Sony opens Pandora’s box

The last quarter of 2005 was an interesting period for malcode. The first web-only worms used cross-site scripting to propagate through popular forums and portals. We saw a zero-day vulnerability in IE that was quickly adapted to install spyware and backdoors on vulnerable hosts browsing hundreds of porn and warez sites. And we saw the public use of a rootkit by a global organisation in an effort to bolster its DRM solution.

Sony's corporate sanction of distributing a rootkit hidden within customer products to protect artistic copyright surprised many.

The company's error was to use rootkit cloaking functions to hide its copy-protection software from the customer when they placed the CD into their computer. Technically, the surreptitious installation of the protection element meets the classical definition of spyware – complete with "phone-home" functionality.

While the inclusion of a rootkit and spyware package is certainly enough to upset the customers who brought the CDs, I'm sure that many organisations also started to rapidly rethink their internal security policies. After all, even a shrink-wrapped music CD from a reputable international supplier is no longer safe enough to play through the speaker system of a corporate desktop or laptop.

Inevitably, Sony was found out, and the heat was on to mend its ways. Unfortunately for Sony and its rootkit, a lot of techies and geeks got in on the act and the malcode problems escalated.

Some people found that they could also use Sony's rootkit cloaking functions. A few months earlier, the developers of a massively popular multi-player role-playing game (MMRPG) had come up with a method of recognising players trying to use common cheating tools to affect their scores and gameplay. Using the rootkit cloaking, people were able to hide their cheating tools and, once again, outwit the MMRPG.

Once Sony took steps to remove the rootkit and spyware, things started to go horribly wrong. Security researchers found a number of vulnerabilities within the spyware that could be leveraged for local escalation attacks to gain "root" access, and they were quickly incorporated into the latest worms. Meanwhile, the uninstall package made the host unstable and vulnerable to additional attack vectors, and still didn't remove everything.

Eventually Sony issued a recall of the CDs and employed a reputable security company to provide advice on how to clear up the mess and assess the integrity of its new uninstall software.

Unfortunately, sometime between getting the software assessed and posting it on its website for customer access, minor code changes were implemented that resulted in yet another exploitable security flaw. I bet that the security company they employed wasn't particularly happy with the press they received for that slip-up.

With any luck, other organisations are rethinking their use of malcode technologies. While Sony certainly received a huge amount of negative press for its sanctioned use of a rootkit, an increasing number of organisations are still seeking to distribute next generation rootkits and spyware to further their businesses or protect their investments.

Some people might have noticed that I use the term malcode rather than malware. While malware is a useful grouping for the discussion of malicious content such as trojans, worms, spyware, rootkits, keyloggers, bots, and so on, it doesn't really cover the broad range of infection vectors now in common use.

Malicious agents are now making better use of scriptable content and related vectors and are blurring the classical definitions of the malware sub-types they evolved from.

The attackers are using each and every dirty trick in the book – borrowing the best infection vectors and techniques from one another and turning their malcode from what was once closer to an art form into an exacting science; a science that international corporations are also seeking to leverage.

Gunter Ollmann is director of X-Force, Internet Security Systems