By Steve Weinstein
By Bryan Bierman
By Lindsey Rhoades
By Chaz Kangas
By Ben Westhoff and Sarah Purkrabek
By Jena Ardell
By Jesse Sendejas Jr.
By Katherine Turman
The Sony rootkit Trojan horse now in the news, a/k/a Sony's Digital Rights Management (DRM) software, fulfills the definition of malicious code I came to recognize with the genesis of Heevahava. Like that virus, it installed itself on computers with the twin intents of being hidden and difficult if not often impossible to remove by regular people without help. It did so to control access to the music contained on Sony BMG CDs. But as with computer viruses, there was no explanation of its action or command for dispatching it once it had burrowed into the system. If removed, it was designed to make copying CD music to the computer impossible by rendering the disk drive useless. To normals, it would seem the CD drive had failed.
To understand why Sony can be said to be in the virus business, it's necessary to backtrack. For a few years in the early '90s, the Crypt Newsletter published a stream of frequently brutish and malicious programs. Anyone could reconstitute them, easy as powdered milk. Through Crypt, I gathered experience in the applications of digitized badness and gained an ability to see it in the work of others, whether that of teenagers out for kicks or businessmen grasping at ways to retaliate against kids thought to be stealing the company's music. Crypt knew the textures and flavors of rotten in the machine world. It published a virtual landmine based on a useful program, only overturned and corrupted to harshly prune the directory tree of a disk. Booby traps were written to show filth to moochers of porn while, in the background, the machine was being fouled. Viruses multiplied slowly and, when finished, either displayed vulgar quotes, logged keystrokes, or played idiotic music.
The Heevahava, dumb as it was, mocked the infected by associating them with its name. In one version, it obstructed efforts to unravel its instructions. In other words, it was managing its digital rights, a copy-protected Heevahava. Face-to-face, an anti-virus software programmer threatened to punch me in the mouth at a security convention because the protection had taken him hours to dissect, time he wished to spend with his family.
I had started fooling around with computer viruses while working at a Pennsylvania newspaper. In 1992, the Michelangelo computer virus had caused a mini-panic at the company. Workers rushed to back up the newspaper's PCs, afraid the virus's detonation, set for March 6, would crash all systems. It never happened. But my curiosity was stoked; I had to find a copy. I was tipped by teenagers that the place to look was the computer virus underground, secreted away on loose networks of bedroom PCs connected by phone lines.
At the time, the virus underground hoarded its collections. To get access, you had to offer computer viruses in trade. Hence, the origin of the Crypt.
What everyone learned in the land of nasty code, was that it was elementary to subvert and destroy. There was an allure in the multitude of ways a person could be taken unawares and relieved of control of his machine and the property on it. The wide-open nature of systems meant files could be shuffled and sliced, stealthy code delivered to hidey-holes in memory, the entire roots of the operation replaced with sinister functions that put the machine under the Trojan horse's control. The corruption could be hidden away, rendered invisible. If sanitation were attempted, a crash would be instigated, digital valuables incinerated, or conditions set that would make it appear hardware had been put to death.
Trouble was, it was hard to get paid for writing things that purposely messed up the computers of others. There was reluctance in the corporate world to hire people to brainstorm screwing up the computers of othersrivals, enemies, competitors, anyone who needed to be controlled, monitored, and meddled with, like fans of pop music, all obviously thought to be thieves.
It took a true egghead, Mark Ludwig, a graduate of Caltech and MIT, to work out the early profit margins. (He eventually became the publisher of my book on virus-writers.) Ludwig's first step was to write an explanatory volume, The Little Black Book of Computer Viruses, and it started the business off with a bang.A CD-ROM packed with arcane digital troubles and entitled Outlaws of the Wild West was assembled and sold for $100. There were many takers. The crowning achievement was a $400, 200-page tome called Computer Virus Supertechnology. Government and industry security men reliably bought copies, fueling the business.
By the turn of the century that profit model was shot. Bad code became too common to sell. It was stockpiled on multiple Internet sites. Virus-writing was amplified by the growth in speed and size of the world network and the ease with which growing numbers were willing to try their hands at it. Infection landed in e-mailboxes every day.
But the fundamentals for using malicious code had been worked out by the first virus-writers. Not only could it be used to harass file-sharing network users but also to enforce digital rights. The original kids often entertained themselves by victimizing software pirates and their trading networks. The networks were anchored to antique bulletin board systems and the prevailing philosophy was that pirates deserved trouble because they were greedy. Does that sound familiar?
Plus, thieves were viewed as lamers unaware of the many ways their virtual trading market could be contaminated. To that end, in 1992, a Chicago-area high school student named Nowhere Man came up with the idea of making programs to speed the poisoning of portions of pirate file-sharing networks with an assortment of vexing dummies. Although Nowhere Man never received a piece of the intellectual credit for this, The New York Times wrote in May 2003, the recording industry was "exploring options" that included "overwhelming [music] distribution networks with potentially malicious programs that masquerade as music files." It took 11 years to get there. Today, what had been the pesky work of teenagers is corporate entertainment-industry retaliation: "Overpeer Inc. . . . is paid by the entertainment industry to combat illegal downloading with an army of computerized drones," stated the Los Angeles Times in October. "From an office overlooking the New York Public Library, [it] unleashes millions of fake files into popular networks such as eDonkey, Kazaa and Gnutella every hour."
Shotgunning fake files into networks being used for piracy was petty stuff in the early '90s, and it still is, compared to Sony BMG's rootkit Trojan horse. Discovered on the Sysinternals blog, Mark Russinovich's examination of the Sony Trojan revealed it to be the infliction of malicious software on the unwitting. Delving into its slippery ways, the blog showed the Sony malware cloaking itself within the vitals of the machine, stratagems virus writers were happy to use more than a decade ago.
The corporate-speak in Sony's "user agreement" was functionally similar to the sucker texts furnished in old Trojan horses. It was a script for gaining consent to run something on the computer while revealing little of what that something was. If cauterized later, Russinovich discovered the Sony virus had massaged the machine so that it would appear the CD-ROM drive had failed. And since it was distributed through retail, it was assured that potentially millions would get it, snaring even those who did not trade music via the Internet.
Because of outrage from music fans Sony halted production of its malware. But if a twentysomething virus-writer had written the Sony Trojan finding its way to thousands, the law would have been after him in a flash.
A few virus-writers have been dragged into criminal court and convicted. To a man, they have never been able to defend themselves with claims that they didn't know what they were doing, that it was all an accident, just fooling around or intent to protect one's property gone awry. That's because when writing code like the Heevahava's or the Sony Trojan's, the author knows implicitly that it is malicious and will cause trouble for people in unknowing contact with it. It's not illegal to write viral code and although I never put the Heevahava on someone else's machine or tried to, I did distribute it in the Crypt on virus underground bulletin boards. Once there, it was out of my control. Anyone else with bad intent could do with it what they wished. Like me, Sony's viral programming flunkies had to know the bad potential of their Trojan horse. And they were successful in purposefully loading it onto the computers of others. It would be good to arrest them.
George Smith wrote about viruses and computer security for over a decade and is the author of the book, The Virus Creation Labs.