Rootkits and the Sony XCP
A later variation on the virus theme is the rootkit. A rootkit is a piece of malicious code that goes to great lengths not to be discovered or, if discovered and removed, to reestablish itself whenever possible. The name rootkit refers to the code's attempt to operate as root, the superprivileged user of a Unix system.
A typical rootkit will interfere with the normal interaction between a user and the operating system as follows. Whenever the user executes a command that would show the rootkit's presence, for example, by listing files or processes in memory, the rootkit intercepts the call and filters the result returned to the user so that the rootkit does not appear. For example, if a directory contains six files, one of which is the rootkit, the rootkit will pass the directory command to the operating system, intercept the result, delete the listing for itself, and display to the user only the five other files. The rootkit will also adjust such things as file size totals to conceal itself. Notice that the rootkit needs to intercept this data between the result and the presentation interface (the program that formats results for the user to see).
Ah, two can play that game. Suppose you suspect code is interfering with your file display program. Then you write a program that displays files, then examines the disk and file system directly to enumerate files, and compares these two results. A rootkit revealer is just such a program.
A computer security expert named Mark Russinovich developed a rootkit revealer, which he ran on one of his systems. He was surprised to find a rootkit [RUS05]. On further investigation he determined the rootkit had been installed when he loaded and played a music CD on his computer. Felten and Halderman [FEL06] extensively examined this rootkit, named XCP (short for extended copy protection).
What XCP Does
The XCP rootkit prevents a user from copying a music CD, while allowing the CD to be played as music. To do this, it includes its own special music player that is allowed to play the CD. But XCP interferes with any other access to the protected music CD by garbling the result any other process would obtain in trying to read from the CD.
The rootkit has to install itself when the CD is first inserted in the PC's drive. To do this, XCP depends on a "helpful" feature of Windows: With "autorun" Windows looks for a file with a specific name, and if it finds that, it opens and executes the file without the user's involvement. (The file name can be configured in Windows, although it is autorun.exe by default.) You can disable the autorun feature; see [FEL06] for details.
XCP has to hide from the user so that the user cannot just remove it. So the rootkit does as we just described: It blocks display of any program whose name begins with $sys$ (which is how it is named). Unfortunately for Sony, this feature concealed not just XCP but any program beginning with $sys$ from any source, malicious or not. So any virus writer could conceal a virus just by naming it $sys$virus-1, for example.
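The cross-view comparison behind a rootkit revealer, applied to the $sys$ prefix cloaking just described, as an added example that is not from the book or from Russinovich's tool. The "rootkit" here is a simulated hook on Python's os.listdir, and the independent view is os.scandir standing in for direct file-system parsing; the six sample files are constructed in a temporary directory.

```python
import os
import tempfile
from pathlib import Path

CLOAK_PREFIX = "$sys$"          # the name prefix the text says XCP hides
_real_listdir = os.listdir      # keep the genuine function so the hook can be removed


def _hooked_listdir(path="."):
    """Simulated rootkit behaviour: the filtered view a hooked listing API returns."""
    return [n for n in _real_listdir(path) if not n.startswith(CLOAK_PREFIX)]


def install_simulated_hook():
    os.listdir = _hooked_listdir


def remove_simulated_hook():
    os.listdir = _real_listdir


def reveal(directory):
    """Cross-view check: names and byte totals from the commonly hooked API
    versus an independent enumeration path (os.scandir here; a real revealer
    would read the on-disk file-system structures directly)."""
    api_names = set(os.listdir(directory))
    with os.scandir(directory) as it:
        raw = {e.name: e.stat().st_size for e in it if e.is_file()}
    hidden = sorted(set(raw) - api_names)
    api_bytes = sum(size for name, size in raw.items() if name in api_names)
    return {"hidden": hidden, "api_count": len(api_names),
            "raw_count": len(raw), "unaccounted_bytes": sum(raw.values()) - api_bytes}


def run_demo():
    """Six constructed files, one cloaked: the scenario from the text, not real XCP artefacts."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ["a.txt", "b.txt", "c.txt", "d.txt", "e.txt", "$sys$cloaked.dat"]:
            Path(tmp, name).write_bytes(b"x" * 100)
        install_simulated_hook()
        try:
            return reveal(tmp)          # the hooked API shows five files, the raw view six
        finally:
            remove_simulated_hook()


if __name__ == "__main__":
    print(run_demo())
```

The unaccounted byte count is the size-total discrepancy the text mentions; a real rootkit that also patches size totals would need a second independent source for that figure.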
Sony did two things wrong: First, as we just observed, it distributed code that inadvertently opens an unsuspecting user's system to possible infection by other writers of malicious code. Second, Sony installed that code without the user's knowledge, much less consent, and it employed strategies to prevent the code's removal.
Patching the Penetration
The story of XCP became very public in November 2005 when Russinovich described what he found and several news services picked up the story. Faced with serious negative publicity, Sony decided to release an uninstaller for the XCP rootkit. Remember, however, from the start of this chapter why "penetrate and patch" was abandoned as a security strategy? The pressure for a quick repair sometimes led to shortsighted solutions that addressed the immediate situation and not the underlying cause: Fixing one problem often caused a failure somewhere else.
Sony's uninstaller itself opened serious security holes. It was presented as a web page that downloaded and executed the uninstaller. But the programmers did not check what code they were executing, so the web page would run any code from any source, not just the intended uninstaller. And worse, the downloading code remained even after uninstalling XCP, meaning that the vulnerability persisted. (In fact, Sony used two different rootkits from two different sources and, remarkably, the uninstallers for both rootkits had this same vulnerability.)
How many computers were infected by this rootkit? Nobody knows for sure. Kaminsky [KAM06] found 500,000 references in DNS tables to the site the rootkit contacts, but some of those DNS entries could support accesses by hundreds or thousands of computers. How many users of computers on which the rootkit was installed are aware of it? Again nobody knows, nor does anybody know how many of those installations might not yet have been removed.
Felten and Halderman [FEL06] present an interesting analysis of this situation, examining how digital rights management (copy protection for digital media such as music CDs) leads to requirements very similar to those for a malicious code developer. Levine et al. [LEV06] consider the full potential range of rootkit behavior as a way of determining how to defend against them.
Schneier [SCH06b] considers everyone who, maliciously or not, wants to control a PC: Automatic software updates, antivirus tools, spyware, even applications all do many things without the user's express permission or even knowledge. They also conspire against the user: Sony worked with major antivirus vendors so its rootkit would not be detected, because keeping the user uninformed was better for all of them.