A blog about Microsoft Windows development, focused on kernel-mode driver development, the Windows DDK, WDK, and related tools.

To elaborate on the copyright notice at the bottom: all content produced by me on this site is copyright and licensed as follows:

This work is licensed under a Creative Commons Attribution-NonCommercial 2.0 License (http://creativecommons.org/licenses/by-nc/2.0/).

Although I work for Positive Networks, this work is my own and is not connected with my employer in any way.



Kernel Mustard

Reflections on Windows System Programming
Steve Dispensa, MVP - Windows DDK

Why couldn't Microsoft detect the Sony DRM kit automatically?

Microsoft has decided to add support for removing the Sony DRM rootkit to its various malicious software removal tools. My article at ArsTechnica on the subject has more info.

One of the commenters on the Ars post said something to the effect of "Why didn't Microsoft just remove this automatically (rather than needing to write custom code for removing it after it happened)?" This is an interesting question, and I'd like to discuss it a bit. As Mark's original blog post points out, the thing manages to spray garbage all over the system, by hooking, modifying, cloaking, and otherwise not playing nice in the sandbox.

The problem here is that any single action by the rootkit is not necessarily an illegal operation. Granted, most would say that system call hooking is totally wrong, but there can be legitimate uses for this too. Furthermore, although any number of things that rootkit authors do could theoretically be stopped, Microsoft can't just break badly behaved apps.

The hook question came up on NTDEV again this week. This topic seems to pop up with regularity; this time, it was Don Burn who started the fun by requesting that Microsoft implement on x86 the same system call hooking preventions it has already implemented for x64 Windows. Microsoft's reason for not doing this is that they are afraid too many apps would break. Scary thought... so many apps depend on hooks that Microsoft thinks it would be unwise to break them all. Woah.

One possible solution to the hook problem, and by extension, to the problem of crapware doing immoral (if not illegal) things to the operating system would be to support opt-in mechanisms for the increased restrictions. Microsoft has already employed this technique for hardware-based DEP (although this method has its shortcomings).

Whatever the case, even if increased controls were present in the system, in many cases there would still be no good way for Microsoft to say, with certainty, that a given piece of software is doing illegal or immoral things. In some cases (such as most hooks), there is currently no way to even tell that the behavior is taking place.
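To make the "you can't tell who is hooking, or why" point concrete, here is an added illustration (not code from this blog, and not code that touches a real Windows kernel): a small Python simulation of the usual system-service-table hook check. It walks a constructed copy of the service table, maps each entry's address to the loaded module that contains it, and flags anything outside the kernel image. All module names, base addresses and table entries below are made-up values; "avfilter.sys" stands in for a hypothetical legitimate filter driver and "unknown.sys" for a hypothetical driver of unknown provenance.

```python
"""Simulated system-service-table hook check on constructed data.

Added example for illustration only. It models the heuristic that a
rootkit detector (or an anti-malware product) would apply to a 32-bit
Windows service table: an entry that no longer points into the kernel
image has been redirected by *somebody*. The heuristic says nothing
about whether that somebody is a DRM rootkit or a security product.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Module:
    """A loaded kernel module: name plus the address range it occupies."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


KERNEL = "ntoskrnl.exe"

# Constructed module list; the addresses are fictitious, not real Windows values.
MODULES: List[Module] = [
    Module(KERNEL,         0x80400000, 0x00200000),
    Module("avfilter.sys", 0x8A000000, 0x00010000),  # hypothetical AV filter driver
    Module("unknown.sys",  0x8B000000, 0x00008000),  # hypothetical driver of unknown origin
]

# Constructed service table: service index -> handler address.
SERVICE_TABLE: Dict[int, int] = {
    0x00: 0x80450000,  # handler inside the kernel image (normal)
    0x01: 0x80450100,  # normal
    0x02: 0x80450200,  # normal
    0x42: 0x8A001000,  # redirected into avfilter.sys
    0x75: 0x8B000800,  # redirected into unknown.sys
    0x98: 0x8C123000,  # redirected to memory no known module accounts for
}


def owner_of(addr: int, modules: List[Module]) -> Optional[str]:
    """Return the name of the module whose range contains addr, or None."""
    for module in modules:
        if module.contains(addr):
            return module.name
    return None


def hooked_indices(table: Dict[int, int], modules: List[Module],
                   kernel: str = KERNEL) -> List[int]:
    """Indices whose handler lies outside the kernel image (the classic heuristic)."""
    return sorted(idx for idx, addr in table.items()
                  if owner_of(addr, modules) != kernel)


def summarize_hooks(table: Dict[int, int], modules: List[Module],
                    kernel: str = KERNEL) -> Dict[Optional[str], List[int]]:
    """Group hooked indices by the module that now owns the handler.

    A key of None means the handler points into memory that no listed
    module accounts for, which is the strongest signal in this table, but
    the named entries look identical to the heuristic whether they come
    from a security product or from a rootkit.
    """
    grouped: Dict[Optional[str], List[int]] = {}
    for idx in hooked_indices(table, modules, kernel):
        grouped.setdefault(owner_of(table[idx], modules), []).append(idx)
    return grouped


if __name__ == "__main__":
    for owner, indices in summarize_hooks(SERVICE_TABLE, MODULES).items():
        label = owner if owner is not None else "<no known module>"
        print(f"{label}: services {[hex(i) for i in indices]}")
```

Run as a script, it reports three redirected services, and the heuristic assigns the same "outside the kernel" verdict to the hypothetical AV driver's entry as to the unknown driver's; only the entry with no owning module at all stands out on its own. That is exactly the gap the post describes: the raw observation "this service is hooked" is not enough to condemn anything without more context about who did the hooking.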

So, bottom line, I'd rather my anti-crapware software not make guesses. I'll stick to what works for me: staying current with updates, running as a restricted user, keeping my firewall on, and keeping my head firmly attached during web surfing.

Comments

TrackBack: November 13, 2005 10:11 PM