[Dshield] Sony, Rootkits and Digital Rights Management Gone Too Far

Stephane Grobety security at admin.fulgan.com
Tue Nov 1 18:18:15 GMT 2005


Bad example. Alternate data streams have many legitimate uses. Features
like EFS, the "internet file" verification check and file
meta-properties are all implemented using ADS. There are documented
APIs for accessing these streams (although listing them is tricky).


Patching the service table also has its own legitimate uses: regmon
and filemon both use these APIs for legitimate needs: monitoring
system activity.

What is, however, extremely wrong is the fact that Sony's DRM system
tries to hide itself from the user. It has absolutely no legitimate
reason to do so except to deceive the user. Now, IANAL but I would think
that this falls under "non-authorized use" which is, IIRC, a federal
crime in the US.


good luck,
Stephane

RWssc> I agree that any application that physically modifies the system in order
RWssc> to hide itself is way out of line.  But do we have to change the premise 
RWssc> of what a rootkit is, or at least how we detect rootkits,  if legitimate 
RWssc> applications want to use capabilities of the system which are at this time 
RWssc> only used by rootkits and other malicious  code.  One example of this is 
RWssc> alternate data streams, for the most part we assume they don't have a 
RWssc> legitimate use for non-malicious applications, but if a legitimate 
RWssc> application chooses to use alternate data streams do we immediately label 
RWssc> them as malicious code?


-- 
Best regards,
 Stephane                            mailto:security at admin.fulgan.com
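The post above notes that alternate data streams are used legitimately (the "internet file" check is the Zone.Identifier stream that Windows attaches to downloaded files) and that listing them is tricky. The script below is an added example, not code from the original post or from any tool it mentions: it enumerates the named streams of every file under a directory with PowerShell's Get-Item -Stream support and reports streams that are not on a small allowlist, which is the defender's view of the same mechanism. The root directory, the allowlist contents and the function name are assumptions for illustration.

```powershell
# Added example (not from the original post): enumerate NTFS alternate data
# streams under a directory and report the ones not on an allowlist of
# streams Windows itself writes. Root path and allowlist are assumptions.
param(
    [string]$Root = "$env:USERPROFILE\Downloads",
    # ':$DATA' is the file's primary (unnamed) stream; Zone.Identifier is the
    # mark-of-the-web stream the post calls the "internet file" check.
    [string[]]$KnownStreams = @(':$DATA', 'Zone.Identifier')
)

function Get-UnexpectedStreams {
    param([string]$Path, [string[]]$Allow)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists the primary stream plus every named data stream
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $Allow -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

$findings = Get-UnexpectedStreams -Path $Root -Allow $KnownStreams
if ($findings) {
    $findings | Format-Table -AutoSize
    # To review a flagged stream's contents as text without executing anything:
    #   Get-Content -LiteralPath <file> -Stream <name> -Raw
} else {
    "No unexpected alternate data streams under $Root"
}
```

The allowlist is deliberately short; other legitimate producers (backup agents, some editors, document metadata handlers) add their own named streams, so treat a hit as something to inspect rather than as proof of a rootkit, which is exactly the point the quoted reply raises.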


