Chapter 1 / Empty Cup Mind

DC 2006 and Black Hat USA 2006, respectively. According to COSEINC's
website:²⁵

The focus of the AML is cutting-edge research into malicious software
technology like rootkits, various techniques of bypassing security mechanisms
inherent in software systems and applications and virtualization
security.

The same sort of work is done at outfits like Security-Assessment.com, a
New Zealand-based company that showcased the DDefy rootkit at Black Hat
Japan 2006. The DDefy rootkit used a kernel-mode filter driver (i.e., ddefy.sys)
to demonstrate that it's entirely feasible to undermine runtime disk imaging
tools.

Digital Rights Management

This comes back to what I said about financial motives. Sony, in particular,
used rootkit technology to implement digital rights management (DRM)
functionality. The code, which installed itself with Sony's CD player, hid
files, directories, tasks, and registry keys whose names begin with "$sys$."²⁶
The rootkit also phoned home to Sony's website, disclosing the player's ID
and the IP address of the user's machine. After Mark Russinovich, of
Sysinternals fame, talked about this on his blog, the media jumped all over the
story and Sony ended up going to court.

It's Not a Rootkit, It's a Feature

Sometimes a vendor will use rootkit technology simply to insulate the user
from implementation details that might otherwise confuse him. For instance,
after exposing Sony's rootkit, Mark Russinovich turned his attention to the
stealth technology in Symantec's SystemWorks product.²⁷

SystemWorks offered a feature known as the "Norton Protected Recycle
Bin," which utilized a directory named NPROTECT. SystemWorks created this
folder inside of each volume's RECYCLER directory. To prevent users from
deleting it, SystemWorks concealed the NPROTECT folder from certain Windows

25. http://www.coseinc.com/en/index.php?rt=about.

26. Mark Russinovich, Sony, Rootkits and Digital Rights Management Gone Too Far, October 31, 2005.

27. Mark Russinovich, Rootkits in Commercial Software, January 15, 2006.
