08.30.07

Sony… Another Root Kit… Not Quite!

Posted in IT, Security at 1:01 am by Tyler Reguly

I saw a blog post the other day claiming that Sony had released another root-kit... well "sort-of". At least they said in their initial (and follow-up) posts that the software had a legit use and was being used as intended. The interesting post came from McAfee who, of course, raised a big stink about nothing and, in turn, caused the story to be picked up by the media. Apparently they even drove Sony to pull the product. Let me say this as clearly as I possibly can:

THIS ISN'T A ROOTKIT!

There we go... Did everyone get that? This is software which is being sold for the intended purpose of hiding files. It sort of reminds me of software that I used 10 years ago called Magic Folders. Does that make MF a rootkit that's lasted 10 years? Nope. It's software with an intended purpose. This is where we run into problems, and companies like Zango have ammunition for attacking vendors that label them as Spyware, Malware, Rootkits, etc... Every last thing is the end of the world when you're an AV vendor... that or the news is so slow they have to pick on legit software.

So if we want to call this software a rootkit... then I'm going to call Windows a rootkit... After all, Alternate Data Streams allow me to hide files... So by McAfee/F-Secure's logic, Windows is a rootkit. So that opens up an interesting question... Can the primary operating system be a rootkit? Oh yeah... it doesn't matter because legit software can be labeled as a rootkit just because we feel like it.
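Since the post leans on NTFS Alternate Data Streams as its example of built-in file hiding, here is the check a defender would actually run: a PowerShell audit that walks a directory tree and lists every named stream that is not the primary `:$DATA` stream. This is an added example, not code from the original post or from any product it discusses. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the scratch directory, the file name `report.txt` and the stream name `hidden.txt` are constructed for the demonstration.

```powershell
# Added example (not from the original post): audit a directory tree for NTFS
# alternate data streams, the Windows file-hiding feature the post refers to.
# Assumes Windows PowerShell 3.0+ and an NTFS volume.

function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory = $true)][string]$Root
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one object per stream on the file,
            # including the primary ':$DATA' stream that normal tools show.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

# Constructed sample: a scratch directory holding one file with one named stream.
$sample = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $sample | Out-Null
$file = Join-Path $sample 'report.txt'
Set-Content -LiteralPath $file -Value 'visible contents'
Set-Content -LiteralPath $file -Stream 'hidden.txt' -Value 'contents stored in an ADS'

# Explorer and a plain directory listing show only report.txt and its size;
# the stream audit reports the extra 'hidden.txt' stream as well.
Find-AlternateDataStreams -Root $sample | Format-Table -AutoSize

# Remove the scratch directory.
Remove-Item -LiteralPath $sample -Recurse -Force
```

Expect legitimate hits when you run this over a real profile: the `Zone.Identifier` stream that Windows attaches to downloaded files is the common one, so a useful audit filters known stream names and flags the rest for review. `Remove-Item -Stream <name>` on a file deletes a single unwanted stream without touching the primary contents.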

I've commented before on AV vendors doing things that are "fishy", and of course only the AV vendors jumped up to defend themselves... I'm sure this will happen again here... but let's face it people... This was legit software that could be used for a malicious purpose. Wireshark, ettercap, nmap, metasploit are all legit software but could be used for malicious purposes... Shall we go around raising a fuss about them? We don't... so why do it about this?

I have to admit that sometimes I really don't get the AV companies... I've also been thinking about it as I write this post and I'd like to be the first one to point to the AV vendors and say that the software they sell is nothing more than malware. After all, they process my email when I retrieve it via Outlook, they go through the email, no different than malware would... So why not... Let's label everything that acts like, or could be used like, malware as malware... So, step one... Label AV as malware. What's next?

1 Comment »

  1. kurt wismer said,

    August 30, 2007 at 2:23 pm

    “THIS ISN’T A ROOTKIT!”

    you’re right, it’s not a rootkit - most of what gets called rootkit today isn’t a rootkit, but if symantec and kaspersky can both get blasted for providing rootkits (for hiding a protected trash bin and file integrity data respectively) then anyone can…

    unfortunately the morons popularizing the current concept of a rootkit have twisted the definition to the point where if it hides something then it’s a rootkit… this is the definition hoglund uses, it’s the definition russinovich uses, so it should be no surprise that av vendors would follow along (in fact, i believe russinovich admitted to following along too)…

    i’ve made the same arguments you have about the stupidity of this classification (i even mentioned that windows allows hiding files - see http://anti-virus-rants.blogspot.com/2006/02/this-has-got-to-stop.html) but unfortunately we’re going to need a lot more than just a voice or two in the darkness telling people this is dumb before they wise up…