November 11, 2005

Malware writers, what took you so long?

The threat of someone taking advantage of Sony’s rootkit was never in doubt in anyone’s mind except Sony’s and that of the supplier of that piece of malware, First 4 Internet. As such, the confirmation that virus writers are taking advantage of it to hide their viruses is itself not surprising. The only question is: what took them so long? Isn’t the game about zero-day exploits (exploiting security and other loopholes within 24 hours of their announcement)?

There are two possible reasons. First, the rootkit does compromise security by being capable of hiding malware, but luckily this publicized vulnerability can only do that, which reduces its attractiveness to virus writers. Second, and most importantly, that attractiveness was greatly reduced by the fact that not many computers were infected by Sony’s rootkit. Sony and First 4 Internet must count their blessings that the rootkit was discovered early.

Of course Sony and First 4 Internet will see it differently. They will argue that if Mr Russinovich had not publicized his finding, everyone would have been fine. This argument is flawed because if a malicious person had discovered this further down the road, the two companies would have had a much bigger debacle to deal with.

The saga is still evolving, and Mr Russinovich’s blog is a must-read if you are following this case. To date, Sony’s handling of the affair has failed miserably at damage control. In particular:

  1. They denied that the rootkit is a security vulnerability (and still do), despite evidence to the contrary, a good week before this virus appeared.
  2. (I particularly like this one) They had a top-level officer go on the record saying, in his own voice, that users do not know what a rootkit is and therefore do not care.
  3. Putting so many barriers in the way of users trying to get an uninstaller, and limiting the uninstaller to one-time use whether the uninstall succeeds or not, is a rather unnecessary step. It makes it look like Sony is being dragged kicking and screaming into providing such a facility.

