Rootkits. Be worried - very worried

  • Article

Its been a busy week for me, so it's only now that I'm getting a chance to catch up with what's going on the world of IT, or even watch or listen to the news. Hence apologies if you've already seen this.

For me, RSS is a great way of catching up, and one feed I always read is that of Mark Russinovich. I am utterly shocked and stunned read some of his findings about DRM protected CD Audio employed by a certain large "giant". Normally, I wouldn't comment on news like this except on anything except my personal blog, but I'm am so outraged and stunned by what I've discovered having spent the past hour or so researching and reading about the techniques and implications of the "RootKit" approach and the legalities, the fact that a half-baked patch has been issued, and the follow up entry from yesterday on Marks blog about the way that the software "calls" home.

Yes, there is a huge amount of publicity out there about this, but what worries me most now is that even with that publicity, how many home users are really going to take action on it? There is a probable chain reaction:

  • Home users generally won't read or hear about this, are highly unlikely to run a root kit revealer to discover the "rootkit", blame XP for potentially crashing or certainly being slower due to the "rootkit" performance overhead.
  • By not knowing about it means the majority of infected users will not visit the appropriate site to patch/remove the DRM software (which it appears is not flawless either).
  • Many people will purchased CDs with this DRM "rootkit" software.
  • Given a significant percentage of purchasers will play those CDs on home machines, there will be many home machines installed with an unpatched rootkit
  • Joe Hacker now has it on a plate with an easy way to cloak their worms/viruses on "infected" machines through the sys$ file prefix.

Crikey! Maybe I'm over-reacting. Lets hope so!