
One man's fight against rootkits

Sony rootkit discoverer says there's no such thing as a good rootkit.

By Ellen Messmer, Network World
June 26, 2006 12:12 AM ET
Mark Russinovich

When Mark Russinovich last October revealed how Sony BMG Music Entertainment was secretly using a rootkit aimed at copyright protection for its CDs, the public took Sony to task - and to court - and Russinovich gained some unexpected fame. The Sony case has been settled, but experts say the rootkit threat is growing. Network World Senior Editor Ellen Messmer recently spoke with Russinovich, co-founder of Winternals Software, about where the rootkit situation stands today.

Is there a common definition of a rootkit?

Not one formally agreed upon, but the one I came up with is that it is anything in the software realm that hides objects from standard security administration or management.
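The definition above (software that hides objects from the standard administration view) is also what makes detection possible: enumerate the same objects through the standard, hookable API and again through a lower-level path, and anything present in one view but not the other is suspicious. The following is an added example, not code from the interview, from Russinovich, or from Winternals; it simulates that cross-view check in plain Python, with constructed file and process inventories, a constructed `cloak_` naming marker for the objects the simulated rootkit hides, and no real system hooks.

```python
"""Cross-view detection of hidden objects (simulated, added example).

The "raw" view stands in for a low-level enumeration (reading structures
directly) and the "hooked" view stands in for the standard API that a
user-mode rootkit filters. Both are simulated over the same constructed set.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample inventories; none of these reflect a real system.
RAW_FILES = frozenset({
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\drivers\disk.sys",
    r"C:\Windows\System32\cloak_agent.exe",          # constructed hidden object
    r"C:\Windows\System32\drivers\cloak_filter.sys",  # constructed hidden object
})
RAW_PROCESSES = frozenset({"System", "explorer.exe", "svchost.exe", "cloak_agent.exe"})

# Constructed marker: the simulated rootkit cloaks any name starting with this.
HIDE_PREFIX = "cloak_"


def _name(obj: str) -> str:
    """Last path component, so one filter serves file paths and bare process names."""
    return obj.rsplit("\\", 1)[-1]


def hooked_api_view(inventory: Iterable[str]) -> Set[str]:
    """What a hooked enumeration API returns: cloaked entries are silently dropped."""
    return {obj for obj in inventory if not _name(obj).startswith(HIDE_PREFIX)}


def raw_view(inventory: Iterable[str], subverted: bool = False) -> Set[str]:
    """Lower-level enumeration that bypasses the user-mode hook.

    subverted=True models a kernel-mode rootkit that filters this path as well;
    the detector is then comparing two lies and sees no discrepancy.
    """
    return hooked_api_view(inventory) if subverted else set(inventory)


def cross_view_diff(api: Set[str], raw: Set[str]) -> Tuple[List[str], List[str]]:
    """Objects in raw but not api are hidden; objects in api but not raw are phantoms.

    Phantoms usually mean the object changed between the two snapshots, so a
    real scanner re-enumerates before reporting them.
    """
    return sorted(raw - api), sorted(api - raw)


def scan(inventories: Dict[str, Iterable[str]],
         raw_subverted: bool = False) -> Dict[str, Dict[str, List[str]]]:
    """Run the cross-view check per object class; only classes with findings are returned."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    for kind, inv in inventories.items():
        objs = list(inv)
        hidden, phantom = cross_view_diff(hooked_api_view(objs), raw_view(objs, raw_subverted))
        if hidden or phantom:
            findings[kind] = {"hidden": hidden, "phantom": phantom}
    return findings


if __name__ == "__main__":
    inventories = {"files": RAW_FILES, "processes": RAW_PROCESSES}
    for kind, result in scan(inventories).items():
        for obj in result["hidden"]:
            print(f"[{kind}] hidden from standard view: {obj}")
    if not scan(inventories, raw_subverted=True):
        print("with the raw path subverted too, the cross-view check reports nothing")
```

The `raw_subverted` switch is the important caveat: a cross-view scanner only works while it can reach at least one enumeration path the rootkit has not hooked, which is why the technique is strong against user-mode hiding and weak once malicious code runs in the kernel.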

While rootkits used by malicious hackers are obviously bad, there are arguments as to whether rootkits could be used in commercial software for good purposes. What's your view?

There is no such thing as a good rootkit. They modify the way the operating system works, and that causes pain on the part of the person managing the system. Cloaked objects could introduce vulnerabilities in the system, as happened with the Sony rootkit.

How prevalent are rootkits with obvious malicious intent?

There's an accelerated use of rootkits. More and more, viruses are shipped with them. People are paying for this now in the context of spyware and botnets, because sophisticated people are treating rootkits like a business. By the way, the very first virus on the PC - 20 years ago this year - was called Brain, and it was a rootkit that has been coined a stealth virus.

What's the difference between a user-mode and a kernel-mode rootkit?

At the [administrative] level, a rootkit can install itself at the system level in kernel mode. A user-mode rootkit could be installed by a person without administrative privileges.

Is there a guaranteed way to find all rootkits?

There is no 100% remedy for rootkits.

Why is it so hard to do away with rootkits?

The problem fundamentally is there are so many ways to extend Windows and modify its behavior. It's not possible to tell evil and good extensions apart. All operating system software suffers from this. If you have a single instance of malicious code that executes in a machine, you have to assume you lost control of the machine.

So what was it like when you announced in your blog you had discovered a rootkit used by Sony BMG for its CDs?

Literally six hours after revealing it, it was on Slashdot, and in the mainstream media in the next few days. I ended up serving as an expert for the first class-action lawsuit that was filed, by supplying a statement.

Were you looking for a rootkit in this case?

I just happened to purchase a CD. I don't make it my job to go out and police software. But I make it a point to understand what is going on when there's any strangeness in Windows.

What happened in the case earlier this year when you accused Symantec of using rootkit techniques in its SystemsExpert product?

I didn't view that in the same light as the Sony [case]. Sony's was installed without the user's knowledge and was there to limit the user. In Symantec's case, they thought it would help the user, but that was flawed and they admitted it.
