Why couldn’t Microsoft detect the Sony DRM kit automatically?

Microsoft has decided to add support for removing the Sony DRM rootkit to its various malicious software removal tools. My article at ArsTechnica on the subject has more info.

One of the commenters on the Ars post said something to the effect of “Why didn’t Microsoft just remove this automatically (rather than needing to write custom code for removing it after it happened)?” This is an interesting question, and I’d like to discuss it a bit. As Mark’s original blog post points out, the thing manages to spray garbage all over the system, by hooking, modifying, cloaking, and otherwise not playing nice in the sandbox.

The problem here is that any single action by the rootkit is not necessarily an illegal operation. Granted, most would say that system call hooking is totally wrong, but there can be legitimate uses for this too. Furthermore, although any number of things that rootkit authors do could theoretically be stopped, Microsoft can’t just break badly behaved apps.

The hook question came up on NTDEV again this week. This topic seems to pop up with regularity; this time, it was Don Burn who started the fun by requesting that Microsoft implement the same system call hooking preventions it has already implemented for x64 Windows. Microsoft’s reason for not doing this is that they are afraid too many apps would break. Scary thought… so many apps need hooks that Microsoft thinks it would be unwise to break them all. Whoa.

One possible solution to the hook problem, and by extension to the problem of crapware doing immoral (if not illegal) things to the operating system, would be to support opt-in mechanisms for the increased restrictions. Microsoft has already employed this technique for hardware-based DEP (although this method has its shortcomings).

Whatever the case, even if increased controls were present in the system, in many cases there would still be no good way for Microsoft to say, with certainty, that a piece of software is doing illegal or immoral things. In some cases (such as most hooks), there is currently no way to even tell that the behavior is taking place.

So, bottom line, I’d rather my anti-crapware software not make guesses. I’ll stick to what works for me: staying current with updates, running as a restricted user, keeping my firewall on, and keeping my head firmly attached during web surfing.
