Security Response

Korean Internet Shoppers Get More Than They Bargained For

Created: 30 Apr 2007 07:00:00 GMT • Updated: 23 Jan 2014 18:49:53 GMT
Orla Cox

Commercial rootkits were first brought to the public's attention with the infamous Sony DRM case. This was followed a few months later by a rootkit component included on some KinoWelt DVDs. This rootkit was part of the Alpha-DVD content-protection software produced by the Korean company Settec. Discussion surrounding commercial rootkits has died down somewhat since then; however, this doesn't mean that they've gone away.

Recently we added detection for a rootkit that is installed by the Korean online shopping site Cashmoa. In order to log on to the site, the user is required to install a software package. This package includes a driver called cmdriver.sys. The driver behaves like a rootkit by hiding processes that use a particular name. The danger is that a malicious program using the same name would not be visible in the Windows process list.
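To illustrate the detection side of this, here is an added example (not from the original post or from Symantec): a cross-view comparison that takes two process enumerations, one from an interface the driver filters and one it does not, reports any process missing from the filtered view, and flags those that carry the exempted name but run from an unexpected directory. The exempted process name, the install path and both process lists are constructed placeholders.

```python
"""Cross-view check for processes hidden by name.

Constructed sample data only: neither view is captured from a real
system, and the exempted process name and install path are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    path: str


# Placeholder for the process name the driver exempts from listings.
EXEMPT_NAME = "cm_client.exe"
# Placeholder for where the shopping site's package would install it.
EXPECTED_DIR = r"C:\Program Files\Cashmoa"

# Constructed view 1: what a user-mode lister sees after the driver's filter.
VISIBLE_VIEW = [
    Proc(4, "System", ""),
    Proc(612, "csrss.exe", r"C:\Windows\System32"),
    Proc(1044, "explorer.exe", r"C:\Windows"),
    Proc(2208, "iexplore.exe", r"C:\Program Files\Internet Explorer"),
]

# Constructed view 2: an enumeration the filter does not cover.
FULL_VIEW = VISIBLE_VIEW + [
    Proc(1880, EXEMPT_NAME, EXPECTED_DIR),            # the site's own helper
    Proc(2956, EXEMPT_NAME, r"C:\Users\Public\Temp"),  # impostor using the name
]


def hidden_processes(full_view, visible_view):
    """Processes present in the unfiltered view but absent from the filtered one."""
    seen = {p.pid for p in visible_view}
    return [p for p in full_view if p.pid not in seen]


def suspicious_hidden(full_view, visible_view, expected_dir=EXPECTED_DIR):
    """Hidden processes that do not run from the expected install directory."""
    want = expected_dir.lower().rstrip("\\")
    return [p for p in hidden_processes(full_view, visible_view)
            if p.path.lower().rstrip("\\") != want]


if __name__ == "__main__":
    for p in hidden_processes(FULL_VIEW, VISIBLE_VIEW):
        print(f"hidden: pid={p.pid} name={p.name} path={p.path}")
    for p in suspicious_hidden(FULL_VIEW, VISIBLE_VIEW):
        print(f"SUSPICIOUS: pid={p.pid} runs from {p.path}")
```

On a real host the two views would come from an API-level lister and an independent enumeration (for example walking the PID space); any PID that appears in only one of them is worth examining.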

While it poses some danger, it is unlikely that we will see this rootkit leveraged in a global, widespread manner. Firstly, it is limited to users in Korea. Secondly, it only allows processes to be hidden, not files. In the Sony case, the rootkit had a substantial install base and allowed not only processes but also files, folders and registry keys to be hidden. Nevertheless, we have added detection for the rootkit in order to protect our customers. Cmdriver.sys is detected as SecurityRisk.Cashmoa using definitions from 04/20/2007 revision 19 and later.