Sony BMG Music Entertainment has been lambasted for shipping its spyware-like XCP software on music CDs over the past year, but an important question has gone largely unanswered throughout the controversy: Why didn't security vendors catch the problem sooner?
Though one security vendor, Finland's F-Secure, was aware of XCP's (extended copy protection's) problems before blogger Mark Russinovich went public with the issue, none of the major antispyware or antivirus vendors had any idea that something was amiss, according to representatives from Symantec, McAfee, and CA.
Sony has sold an estimated 2 million CDs containing the copy protection software, which used special "rootkit" techniques to hide itself on the PC. Rootkit software runs at a very low level of the operating system and is designed to be extremely difficult to detect. Ultimately XCP's cloaking ability was used by hackers to write malicious software, a development that prompted Sony to recall its XCP CDs.
Shortly after its discovery XCP was classified as dangerous software by most security vendors, but Princeton University computer science professor Edward Felten was disturbed it took so long for such a widespread problem to be exposed.
"This malware had been on the market for months and presumably had been installed on hundreds of thousands of computers, but still none of the anti-malware vendors had discovered it," Felten wrote in a blog posting (http://www.freedom-to-tinker.com/?p=937) earlier this week. "It’s not a good sign that all of the major anti-malware vendors missed it for so long."
There were two things about XCP that presented challenges for the big security vendors. The first was Sony's use of rootkit techniques to cloak XCP and make it harder to circumvent its copy protection capabilities. Most security vendors admit that because rootkits have only recently come into widespread usage, there is still much to be done to improve rootkit detection in their products.
A second problem is that the software was distributed by a trusted company: Sony.
While most security vendors prefer not to think of the XCP incident as a failure, at least one vendor, McAfee, admitted that there was some room for improvement. "I'd probably have to accept some culpability there," said Joe Telafici, director of operations for McAfee Avert. "It's not like we go to the record stores every week to see what's on the shelves. Maybe we should have been doing that."
Security companies like McAfee are moving away from signature-based threat prevention, where security software is told how to spot and disable certain known types of malware, to "behavior" based techniques, where the product is less concerned with identifying the software, as it is with preventing all software from doing bad things.
Improved behavior-based detection will help McAfee do a better job of identifying software like XCP, Telafici said.
Paying more attention to detecting and removing rootkits will also improve the situation, said Mikko Hypponen, chief research officer with F-Secure. F-Secure's products have rootkit-identifying capabilities that spotted the XCP software on a customer's system more than one month before the problem was publicly known, Hypponen said.
Rootkit software, like spyware, will eventually attract the attention of the larger vendors as it becomes a larger and larger problem, Hypponen said. "There will always be new kinds of attacks, and there will always be small vendors filling a niche for the new kind of problem before the big boys move in," he said. "McAfee and Symantec haven't made their move yet. They will."
Without going into specifics, both McAfee and Symantec said they will have new techniques to deal with rootkits in upcoming versions of their products, but Telafici noted that security enhancements in the upcoming Windows Vista operating system, due in late 2006, will also change things.
In particular, the Windows Vista model of giving users more restricted privileges on the PC may represent a major change in the fight against malicious software. Interestingly, Telafici was unable to predict whether Vista would give an advantage to the attackers or the security companies. "It may depend on how well (Vista) is implemented," he said.