Security Industry Rocked by Sony Rootkit Fiasco -- Redmondmag.com

Security Industry Rocked by Sony Rootkit Fiasco

By Michael Desmond
01/01/2006

The Sony BMG rootkit fiasco could be the worst retail marketing meltdown since the launch of New Coke. While Sony has been rightly villified for its irresponsible actions, the real question is, why did it take so long for security vendors to detect and remediate this serious threat?

Johannes Ullrich, chief technical officer of security training and monitoring body the SANS Institute, says the industry simply wasn’t looking. “It was legitimate software,” Ullrich says of Sony BMG’s CDs. “To use malware techniques to purposely hide their own software and such, that’s new.”

Traditionally, firms like Symantec, McAfee and F-Protect -- which was first to detect the threat but kept mum while it communicated with Sony -- use a number of methods to find malware. But in this case, security vendors were sluggish with a response once Sysinternals’ Mark Russinovich publicized the vulnerability on Oct. 31. It took Microsoft until Nov. 12 to announce that its Antispyware beta would uncloak the rootkit code, while Symantec issued a fix on Nov. 10. This, for a severe vulnerability that security researcher Dan Kaminsky estimated has infected more than half a million PCs.

“We used our normal process,” says Kelly Mackin, director of product management for research at Computer Associates. The delay, she says, came in crafting code to safely excise the deeply-rooted software. “We’ve had spyware that we could basically do a removal in about an hour, and we’ve had others that can take about three weeks. This one was moderate.”

The incident has security companies rethinking the nature of threats. Mackin says CA is sampling CDs and DVDs from the retail channel for malware threats. Alfred Huger, senior director of engineering for Symantec Security Response, says his firm hopes to refine dynamic detection, so malware can be flagged by its composition and behavior, rather than by matching it against a list of known threat signatures.

Ullrich says the nature of DRM, which seeks to limit user interaction with media, poses a conundrum. “It really comes down to a definition issue: What is malware, really? You get into the intent of the software, and that’s nothing that is written into the code.”

For security vendors, it’s a question that won’t go away soon says Mackin.

“I think the convergence of digital rights management and security is a significant problem,” she says. “We are trying to preserve the integrity of the environment, and digital rights management is trying to preserve the integrity of other property owners. There’s a demolition derby going on right now, and not all the cars are going to drive away.”

About the Author

Michael Desmond is an editor and writer for 1105 Media's Enterprise Computing Group.

Featured

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.