>> Dotted Line Rooting out

Mike Pedone

Of all the different work done by transactional lawyers, licensing may be the most entertaining. It provides a unique opportunity to use terms like “Trojan Horse,” “trap door,” “worm” and “bomb” with a straight face. Just when those terms were starting to lose their novelty, we’ve got a new one: rootkit.

A rootkit is a collection of software tools that function like a secret trap door. Once installed, a rootkit permits an intruder to remotely access and control a computer. Rootkits are different from other malicious software because they’re installed more deeply and more covertly in the “kernel” of a computer’s operating system (OS). The kernel, the lowest level of an OS where basic functions like memory allocation are controlled, is never seen by most computer users. Rootkits are typically hidden so well that even programmers who are familiar with the kernel may not detect them, and very little evidence is left when an intruder uses a rootkit.

Public awareness of rootkits spiked in October 2005 when a well-known programmer found potentially malicious software buried in his computer’s operating system, and described the discovery on an internet blog. The software was a rootkit, and it had been installed from a music CD with Extended Copy Protection (XCP).

XCP is a digital rights management (DRM) technology that restricts copying music from Sony-BMG CDs. To listen to an XCP-protected CD on a computer, customers were required to install a special media player from the CD to the computer. Little did they know that installing the media player also caused a rootkit to be installed (the media player’s end-user license agreement did not mention the rootkit). The rootkit was apparently intended to prevent XCP’s anti-copying protections from being bypassed.

Many members of the technical community alleged in blogs and internet discussion groups that the rootkit also created security weaknesses in Windows. Sony-BMG denied those claims, but nonetheless made software available that was supposed to remove the rootkit from affected systems. Techies then claimed that the removal utility didn’t actually remove the rootkit, but instead just “unhid” it and left it installed. Sony-BMG has since released a new removal utility that does, in fact, remove the rootkit.

After the XCP rootkit was discovered, US-CERT (a part of the Department of Homeland Security) issued an alert about it. The alert not only warned of potential security risks posed by the rootkit itself, but also that Sony-BMG’s removal utility created additional security vulnerabilities. Civil class action litigation and investigations by several state attorneys general soon followed. Now, some are speculating that the Department of Homeland Security may attempt to ban rootkits in all commercial software.

Good luck, everyone. Don’t let the Trojan Horses, worms, bombs and rootkits get you.

Key points to remember

1. Be aware that rootkits may be bundled in commercial software from seemingly safe, big-name companies. The XCP is not a virus written by a teenage hacker. It was commercially developed, and it illustrates that software from a big-name player like Sony-BMG can be unsafe, too. In evaluating off-the-shelf software, identifying rootkits will admittedly be difficult. In major commercial software transactions, however, the customer’s due diligence should include inquiries about hidden software like rootkits. Appropriate consideration should also be given to the scope of representations and warranties in the license agreement for the transaction.

2. If commercial software is found to have a hidden, malicious component, “fixes” provided by the provider of the software should be viewed with skepticism. Presumably, a company that distributes rootkit-laden software believes its actions are justified. The fact that Sony-BMG’s first removal utility exposed, but didn’t actually remove, the XCP rootkit suggests they felt the rootkit was a justifiable means of enforcing DRM protection for copyrighted music. Because a software provider’s interests may not be in line with their customer’s interests, customers should be wary of providers who offer to help mitigate their own rootkits. Such a situation warrants obtaining advice from an independent security consultant.

Mike Pedone, an associate in the Business Transactions group at the law firm of Venable LLP, can be reached at [email protected].

04|06 TECHLINK 11