Security Industry Rocked by Sony Rootkit Fiasco

The Sony BMG rootkit fiasco could be the worst retail marketing meltdown since the launch of New Coke. While Sony has been rightly vilified for its irresponsible actions, the real question is, why did it take so long for security vendors to detect and remediate this serious threat?

Johannes Ullrich, chief technical officer of security training and monitoring body the SANS Institute, says the industry simply wasn’t looking. “It was legitimate software,” Ullrich says of Sony BMG’s CDs. “To use malware techniques to purposely hide their own software and such, that’s new.”

Traditionally, firms like Symantec, McAfee and F-Protect -- which was first to detect the threat but kept mum while it communicated with Sony -- use a number of methods to find malware. But in this case, security vendors were sluggish with a response once Sysinternals’ Mark Russinovich publicized the vulnerability on Oct. 31. It took Microsoft until Nov. 12 to announce that its Antispyware beta would uncloak the rootkit code, while Symantec issued a fix on Nov. 10. This, for a severe vulnerability that security researcher Dan Kaminsky estimated has infected more than half a million PCs.

“We used our normal process,” says Kelly Mackin, director of product management for research at Computer Associates. The delay, she says, came in crafting code to safely excise the deeply-rooted software. “We’ve had spyware that we could basically do a removal in about an hour, and we’ve had others that can take about three weeks. This one was moderate.”

The incident has security companies rethinking the nature of threats. Mackin says CA is sampling CDs and DVDs from the retail channel for malware threats. Alfred Huger, senior director of engineering for Symantec Security Response, says his firm hopes to refine dynamic detection, so malware can be flagged by its composition and behavior, rather than by matching it against a list of known threat signatures.

Ullrich says the nature of DRM, which seeks to limit user interaction with media, poses a conundrum. “It really comes down to a definition issue: What is malware, really? You get into the intent of the software, and that’s nothing that is written into the code.”

For security vendors, it’s a question that won’t go away soon, says Mackin.

“I think the convergence of digital rights management and security is a significant problem,” she says. “We are trying to preserve the integrity of the environment, and digital rights management is trying to preserve the integrity of other property owners. There’s a demolition derby going on right now, and not all the cars are going to drive away.”

About the Author

Michael Desmond is an editor and writer for 1105 Media's Enterprise Computing Group.
