Harbouring a Criminal

Several companies have used rootkits for allegedly bona fide purposes. The most notable was when a certain well-known electronics and media company, a personyfication (sic) of reliability some might say, used a third-party driver as part of their Digital Rights Management (DRM) software.

The premise was, and to many still is, that rootkits are not malicious in themselves and can be used quite legally to hide certain files, ports, registry entries, etc. However, such points of view are rather naive and leave the door open for abuse.

Let us briefly investigate the DRM fiasco from some time ago as a case study. A media company does not want the contents of its music CDs to be … er … “ripped off” so installs a device driver (ie the rootkit itself) onto the computer. This rootkit stealths (ie hides) another file which monitors how the CD is accessed and prevents unauthorised copying. However the rootkit stealths any file with a filename of the form, say, “*iamclean*”, where the asterisks are wildcards. This means that any malicious file can simply ensure that it contains “iamclean” in its filename to go about its nefarious business in a manner potentially invisible to standard Anti-Virus software. Evidently this is not a good scenario.
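To make the side-effect concrete, here is a small simulation of the behaviour described above, added here as an illustration rather than code from the original post or from the DRM vendor. It models the rootkit's filename filter as a wildcard match on the marker string "iamclean" (the pattern the page uses) and then shows the standard defender's response, a cross-view comparison: a trusted low-level listing is compared against the listing the hook has filtered, and anything missing from the filtered view is flagged as hidden. The directory contents are constructed sample names, not files from any real product.

```python
import fnmatch
from typing import Iterable

# Wildcard pattern the page describes: the rootkit hides any filename matching it.
STEALTH_PATTERN = "*iamclean*"


def stealth_filter(entries: Iterable[str], pattern: str = STEALTH_PATTERN) -> list[str]:
    """Simulate the hooked directory listing seen by ordinary user-mode tools.

    Every entry whose name matches the wildcard pattern is dropped. Matching is
    made case-insensitive explicitly, since Windows filenames are case-insensitive
    and fnmatch only folds case on some platforms.
    """
    return [name for name in entries
            if not fnmatch.fnmatch(name.lower(), pattern.lower())]


def cross_view_diff(raw_view: Iterable[str], hooked_view: Iterable[str]) -> list[str]:
    """Cross-view detection.

    Anything present in a trusted low-level listing (e.g. read from the raw
    volume) but absent from the possibly hooked high-level listing is a hidden
    object and deserves investigation, whatever its name claims.
    """
    return sorted(set(raw_view) - set(hooked_view))


# Constructed sample directory contents (not from the page): the DRM component
# the vendor intended to hide, plus an unrelated executable that merely adopted
# the marker string in its name and is hidden just the same.
SAMPLE_DIR = [
    "drm_monitor_iamclean.sys",
    "report.docx",
    "updater_IAMCLEAN_helper.exe",
    "notes.txt",
]


def demo() -> tuple[list[str], list[str]]:
    """Return (entries visible through the hook, entries the hook concealed)."""
    visible = stealth_filter(SAMPLE_DIR)
    hidden = cross_view_diff(SAMPLE_DIR, visible)
    return visible, hidden


if __name__ == "__main__":
    visible, hidden = demo()
    print("visible to user-mode tools:", visible)
    print("hidden by the stealth hook:", hidden)
```

Running it shows both the DRM driver and the unrelated helper disappearing from the filtered view, which is exactly why a pattern-based hiding hook cannot be "legitimate": the filter has no way to tell the vendor's own file from anything else that borrows the marker. The cross-view diff is the check an anti-rootkit scanner performs, and it does not depend on knowing the marker in advance.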

Given the unintended but injurious side-effects of “legitimate” rootkits, SophosLabs is compelled to detect them. There is no such thing as a “legitimate” rootkit. There are better ways to protect media from piracy than resorting to the use of highly dubious pieces of software which leave the computer vulnerable to attack.