Friday, November 04, 2005

Windows Connections - Postscript: Rootkits & Blogs


One thing I promised myself to do as a follow up to the Windows Connections conference 2005 in San Diego was to investigate rootkits more fully. If there is a form of malware that will keep me holding my breath and praying to the IT gods, it’s rootkits.

Coincidentally, one of the questions in the final Q&A for the expert panel was how to get into technical writing and publishing. Mark Minasi asked a very pointed question in return: “What are your motivations – to get rich or to get famous?” Well, as it turns out, you’re not likely to get rich, but you can get famous. A case in point is Mark Russinovich. If you’ve been paying any attention to IT blogs and you’re interested in becoming a technical writer who achieves world-wide notoriety, look no further than Mark’s blogs over the past week.

Mark, who probably knows as much about Windows internals as anyone, was the victim of a rootkit. That in itself scares me. He’s one of the authors of RootkitRevealer (RKR), a tool for IT Pros to use to sniff out and remove rootkits from systems they suspect might be infected. As it turns out, RKR revealed a hidden directory, hidden device drivers, and a hidden application on one of his systems. His ProcessExplorer application didn’t help him diagnose the problem any further, but another of his tools called LiveKD did. What he discovered was that a company called First 4 Internet had provided Sony with Digital Rights Management (DRM) software for CDs. You can read more in Mark’s blog about the details of his discovery process (itself an incredible lesson in how complex this kind of detective work can be), but the bottom line is that Mark had purchased a CD from Sony BMG called Get Right With the Man by the Van Zant brothers which was protected with DRM software which required the user to install a proprietary CD player on his/her computer in order to play the CD at all.

The real kicker was that not only did the DRM software do things to Mark’s system that were beyond the acceptable scope of CD-player software and even the end user licence agreement (EULA) he signed with Sony, he couldn’t uninstall the software! Why? Because deleting the drivers completely disabled the CD itself! The DRM Sony chose used the same techniques as malware writers; namely, a class of rootkit.

Since writing his blog post which exposed the problem on Monday, October 31st, Mark has become an overnight sensation (OK, he was a sensation already with IT Pros long before Monday) with media coverage across the world, including the BBC and USA Today (the IT Press, as well as conference attendees, got in on the action as well). Sony has responded in something less than admirable fashion (see the nonsense they expect of the end user in Mark’s follow-up blog post from today, “More on Sony”). But the lesson for aspiring IT technical writers and Windows Connections conference attendees who were present at the final Q&A is too obvious. Keep blogging, man! Who knows what will happen?