In 2005, Sony added "rootkit" to the vocabulary of computer users across the world when it added hidden copy protection software to its music CDs. Two years later, history seems to be repeating itself.
What's a rootkit? In case you slept through the Sony music CD debacle, a rootkit is a program that hides its presence from normal operating system interfaces. A Windows rootkit, for example, will not show up in Windows Explorer. Depending upon its design, a rootkit can hide files and folders, registry keys, or other system components.
Rootkits can be used in a variety of ways: Sony used two different rootkits to prevent copying of music CDs by computer users in 2005, while other rootkits have been used to run security programs, run malware to attack systems, and so forth. While some users will object to any rootkit, no matter its purpose, others will be more concerned if the rootkit makes it easy for others to attack your PC.
What's Wrong with Rootkits
Sony's 2005 rootkits provided a vivid demonstration of everything a company that uses rootkit technology can do wrong:
Users weren't notified of the presence of the rootkit by the end-user license agreement
The copy-protection programs Sony installed as rootkits didn't prevent malware such as Backdoor.Ryknos.B (also known as Breplibot.C and others) from hiding itself in the rootkits' own folders
The programs hiding in the rootkit degraded system performance
The programs could not be removed with normal uninstall routines
Monday, anti-malware vendor F-Secure announced that Sony's MicroVault USM-F line of USB flash drives with onboard fingerprint readers creates a folder invisible to Windows that is used for the fingerprint reader's software and data files. While this method helps protect the reader from tampering, F-Secure points out that the hidden folder can also be accessed from the command prompt, can be used to store additional files, and could be exploited by hackers as a location for storing malware. In other words, whether Sony intended it or not, the MicroVault fingerprint readers install a rootkit on your PC that can be exploited as a security risk.
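As an added example (not code from the article or from F-Secure), this is the cross-view comparison anti-rootkit tools use to spot a folder like the one described above: take a listing from the normal Windows view and one from a lower-level enumeration of the same volume, and report what only the latter shows. Both listings and every path name in them are constructed sample data.

```python
"""Cross-view detection of directories hidden from a normal listing.

A rootkit that hides a folder only filters the high-level view (Explorer,
the usual directory APIs); a lower-level enumeration of the same volume
still sees it. Entries present only in the low-level view are candidates
for a rootkit-hidden file or folder. The listings below are constructed
sample data with invented path names.
"""
from typing import Iterable, List


def normalize(path: str) -> str:
    """Windows paths compare case-insensitively; unify separators too."""
    return path.replace("/", "\\").rstrip("\\").lower()


def hidden_entries(api_view: Iterable[str], raw_view: Iterable[str]) -> List[str]:
    """Return paths present in raw_view but absent from api_view.

    Only the top-most hidden node is reported: if a folder is hidden,
    everything beneath it is necessarily hidden as well, so listing each
    child would just add noise to the report.
    """
    api = {normalize(p) for p in api_view}
    raw = {normalize(p) for p in raw_view}
    missing = sorted(raw - api)  # sorted: a parent always precedes its children
    top: List[str] = []
    for path in missing:
        if not any(path.startswith(parent + "\\") for parent in top):
            top.append(path)
    return top


# Constructed sample listings: API_VIEW is what a normal directory walk
# reports; RAW_VIEW is what a lower-level enumeration reports.
API_VIEW = [
    r"C:\Program Files\Common Files",
    r"C:\Program Files\Example App",
    r"C:\Program Files\Example App\app.exe",
]
RAW_VIEW = API_VIEW + [
    r"C:\Program Files\HiddenDemo",             # folder missing from API view
    r"C:\Program Files\HiddenDemo\driver.sys",
    r"C:\Program Files\HiddenDemo\data\prints.db",
    r"c:\program files\example app\APP.EXE",    # same file, different case
]

if __name__ == "__main__":
    for entry in hidden_entries(API_VIEW, RAW_VIEW):
        print("hidden from normal listing:", entry)
```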
Sony - Slightly Smarter...
However, in a follow-up analysis two days later, F-Secure also points out that Sony has learned a few things from its 2005 fiasco:
The fingerprint driver software can be uninstalled easily
The program does not hide software or registry keys
Right now, the way that some rootkits are designed and used by legitimate companies makes it easy for the bad guys to abuse a rootkit by using it to attack users' computers - and users who don't know about a particular rootkit (and don't use anti-rootkit programs) are sitting ducks. Here's my modest proposal to set up a "Bill of Rootkit Rights" for PC users:
Vendors should use rootkits only if other methods for protecting files and programs are not feasible
Users need to be notified that a rootkit will be installed when a program or device containing a rootkit is being installed or connected
Users should be given the option to opt-out of installing a program that uses a rootkit
Vendors should provide an alternative to a program that provides a rootkit whenever possible, and explain the potential security risks of not using the rootkit-enabled version
Vendors should provide effective uninstallers for rootkits they distribute
Vendors should clearly explain what the rootkit does and why they believe it's necessary to the operation of the program or device
Vendors should use rootkits only if the rootkits cannot be used in ways other than what the vendor intended
Sony's MicroVault driver quite clearly fails to meet most of these proposed rules - especially the last one.
Some may argue that this level of disclosure would harm the effectiveness of a rootkit designed to perform legitimate tasks. I disagree: right now, the bad guys know about what rootkits can do - and all I'm advocating is the same level of knowledge for legitimate users. Nobody wants to install a program that can be turned into a weapon against their system or their information.