I haven’t mentioned the Sony DRM rootkit story, which blew up in the last two weeks, since it didn’t seem to have a direct Microsoft “hook” besides the general proposition that the design of Windows makes it easy for third-party chuckleheads to install stupid and annoying software on end-user systems. This isn’t new news, but now Microsoft is getting involved (as will be explained later), so here’s the background.
Mark Russinovich, the well-known Windows internals expert, discovered something distinctly odd on one of his machines and reported it on his weblog:
Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden (see my “Unearthing Rootkits” article from the June issue of Windows IT Pro Magazine for more information on rootkits). The RKR results window reported a hidden directory, several hidden device drivers, and a hidden application…
After some detective work, Mark discovered that a Sony music CD had installed the rootkit on his system when it installed the player that was required to play the music. At this point, the story blew up:
My posting Monday on Sony’s use of a rootkit as part of their Digital Rights Management (DRM) generated an outcry that’s reached the mainstream media. As of this morning the story is being covered in newspapers and media sites around the world including USA Today and the BBC. This is the case of the blogosphere having an impact, at least for the moment. But, there’s more to the story, like how Sony’s patch can lead to a crashed system and data loss and how Sony is still making users jump through hoops to get an uninstaller.
After a variety of waffling and weaseling, Sony was forced to provide an uninstaller, which turned out to be just as wacky. Then, as things deteriorated further (including the appearance of Trojan horses that exploited the Sony rootkit), they announced they were suspending the manufacture of the copy-protected CDs while they re-examined their digital rights management strategy.
Throughout this, Microsoft had issued only a “statement of concern”, but now we learn via a post from Jason Garms on Microsoft’s Anti-Malware Engineering Team weblog that something stronger is in the works:
We use a set of objective criteria for both Windows Defender and the Malicious Software Removal Tool to determine what software will be classified for detection and removal by our anti-malware technology. We have analyzed this software, and have determined that in order to help protect our customers we will add a detection and removal signature for the rootkit component of the XCP software to the Windows AntiSpyware beta, which is currently used by millions of users. This signature will be available to current beta users through the normal Windows AntiSpyware beta signature update process, which has been providing weekly signature updates for almost a year now. Detection and removal of this rootkit component will also appear in Windows Defender when its first public beta is available. We also plan to include this signature in the December monthly update to the Malicious Software Removal Tool. It will also be included in the signature set for the online scanner on Windows Live Safety Center.
Ed Bott’s weblog has more information in numerous recent posts.
Update (11/14): Mark Russinovich has more.