
Microsoft News Tracker

What's more interesting than observing Microsoft?

November 13, 2005

Microsoft Black Flags the Sony DRM Rootkit

Posted by David Hunter at 9:46 AM ET.

I haven’t mentioned the Sony DRM rootkit story which blew up in the last two weeks since it didn’t seem to have a direct Microsoft “hook” besides the general proposition that the design of Windows makes it easy for 3rd party chuckleheads to install stupid and annoying software on end user systems. This isn’t new news, but now Microsoft is getting involved (as will be explained later), so here’s the background.

Mark Russinovich, the well known Windows internals expert, discovered something distinctly odd on one of his machines and reported it on his weblog:

Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden (see my “Unearthing Rootkits” article from the June issue of Windows IT Pro Magazine for more information on rootkits). The RKR results window reported a hidden directory, several hidden device drivers, and a hidden application…

After some detective work, Mark discovered that a Sony music CD had installed the rootkit on his system when it installed the player that was required to play the music. At this point, the story blew up:
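The detection Mark describes is a cross-view comparison: RootkitRevealer enumerates the file system and registry once through the high-level Windows API, which a rootkit can hook, and once from a low-level source it does not control (a raw read of the volume and of the registry hive files), and reports every entry that appears in only one view. The script below is an added example of that technique; it is not RootkitRevealer's code or anything from the original post. Both "views" are constructed in-memory sample data, and all directory, driver and service names in them (`cloak`, `cloak.sys`, `cloaksvc`, `scan.tmp`) are invented for the illustration, so it runs offline on any platform.

```python
"""Cross-view rootkit detection, illustrated on constructed sample data.

Added example, not code from the original post or from RootkitRevealer.
An entry present in the raw (low-level) view but missing from the API view
has been cloaked. An entry present only in the API view is usually a file
that was created or deleted between the two enumerations, which is the
classic false positive of this method and is reported separately.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# container (directory path or registry key) -> names of its children
View = Dict[str, Set[str]]


@dataclass(frozen=True)
class Discrepancy:
    namespace: str   # "file" or "registry"
    container: str   # the directory or registry key that was enumerated
    name: str        # the child entry that differs between the two views
    kind: str        # "hidden_from_api" or "absent_from_raw"


def cross_view_diff(namespace: str, api_view: View, raw_view: View) -> List[Discrepancy]:
    """Compare two enumerations of the same namespace and report every entry
    that appears in only one of them. A container missing from one view is
    treated as empty, so a whole hidden directory surfaces both as a missing
    child of its parent and as a container whose children are all hidden."""
    findings: List[Discrepancy] = []
    for container in sorted(set(api_view) | set(raw_view)):
        api_names = api_view.get(container, set())
        raw_names = raw_view.get(container, set())
        for name in sorted(raw_names - api_names):
            findings.append(Discrepancy(namespace, container, name, "hidden_from_api"))
        for name in sorted(api_names - raw_names):
            findings.append(Discrepancy(namespace, container, name, "absent_from_raw"))
    return findings


# --- Constructed sample views (all names invented for this example) ---------
API_FILE_VIEW: View = {
    r"C:\Windows\System32": {"drivers", "kernel32.dll", "ntdll.dll"},
    r"C:\Windows\System32\drivers": {"ntfs.sys", "tcpip.sys"},
    r"C:\Windows\Temp": {"scan.tmp"},  # appeared between the two enumerations
}
RAW_FILE_VIEW: View = {
    r"C:\Windows\System32": {"drivers", "kernel32.dll", "ntdll.dll", "cloak"},
    r"C:\Windows\System32\drivers": {"ntfs.sys", "tcpip.sys", "cloak.sys"},
    r"C:\Windows\System32\cloak": {"cloak.exe"},  # directory the API never shows
    r"C:\Windows\Temp": set(),
}
API_REG_VIEW: View = {
    r"HKLM\SYSTEM\CurrentControlSet\Services": {"Ntfs", "Tcpip"},
}
RAW_REG_VIEW: View = {
    r"HKLM\SYSTEM\CurrentControlSet\Services": {"Ntfs", "Tcpip", "cloaksvc"},
}


def scan() -> List[Discrepancy]:
    """Run the comparison over both namespaces of the sample data."""
    return (cross_view_diff("file", API_FILE_VIEW, RAW_FILE_VIEW)
            + cross_view_diff("registry", API_REG_VIEW, RAW_REG_VIEW))


def cloaked_entries(findings: List[Discrepancy]) -> List[Tuple[str, str, str]]:
    """Entries the low-level view sees but the Windows API does not."""
    return [(f.namespace, f.container, f.name)
            for f in findings if f.kind == "hidden_from_api"]


def probable_race_entries(findings: List[Discrepancy]) -> List[Tuple[str, str, str]]:
    """Entries only the API saw: most likely changed between the scans,
    so they deserve a rescan rather than an immediate rootkit verdict."""
    return [(f.namespace, f.container, f.name)
            for f in findings if f.kind == "absent_from_raw"]


if __name__ == "__main__":
    results = scan()
    print("Hidden from Windows API:")
    for ns, container, name in cloaked_entries(results):
        print(f"  [{ns}] {container} -> {name}")
    print("Present only in API view (rescan to rule out a race):")
    for ns, container, name in probable_race_entries(results):
        print(f"  [{ns}] {container} -> {name}")
```

On a real system the two views would come from the Win32 directory and registry APIs on one side and from a raw parse of the NTFS volume and the hive files on the other; the comparison logic is the same. The `absent_from_raw` bucket matters in practice: a rootkit cannot cause it, but ordinary activity during a long scan can, so a tool that lumps both kinds together trains users to ignore its output.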

My posting Monday on Sony’s use of a rootkit as part of their Digital Rights Management (DRM) generated an outcry that’s reached the mainstream media. As of this morning the story is being covered in newspapers and media sites around the world including USA Today and the BBC. This is the case of the blogosphere having an impact, at least for the moment. But, there’s more to the story, like how Sony’s patch can lead to a crashed system and data loss and how Sony is still making users jump through hoops to get an uninstaller.

After a variety of waffling and weaseling, Sony was forced to provide an uninstaller, which turned out to be just as wacky. Then, as things deteriorated further (including the appearance of Trojan horses that exploited the Sony rootkit), they announced they were suspending the manufacture of the copy-protected CDs while they re-examined their digital rights management strategy.

Throughout this, Microsoft had just issued a “statement of concern”, but now we learn via a post from Jason Garms on Microsoft’s Anti-Malware Engineering Team weblog that something stronger is in the works:

We use a set of objective criteria for both Windows Defender and the Malicious Software Removal Tool to determine what software will be classified for detection and removal by our anti-malware technology. We have analyzed this software, and have determined that in order to help protect our customers we will add a detection and removal signature for the rootkit component of the XCP software to the Windows AntiSpyware beta, which is currently used by millions of users. This signature will be available to current beta users through the normal Windows AntiSpyware beta signature update process, which has been providing weekly signature updates for almost a year now. Detection and removal of this rootkit component will also appear in Windows Defender when its first public beta is available. We also plan to include this signature in the December monthly update to the Malicious Software Removal Tool. It will also be included in the signature set for the online scanner on Windows Live Safety Center.

Ed Bott’s weblog has more information in numerous recent posts.

Update (11/14): Mark Russinovich has more.

Filed under Coopetition, DRM, Defender, Digital Media, Online Services, Rootkits, Security, Sony, Technologies, Windows Live, Windows Live Safety Scanner

One Response to “Microsoft Black Flags the Sony DRM Rootkit”

  1. Microsoft acquires Winternals Software -- Microsoft News Tracker Says:

    [...] If you’re involved with the technical side of Microsoft Windows, you’ve certainly heard of the expertise of Mark Russinovich and Bryce Cogswell of Winternals Software (freeware is at Sysinternals) and more than likely have used some of their diagnostic tools. I’ve only had occasion to mention them once on this site, but always follow Russinovich’s blog where he announced the news: I’m very pleased to announce that Microsoft has acquired Winternals Software and Sysinternals. Bryce Cogswell and I founded both Winternals and Sysinternals (originally NTInternals) back in 1996 with the goal of developing advanced technologies for Windows. We’ve had an incredible amount of fun over the last ten years working on a wide range of diverse products such as Winternals Administrator’s Pak, Protection Manager, Defrag Manager, and Recovery Manager, and the dozens of Sysinternals tools, including Filemon, Regmon and Process Explorer, that millions of people use every day for systems troubleshooting and management. There’s nothing more satisfying for me than to see our ideas and their implementation have a positive impact. [...]
