**Updated** Sysinternals claims 'compelling evidence' of rootkits in Alcohol and DAEMON Tools

G@M3FR3@K used our news submit to tell us that, according to the latest blog entry over at Sysinternals, Mark Russinovich is compelled to think that rootkit-type drivers are being used in various software packages to thwart content protection. Some he names, some he does not, claiming there are "several" out there using such techniques. However, considering he is the one who exposed Sony and its use of a rootkit to protect BMG music, we have to take these accusations seriously. To add insult to injury, he says that it is not even necessary to use such security-busting measures to get the job done.


Even though he won't come right out and say it in his blog, he strongly suggests that Alcohol and Daemon Tools are using dangerous hidden drivers that can pose serious security risks for those who use these DRM-busting tools. In fact, he makes the statement that: "It's therefore ironic, though not surprising, that several CD burning and disc emulation utilities are also using rootkits, though the technology is being used in the opposite way: to prevent DRM software from enforcing copy restrictions."

However, a small snippet from the article leaves us wondering whether the software we are using employs rootkits or not.

Using Rootkits to Defeat Digital Rights Management

"Paralleling the Alcohol example, the key is part of Daemon Tools' virtual device driver and appears to contain configuration information, implying that Daemon Tools hides the key to fool game anti-emulation software by preventing it from finding a way to distinguish virtual volumes from real ones.

There's no proof that Alcohol and Daemon Tools use rootkits to evade DRM, but the evidence is compelling. If they do their usage is clearly unethical and even potentially runs afoul of the US Digital Millennium Copyright Act (DMCA). In any case, there's no reason for these products, or any product as I've stated previously, to employ rootkit techniques."

Although this article is very technical and goes into quite some detail, the door is left open, or at least Mr. Russinovich is being coy about his accusations. What is the truth? This is what the end user needs to know. Tools are handy, especially if they are needed to restore our Fair Use rights, but not at the cost of giving up our computers to hackers. Nothing is worth that risk.


**Update**

By Spath, Moderator CD Freaks
Optical Storage Technical Discussions

However, let's take a closer look at Mr. Russinovich's definition of a rootkit from his blog article, and we quote:

"I arrived at my working definition for the word rootkit several years ago as: Software that hides itself or other objects, such as files, processes, and Registry keys, from view of standard diagnostic, administrative, and security software."

Therefore, Mark feels that anything hidden, malicious or not, whether you installed it yourself or not, is a rootkit. Following his definition, some antivirus and IPS products can also be considered rootkits, something that many security professionals do not agree with.

To summarize:

  • Are Daemon Tools and Alcohol 120% rootkits? Not according to the common definition. But to do the job we want them to do, they have to use the same advanced low-level techniques that rootkits, viruses, anti-viruses and kernel debuggers use.

  • Did Mark discover anything malicious or suspicious in DT? No, he just explained part of DT's normal behaviour, whose goal is to hide itself from copy protections.

  • Are these emulation tools a security risk? Maybe, but nothing in Mark's post proves it. And again, any driver you install is a potential security risk.

Source: Sysinternals
