Real Story of the Rogue Rootkit

BokLM writes "Wired has an interesting article from Bruce Schneier about what's happening with the Sony Rootkit, and criticizing the anti-virus companies for not protecting its users. From the article: 'Much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.'"

This time...

[by Anonymous Coward]

... the malware was not made by the anti virus companies so how could we expect them to make the antidote?

Now don your tin foil hats!

DMCA risks.

[by Anonymous Coward]

If the Antivirus companies start destroying Sony copy-protection technologies, they're almost certain to get in trouble. Surely they don't want to violate the DMCA.

Actually

[einhverfr (238914)]

Read http://www.groklaw.net/article.php?story=200511131 64717817 [groklaw.net]

The creator of the rootkit (First 4 Internet) apparently worked with Symantec and other major antivirus companies to make sure that it would neither be detected nor removed by their software according to CNET.

This is a very damning accusation.

Re:Actually

[lgw (121541)]

The SOny rootkit was *not* a virus, so expecting AV software to do something about it isn't appropriate. The rootkit was spyware that came along with something the user installed by choice, no different from weatherbug or any of that other silly BS. That makes it a bit touchy deciding to remove it, just like removing some other BS that a user is sure they need. Most of these companies moved to remove the cloaking aspect as soon as it was known, closing the security hole, but (legally) removing the underlying software would remove the ability to play the Sony CD. You don't just go around uninstalling programs that users think they need (no matter how silly).

I suspect that for 99% of non-geek users, the ability to play the Sony CD was much more important than removing "some rootkit, whatever that is". And you probably can't remove the software and leave the ability to play the CD without violating the DMCA, so what are you going to do?

Re:Actually

[einhverfr (238914)]

You would have a point if Symantec didn't advertise the ability to remove trojans (which CDX certainly is) and adware (which MediaMax certainly is).

Re:Actually

[E8086 (698978)]

"The rootkit was spyware that came along with something the user installed by choice, no different from weatherbug or any of that other silly BS."

Ok, so was it really installed by choice? I have no desire to spend my money on one of those disks and risk the security of my PC to test it. Is the user given a choice do hit "I don't agree" to an EULA and then return it to where they purchased it or does it take advantage of Windows autoplay to install without asking or informing the user first with a description of what it will do.
An EFF explanation of the ELUA said if you no longer own the physical disk you must delete any and all copies of anything on the disk. Shouldn't it be the same for the rootkit? If someone no longer owns the CD, maybe they returned it for the recall/exchange offer, shouldn't any software installed by it also have to be removed? It claims the ability to do this unpunished with a legalese shrinkwrap ELUA and shrinkwrap ELUAs have never stood up in court. If a paying customer returns or resells or trashes a protected Sony disk, the rootkit and DRM should go with the disk, of it doesn't easily go away then it's unwanted spyware and the legal owner of the computer should have the right to remove it, other than having to try their luck with Windows system restore or reformat or reinstall.

Sony screwed up and it looks like the customers are going to have to pay for their mistake with decreased performance, system crashes, having to deal with malware specifically created to take advantage of security holes created by the rootkit, including purchasing additional security software to prevent infection and the time and effort to remove them and repair the damage and/or the monetary costs if they don't have the time or know enough and have to hire someone to do it for them.

Bah...

[Poromenos1 (830658)]

It's a shame what big companies can get away with. I mean, no matter how you look at this, a rootkit is a rootkit, there was nothing subjective about this. Yet, the fact that it was by Sony made people keep their mouths shut. It's a shame.

Well, not really... (was:Bah...)

[Lead Butthead (321013)]

It's their "rootkit," our "DRM enforcement agent." The same sort of nonsense about their "terrorist," our "freedom fighter." that were promoted by the whitehouse in 80's.

It's a shame what big companies can get away with.

[djdavetrouble (442175)]

one word:
Bhopal
.

Re:It's a shame what big companies can get away wi

[vivek7006 (585218)]

Mod parent up.

He is referring to the bhopal gas tragedy of 1984, http://en.wikipedia.org/wiki/Bhopal_gas_tragedy/ [wikipedia.org] where thousands of people were killed and Union Carbide pretty much got away with it. The CEO Warren Anderson is a fugitive and is on the wanted list of CBI India.

Re:It's a shame what big companies can get away wi

[argel (83930)]

Correct URL: http://en.wikipedia.org/wiki/Bhopal_gas_tragedy [wikipedia.org] (no trailing slash).

Re:Bah...

[LiquidCoooled (634315)]

What is a (better informed) user wants to play the CD despite the rootkit?

Rule #1: Disable Autorun.

If microsoft had disabled this action by default, it would have prevented this being a widespread problem in the firstplace.

AUdio CDs should be nothing more than data. A media player is installed on every single computer that can play audio CDs.

Sony should not have messed with that, and if MS had defaulted it then 1st$ wouldn't have exploited it.

Re:Bah...

[SilverspurG (844751)]

You did notice from '95 to '98 nearly every CD enabled application would annoy you with the "it is recommended to enable Autorun by going to the Control Panel... etc. etc. etc" Oh wait? You didn't notice that? Probably because you didn't think to disable autorun 'til now so that you could take part in the brow-beating.

You did notice that, from '98-'02, nearly every CD burning application on Windows began to annoy you with the "It is required for this application to function properly that you enable the Autorun feature of the CD drive by going to the Control Panel... etc. etc. etc." Oh? What's that? You didn't notice these error boxes? Probably because you didn't think to disable autorun until now so that you could take part in the brow-beating.

I, on the other hand (am an arrogant prick), and I did spend all of those years turning off Autorun until it just became impossible to use any CDROM enabled Windows software without it.

By the way, I like most of your posts. I've just been waiting for the last two weeks to slam someone on the "just disable autorun" issue and you happened to be the poster of the day. :)

Re:Bah...

[eric76 (679787)]

While this is a rootkit, "infected" systems don't display the normal symptoms: no (appreciable) slowdown, no annoying popups, no self-propagation or open ports.

Methinks thee art confusing rootkits with spyware.

The last thing a rootkit author would want in a rootkit would be for it to be noticeable to the average user. Or even to the expert user. If symptoms are noticed, it isn't a good rootkit.

Re:Bah...

[nigelo (30096)]

TFA points out that this has been out there for over a year, not just "a few days".

Just because the symptoms are barely noticeable does not make it acceptable.

Just because it comes from a CD does not make it acceptable, either.

If the "(cluelss) user" inserts the CD again, the AV software should do what it should have done the first time - issue a large warning and block the activity. If this had happened a year ago, there wouldn't be several hundred thousand machines with it installed today.

Re:Bah...

[drakaan (688386)]

I think's things are not so simple.

And then some...

While this is a rootkit, "infected" systems don't display the normal symptoms: no (appreciable) slowdown, no annoying popups, no self-propagation or open ports. Moreover, the "phone home" behaviour is very limited. Since the average user didn't notice, there were no complaints.

That's not the issue, really.

Do you expect the AV companies to buy and test music CDs for malware before this broke out (not in hindsight!). Since it took a Windows guru to figure out something was wrong, I'd expect these companies to take a few days. Several (including Microsoft, in fact) already classify it as malware and look for it.

It took somebody looking for evidence of rootkits on a well-maintained system that should have been rootkit free. I expect AV companies to do *that*, yes. You say "already" as if the rootkit had only been around for a few days. It's been around for many months, and the fact that we didn't know that before the guys at sysinternals noticed it is inexcusable.

Sony distributed software to millions of random people that installed half of itself silently, offered no option to not install, left machines vulnerable to infection by absolutely any wanna-be hacker that can spell "$sys$", has no uninstaller, leaves no indication that it *is* installed, makes the machines that it is installed on unstable if removed, and uses bandwidth and network connectivity without informing the owner of the computer.

If AV vendors can't protect against this type of threat, and cannot identify cloaked software when it has been distributed for a year, I don't exactly have a lot of faith in the security of any machines protected by their software (sadly, that seems to be every AV vendor). Maybe Mr. Russinovich could give a few paid talks at each of these companies about how to detect rootkits...

I'm off to go install SuSE on my desktop...cheers.

Re:Bah...

[SilverspurG (844751)]

So the burning question in my mind is... Didn't any of the Symantec or Norton of McAfee firewalls pick up the unwanted network activity?

Oh wait... "XCP media player wishes to access the internet. Would you like to allow this action?"

Some effing firewall...

Clearly

[Trails (629752)]

The AV companies are just gunshy of Sony's squad of legal attack ninjas. Not surprising given that this is grey area. I think the author makes a decent point (that the AV companies moved slowly), but the real failing here is the draconian legislation that made this a grey area in the first place. Hopefully these wee little gaps in consumer protection get plugged as a result of this.

Re:Clearly

[jcr (53032)]

Not surprising given that this is grey area.

Nope.

This is not a grey area, this is a crime, and it is also a civil tort. Sony will learn this at great expense over the next couple of years in litigation.

-jcr

Re:Clearly

[ZachPruckowski (918562)]

It's a gray area because Sony claims it is DRM, which is illegal to remove. If this went the other way, and an AV company started removing it before it got out to the public fully, then the AV company is removing DRM, and Sony sues, and noone backs them (except EFF and a few nerds). The AV companies were powerless until they had the mob behind them.

Re:Clearly

[jcr (53032)]

It's a gray area because Sony claims it is DRM, which is illegal to remove.

Sony has damaged other people's property. I can chase a burglar, but if he hides in your house I'm not entitled to burn it down.

-jcr

Who Else Can We Blame

[moehoward (668736)]

I have to ask... If you were infected by this thing, then why not call law enforcement? You know it is malware of the worst kind and you know exactly who did it to you. Why not call the FBI or your Attorney General and file a criminal report? Couldn't you list Sony or the record store/online store you got it from as the source? I don't know. Seems like a good form of civil disobedience at the very least.

Isn't that what we're supposed to do?

Of course, all Slashdotters were not infected because we all boycott music companies anyway. Right?? Or did I miss a memo?

Re:Who Else Can We Blame

[Hosiah (849792)]

Of course, all Slashdotters were not infected because we all boycott music companies anyway. Right?? Or did I miss a memo?

Apparently:

To:all Slashdotters
From: The Big Penguin
Subject: Protective measures

We will be switching exclusively to the Linux operating system at 1200 hours effective Tuesday. This will ensure that we can run any music CD with impunity, be it ripped or legit.

Sincerly,
T.B.P.

Re:Why not call law enforcement?

[99BottlesOfBeerInMyF (813746)]

Because calling law enforcement would lead to a court case: YOU vs SONY. Guess who wins every time?

What are you talking about? Making a report to law enforcement is not going to get you into a civil suit. It will be the state vs. Sony in a criminal case should they pursue it. The trouble is getting them to do so. Try calling the FBI sometime. If it isn't easily demonstrable as several grand worth of damage they will just ignore you.

DMCA

[PacketScan (797299)]

No shit no one touched it..

They are Scared Shitless...

Until Now.

Re:DMCA

[Mundocani (99058)]

The article makes a big issue of painting this to be big corporations supporting big corporations, but I suspect you're right and that it's actually because of the DMCA. The anti-virus companies removed the cloaking code, nothing too risky about that as far as the DMCA goes. Removing the rest of the code however isn't nearly so clear cut. Personally, I'd love to see the DMCA gutted, but until it is this sort of issue is going to be there. When is it ok to remove a piece of software which is a combination of copyright protection AND spyware? Seems like a very fuzzy area in the DMCA indeed given that an anti-virus company can't exactly pick apart the software to leave the protection features in place while knocking out the spyware.

This issue isn't about big companies supporting big companies, it's about companies not knowing where the legal line is on what they can remove from your computer without being slapped with a DMCA lawsuit.

NGSCB?

[interiot (50685)]

What happens when Sony's rootkit hides under the protection of Windows Vista's NGSCB [wikipedia.org]? Will antivirus vendors be able to remove bad code that ends up in the NGSCB? Given that Window's kernel in insecure enough to allow itself to be rootkitted, what is the chance that NGSCB itself will be subverted? Doesn't the fact that NGSCB is designed to hide code from normal users and knowledgable debuggers alike mean that it's somewhat similar to what the Sony rootkit tries to do?

Built-in DRM

[dereference (875531)]

That's a great point, although I suspect the reality will be even more bleak.

Sony won't need to install a rootkit, because the Microsoft DRM will be designed specifically to help enforce things like Sony's EULA. Why should Sony bother with a rootkkit when the OS itself will impose the limits by design?

Re:Built-in DRM

[interiot (50685)]

The rootkit wasn't necessarily the worst part of the problem though...

One issue was lack of disclosure. Parts of the program were uninstallable, staying in the background, constantly eating a little CPU. The program "phoned home", and neither the EULA or any normal documentation let the user know that would happen.

The other problem was stability. Because the program was meant to filter the audio CD driver information, and generally do low-level stuff, and it was poorly coded, it caused a computer system to be less stable.

These problems were only discovered because of skilled people at Sysinternals. In the future though, if programs can be more protected by the NGSCB, they will have greater free reign to do this type of activity without scrutiny. Certainly it will be easier if simply processes and files aren't hidden anymore, since that, combined with seeing TCP data being sent out whenever you play a CD, will be a large tip-off. However, we all benefit if skilled people can expose spyware wherever it occurs, and ultimately, if NGSCB helps cloak some activity, then that may ultimately make it harder for peoplpe like Mark Russinovich to do their work for the public good.

Damn them!

[SuperKendall (25149)]

With Vista you don't have to worry about shit like the Sony rootkit, because he is already in!

Yet another example of over-agressive bundling.

sony

[akhomerun (893103)]

i'm still shocked that a "legitimate" company that's widely purchased from, and is a household name, would distribute software that anti-virus companies would consider to be malware. i'm still shocked that sony let this kind of thing slide, it's so obvious that they didn't even check to see what they were doing before they did it.

Re:sony

[Mattcelt (454751)]

I think you're forgetting that DVD Jon and the others don't have a team of lawyers at their immediate disposal like more companies do, so it takes time for them to seek legal counsel. It may be days or weeks before they announce an intention to sue Sony.

Fear?

[dada21 (163177)]

When news of the criminal root kit hit full blast, I figured it would immediately get nuked by the AV companies. As things progressed and no one but MSFT came to the rescue, it made wonder if there was fear or maybe even collusion.

Yet the bigger story here in the fact that a blogger was the breaking source.

My media is 75% blogs now. Many use links to back their opinions (I'd love to see a standard bibliogtaphical Wiki for referencing). They're faster than the daily news and less likely to be afraid of corporate threats.

BTW, anyone know a way for me to toggle link text format fron standard (blue w/ underline) to normal (black no underline) and back, quickly?

Re:Fear?

[ParadoxDruid (602583)]

In regard to your question:

Define a custom page stylesheet (userChrome stuff in Mozilla), with

a {
    color: black;
    text-decoration: none;
}

Then, you can go to View -> PageStyle and switch between the original page style and your new style.

Thats because this virus was nasty as hell.

[Viewsonic (584922)]

It was very hard, even for Microsoft to figure out how to remove the damn thing without disabling the CD/DVD drive entirely. The first anti-virus patches that thought they fixed this was actually disabling peoples drives without knowing it. Microsoft had to work with Sony to figure out what the hell they had actually done. It really sucks.

Re:Thats because this virus was nasty as hell.

[Daedala (819156)]

Well, then, why didn't they say, "We can't do anything yet because this is nasty. We are working on a fix."

Instead, they're saying the DRM software that hijacks your device driver is legitimate, and the rootkit was really only kinda bad because it hid legitimate software....

Uh, antivirus companies are out to make money.

[Spazntwich (208070)]

They don't exist to make gigantic corporate enemies.

Like it or not, detecting and removing Sony's malware puts them at series risk for DMCA lawsuits and the like and is thus a bad business decision. Anyone who thinks they're in it to actually better their customers and not their bottom line is living in fantasy land.

Let's call it "Sony's Law":

[Hosiah (849792)]

Never simply shoot yourself in the foot when you can shoot yourself in both feet while hanging yourself with a bungee cord, disembowling yourself with a potato-peeler, running a crowbar up your ass, and jumping though a foot of plate glass to fall into a pool of sulfuric acid all at the same time.

Man, all this just in time for Christmas. When I'm shopping this Holiday Season, I think I'll just run up to store clerks and ask them if they carry Sony products and if they say yes, ask "For the love of God, WHY???" and then run away laughing.

The brick advertisement

[72beetle (177347)]

Imagine this: a brick comes sailing through your window, smashing glass everywhere. You pick it up and wrapped around the brick is a flyer for a glass replacement company.

This is how I've viewed the major AV companies for quite some time. Sure, there are non-affiliated virus threats out there, but they perpetuate their own business as well.

I didn't think that my opinion of McAffee and Norton could sink any lower... but I was wrong.

DRM is useless

[gasmonso (929871)]

Companies are so worried about piracy that they go to these extremes. What they need to look at is why are people pirating. Many people pirate because the thought of spending $17 for a cd is rediculous considering that only a few songs are worth a damn. Secondly, DRM makes it worse because people can't rip the audio for their mp3 player. This drives people to piracy and the DRM makes it worse and drives the consumer away. Just lower the damn prices and let me burn it, rip, or do anything else I want with it because it's mine!

gasmonso http://religiousfreaks.com/ [religiousfreaks.com]

Printer Friendly

[TubeSteak (669689)]

http://www.wired.com/news/print/0,1294,69601,00.ht ml [wired.com]
3-Pages of Wired goodness

this isn't one of those lightning-fast internet worms; this one has been spreading since mid-2004. Because it spread through infected CDs, not through internet connections, they didn't notice?

Reminds me of the good old days when computer viruses were spread around on 3 1/2 floppy disks. Nothing like a boot sector virus to spoil your day.

Links From The Article
Apparently there is a criminal investigation going on...
In Italy [computerworld.com]

On Friday, the Milan-based (Association for Freedom in Electronic Interactive Communications - Electronic Frontiers Italy) filed a complaint about Sony's software with the head of Italy's cybercrime investigation unit...

The complaint alleges that XCP violates a number of Italy's computer security laws by causing damage to users' systems and by acting in the same way as malicious software, according to Andrea Monti, chairman of the ALCEI-EFI. "What Sony did qualifies as a criminal offense under Italian law,"

Class action lawsuit [boingboing.net]
Apparently step 3 is that you have to "reside in either California or New York." Sadly, step 4 is not Profit!

double standards, no standards?

[z0I!) (914679)]

The double standard of the security companies is troubling... If I released this application (sony's rootkit) it would be considered malware immediately. The fact that they only remove a portion of it is also strange. That is like removing the part of a spam generating worm that sends emails to others but leaving the rest of it to waste CPU time scavanging my address book. Also... What I wonder is, is what consequences will come from the alleged GPL violations? Is anyone suing Sony or first4Internet for copyright infringment? If not, does this send a signal to big corps that it's ok to steal code that is GPL'd because the parties that wrote it probably don't have the time/money to do anything about it anyway?

Sony's DRM breaks

[mhollis (727905)]

It does not work and cannot work when it warns the user, as the Rootkit DRM program has to ask for an administrator password before you install.

On a Macintosh running OS X.

A word from User Friendly...

[creimer (824291)]

Sony Feels Badly [userfriendly.org] :P

Security Alert

[jeti (105266)]

Your computer is infected with the Sony DRM Rootkit.
It compromises the security of your machine, leaving
it open to various attacks.
Due to legal restrictions imposed by the DMCA, the
infection can not be removed. It is recommended to
disconnect the computer from the internet and
reinstall the operating system.

Never in my wildest dreams

[SlashAmpersand (918025)]

The biggest surprise for me was that Microsoft, who usually pisses me off, actually was the only company to step up to the plate in a meaningful way. I expected far, far better from the antivirus/spyware vendors. If you're going to tell me that you're going to protect my system, make me pay a subscription to keep my definitions current, and, on top of that, consume some of my system resources to do it, you'd damn well better step up to the plate when it comes to something as blatantly dangerous to my security as a rootkit.

Heh, the dirt is piling up.

[88NoSoup4U88 (721233)]

Wow, it's getting dirtier and dirtier.

I won't be surprised when in a few days there will be an announcement how Sony's rootkit causes world hunger, rapes dogs, and hides one sock out of every pair every once and awhile.

Damn you Sony !... Oooh, shiny PS3 !

Rampant Hypocrisy

[dragonfly_blue (101697)]

I think this just highlights the hypocritical nature of the antivirus vendors; by measuring the time between the Mark Russinovich post unveiling the rootkit [sysinternals.com] on October 31, and the subsequent addition of the rootkit's signature to the various antivirus vendor's products, you can draw some fairly interesting conclusions about the relationships between antivirus companies, consumers, virus/malware authors, and software companies (or in Sony's case, companies offering products that happen to contain additional software).

• F-Secure - Nov 1st, 2005
• Symantec - November 8, 2005: Renamed to SecurityRisk.First4DRM from SecurityRisk.Aries November 11, 2005: Added link to removal tool.
• Computer Associates - listed, unknown date.
• Kapersky - Nov 2, 2005

It's interesting how some of the vendors are listing information about the rootkit, but see uninterested in adding a signature, claiming that it's not really a virus (which is true) because it doesn't self-replicate. That's fine, I guess, because if they started detecting rootkits, they'd have a lot more work to do, but I think it's kind of shortsighted of them to think that people won't get angry that they paid for a $40/year subscription for a product that doesn't detect when their system gets totally rooted.

(I'm always tempted to spell it r00tk1t, but I'm trying to act more mature these days...)

How?

[Arandir (19206)]

After seeing this story all week, I still can't get past the most basic question in my head: Why the hell is Windows executing software from an audio CD?

DOD Twist

[TuballoyThunder (534063)]

The DOD pays big dollars to get a corporate license for both McAfee and Norton, which includes permission for users to use on their home computers. Considering the numer of DOD computers that got infected by the Sony DRM application, I think the people who oversee those contracts would be negligent if they did not "seek consideration" for the failure to perform.