

White hats and black hats will produce interacting swarms of rootkits, trojans, worms, adware and spyware


While Sony's recent botched DRM rootkit implementation (timeline coverage in parts I, II, and III) brought the term rootkit into the public domain and drew a remarkably quick retraction, it is only the harbinger of a group of interacting themes that I believe will make Richard Clarke's cybersecurity admonitions seem meek:

1. DRM content silos in audio, video and the workhorse print sector

2. Ostensibly "white hat" commercial construction of flawed, exploitable DRM implementations

3. Black hat criminal penetration efforts for cracking commercial gain

4. Symbiotic and parasitic interaction between white and black hat implementations

5. Black hat exploits combining unrelated white hat DRM audio, video and text implementations in concert with other secondary weak points

6. Post-discovery recovery of white hat implementations opens a recurring cycle of new holes

7. Antiviral protection providers will face heuristic hurdles in distinguishing a threat from a feature

8. Additive (and continuing) social engineering attacks in which individuals will violate personal and corporate security for pleasure or convenience

9. Long Tail legacy interaction of all the above

Suzi Turner's Rootkits galore: part I is recommended as an introductory piece and all of its links are useful. Then move to the bookends of Bruce Schneier's Sony's DRM Rootkit: The Real Story, which points out the foot-dragging of security firms in flagging, developing and distributing fixes, and Larry Seltzer's overlooked Tough Decisions: Heuristics and Threats, which points out the difficulty for security firms in trying to "acquire every version of every major commercial program to test it for malware" and yet ensure that they do not "start falsely detecting legitimate software as malicious."

The lessons learned for content producers are not as sound as one might think. While bloggers had much to do with calling attention to Sony's XCP DRM suite, it was more likely the potential liability that Sony would face by malicious exploitation of the holes of that suite that saw it pulled from the market. Sony still has a second DRM suite called MediaMax in use since 2003, "the first copy restricting technology that installed software in an attempt to block ripping and copying." MediaMax is not as dangerous as XCP but still acts as spyware.

Worse, Sony's revenues have not suffered from the revelations of its digital rights excesses nor have many record stores reported significant backlash against Sony titles. (While Sony has reported a loss for the quarter, it is due to a sales slide in TV and Walkman purchases compounded by a lack of hit cinemas from its film unit.) It appears that many purchasers are unaware of the fault embedded in the CD that they purchased and so the holes in their personal PCs remain in place.

As one cannot see content providers relenting from attempts at DRM, I would expect a swarm of unannounced, even obscured, DRM tools to proliferate. Even if they are speedily found, their numbers will rise, further complicating the virus update process, while nimble crackers will rush zero-day exploits into service to exploit a transient vulnerability. The impact on commercial firms whose employees continue to bring in CDs to mount on office PCs, and who cannot quickly mount new releases across their networks, cannot be overestimated.

For now, it is recommended to disable autoload (or auto-play) on your personal PCs to prevent auto-inhalation of unannounced DRM tools. Then examine the directories on the volume, e.g., CD, with care before you proceed. Corporate users should edit their enterprise Group Policy to "disable auto-play from every single computer in the Enterprise globally."
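The auto-play control recommended above can be audited and applied from PowerShell. The block below is an added example, not part of the original post; it assumes a Windows host where the script runs with rights to read and write the HKLM policy key, and it checks the NoDriveTypeAutoRun value that the "Turn off Autoplay" Group Policy setting also writes, so the same audit verifies that an enterprise policy actually reached a machine.

```powershell
# Added example (not from the original post): audit and harden the AutoRun policy.
# Assumes a Windows host and rights to the HKLM Explorer policy key.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AllDrivesMask = 0xFF   # one bit per drive type; 0xFF = AutoRun off for every type
$CdRomBit      = 0x20   # DRIVE_CDROM is type 5, so bit 5 covers audio/data CDs

function Get-AutoRunPolicy {
    # Returns the current NoDriveTypeAutoRun DWORD, or $null when no policy is set.
    $item = Get-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

function Test-AutoRunDisabled {
    # $true only when every drive-type bit is set; a partial mask (e.g. the
    # CD-ROM bit alone) still leaves removable or network media exposed.
    param($Value = (Get-AutoRunPolicy))
    if ($null -eq $Value) { return $false }
    return (($Value -band $AllDrivesMask) -eq $AllDrivesMask)
}

function Disable-AutoRunPolicy {
    # Writes the hardened mask; supports -WhatIf so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($PolicyKey, 'Set NoDriveTypeAutoRun = 0xFF')) {
        Set-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -Value $AllDrivesMask -Type DWord
    }
}

$current = Get-AutoRunPolicy
if (Test-AutoRunDisabled $current) {
    Write-Output ('AutoRun already disabled for all drive types (0x{0:X2}).' -f $current)
} else {
    $shown = if ($null -eq $current) { 'unset' } else { '0x{0:X2}' -f $current }
    $cd    = if ($null -ne $current -and ($current -band $CdRomBit)) { 'off' } else { 'ON' }
    Write-Output ("AutoRun policy is $shown; CD-ROM AutoRun is $cd. Hardening to 0xFF.")
    Disable-AutoRunPolicy
}
```

Run with `Disable-AutoRunPolicy -WhatIf` to preview the registry write; a sign-out or Explorer restart is needed before the new value takes effect for logged-on users.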


SANS: Cybercriminals targeted popular applications, network systems in 2005
By Michael Arnone
November 22, 2005

The Twenty Most Critical Internet Security Vulnerabilities (Updated) ~ The Experts Consensus, Version 6.0
SANS Institute
November 22, 2005

Tough Decisions: Heuristics and Threats
By Larry Seltzer
November 21, 2005

Sony sailing past rootkit controversy
By John Borland
CNET, published on ZDNet News
November 21, 2005

Rootkits galore: part I
By Suzi Turner
November 18, 2005

Sony's DRM Rootkit: The Real Story
By Bruce Schneier
Schneier on Security
November 17, 2005

Sony rootkit: The untold story
By David Berlind
November 18, 2005

TRUSTe to legitimize adware
By Suzi Turner
November 16, 2005

Sony's Uninstaller Is Worse than Its DRM
By Larry Loeb
Security IT HUB
November 15, 2005

Sony Secretly Installs Rootkit on Computers
By Bruce Schneier
Schneier on Security
November 1, 2005

Sony, Rootkits and Digital Rights Management Gone Too Far
By Mark Russinovich
Mark's Sysinternals Blog
October 31, 2005

Gordon Housworth
