The Sony DRM rootkit drama lives on, and a new question is being asked: "Why didn't security vendors catch the problem sooner?" An interesting question, indeed. According to the PCWorld article, F-Secure, a security vendor in Finland, was aware of the problem before Mark Russinovich blogged his findings. There were two very big challenges, the first being that the DRM software was hidden, or cloaked, by a rootkit. By Wikipedia's definition, a rootkit is "intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user's knowledge". The key word is conceal. From Webopedia:
A rootkit is a type of malicious software that is activated each time your system boots up. Rootkits are difficult to detect because they are activated before your system's Operating System has completely booted up. A rootkit often allows the installation of hidden files, processes, hidden user accounts, and more in the systems.
The second challenge -- "the software was distributed by a trusted company: Sony". Security vendors admit they have a lot of work ahead in improving rootkit detection.
So, back to our question: what does a rootkit look like? Wayne Porter of security vendor Facetime graciously provided an online painting of a rootkit for us in his ReveNews blog. If you can't see the rootkit on the blog, Wayne provided a direct link to the painting at the bottom of the post. A couple of days after the post, Wayne told me he had received many emails from frustrated people saying they couldn't see the rootkit. Obviously, a lot of education is needed about rootkits. HijackThis logs with rootkits can be seen here, here and here. Note that the rootkit files lock1.exe and lockx.exe were still visible to HijackThis through the registry entries that referenced them.
See here for a picture of files from the HackerDefender rootkit, from Microsoft's research site about the Strider GhostBuster Rootkit Detection kit. In the next installment, I'll review some known rootkits and rootkit detection tools.
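The two observations above, that HijackThis could still see lock1.exe and lockx.exe through their registry entries, and that Strider GhostBuster finds hidden files by comparing two views of the same machine, come down to one idea: a rootkit looks like a discrepancy. The script below is an added example, not code from this post, from HijackThis or from Microsoft's Strider project. Its file listings and O4-style registry lines are constructed sample data, and the cross-view comparison is a deliberately simplified version of the GhostBuster approach.

```python
"""Cross-view rootkit detection on constructed sample data.

A rootkit hides by filtering what the operating system reports. The
cross-view idea is to take the same inventory twice, once through the normal
(possibly filtered) API and once from a vantage point the rootkit cannot
filter (a raw volume read or a boot from clean media), and report the
difference. A second, cheaper signal: autostart registry entries that point
at executables the normal file listing does not show.
"""
import re

# --- Constructed sample data (not taken from any real system) ---------------

# What `dir` / Explorer reports on the running, possibly infected system.
API_VIEW = {
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\WINDOWS\system32\drivers\etc\hosts",
}

# What an offline scan of the same volume reports (clean boot or raw read).
# The two extra files mirror the names seen in the HijackThis logs above.
RAW_VIEW = API_VIEW | {
    r"C:\WINDOWS\system32\lock1.exe",
    r"C:\WINDOWS\system32\lockx.exe",
}

# Autostart entries in HijackThis-style "O4" form; constructed examples.
REGISTRY_ENTRIES = [
    r"O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKLM\..\Run: [lock1] C:\WINDOWS\system32\lock1.exe",
    r"O4 - HKCU\..\Run: [lockx] C:\WINDOWS\system32\lockx.exe /s",
]


def cross_view_diff(api_view, raw_view):
    """Return files present in the raw view but missing from the API view.

    A non-empty result is the classic rootkit signature: the disk holds the
    file, the filtered API pretends it does not.
    """
    return sorted(set(raw_view) - set(api_view))


# Path between the bracketed entry name and the ".exe" suffix; tolerant of
# optional quotes, spaces in the path and trailing arguments.
_O4_PATH = re.compile(r'\]\s+"?(.+?\.exe)"?', re.IGNORECASE)


def autostart_targets(entries):
    """Extract executable paths from HijackThis-style O4 lines."""
    targets = []
    for line in entries:
        match = _O4_PATH.search(line)
        if match:
            targets.append(match.group(1))
    return targets


def registered_but_hidden(entries, api_view):
    """Autostart executables that the normal file listing cannot see.

    This is the HijackThis observation from the post: the registry still
    names the file even though the file system view hides it.
    """
    visible = {path.lower() for path in api_view}
    return sorted(t for t in autostart_targets(entries)
                  if t.lower() not in visible)


if __name__ == "__main__":
    print("hidden from API view:", cross_view_diff(API_VIEW, RAW_VIEW))
    print("autostart but hidden:", registered_but_hidden(REGISTRY_ENTRIES, API_VIEW))
```

On a real machine the "raw view" has to come from somewhere the rootkit's hooks do not reach, such as a boot from clean media or a direct read of the volume; the functions accept any two iterables of paths, so the same comparison works on listings captured that way. A clean system produces an empty list from both checks.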