In an attempt to enforce copyright protection, Sony BMG developed a rootkit that surreptitiously installed XCP (Extended Copy Protection) or MediaMax CD-3 software when music CDs were played on a PC. Poorly designed, the software opened holes in the Windows OS, facilitating infection by viruses and causing other system problems. Mark Russinovich, now a technical fellow at Microsoft, discovered the rootkit's behavior, which he then announced on his blog. The resulting furor and further illustrations of the fallout of the rootkit led Sony BMG to recall the CDs and issue a removal program. Unfortunately, the removal program was equally poorly designed, leading to additional privacy and security concerns, as documented by Russinovich.
This incident awoke two groups to the potency of Windows rootkits: crackers and professional criminals who break into computers on the one side, and the companies who create software to protect systems on the other. Already entrenched in a high-stakes battle over malware, the two camps now had a new, potentially more damaging front on which to contend. The Computer Economics 2005 Malware Report, the organization's latest, put the cost of malware in 2005 at $14.2 billion. The ability of malware authors to hide their scripts from anti-virus software's capability of automatically detecting, protecting, and eradicating most malware would only serve to escalate the stakes, especially as malware authors' motivation "continued to shift from a general desire to inflict damage to an intent to gain financially, through theft of personal information such as credit card data or by gaining access to financial accounts," according to the survey.
The greater emphasis on mobility in the enterprise has certainly contributed to the increasing likelihood of infection with cloaked malware. So too are the various unpatched security holes in Microsoft Windows and related products, which provide access for automated rootkit installation. The proliferation of rootkits -- which are used to cloak files on disks, system hooks, and processes running on systems -- is alarming, as spyware developers and malware authors are creating bot networks that use rootkits to evade detection, hiding not only the malware but also what information is being obtained. Some of the more sophisticated rootkits even modify and corrupt Windows APIs. (For more detailed information on rootkits, visit rootkit.com or read Greg Hoglund and Jamie Butler's Rootkits: Subverting the Windows Kernel.)
Part of what's fueling the proliferation of rootkits is the ease with which they can be implemented.
"It has definitely ramped up over the last year and a half to two years," says Butler, principal software engineer at MANDIANT. "It has gotten very easy for malware authors to cut and paste these technologies into their code set to maintain a presence on the machine."