By Lou Dolinar

Hacking has gone mainstream. In recent columns we've looked at products that break Windows security, reveal hidden passwords and allow your boss to spy on you - and you to spy on your neighbor. These don't originate in the netherworld of computer abusers; rather, they're targeted for sale to Fortune 500 companies.

Since everybody's doing it, we weren't too surprised to read recently that Sony is using yet another commercially available hacking tool to embed CD copy protection on PCs.

The tool, called a rootkit, is a system for hiding the contents and workings of nefarious software within Windows. It can even go so far as to destroy Windows if an effort is made to remove the software in question.

The best-known rootkit is Hacker Defender, and when it appeared a couple of years ago, spyware experts were aghast to learn it was used to spread viruses. It has since evolved into a product that its author, who goes by the handle Holy Father, is selling online for several hundred dollars a copy.

Why use rootkits? Authors of spyware - tracking software that aids in surreptitiously collecting information and directing computer clicks to favored advertisers - primarily use rootkits to thwart antispyware scanners. Rootkits are also used to protect programs known as Trojan horses, which allow remote spammers to take over your PC and use it to launch avalanches of e-mail. And, of course, happy-go-lucky virus writers can use rootkits to disable malware scanners and block access to Web sites that contain security tools.

Rootkit detectors are useful in ways that virus and spyware scanners are not. Scanners typically look for specific patterns of malware, meaning that they can fail to find malware that isn't widely distributed. Rootkit detectors, in the hands of an expert, can find just about anything.
One such expert, Mark Russinovich, provides a fascinating detective yarn at sysinternals.com about how he discovered the Sony rootkit. He was browsing the contents of his computer with a program he wrote, RootkitRevealer, and discovered dozens of hidden directories, device drivers and a program on his disk. He spent a weekend picking away at the files before realizing the software had been installed when he played a Sony CD by the Van Zant brothers, "Get Right with the Man."

The software couldn't be removed without damaging Windows. It was also running constantly, using up 1 to 2 percent of the computer's processing capacity - even when no CD was present.

He posted this yarn on his blog, and the resulting protests forced Sony and the company that wrote the software, First 4 Internet Ltd., to release a patch to remove it. Alas, the patch seems to have raised more issues than it resolves, and the controversy continues.

What does all this mean to you? If you consider yourself an amateur with PCs, bear in mind Russinovich's experience - you don't want to go mucking around with something that has the potential to damage your computer. But more advanced users should take a look.

If your computer is still misbehaving even after you have weeded it thoroughly with antivirus and antispyware software, RootkitRevealer is worth a shot. It will give you a list of files, directories and registry entries that are hiding from the operating system. Normally, you'll look these names up on the Internet to see if tools have been designed to remove them. Absent a tool for a specific infestation, you may need to back up your data, reformat your drive and reinstall all your software.

Long-term, most security software eventually will incorporate antirootkit features. Computer Associates, for example, has already added Sony's software to its Pest Patrol hit list. And Microsoft incorporates some antirootkit features in its free Malicious Software Removal Tool.
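The column contrasts pattern-matching scanners with detectors that list files and registry entries "hiding from the operating system." The short Python example below is added here to illustrate that contrast; it is not code from the column, from Sysinternals or from RootkitRevealer. It models the cross-view principle such detectors rely on: enumerate the same objects through the normal Windows API (which a rootkit can filter) and through a raw read of the on-disk structures (which it usually cannot), then report every discrepancy. All file and registry names, and the one "known bad" signature, are constructed sample data, not real malware indicators.

```python
"""Cross-view discrepancy detection, illustrated on constructed data.

Added example (not the column's or Sysinternals' code). Two listings of the
same objects are compared: the "API view" a rootkit can tamper with and the
"raw view" read directly from on-disk structures. Anything present in one
view but not the other is reported. A simple signature scanner is shown
alongside to make clear why it misses objects that have no known pattern.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Discrepancy:
    kind: str    # "file" or "registry"
    name: str    # the name as it appeared in the view that had it
    reason: str  # "hidden from Windows API" or "visible in API only"


def _normalize(names):
    """Map a case-folded key to the original spelling.

    Windows paths and registry key names compare case-insensitively, so two
    views that spell the same object differently must not count as a
    discrepancy.
    """
    return {n.casefold(): n for n in names}


def cross_view(api_view, raw_view, kind):
    """Return every object that appears in only one of the two views."""
    api = _normalize(api_view)
    raw = _normalize(raw_view)
    findings = []
    # In the raw structures but filtered out of the API answer: the classic
    # sign of a rootkit hooking the enumeration call.
    for key in sorted(raw.keys() - api.keys()):
        findings.append(Discrepancy(kind, raw[key], "hidden from Windows API"))
    # Returned by the API but absent from the raw structures: also worth a
    # look, so the comparison is reported in both directions.
    for key in sorted(api.keys() - raw.keys()):
        findings.append(Discrepancy(kind, api[key], "visible in API only"))
    return findings


def signature_scan(names, signatures):
    """Pattern scanner: flags only file names already on the known-bad list."""
    hits = []
    for name in names:
        base = name.rsplit("\\", 1)[-1].casefold()
        if base in signatures:
            hits.append(name)
    return hits


# --- constructed sample data (not real indicators) -------------------------
API_FILES = [
    "C:\\Windows\\system32\\drivers\\ntfs.sys",
    "C:\\Windows\\system32\\drivers\\disk.sys",
    "C:\\Windows\\system32\\drivers\\knownbad.sys",
]
RAW_FILES = [
    "C:\\WINDOWS\\System32\\drivers\\NTFS.SYS",   # same file, different case
    "C:\\Windows\\system32\\drivers\\disk.sys",
    "C:\\Windows\\system32\\drivers\\knownbad.sys",
    "C:\\Windows\\system32\\drivers\\cloaked.sys",  # filtered from the API view
]
API_KEYS = [
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk",
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Ntfs",
]
RAW_KEYS = API_KEYS + ["HKLM\\SYSTEM\\CurrentControlSet\\Services\\cloaked"]
SIGNATURES = {"knownbad.sys"}  # constructed "known bad" name


def run_demo():
    """Run both techniques over the sample data and return their results."""
    return {
        "signature_hits": signature_scan(API_FILES, SIGNATURES),
        "file_discrepancies": cross_view(API_FILES, RAW_FILES, "file"),
        "registry_discrepancies": cross_view(API_KEYS, RAW_KEYS, "registry"),
    }


if __name__ == "__main__":
    results = run_demo()
    print("signature scanner found:", results["signature_hits"])
    for finding in results["file_discrepancies"] + results["registry_discrepancies"]:
        print(f"{finding.kind}: {finding.name} ({finding.reason})")
```

Running it shows the signature scanner flagging only `knownbad.sys`, while the cross-view comparison reports `cloaked.sys` and the `cloaked` service key, which never appear in the API view at all and so could never match any pattern. The case normalization is what keeps `ntfs.sys` from being reported as a false discrepancy; a real detector has to do the same for every name it compares.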