Someone came to me recently because Nero, a company that makes DVD burning and imaging software, said that the reason their software was not functioning well was that a rootkit was breaking it.
A long time ago, Nero made some of the best CD burning software around. Those days have been over for quite some time, but the practice of calling competing software, in this case Daemon Tools, a rootkit was a new one for me. I took over the email chain and asked them to clarify themselves. Part of their response is as follows:
The newly reported problem is caused by a rootkit which is installed on the system.
The driver installed and still available on your system is ‘sptd.sys’. Please use a rootkit analyzer in order to find and remove this file from your system.
This file (sptd.sys) is installed with Daemon Tools. In general I would recommend to contact Daemon Tools for further information. Unfortunately we’re not in contact with Daemon Tools as to why I can’t tell you how their reaction will be.
Therefore I would recommend to use a rootkit analyzing tool. I’m sure that the mentioned file will be detected. E.g. use ‘RootKit Hook Analyzer’
“Nero AG is not liable for programs that are not offered by Nero AG. The usage of those programs is performed at one’s own risk. Nero AG will not be liable for the legality of the programs.”
I did a quick search with Google and found some interesting pages. Just search for Daemon Tools and rootkit. Please take a minute and have a look at the following sites:
I hope this is the answer you expected. If you need further information feel free to contact me again.
Interesting response, but sadly about what I expected.
All the more interesting is that Nero and Daemon Tools have some similar functionality. When I have used both in the past on the same system, I didn’t have any of these problems. In looking at the URLs provided, I think I liked the last most.
The link mentioned is for Duplexsecure, which seems to make the SCSI Pass Through Direct [SPTD] driver.
I didn’t want to think that we were now in the days of competitors who called other superior products rootkits instead of fixing their software correctly, but I guess we’re there now.
I went ahead and let the people at Daemon Tools know about these shenanigans. They had the following clueful response:
There is only the one known issue which appears for any burning software and is related to DAEMON Tools software if you had enabled the “Hide CD-R” option in DT (this option was removed from the last DT versions).
Also, some notes about rootkits. You see, not every application/driver which makes hooks in the system’s kernel space or user space is a rootkit. Many security software like HIPS, advanced featured firewalls and even antiviruses can use hooks to protect your system. A hook is just a method, but it’s not a criterion which strongly points that software is a rootkit.