May/June 2006
Total Page:16
File Type:pdf, Size:1020Kb
48 FEATURE STORY TECHNOLOGY REVIEW may/june 2006 MMAY-RootkitAY-Rootkit 4488 44/21/06/21/06 55:02:57:02:57 PPMM By Wade Roush Inside the Spyware Scandal Last year, Sony BMG put antipiracy software on their CDs. In so doing, they spied on their own customers and gave hackers the power to access people’s computers. What were they thinking? ohn Guarino is the owner of TecAngels, a two-man After six or seven of these encounters, Guarino was computer consultancy in Manhattan. Give Guarino growing weary. Then, on September 30, he discovered the your ailing Windows PC, and in two or three hours mysterious fi les on his own PC. “That’s what really pissed Jhe’ll return it to you in perfect health. Often, he can me off ,” Guarino says. “I was like, ‘I can’t believe it. I have solve his customers’ problems over the phone. the latest fi rewall, the latest antivirus software, three or four But last summer, Guarino came across a problem he antispyware programs. How did this get here?’” couldn’t fi x. In the process of fl ushing out the spyware and Like any good investigator, Guarino backtracked. He viruses infecting his customers’ computers, he began to fi nd knew that the fi les hadn’t been there the last time he had the same mysterious intruders in machine after machine. scanned his computer. He tried to reconstruct everything he They were strangely named fi les lurking deep inside the had done with his machine over the previous few days—what “registry” where Windows stores settings and instructions programs he had installed, what e-mails he had received, that control all of a computer’s hardware and software. what websites he had visited. To Guarino, the fi les looked like a rootkit—software that Then he remembered that he had purchased a music CD tricks an operating system into overlooking worms, viruses, the day before and had played it on the computer. It was a and any other fi les a hacker might want to conceal inside a Sony BMG Music Entertainment album called Touch, by the user’s computer. The fi les didn’t seem to be causing dam- rhythm-and-blues singer Amerie. Unlike most CDs, this disc age, and Guarino’s antivirus software didn’t identify them couldn’t be played using common media-player software such as threats. But they had appeared on people’s hard drives as iTunes, RealPlayer, or Windows Media Player. To hear uninvited—the conventional defi nition of “malware”—so the CD, purchasers had to install the customized Sony BMG Guarino removed them. player included on the disc. Guarino had done this. But the fi les didn’t go quietly. After Guarino deleted them, Now he took a closer look at the CD’s jewel box. One the CD drives on his customers’ computers would stop work- phrase popped out at him: “Content Enhanced and Pro- ing. The usual solution—reinstalling the software that drives tected.” Evidently, the disc carried some form of digital the disc players—didn’t correct the problem. Guarino couldn’t rights management (DRM) software—a program designed explain this odd eff ect, and his customers weren’t paying him to control copying and thus discourage piracy. to spend hours researching it; they just wanted their comput- Finally, the pieces came together. The mystery fi les resem- ers back. So he would usually resort to the nuclear option: bled a rootkit; the usual purpose of a rootkit is to hide some- MATT CARR MATT reinstall the operating system from scratch. thing; a copy protection program was the kind of thing its MMAY-RootkitAY-Rootkit 4499 44/21/06/21/06 55:03:03:03:03 PPMM creators might wish to hide from users; and removing this The story of the Sony BMG rootkit fi asco is about more particular rootkit disabled the CD drive. Guarino could only than bad corporate judgment or the ongoing struggle over the conclude that the malware’s source was Sony BMG itself. rights of consumers to do what they want with the things they “That’s when I gave up,” Guarino says. He could fi ght own. It is also about fear and the excesses it can arouse. When malware one machine at a time. But if the world’s second- media companies apply such powerful, secret tools to content largest record company wanted to install secret software on protection, it suggests that their nervousness over piracy has its customers’ computers, he would never win. turned to panic. Although Sony BMG insists that the rootkit Before putting the problem aside, Guarino did one very was deployed unintentionally, the episode persuaded many important thing. He e-mailed his logs to F-Secure, a com- observers that the music industry had come to see deception as puter security fi rm in Helsinki, Finland, whose software he an indispensable component of digital rights management. It had used to detect the fi les. Though F-Secure’s malware should be no surprise when customers who feel they are being watchers had not previously encountered the rootkit, they treated like thieves stop buying things. If there is one message were quickly able to confi rm Guarino’s suspicions. Over in Sony BMG’s experience for other companies entering the the next two weeks, they came to another, much more trou- digital world, it is that distrust engenders distrust. bling realization: the rootkit could hide other fi les as easily as it hid Sony BMG’s copy protection software. Every com- Schoolyard Piracy puter that had ever been used to play a copy-protected Sony Demand for digital “content” (a feeble but convenient jar- BMG disc was now, in eff ect, an open receptacle for worms, gon word for everything from poetry to podcasts) is greater viruses, and other malware. than ever. Sales of downloadable music worldwide nearly On October 17, F-Secure contacted Sony. Two weeks tripled between 2004 and 2005, from $380 million to $1.1 later, respected security expert Mark Russinovich found billion, and now represent about 6 percent of all music sales. the rootkit on his own computer and publicized his fi nd- As of March 2004, Apple’s iTunes music store was selling ings on his widely read blog. He also discovered that other software installed along with the copy protection program Sony BMG’s rootkit became secretly contacted Sony BMG via the Internet every time a PC user played a copy-protected disc. And over the next the most public symbol to several months, what had begun as a curiosity in Guarino’s date of the perceived ex- little shop escalated into a full-blown scandal, complete with backroom negotiations, public exposés, heated denials, cesses of digital rights man- angry boycotts, vengeful lawsuits, and rueful apologies. agement—and the growing Though its original purpose was to hide software that suspicion media companies prevented listeners from making more than three copies of their music, Sony BMG’s rootkit became the most public seem to harbor toward their symbol to date of the perceived excesses of DRM tech- own customers. nology—and of the growing suspicion media companies seem to harbor toward their own customers. The scandal songs at a pace of about 2.5 million per week. According to is still having repercussions. It has reignited a dispute in the U.K. version of Macworld magazine, it now sells three the public sphere over the ways consumers should be million songs every day. allowed to use copyrighted digital information and, con- One might expect content producers and distributors to versely, just how far copyright holders can go to secure their be thrilled by digital’s takeoff . But in reality, they are often intellectual property against piracy. (See “Who Will Own preoccupied with the ever present threat of rampant copying. Ideas?”, a TR special package published in June 2005.) And for good reason: in a one-month period in 2005, 3.8 Taken to extremes, experts say, digital rights manage- million U.S. households downloaded music using the free ment not only curtails people’s right to make “fair use” of peer-to-peer fi le-sharing services WinMX and Limewire, copyrighted material, which is guaranteed by U.S. copy- while only 1.7 million households purchased fi les from right law, but can even create new technological hazards. iTunes, according to market research fi rm NPD Group. “When you build computer systems where you’re not pro- The Recording Industry Association of America puts the tecting the user, but something from the user, you have very lost retail revenues from digital music piracy at $4.2 billion bad security,” says Bruce Schneier, a luminary in the fi eld per year, and it has fought illegal downloads aggressively: in of computer security and chief technical offi cer of Counter- February, it announced that it had launched 750 new law- pane Internet Security in Mountain View, CA. “That’s my suits against users of peer-to-peer fi le-sharing networks, biggest fear—this notion that the user is the enemy.” bringing the total since 2003 to more than 18,000. 50 FEATURE STORY TECHNOLOGY REVIEW may/june 2006 MMAY-RootkitAY-Rootkit 5500 44/21/06/21/06 55:03:05:03:05 PPMM Preceding almost every illegal download, however, is a anticopying software; Arista Records, a Sony BMG subsidi- much more innocent act: ripping compressed computer fi les, ary, marketed a disc carrying MediaMax in late 2003, and such as MP3s, from a legitimately purchased CD.