The Register

Revealed: Remember the Sony rootkit rumpus? It was almost oh so much worse

Retired Microsoft engineer Dave Plummer offered a blast from the past last week with a look back at the infamous Sony Windows “rootkit” scandal.

In his latest video, Tempest obsessive and author Plummer confessed to having once been the owner of Windows components such as Calculator and CD Autorun.

Calculator is, bar the odd edge case or two (and the infamous Pentium FDIV bug), not the most controversial of tools.

Nonetheless, said Plummer: “Trust me… being the name on the code review line can have a certain amount of ‘pucker factor’ because the stakes involved are really high, and the press would be really bad if you did make a mistake.”

CD Autorun was, on the other hand, “that boring, staid old component that nobody loved and a few people hated.”

It would also become somewhat controversial.

The thing about it was that it could silently run code from an inserted disc – perhaps a setup program. Perhaps a game. Or perhaps a rootkit installer, shipped in a misguided attempt to fight off perceived threats from pirates…

A self-confessed Sony fanboy (and possessed of lots of branded kit), Plummer recounted the tale.

As Plummer pointed out, the discovery of the Sony DRM issue occurred in 2005, and the man had long left Microsoft by then. AutoRun had a longer history that dated back to Windows 95.

It also had a sibling by the name of AutoPlay.

Plummer told us a story that took place in the 1990s. An AutoPlay developer took a look at what was possible (thanks to the somewhat laissez-faire approach taken to security at the time) while the component was being first put together and came away alarmed.

You see, the internal development version of the code was very media-agnostic. It didn’t matter if the media was a CD or not. It could be one of those new-fangled USB things. It could even be a network drive. Windows simply didn’t care – the shell showed the user nothing. Instead it was up to the autoplay title to throw up a user interface.

So, any time a volume turned up (say, a network drive), the original development code would look for autorun.inf and do what it was told before the user had a chance to intervene.

What could possibly go wrong?

The reaction of the higher-ups to the security concerns reflected a different Microsoft in those days. A clunky shell pop-up was deemed something that might yank the user out of an otherwise magical Windows experience. Filtering so that only some drive types worked might have made the feature feel unpredictable.

The shipment of what could only be described as Rootkitting for Dummies drew ever closer, and our hero apparently resorted to alternative means by which to get his point across.

He wrote a little autoplay app, one that would harmlessly change the user’s desktop wallpaper (on reboot), hid it, marked as hidden system files, in file server locations frequently used by the team, and waited.

Copious patience was not required. Before long, the amusing desktop bitmap was being reported throughout the team and heads were being scratched. It was eventually a kernel developer who tumbled to the mystery. Mapping a share with net use created an unusually large spike in disk I/O, and watching what was actually happening under a debugger showed the hidden code in action.

The result was that the big cheeses were sufficiently alarmed to pop in some restrictions on eligible media. Testing? Stick everyone’s favourite inbox app, notepad.exe, onto a CD to see how the shell handled paths.
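As an added illustration, and not code from the article, from Plummer or from Microsoft, the Python below models the two halves of this story: the shell reading the [autorun] section of an autorun.inf and launching whatever its open= or shellexecute= directive names, and the later per-drive-type gate, which Windows exposes as the NoDriveTypeAutoRun policy bitmask, where the bit that disables a drive type is 1 shifted left by the value GetDriveType() returns for that type. The sample INF text is constructed, and the three masks are chosen for illustration: 0x00 reproduces the early “any volume will do” behaviour, 0x95 blocks unknown, removable and network drives but still trusts CD-ROMs, and 0xFF switches AutoRun off everywhere.

```python
"""Added example: how an autorun.inf is interpreted and how the per-drive-type
NoDriveTypeAutoRun policy gates it. Not code from the article or from Microsoft;
the sample INF text below is constructed."""
import configparser

# Drive types as returned by the Win32 GetDriveType() API. The
# NoDriveTypeAutoRun bit that disables AutoRun for a type is 1 << type
# (0x04 removable, 0x10 network, 0x20 CD-ROM, ...).
DRIVE_UNKNOWN = 0
DRIVE_NO_ROOT_DIR = 1
DRIVE_REMOVABLE = 2
DRIVE_FIXED = 3
DRIVE_REMOTE = 4   # network drive, e.g. one mapped with "net use"
DRIVE_CDROM = 5
DRIVE_RAMDISK = 6

# Policy masks used below (values chosen for illustration).
MASK_TRUST_EVERYTHING = 0x00   # the early development behaviour in the story
MASK_TRUST_CDROM = 0x95        # blocks unknown/removable/network, trusts CD-ROM
MASK_DISABLE_ALL = 0xFF        # AutoRun off for every drive type

# Directives in [autorun] that make the shell launch something.
EXEC_KEYS = ("open", "shellexecute")

# Constructed sample, shaped like a silent installer launcher on a disc.
SAMPLE_INF = """[AutoRun]
open=setup.exe /silent
icon=disc.ico
label=My Album
"""


def parse_autorun(text):
    """Return the [autorun] section as a dict with lowercased keys.

    Section names in real autorun.inf files are case-insensitive, so
    [autorun] and [AutoRun] are both accepted; a file without the section
    yields an empty dict. strict=False tolerates duplicated keys.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for name in cp.sections():
        if name.lower() == "autorun":
            return dict(cp.items(name))
    return {}


def exec_commands(text):
    """Commands the shell would launch for this INF, in directive order."""
    section = parse_autorun(text)
    return [section[key] for key in EXEC_KEYS if key in section]


def autorun_allowed(policy_mask, drive_type):
    """True if NoDriveTypeAutoRun leaves AutoRun enabled for this drive type."""
    return not (policy_mask & (1 << drive_type))


def would_run(text, policy_mask, drive_type):
    """What the shell would launch for a volume of this type under this policy."""
    if not autorun_allowed(policy_mask, drive_type):
        return []
    return exec_commands(text)


if __name__ == "__main__":
    for label, mask in (("trust everything", MASK_TRUST_EVERYTHING),
                        ("trust CD-ROM", MASK_TRUST_CDROM),
                        ("disable all", MASK_DISABLE_ALL)):
        for drive in (DRIVE_REMOTE, DRIVE_CDROM):
            print(f"{label:16} drive type {drive}: "
                  f"{would_run(SAMPLE_INF, mask, drive)}")
```

Running it shows the same installer command firing from a network share under the 0x00 mask, only from the CD-ROM under 0x95, and never under 0xFF; the 0x95 row is the “CD-ROM = OK” assumption the rest of the article is about.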

Alas, Microsoft hadn’t reckoned with the “good guys” – aka Sony – shipping CDs in a hybrid format, with an ISO 9660 data session alongside the Red Book audio. Sure, apps duking it out for top billing on the Start Menu was par for the course. But a silently installed rootkit? Who would do such a thing?

Hindsight is a wonderful thing. The delightfully naive “CD-ROM = OK” assumption turned out to have flaws of its own, as Sony exploited, Mark Russinovich discovered, and Plummer explained. ®
