyright © 2005 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon