Was anyone surprised when new malware suddenly hit the streets to take advantage of the anti-piracy rootkit malware Sony BMG music CDs install on computers? In fact, Sony BMG may have violated various laws with this onerous program.
I've been pondering the rootkit phenomenon over the past week, and the problem ends up boiling itself down to an old assertion: 24/7 connectivity is a bad thing.
We need an On-Demand Internet. On top of that, we need to be armed to the teeth with antispyware and antivirus software.
This all began when some boneheads at Sony BMG (did I say boneheads? I meant idiots) decided that it would be a great idea to sneak in a rootkit digital-rights management system onto some music CDs the company sells.
Rootkits are the trendiest form of malware because they hide within the operating system itself, so you never know they're there. They're used mostly by bad people trying to compromise your computer.
The Sony BMG version seems to have come from a company called First4Internet, and Sony BMG probably had no clue as to how it works or the controversy it would cause.
Within no time, evil Trojan horse programs such as Rykonos.A took advantage of the user-installed rootkit, thanks to Sony!
The idea behind the scheme seems to have been to hide the fact that any content management systems were being used at all. The point was, I suppose, to keep people from uninstalling the protection. All this will do is encourage users to avoid Sony products.
Wikipedia offers a good explanation of the basic rootkit types:
Rootkits come in two different flavors, kernel- and application-level kits. Kernel-level rootkits add additional code and/or replace a portion of kernel code with modified code to help hide a backdoor on a computer system. This is often accomplished by adding new code to the kernel via a device driver or loadable module, such as Loadable Kernel Modules in Linux or device drivers in Microsoft Windows. Kernel rootkits commonly patch, hook, or replace system calls with versions that hide information about the attacker. Application-level rootkits may replace regular application binaries with trojanized fakes, or they may modify the behavior of existing applications using hooks, patches, injected code, or other means. Kernel rootkits can be especially dangerous because they can be difficult to detect.
This sort of malware actually stems from the Unix environment, and for all we know, version of that OS are more vulnerable to this sort of invasion than Windows.
I do recall a sysop friend of mine who ran Linux servers casually commenting in the late nineties that once someone gets inside a Linux box, it's almost impossible to get rid of the invader without a system wipe.
One has to assume that this sort of infection optimizes the stealth nature of a rootkit, and as long as you're online, you simply must assume that you are being spied on. Even antispyware and antivirus programs can be defeated by a smart rootkit.
To ferret out rootkits, you might have to do a clean boot off of a CD or USB drive and scan from it. A complete OS reinstall or loading a ROM-based OS might be the best bet, though.
Of course, applications themselves could still be infected. This situation is totally out of control with today's architecture, and it's about time we scrap the whole structure.
Another solution is to get offline. Why are we online 24/7? What's the point?
While you sleep, software is checking to see if it's legally loaded. Adware is pinging the mother ship telling someone that you like L.L. Bean as a place to shop. Pop-ups are being fed to you. It's like rats at night doing all their work.
One night I failed to turn off my machine and accidentally left CUTEftp running after sending some files to the Dvorak Uncensored blog. The machine was running wild in the morning, and I assume I was a spam bot for the night. Or maybe the FBI was looking into my surfing habits. Who knows? I disconnected the ftp program, ran three antispyware products, and cleaned up the mess.
The situation would sure be better if we were not connected 24/7 and instead connected on an as-needed basis, then shut off. But this idea will never fly because all the big companies such as Microsoft feel the need to check up on customers all day long.
All I can tell you is that the situation with all these compromised computers is getting worse by the minute, with no end in sight.
Copyright © 2005 Ziff Davis Media Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Media Inc. is prohibited.