When a security researcher late last year discovered Sony was using hidden software-cloaking and monitoring techniques to protect copyrights on its music CDs, public backlash prompted lawsuits against the company, and a debate ensued about using "rootkits" in commercial software.
The lawsuits wound down last week with a court-ordered settlement that has Sony BMG Music Entertainment offering $7.50 and a free album download to those who bought any of the 15 million rootkit-infested CDs it sold. But the broader rootkit debate seems far from over.
Opponents say rootkits should never be used, because they introduce potential vulnerabilities and are deceptive, while others contend there can be legitimate use for deep-stealth technology in both the enterprise and home.
The Electronic Frontier Foundation (EFF), which declared it was satisfied with the Sony settlement, is not among those envisioning a positive role for rootkits.
"I have yet to see a rootkit which did not raise security concerns and am skeptical that there can be legitimate use of technologies that hide files from the user in an effort to thwart user control of their own computer," says Kurt Opsahl, staff attorney at EFF.
Security expert Bruce Schneier, founder of managed security services firm Counterpane, is equally adamant.
"Can there be benevolent rootkits? That's similar to the question of benevolent worms. The answer is 'no'," he says. "Rootkits use stealth to hide payloads, and that can cause problems. A user loses control with what's going on in their machines."
Antivirus vendors CA, Trend Micro and McAfee say they reject use of rootkits as a way to protect security software. "We call it stealth technology rather than rootkit technology, and by and large it's a negative thing," says Stuart McClure, senior vice president of global threat at McAfee.
But some say stealth technologies can be ethical and shouldn't be dismissed as absolutely evil.
"Rootkits are inherently deceptive, of course," says Christine Olson, project manager with StopBadware.org, the Cambridge, Mass., group formed by Harvard University and Oxford University to provide the public with a detailed list of software programs deemed to be unethical, deceptive or dangerous. "But there are instances where the owner of the machine might want to deceive others using the machine" and would have the right to do so, she says.
James Butler, CTO at Komoku, a start-up funded by the Defense Advanced Research Projects Agency to develop ways to detect rootkits, says the debate that started after security researcher Mark Russinovich discovered the Sony rootkit remains murky.