What makes a rootkit?

The Sony copy-protection fiasco has moved the term from hacker lingo to a threat known and feared by ordinary PC owners.

The Sony BMG copy protection debacle has pulled "rootkit" out of the hacker underground and into the wider world of regular computer users.

But while those PC owners may now recognize the term, that doesn't necessarily mean they know what kind of threat it describes. And in the Sony case, not even the experts can agree on whether the record label's antipiracy technology meets the technical definition of a rootkit.

"I would say it is more a stealth technology than a rootkit," said Vincent Weafer, the senior director at Symantec Security Response. "A rootkit is used by people trying to maintain remote access to a system. Sony is an example of a much more limited technology. It was only designed to hide itself."

That argument over semantics is important to security providers, which have to define threats before they defend against them. But in general it matters little, since all the experts agree that the technology ultimately acts as a rootkit would, making it every bit as dangerous as if it were installed by hackers.

Sony's copy-protection software, created by U.K.-based First 4 Internet, is installed on a computer's hard drive when certain Sony BMG Music Entertainment CDs are played on a Windows PC and after the listener accepts a license agreement.

The software uses the programming tool at the center of the controversy, which buries itself deep in the internals of a Microsoft Windows PC. It blocks all but the most technically-savvy users from being able to detect its presence. It is also invisible to most security products, which typically don't look that deep into a computer's workings.

"Rootkits can hide on the machine because they operate at a very low level in the operating system," said Joe Telafici, the director of operations at McAfee's Avert labs.

Behind the code
The term "rootkit" originates from the Unix world. It refers to a set of tools that would hide any trace of an intruder yet maintain full, or "root," access on system running the operating system.

"A rootkit retains access to the system that has been previously compromised, and it hides itself from someone who is authorized to use the computer," said Jon Orbeton, a senior security analyst at security software maker Zone Labs.

Critics say that Sony's software left PCs vulnerable to attack because it provided a hiding place for other applications. Trojan horses that try to commandeer a system and take advantage of the cloak provided by the CD software have already appeared on the Internet. In addition, Sony initially didn't provide an uninstall tool (which exacerbated the situation).

All this adds up to a rootkit, experts such as Dan Kaminsky say. Kaminsky is the security researcher who has estimated that the Sony software is installed on at least 500,000 PCs.

"I had the same reaction that a number of security people had: Is Sony getting remote root on machines?" Kaminsky said. "Are they getting the capability to run code on a machine? That's what fundamentally makes it a rootkit: evasion of user knowledge."

Rootkits are available for sale online and some hackers even offer to create custom rootkits for payment, experts said. Often the software is used to hide a backdoor on a computer that lets hackers enter surreptitiously. Typically, it arrives in a Trojan horse or via malicious Web download. Some adware makers also use rootkits to cover up their software.

Featured Video