Mtnjim
02-21-2006, 12:11 PM
'Mr. & Mrs. Smith' DVD Ships with Rootkit-like DRM
By Ryan Naraine

Sony BMG is not the only company to dabble in using copy-protection technology that resembles rootkits.

According to anti-virus vendor F-Secure, based in Helsinki, Finland, the German DVD release of "Mr. & Mrs. Smith"—a recent movie starring Brad Pitt and Angelina Jolie—contains a DRM (digital rights management) protection scheme that uses rootkit-like cloaking technology.

Rootkits are typically used to maintain a persistent and undetectable presence on a computer.

Because malicious hackers can piggyback on the technology to hide offensive files, the use of such cloaking technology is seen as a serious security risk.

In a blog post, F-Secure vice president Antti Vihavainen said the DVD ships in Germany with Settec Alpha-DISC copy protection.

"The system will hide its own process, but does not appear to hide any files or registry entries. This makes the feature a bit less dangerous, as anti-virus products will still be able to scan all files on the disk," Vihavainen said.

However, Vihavainen said it's not uncommon for real malware to only hide processes.

The discovery of the cloaking mechanism is credited to Heise Online, a German news outfit.

Although Settec provides an uninstaller for its DRM mechanism, Vihavainen said commercial software vendors should "always avoid hiding anything" from the user, and especially from the administrator responsible for managing the machine.

"It rarely serves the needs of the user, and in many cases, it's very easy to create a security vulnerability this way," he warned.

The use of stealthy rootkit-type techniques by commercial software makers triggered widespread condemnation recently when Sony BMG admitted to using the technology to cloak its DRM scheme.

After hackers used the Sony DRM rootkit as a hiding place for Trojans, the music company suspended the use of the technology and recalled CDs with the offending copy protection mechanism.

Earlier this year, security vendor Symantec also admitted to using a rootkit-type feature in its Norton SystemWorks software that presented a perfect hiding place for attackers to place malicious files on computers. Symantec acknowledged that it was hiding a directory from Windows APIs as a feature intended to stop customers from accidentally deleting files, but, prompted by warnings from security experts, the company shipped a SystemWorks update to eliminate the risk.