MS is a big proponent of DRM infections; they are built into the core of the next version of Windows. MS also has shown a tendency to look the other way on malware and spyware when it is profitable; check out the recent near buy of Claria for more information. In the link above, it claims to have objective standards to determine whether -ware is mal- or ben-.
I asked Microsoft whether it would remove the Sony DRM infection a week or so ago, and a Microsoft spokesVole said:
I connected with my colleagues who can speak to this, and they wanted me to tell you that the security of our customers' information is a top priority at Microsoft, and we have invested considerable resources in the security of our products and processes. As such, we are concerned about any malware, including rootkits, which targets our customers and negatively impacts the security, reliability and performance of their systems. Both Windows Defender and the Malicious Software Removal Tool (MSRT) have established objective criteria to determine what code will be classified for removal. We are evaluating the current situation to determine if any action from Microsoft is necessary.
This tells me that as of last week, a rootkit was not exactly a high priority to remove, even with obvious negative security implications and exploits in the wild. While I have absolutely no evidence to back this up, I sense business motives and potential precedent-setting trumped user security in this case. Is that acceptable practice from a security vendor?
The other problem is that it didn't notice the DRM infection for months. Now, to be perfectly fair to MS, this is not only a Microsoft problem: no other security product vendor noticed it either. I would guess this is mainly because of the method of spreading, namely it doesn't spread without a CD, more or less 'old school' virus style. Few malware removal companies probably test CDs like this, but I would guess most will have this on their short lists from now on. Not finding it months ago is not something that Microsoft should be blamed for in any way.
The timeliness and tepidity of the response is something I will ping it for. If there was a virus raging all over the networks, you can bet it wouldn't take it a week to talk about a response. Again, I sense the heavy hand of the dollar at work here.
So, what do we end the day with? Microsoft dipping a toe in the water and saying it will remove a solitary DRM infection. No future pledges, no strong stand. I was honestly hoping MS would stand up and plant a stake in the ground about things like this. A week later with a murmur in a blog is not the response of a market leader.
That brings us to the whole debate about trusting MS security products. While some security vendors did stand up early and wave a flag about this, others sidestepped and had a stunningly lacklustre response. These had all the feel of bare-minimum PR ass covering rather than a bold statement about their protection philosophy. Well, maybe it really was a statement about their protection philosophy.
More troublesome is that no one is decrying the use of a EULA to 'OK' the use of rootkits. Now, I realise that 'legitimate' software companies try to fool people into believing these EULAs, which you can't read before you buy the -ware and can't return if you don't agree, hold water, but think of the implications. Real malware vendors are now using EULAs to 'legitimise' their infections just like Sony did. Imagine if on page 37 of the dense legalese, it said that you agree to allow it to take and use your credit card information. Luckily, not a single one of the security vendors stood up and decried this practice, mainly because they use it against you too.
But enough ranting. Let me end this with a couple of up notes. If you want to find a trustworthy security vendor, I would recommend looking for ones that stood up on the Sony malware DRM infection issue and said 'this is bad' early and loudly. F-Secure comes to mind, but there are others. The ones that said 'grumble, mumble, maybe, sorta' a week later are not what you want to have protecting your machines.
The other happy note is this gives us a really nice test of who is looking out for your best interests. Does the removal tool remove all the infection, or just the cloak? To me, that is the best current test of who is actually looking out for you, not their chequebook.