Sony BMG copy protection rootkit scandal
The Sony BMG CD copy protection rootkit scandal concerns the copy protection measures Sony BMG included on Compact Discs in 2005. The software was presented as Sony DRM, but it was technically a rootkit, installed automatically on Windows desktop computers when customers tried to play the CDs.
The software interfered with the normal way in which the Microsoft Windows operating system plays CDs by installing a rootkit, which unintentionally created vulnerabilities for other malware to exploit. This was discovered and publicly revealed by Mark Russinovich on the Sysinternals blog. Other operating systems were not affected. (FactForge. 2009-2012)
As a result, a number of parties filed lawsuits against Sony BMG; the company ended up recalling all the affected CDs; and greater public attention was drawn to the issue of commercially backed spyware and rootkits. Further investigation revealed that Sony had created its copy protection software, in part, using LAME code, violating the GNU Lesser General Public License, and VLC code written by Jon Lech Johansen and Sam Hocevar, violating the GNU General Public License. (FactForge. 2009-2012)
This is also why Sony appears to be a frequent target of cyber attacks from hackers: its stance on DRM rights and its persistence in trying to keep control over its products by using unethical means and bullying techniques.
Greek wire-tapping case 2004–2005
More than 100 mobile phone numbers belonging mostly to members of the Greek government and top-ranking civil servants were found to have been illegally tapped for a period of at least one year.
The phones tapped included those of the Prime Minister, Kostas Karamanlis, and members of his family; the Mayor of Athens, Dora Bakoyannis; most of the top officers at the Ministry of Defense and the Ministry of Foreign Affairs; and many other high-ranking officials. The phones of Athens-based Arab businessmen were also tapped. (Ducky Paredes. 2007)
To successfully wiretap phone numbers without detection, as the intruders did, a special set of circumstances had to be present. The remote-control equipment subsystem (RES) had to be active on the exchange, but the Integrated Messaging Service (IMS) had to be unused. At the time of the illegal wiretaps, Vodafone had not yet purchased the lawful intercept options, meaning the IMS was not present on their systems.
However, an earlier exchange software upgrade had included the RES. In addition, the intruders needed to continue to have access to the exchange software to change tapped numbers, without alerting system administrators that the exchange had been modified. Normally, all changes to exchange software would be logged.
To get around this, the intruders installed a rootkit on the exchange, a piece of software that would modify the exchange software on the fly to hide all changes and, in case of an audit, to make the exchange appear as though it had been untouched. (Ducky Paredes. 2007)
So by installing a rootkit on the exchange they were able to monitor phone calls without the owners of the telephones being any the wiser.
To help guard against rootkits, experts advise keeping security software current, including anti-virus and anti-spyware. Install hotfixes (operating system security patches applied to a live system, as opposed to test or beta software) as they become available, and delete spam without opening it.
When surfing the Internet, only allow trusted sites to install software, and avoid clicking on unknown banners or popups. Even a “no thanks” button can be a ploy to download a rootkit. (Kayne R. 2008) This is why operating system manufacturers constantly update their security systems and make sure that software is set to update automatically.
It is also good policy to use one or more anti-rootkit programs to scan for rootkits weekly, then back up the system. Though some rootkits can purportedly be removed safely, the general recommendation is to reformat the drive and rebuild the system to be sure the entire rootkit and all of its processes are gone. Should it come to this, a recent, clean backup will make the job much easier.
Hackers who create rootkits have become more advanced in how they hide rootkits and viruses, which makes cleaning a system with 100% certainty that the virus will not return nearly impossible, so a complete operating system reinstall may be the only safe way.
Rootkit prevention is difficult, but not impossible. Since the bulk of rootkit attacks come from the internet, the most effective form of prevention is a firewall. Many rootkit attacks begin with a payload from a virus or worm, a payload that opens a back door to continue the rootkit download. A firewall will monitor all incoming traffic, including scan attempts that might be made by a worm. If the firewall is set up properly, it should not allow unauthorized traffic to pass through.
Every type of malware has its weakness, and the weakness of the rootkit is that it requires administrative privileges to execute its initial setup. On a Windows-based home system this is usually not a problem, since rights management is virtually non-existent. On a Windows corporate system, or a Mac or Unix system, administrative privileges are much more secure, requiring an administrator to be fooled into executing the rootkit installation.
With that said, the biggest prevention weapon for admins is simply not to install any software, drivers, or scripts that do not come from trusted and verified sources. Unix users should keep kernels up to date, and all admins, regardless of operating system, should keep machines current with security updates.
Rootkit removal, like prevention, is difficult but not impossible. Often these programs go undetected by anti-virus software; there have even been reported cases of a rootkit rewriting portions of an anti-virus program, rendering it completely impotent.
Due to the stealth nature of rootkits, detection and removal is heavily dependent on recognizing symptoms. Unusually high network traffic, failing device drivers, odd command-line behaviour, increased system crashes and freezes, increasingly slow performance, and identity theft issues are all symptoms of a possible rootkit attack. How these symptoms manifest themselves will give clues to the particular rootkit at work.
If you have identified a rootkit on your machine, consult the website of your anti-virus vendor or a security professional for removal instructions. Removal is often tedious and extensive, and rarely can a machine be completely cleaned without causing damage to the operating system.
Registry entries will need deletion or repair, communications channels will have to be closed, system files might need regeneration, and so on. If a rootkit goes undetected for a long period of time, it is common for the damage to be so severe as to require a clean installation of the operating system. (Zsecurity. 2009)
Since rootkits first became known, it has been recognised that rootkits have three functions to perform when installed on a system. First, they must compromise the target computer to gain and maintain control for their owner. This is thought to be the origin of the term 'to own' a computer (PC Plus); my own opinion is that this is only a coincidence, as owning is gaining ownership, and taking control of an operating system may amount to owning it for their purposes, but people owned computers before rootkits were around.
In order for a hacker to gain remote access, the rootkit first needs to establish a secure communications channel. To stop the computer's firewall preventing this, it may hijack a port over which legitimate traffic already flows rather than opening its own. It's not unusual for a rootkit to take advantage of port 80, which is usually open to allow the user to surf the web.
The list of techniques for establishing a foothold and the number of communications channels available grows as the sophistication of rootkits develops. It's this ease with which access can be gained, maintained and hidden that has researchers very worried about the rise of this particular form of malware.
The second function of a rootkit is to attack the local system (or others on the local network) to create an environment for the hacker that's safe from detection. One approach is modifying the system's kernel or libraries to replace system calls with its own.
This is important because the rootkit needs to make calls that return information about the state of the running system while leaving out anything to do with the rootkit itself. Because they rely on standard kernel system calls, it's almost impossible for most antivirus software to detect rootkits without using special techniques that check the integrity of the data the system provides.
The attack functionality in some rootkits can be impressive, the work of a highly skilled programmer who knows the vulnerabilities of a system. Some actively launch denial of service attacks against other systems on the local network if they suspect them of harbouring intrusion detection systems, for example.
They can do this by interrogating the network cards on other computers to see which are in 'promiscuous' mode* (see the notes on promiscuous mode at the end of the section). That means they are set to read all data that goes past, which is a good indication that software is running that reads and analyses network traffic for signs of intrusion.
Rootkits sometimes also sample data on the local network to find usernames and passwords that they can collect for the hacker to download later.
The third crucial element to a rootkit's functionality, and the part that makes them particularly stealthy, is the way they cover their tracks. This is where the programs have become incredibly ingenious in a very short space of time.
Part of this rapid growth in functionality is down to how modern kernels work. Operating systems contain a central kernel that sits between the running applications and the computer's hardware. It's the job of this kernel to govern access to peripherals and allocate system resources, such as time on the CPU and memory space. If the kernel consisted of a single monolithic lump of code, it would be very inflexible.
If you were to add a new peripheral, for example, you'd have to install a new kernel with support for that peripheral. In the early days of Linux, this meant that you had to recompile the kernel to contain the modules you required to run all your hardware.
Modern operating systems (including current versions of Linux and Microsoft Windows) use a system of loadable kernel modules (LKMs). If a certain type of hardware is detected when the operating system boots up, the kernel loads the specific module required to run it. This keeps the size of the running kernel as small as possible, saving RAM, and it means that individual modules can be upgraded without having to recompile the whole kernel.
Because of the advantages offered by LKMs, even central but potentially optional kernel functionality has become modular. However, this has arguably made the job of the rootkit writer easier. If he can replace an LKM with his own version of the kernel module, then he can make it do whatever he wants.
A Windows kernel module subroutine designed to return a list of running processes, for example, might be made to return all but those connected with the running rootkit. Detection methods that rely on spotting unusual system processes to identify malware will fall for this.
Another method of detecting rootkit activity is to spot system files whose permissions have changed unexpectedly. Subvert the module that returns these permissions and a rootkit can fool anti-malware packages.
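The hooked-enumeration problem described in the last few paragraphs is what "cross-view" rootkit detection targets: obtain the process list from the normal API, obtain it again from an independent source the hook does not sit on (walking raw kernel structures or probing every PID directly), and diff the two. The following Python is an added example, not code from the original page or the sources it cites. The two views and all PIDs and names in it are constructed; on a real system the `api_view` would come from the platform process API and the `raw_view` from a lower-level enumeration.

```python
"""Cross-view detection of hidden processes (added example, constructed data)."""


def hidden_in_api_view(api_view, raw_view):
    """PIDs present in the independent raw view but missing from the API view.

    api_view / raw_view: dicts mapping PID -> process name.
    """
    return {pid: raw_view[pid] for pid in raw_view.keys() - api_view.keys()}


def stable_hidden(samples):
    """Intersect the hidden set across several (api_view, raw_view) samples.

    A process that merely starts or exits between the two enumerations shows
    up as "hidden" in only one sample, so requiring a PID to be hidden in every
    sample drops those transient false positives.
    """
    result = None
    for api_view, raw_view in samples:
        hidden = hidden_in_api_view(api_view, raw_view)
        if result is None:
            result = hidden
        else:
            result = {pid: name for pid, name in result.items() if pid in hidden}
    return result or {}


# Constructed sample data: PIDs and names are made up for this example.
BASE = {1: "init", 420: "sshd", 1337: "cron", 2001: "bash"}

# Sample 1: the (hooked) API view omits PID 4242; PID 5100 is a real, short-lived
# process that started between the API call and the raw enumeration.
API_SAMPLE_1 = dict(BASE)
RAW_SAMPLE_1 = {**BASE, 4242: "updater", 5100: "sleep"}

# Sample 2, taken a moment later: 5100 has exited, 4242 is still being hidden.
API_SAMPLE_2 = dict(BASE)
RAW_SAMPLE_2 = {**BASE, 4242: "updater"}


def demo():
    """Run the cross-view comparison over both constructed samples."""
    return stable_hidden([(API_SAMPLE_1, RAW_SAMPLE_1), (API_SAMPLE_2, RAW_SAMPLE_2)])


if __name__ == "__main__":
    for pid, name in demo().items():
        print(f"hidden from API view: pid={pid} name={name}")
```

A single sample would also report PID 5100, which is why anti-rootkit scanners repeat the comparison; only an entry that stays hidden across samples is worth an alert.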
There's now a shift in focus for rootkit developers from Linux and Unix to Microsoft Windows. Windows rootkits are gradually morphing into stealthy versions of other forms of malware. Today they may contain keyloggers that collect information for selling to identity thieves or botnet clients. Because kernel modules and other code can be made to return incorrect results by a rootkit, any detection utilities must be careful to only use their own subroutines and to check their integrity before use.
One method of doing this is calculating checksums from the running detection routines that only come out right if just the original code is present. Change one byte and the checksum is wrong. Despite these difficulties, easy-to-use antirootkit software for Windows is becoming available – and much of it is free.
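The checksum idea above, applied to files rather than to running routines, is the usual way a detection tool verifies that its own binaries (and the system files it relies on, including their permission bits, as in the previous paragraph) have not been altered. This Python is an added example, not code from the page or from any product it mentions; the file names and contents are constructed in a temporary directory.

```python
"""File integrity baseline with hash and permission checks (added example)."""
import hashlib
import os
import stat
import tempfile


def snapshot(paths):
    """Record the SHA-256 digest and permission bits of each file."""
    baseline = {}
    for path in paths:
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        mode = stat.S_IMODE(os.stat(path).st_mode)
        baseline[path] = {"sha256": digest, "mode": mode}
    return baseline


def verify(baseline):
    """Compare the files on disk against the baseline.

    Returns {path: [finding, ...]} containing only files that differ.
    """
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = ["missing"]
            continue
        problems = []
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        if digest != expected["sha256"]:
            problems.append("content changed")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode != expected["mode"]:
            problems.append(f"mode changed: {expected['mode']:#o} -> {mode:#o}")
        if problems:
            findings[path] = problems
    return findings


def demo():
    """Build two constructed files, baseline them, tamper with them, re-check."""
    with tempfile.TemporaryDirectory() as workdir:
        scanner = os.path.join(workdir, "scanner.bin")
        config = os.path.join(workdir, "scanner.conf")
        with open(scanner, "wb") as fh:
            fh.write(b"original detection routine\n")   # constructed content
        with open(config, "wb") as fh:
            fh.write(b"scan_interval=weekly\n")          # constructed content
        os.chmod(scanner, 0o755)
        os.chmod(config, 0o644)

        baseline = snapshot([scanner, config])
        clean = verify(baseline)  # nothing has changed yet: expect {}

        # Simulated tampering: one byte altered in the scanner, permissions
        # loosened on its configuration file.
        with open(scanner, "r+b") as fh:
            fh.seek(9)
            fh.write(b"X")
        os.chmod(config, 0o666)

        tampered = verify(baseline)
        return clean, {os.path.basename(p): v for p, v in tampered.items()}


if __name__ == "__main__":
    print(demo())
```

The baseline must be stored somewhere the machine under test cannot rewrite (removable media, another host), and the caveat from the text still applies: a rootkit that controls the kernel can feed the verifier the original bytes while the modified file executes, which is why the most reliable check is done from a boot medium the rootkit never loaded into.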
1) In a network, promiscuous mode allows a network device to intercept and read each network packet that arrives in its entirety. This mode of operation is sometimes given to a network snoop server that captures and saves all packets for analysis (for example, for monitoring network usage).
2) In an Ethernet local area network (LAN), promiscuous mode is a mode of operation in which every data packet transmitted can be received and read by a network adapter. Promiscuous mode must be supported by each network adapter as well as by the input/output driver in the host operating system. Promiscuous mode is often used to monitor network activity.
Promiscuous mode is the opposite of non-promiscuous mode. When a data packet is transmitted in non-promiscuous mode, all the LAN devices "listen to" the data to determine if the network address included in the data packet is theirs. If it isn't, the data packet is passed onto the next LAN device until the device with the correct network address is reached. That device then receives and reads the data.(Margaret Rouse. June 2007)
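Because a NIC in promiscuous mode is a sign that something on that host is reading all passing traffic, a defender auditing their own machines wants a quick way to list which interfaces are in that state. On Linux the kernel exposes each interface's flag word in `/sys/class/net/<iface>/flags`, with promiscuous mode as bit 0x100 (`IFF_PROMISC` in `<linux/if.h>`). The Python below is an added example, not from the original page; the flag constants are the Linux kernel's, and the sysfs tree in `demo()` is constructed in a temporary directory so the check runs anywhere.

```python
"""Promiscuous-mode check via Linux sysfs interface flags (added example)."""
import os
import tempfile

# Interface flag bits as defined in Linux <linux/if.h>
IFF_UP = 0x1
IFF_BROADCAST = 0x2
IFF_LOOPBACK = 0x8
IFF_RUNNING = 0x40
IFF_PROMISC = 0x100
IFF_MULTICAST = 0x1000

FLAG_NAMES = [
    (IFF_UP, "UP"), (IFF_BROADCAST, "BROADCAST"), (IFF_LOOPBACK, "LOOPBACK"),
    (IFF_RUNNING, "RUNNING"), (IFF_PROMISC, "PROMISC"), (IFF_MULTICAST, "MULTICAST"),
]


def parse_flags(text):
    """Turn the contents of /sys/class/net/<iface>/flags (e.g. '0x1103\\n') into an int."""
    return int(text.strip(), 16)


def is_promiscuous(flags):
    return bool(flags & IFF_PROMISC)


def describe(flags):
    """Human-readable names for the bits set in a flag word."""
    return [name for bit, name in FLAG_NAMES if flags & bit]


def scan_interfaces(sysfs="/sys/class/net"):
    """Return {iface: flags} for every interface under sysfs (empty if not Linux)."""
    result = {}
    if not os.path.isdir(sysfs):
        return result
    for iface in sorted(os.listdir(sysfs)):
        try:
            with open(os.path.join(sysfs, iface, "flags")) as fh:
                result[iface] = parse_flags(fh.read())
        except (OSError, ValueError):
            continue
    return result


def promiscuous_interfaces(sysfs="/sys/class/net"):
    return sorted(name for name, flags in scan_interfaces(sysfs).items() if is_promiscuous(flags))


def demo():
    """Constructed sysfs tree: eth0 is in promiscuous mode, lo and wlan0 are not."""
    fake = {"eth0": "0x1103\n", "lo": "0x9\n", "wlan0": "0x1003\n"}
    with tempfile.TemporaryDirectory() as root:
        for iface, value in fake.items():
            os.makedirs(os.path.join(root, iface))
            with open(os.path.join(root, iface, "flags"), "w") as fh:
                fh.write(value)
        return promiscuous_interfaces(root)


if __name__ == "__main__":
    for iface, flags in scan_interfaces().items():
        print(iface, hex(flags), describe(flags))
    print("promiscuous on this host:", promiscuous_interfaces())
```

`ip link` prints the same `PROMISC` flag, so the two can be compared. As with every check in this section, a kernel-level rootkit could clear the bit as the file is read, so the result is a quick audit rather than proof of absence.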
A common scenario is where a person receives what looks like a perfectly legitimate e-mail or computer update, often from a trusted source and from what looks like a reputable website like Facebook. But when the user tries to open the file, it appears that nothing happens. In fact, they may have installed a Trojan horse/rootkit on their hard drive.
A malicious hacker can get a rootkit on to a computer through various means. Rootkits can be delivered in a Trojan* or even tucked away in a seemingly benign file*. (Fabio Assolini 2008) An interesting and little-known feature used by sysadmins around the world in some large corporate networks is the proxy auto-config (PAC) file. This benign feature is accepted by all modern browsers. It contains a function that redirects your connection to a specific proxy server.
Unfortunately this simple and smart proxy technique is being widely used by malware writers to redirect infected users to malicious hosts serving phishing pages of financial institutions. A .pac script URL is configured in the browser, in the field “Use automatic configuration script”. The carrier could be a graphic or a silly program distributed through email. Victims have no way of knowing that a rootkit will be installed by clicking on the graphic or program; a rootkit can also be installed while surfing the Web. A popup window might state, for example, that a program is necessary to view the site correctly, disguising a rootkit as a legitimate plugin.
After being infected by a Trojan like the one above that was being used to gain banking details, if a user tries to access some of the websites listed in the script, they will be redirected to a phishing domain hosted at the malicious proxy server.
A lot of malware is using this trick nowadays. Not only Internet Explorer users are affected, but also users of Firefox and Chrome. The malware changes the file prefs.js, inserting the malicious proxy in it:
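The modified prefs.js line itself is not reproduced on this page. What a defender wants at this point is a way to audit a profile for exactly that change, so the following Python is an added example (not from the page or from the Kaspersky write-up it cites): it parses the `user_pref("key", value);` lines of a prefs.js, reports a PAC URL that is not on an allow-list, and reports manual proxy settings. The sample prefs.js content and the `proxy-config.example.invalid` host are constructed for the example; the preference names and the meaning of `network.proxy.type` values are Firefox's own.

```python
"""Audit a Firefox prefs.js for proxy settings a PAC-based attack would set (added example)."""
import re

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);$')

# Values of network.proxy.type in Firefox
PROXY_TYPES = {0: "direct", 1: "manual", 2: "pac-url", 4: "wpad-autodetect", 5: "system"}


def parse_prefs(text):
    """Return {pref_name: value} with strings, booleans and integers decoded."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_RE.match(line.strip())
        if not match:
            continue  # comments, blank lines, anything that is not a user_pref()
        key, raw = match.groups()
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[key] = value
    return prefs


def audit_proxy(prefs, allowed_pac_urls=()):
    """List suspicious proxy settings; an empty list means nothing to report."""
    findings = []
    proxy_type = prefs.get("network.proxy.type")  # absent: profile keeps the Firefox default
    pac_url = prefs.get("network.proxy.autoconfig_url")
    if proxy_type == 2:
        if not pac_url:
            findings.append("proxy type is PAC but no autoconfig URL is set")
        elif pac_url not in allowed_pac_urls:
            findings.append(f"PAC URL not on allow-list: {pac_url}")
    elif pac_url and pac_url not in allowed_pac_urls:
        findings.append(f"unexpected autoconfig URL present (type={PROXY_TYPES.get(proxy_type, proxy_type)}): {pac_url}")
    if proxy_type == 1:
        for key in ("network.proxy.http", "network.proxy.ssl", "network.proxy.socks"):
            if key in prefs:
                findings.append(f"manual proxy set: {key}={prefs[key]}")
    return findings


# Constructed prefs.js excerpt resembling an infected profile (hostname is made up).
SAMPLE_PREFS = """// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1700000000);
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.type", 2);
user_pref("network.proxy.autoconfig_url", "http://proxy-config.example.invalid/cfg.pac");
user_pref("signon.rememberSignons", true);
"""


def demo(allowed=()):
    return audit_proxy(parse_prefs(SAMPLE_PREFS), allowed_pac_urls=allowed)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

For Internet Explorer and other browsers that use the Windows system settings, the equivalent value to audit is `AutoConfigURL` under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings`; pass the organisation's legitimate PAC URL as the allow-list so that only unexpected entries are reported.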
Once a rootkit is installed the hacker can secretly communicate with the targeted computer whenever it is online. The rootkit is typically used to install more hidden programs and create “back doors” to the system. If the hacker wants information, a keylogger program can be installed. This program will secretly record everything the victim types, online and off, delivering the results to the hacker at the next opportunity. Keylogger programs can reveal usernames, passwords, credit card numbers, bank account numbers, and other sensitive data setting up the victim for potential fraud or identity theft. (Kayne R.2008)
Other malicious uses for rootkits include compromising several hundred or even hundreds of thousands of computers to form a remote ‘rootkit network’ called a botnet. Botnets are used to send Distributed Denial of Service (DDoS) attacks, spam, viruses and trojans to other computers. This activity, if traced back to the senders, can potentially result in legal seizure of computers from innocent owners who had no idea their computers were being used for illegal purposes. (Kayne R. 2008) Many computer owners may, unknown to themselves, be harbouring not one but many rootkits on their machine, and may only notice when the machine becomes sluggish; as new computers have gained processing power over the years, a DDoS attack has now become more powerful.
*A trojan virus, also known as a trojan horse virus, is malware that appears to be useful or legitimate but can compromise computer security and cause much damage. (Kaspersky Labs. 2007-2013).
*A benign virus (when referring to computers) is a virus that causes no damage. It can display a random message or make a sound on some specific occasion. (Answers.com 2009)
Rootkits have been around since the early 1990s, but the history of the idea behind rootkits stretches back to the late 1980s, when the first log cleaners began to emerge. (PC Plus. 2010) After gaining root access by hand to Unix computers, hackers would upload a log cleaner program to manually delete entries in the operating system's event log, and in some cases to reset the timestamp on the log file to before the intrusion.
In the early 1990s, Sun Microsystems' SunOS (a type of Unix) became the focus of attempts to create the first true rootkits. In 1990, hackers Lane Davis and Steven Dake produced a proof-of-concept rootkit that effectively set the mould for future rootkit functionality.(PC Plus. 2010).
Unlike viruses, rootkits have had a low profile for the past 20 years, but that's changing as their methods merge with those of mainstream malware to produce a threat that requires dedicated software to deal with it.
The types of rootkits that attack Windows™ machines embed themselves in the kernel of the OS. From here the rootkit can modify the operating system itself and intercept calls to the system (system requests for information), providing false answers to disguise the presence of the rootkit. Since the rootkit hides its processes from the operating system and system logs, it is difficult to detect. (Kayne R. 2008)
A rootkit is what is installed once the root access of a computer has been compromised by an external source: it is a set of software tools that, when installed on a computer, provides remote access to resources, files and system information without the owner’s knowledge or permission. Although generally categorised as malicious, rootkits have been used by various government agencies in the United States to secretly monitor activity on computers for surveillance purposes, but malicious hackers and cyber criminals can also install rootkits on the computers of unsuspecting victims.
A rootkit is a program that allows a hacker to come and go as he pleases, unhindered by your computer's defences. No firewall will stop him and no antivirus program will detect his activities. Rootkits subvert the way the operating system works to make it lie about the processes, files, Registry entries and kernel modules that might give away the rootkit's presence to humans and anti virus software.(PC Plus 2010)
(The word “rootkit” comes from the UNIX™ operating system (OS) that was prevalent prior to Microsoft™ Windows™. Linux and Berkeley Software Distribution (BSD) are derivatives of UNIX. The “root” or “/” level of a UNIX system, also called the super user, is akin to Windows’ administrator privileges. Kayne R. 2008) The remote-control software bundle was referred to as a “kit,” giving us “rootkit,” sometimes written as “root kit.”
For a hacker, simply gaining access to the root account isn't enough. He must also keep his tracks hidden from alert system administrators. Because of this, rootkits modify system files to remove evidence of the hacker's presence and make it look as if nothing is out of place.