Privacy Security Software

Real Story of the Rogue Rootkit 427

Posted by Zonk
from the when-good-rootkits-go-bad-on-fox dept.
BokLM writes "Wired has an interesting article from Bruce Schneier about what's happening with the Sony Rootkit, and criticizing the anti-virus companies for not protecting their users. From the article: 'Much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.'"

  • by Anonymous Coward on Thursday November 17, 2005 @05:00PM (#14056894)
    ... the malware was not made by the anti virus companies so how could we expect them to make the antidote?

    Now don your tin foil hats!
    • DMCA risks. (Score:5, Interesting)

      by Anonymous Coward on Thursday November 17, 2005 @05:13PM (#14057038)
      If the Antivirus companies start destroying Sony copy-protection technologies, they're almost certain to get in trouble. Surely they don't want to violate the DMCA.
      • Actually (Score:5, Interesting)

        by einhverfr (238914) <chris.travers@gmail . c om> on Thursday November 17, 2005 @05:58PM (#14057514) Homepage Journal
        Read http://www.groklaw.net/article.php?story=20051113164717817 [groklaw.net]

        The creator of the rootkit (First 4 Internet) apparently worked with Symantec and other major antivirus companies to make sure that it would neither be detected nor removed by their software according to CNET.

        This is a very damning accusation.
  • Mirror (Score:3, Informative)

    by Anonymous Coward on Thursday November 17, 2005 @05:01PM (#14056899)
    Wired's webserver was borked before this even hit the front page. A functional mirror [nyud.net] for everyone's perusal.
  • Bah... (Score:5, Interesting)

    by Poromenos1 (830658) on Thursday November 17, 2005 @05:01PM (#14056900) Homepage
    It's a shame what big companies can get away with. I mean, no matter how you look at this, a rootkit is a rootkit, there was nothing subjective about this. Yet, the fact that it was by Sony made people keep their mouths shut. It's a shame.
    • by Lead Butthead (321013) on Thursday November 17, 2005 @05:17PM (#14057077) Journal
      It's their "rootkit," our "DRM enforcement agent." The same sort of nonsense about their "terrorist," our "freedom fighter" that was promoted by the White House in the '80s.
    • Re:Bah... (Score:2, Insightful)

      by l2718 (514756)

      I think things are not so simple. While this is a rootkit, "infected" systems don't display the normal symptoms: no (appreciable) slowdown, no annoying popups, no self-propagation or open ports. Moreover, the "phone home" behaviour is very limited. Since the average user didn't notice, there were no complaints. Do you expect the AV companies to buy and test music CDs for malware before this broke out (not in hindsight!). Since it took a Windows guru to figure out something was wrong, I'd expect these

      • Re:Bah... (Score:5, Insightful)

        by LiquidCoooled (634315) on Thursday November 17, 2005 @05:27PM (#14057198) Homepage Journal
        What if a (better informed) user wants to play the CD despite the rootkit?

        Rule #1: Disable Autorun.

        If Microsoft had disabled this action by default, it would have prevented this being a widespread problem in the first place.

        Audio CDs should be nothing more than data. A media player is installed on every single computer that can play audio CDs.

        Sony should not have messed with that, and if MS had defaulted it then 1st$ wouldn't have exploited it.
        • by geekoid (135745) <dadinportland AT yahoo DOT com> on Thursday November 17, 2005 @07:26PM (#14058317) Homepage Journal
          Don't put this on MS in any way. Autorun is a feature that the users want to see.
          Just because a user wants a program to install automatically, doesn't mean they deserve a root kit install. It is not an exploit because autorun works as designed.
          I am not a MS apologist, but don't blame MS for this, it is SONY's doing, and SONY bears 100% of the blame.

          If I throw a brick through your window, is it the home builder's fault for putting windows in your home? Is it your fault because you use glass windows? No.
          • The real solution to autorun, is similar to how Apple has done it in OS X, or how many Linux distros do it, which is to open a folder displaying the contents of the disk, and not open an application that could be an installer. In the case of MacOS (at least from 7 on through X, I haven't used MacOS since before 7.6.1), a folder can actually be assigned a "view", where icons show up where you want them, and in X, you can have a background in the window (in 9 and below, companies got around the not able to h
        • Re:Bah... (Score:5, Insightful)

          by SilverspurG (844751) * on Thursday November 17, 2005 @07:30PM (#14058360) Homepage Journal
          You did notice from '95 to '98 nearly every CD enabled application would annoy you with the "it is recommended to enable Autorun by going to the Control Panel... etc. etc. etc" Oh wait? You didn't notice that? Probably because you didn't think to disable autorun 'til now so that you could take part in the brow-beating.

          You did notice that, from '98-'02, nearly every CD burning application on Windows began to annoy you with the "It is required for this application to function properly that you enable the Autorun feature of the CD drive by going to the Control Panel... etc. etc. etc." Oh? What's that? You didn't notice these error boxes? Probably because you didn't think to disable autorun until now so that you could take part in the brow-beating.

          I, on the other hand (am an arrogant prick), and I did spend all of those years turning off Autorun until it just became impossible to use any CDROM enabled Windows software without it.

          By the way, I like most of your posts. I've just been waiting for the last two weeks to slam someone on the "just disable autorun" issue and you happened to be the poster of the day. :)
      • Re:Bah... (Score:3, Informative)

        by QuantumG (50515)
        Uhhh, it causes your CD burning software not to work.. and in many cases it caused people's CD/DVD drives not to work.
      • Re:Bah... (Score:5, Insightful)

        by eric76 (679787) on Thursday November 17, 2005 @05:33PM (#14057261)
        While this is a rootkit, "infected" systems don't display the normal symptoms: no (appreciable) slowdown, no annoying popups, no self-propagation or open ports.

        Methinks thee art confusing rootkits with spyware.

        The last thing a rootkit author would want in a rootkit would be for it to be noticeable to the average user. Or even to the expert user. If symptoms are noticed, it isn't a good rootkit.

        • Re:Bah... (Score:3, Interesting)

          by Bloater (12932)
          > Methinks thee art confusing rootkits with spyware.

          "Thee" should be "Thou"

          "Thee" is to "Thou" as "me" is to "I".
      • Re:Bah... (Score:5, Insightful)

        by nigelo (30096) on Thursday November 17, 2005 @05:33PM (#14057266)
        TFA points out that this has been out there for over a year, not just "a few days".

        Just because the symptoms are barely noticeable does not make it acceptable.

        Just because it comes from a CD does not make it acceptable, either.

        If the "(clueless) user" inserts the CD again, the AV software should do what it should have done the first time - issue a large warning and block the activity. If this had happened a year ago, there wouldn't be several hundred thousand machines with it installed today.
      • Re:Bah... (Score:5, Insightful)

        by drakaan (688386) on Thursday November 17, 2005 @05:37PM (#14057306) Homepage Journal

        I think things are not so simple.

        And then some...

        While this is a rootkit, "infected" systems don't display the normal symptoms: no (appreciable) slowdown, no annoying popups, no self-propagation or open ports. Moreover, the "phone home" behaviour is very limited. Since the average user didn't notice, there were no complaints.

        That's not the issue, really.

        Do you expect the AV companies to buy and test music CDs for malware before this broke out (not in hindsight!). Since it took a Windows guru to figure out something was wrong, I'd expect these companies to take a few days. Several (including Microsoft, in fact) already classify it as malware and look for it.

        It took somebody looking for evidence of rootkits on a well-maintained system that should have been rootkit free. I expect AV companies to do *that*, yes. You say "already" as if the rootkit had only been around for a few days. It's been around for many months, and the fact that we didn't know that before the guys at sysinternals noticed it is inexcusable.

        Sony distributed software to millions of random people that installed half of itself silently, offered no option to not install, left machines vulnerable to infection by absolutely any wanna-be hacker that can spell "$sys$", has no uninstaller, leaves no indication that it *is* installed, makes the machines that it is installed on unstable if removed, and uses bandwidth and network connectivity without informing the owner of the computer.

        If AV vendors can't protect against this type of threat, and cannot identify cloaked software when it has been distributed for a year, I don't exactly have a lot of faith in the security of any machines protected by their software (sadly, that seems to be every AV vendor). Maybe Mr. Russinovich could give a few paid talks at each of these companies about how to detect rootkits...

        I'm off to go install SuSE on my desktop...cheers.

        • Re:Bah... (Score:5, Insightful)

          by SilverspurG (844751) * on Thursday November 17, 2005 @07:35PM (#14058397) Homepage Journal
          So the burning question in my mind is... Didn't any of the Symantec or Norton or McAfee firewalls pick up the unwanted network activity?

          Oh wait... "XCP media player wishes to access the internet. Would you like to allow this action?"

          Some effing firewall...
      • Re:Bah... (Score:4, Informative)

        by LarsG (31008) on Thursday November 17, 2005 @06:35PM (#14057842) Journal
        Do you expect the AV companies to buy and test music CDs for malware before this broke out (not in hindsight!).

        According to F-Secure's blog [f-secure.com], they had received tips that Sony CDs might contain a rootkit at least a month before Mark broke the story.

        "We didn't go public with the info right away as we were worried with the implications (especially with the info on how virus writers can use this to hide files which have names starting with "$sys$"). So we were in the middle of discussions with Sony BMG and First 4 Internet when Mark broke the news on Monday."
    • by djdavetrouble (442175) on Thursday November 17, 2005 @05:41PM (#14057347) Homepage
      one word:
      Bhopal
      .
  • Clearly (Score:5, Insightful)

    by Trails (629752) on Thursday November 17, 2005 @05:02PM (#14056918)
    The AV companies are just gunshy of Sony's squad of legal attack ninjas. Not surprising given that this is grey area. I think the author makes a decent point (that the AV companies moved slowly), but the real failing here is the draconian legislation that made this a grey area in the first place. Hopefully these wee little gaps in consumer protection get plugged as a result of this.
  • by moehoward (668736) on Thursday November 17, 2005 @05:03PM (#14056935)

    I have to ask... If you were infected by this thing, then why not call law enforcement? You know it is malware of the worst kind and you know exactly who did it to you. Why not call the FBI or your Attorney General and file a criminal report? Couldn't you list Sony or the record store/online store you got it from as the source? I don't know. Seems like a good form of civil disobedience at the very least.

    Isn't that what we're supposed to do?

    Of course, all Slashdotters were not infected because we all boycott music companies anyway. Right?? Or did I miss a memo?
    • by Hosiah (849792) on Thursday November 17, 2005 @05:20PM (#14057114)
      Of course, all Slashdotters were not infected because we all boycott music companies anyway. Right?? Or did I miss a memo?

      Apparently:

      To:all Slashdotters
      From: The Big Penguin
      Subject: Protective measures

      We will be switching exclusively to the Linux operating system at 1200 hours effective Tuesday. This will ensure that we can run any music CD with impunity, be it ripped or legit.

      Sincerely,
      T.B.P.

    • My other and I are dumping all our Sony artists CDs at the resale shop. I'm also done with future artists dumb enough to support Sony BMG.

      Why do this?

      You can get record stores to stop selling Sony artists.

      You can't get Sony to stop.

      You can't change the RIAA which came to power through the voters in the US (I don't vote/rape).

      You can hurt the artists. I'm amazed how many artists are on Sony. I e-mailed the ones I could, and I will never support Sony BMG again.

      The $1000 I save on my PS3+games will be spent
    • Certainly not this slashdotter. I haven't bought a new CD in more than four years except for when I went to a band's concert and bought it there.
  • AV companies can't afford to take the threat of a libel lawsuit lightly. They have to step carefully whenever someone with backing installs malicious software on your box. Why do you think it took them so long to get into the spyware removal business? Lawsuits.
    • by HiThere (15173) *
      And I can't afford to consider recommending them lightly.

      I'm not claiming that they are a *part* of a criminal conspiracy. But they were aware of it and did NOTHING to alert their customers. I.e., they intentionally did not perform the service that they were being paid money to perform. That looks to me like malfeasance, but perhaps only government employees can commit malfeasance. IANAL.

      It certainly looks like fraud. They claimed and received money to provide a service that they intentionally did not p
  • DMCA (Score:4, Insightful)

    by PacketScan (797299) on Thursday November 17, 2005 @05:05PM (#14056949)
    No shit no one touched it..

    They are Scared Shitless...

    Until Now.
    • Re:DMCA (Score:5, Insightful)

      by Mundocani (99058) on Thursday November 17, 2005 @05:20PM (#14057112)
      The article makes a big issue of painting this to be big corporations supporting big corporations, but I suspect you're right and that it's actually because of the DMCA. The anti-virus companies removed the cloaking code, nothing too risky about that as far as the DMCA goes. Removing the rest of the code however isn't nearly so clear cut. Personally, I'd love to see the DMCA gutted, but until it is this sort of issue is going to be there. When is it ok to remove a piece of software which is a combination of copyright protection AND spyware? Seems like a very fuzzy area in the DMCA indeed given that an anti-virus company can't exactly pick apart the software to leave the protection features in place while knocking out the spyware.

      This issue isn't about big companies supporting big companies, it's about companies not knowing where the legal line is on what they can remove from your computer without being slapped with a DMCA lawsuit.
  • NGSCB? (Score:5, Interesting)

    by interiot (50685) on Thursday November 17, 2005 @05:05PM (#14056952) Homepage
    What happens when Sony's rootkit hides under the protection of Windows Vista's NGSCB [wikipedia.org]? Will antivirus vendors be able to remove bad code that ends up in the NGSCB? Given that Windows' kernel is insecure enough to allow itself to be rootkitted, what is the chance that NGSCB itself will be subverted? Doesn't the fact that NGSCB is designed to hide code from normal users and knowledgeable debuggers alike mean that it's somewhat similar to what the Sony rootkit tries to do?
    • Built-in DRM (Score:5, Insightful)

      by dereference (875531) on Thursday November 17, 2005 @05:13PM (#14057039)
      That's a great point, although I suspect the reality will be even more bleak.

      Sony won't need to install a rootkit, because the Microsoft DRM will be designed specifically to help enforce things like Sony's EULA. Why should Sony bother with a rootkit when the OS itself will impose the limits by design?

      • That can be a great anti-Vista publicity.

        "With Vista you don't have to worry about shit like the Sony rootkit, because he is already in!"
      • Re:Built-in DRM (Score:5, Insightful)

        by interiot (50685) on Thursday November 17, 2005 @05:40PM (#14057338) Homepage
        The rootkit wasn't necessarily the worst part of the problem though...

        One issue was lack of disclosure. Parts of the program were uninstallable, staying in the background, constantly eating a little CPU. The program "phoned home", and neither the EULA nor any normal documentation let the user know that would happen.

        The other problem was stability. Because the program was meant to filter the audio CD driver information, and generally do low-level stuff, and it was poorly coded, it caused a computer system to be less stable.

        These problems were only discovered because of skilled people at Sysinternals. In the future though, if programs can be more protected by the NGSCB, they will have greater free rein to do this type of activity without scrutiny. Certainly it will be easier if simply processes and files aren't hidden anymore, since that, combined with seeing TCP data being sent out whenever you play a CD, will be a large tip-off. However, we all benefit if skilled people can expose spyware wherever it occurs, and ultimately, if NGSCB helps cloak some activity, then that may ultimately make it harder for people like Mark Russinovich to do their work for the public good.

    • if when NGSCB gets owned, NGSCB will no longer protect malicious code hiding in it because scanners will be able to use the same exploit, unless the malware plugs the hole behind it.
  • & which flavours of UNIX/Linux is it for ? ...and what are the symptoms ?
  • sony (Score:4, Insightful)

    by akhomerun (893103) on Thursday November 17, 2005 @05:06PM (#14056961)
    i'm still shocked that a "legitimate" company that's widely purchased from, and is a household name, would distribute software that anti-virus companies would consider to be malware. i'm still shocked that sony let this kind of thing slide, it's so obvious that they didn't even check to see what they were doing before they did it.
    • Yeah, it's called due diligence and it's something large companies are notoriously bad at. Of course, nothing is going to happen. If the LAME dudes or DVD Jon were going to sue Sony they would have let us know by now.
      • Re:sony (Score:5, Insightful)

        by Mattcelt (454751) on Thursday November 17, 2005 @05:28PM (#14057206)
        I think you're forgetting that DVD Jon and the others don't have a team of lawyers at their immediate disposal like more companies do, so it takes time for them to seek legal counsel. It may be days or weeks before they announce an intention to sue Sony.
    • Re:sony (Score:3, Interesting)

      by Azarael (896715)
      Beyond that, who is going to properly regulate NGSCB code to keep out the poorly coded crap? From the sounds of it, you won't be able to do anything to fix it or get rid of it unless MS or whoever decides to patch it. As far as I can tell it will be pretty much a black hole full of all sorts of stuff that can, will and does kill your machine.
  • Fear? (Score:5, Interesting)

    by dada21 (163177) * <adam.dada@gmail.com> on Thursday November 17, 2005 @05:07PM (#14056976) Homepage Journal
    When news of the criminal root kit hit full blast, I figured it would immediately get nuked by the AV companies. As things progressed and no one but MSFT came to the rescue, it made me wonder if there was fear or maybe even collusion.

    Yet the bigger story here is the fact that a blogger was the breaking source.

    My media is 75% blogs now. Many use links to back their opinions (I'd love to see a standard bibliographical Wiki for referencing). They're faster than the daily news and less likely to be afraid of corporate threats.

    BTW, anyone know a way for me to toggle link text format from standard (blue w/ underline) to normal (black no underline) and back, quickly?
    • Re:Fear? (Score:4, Informative)

      by ParadoxDruid (602583) on Thursday November 17, 2005 @05:30PM (#14057226) Homepage
      In regard to your question:

      Define a custom page stylesheet (userChrome stuff in Mozilla), with

      a {
          color: black;
          text-decoration: none;
      }

      Then, you can go to View -> PageStyle and switch between the original page style and your new style.
    • BTW, anyone know a way for me to toggle link text format from standard (blue w/ underline) to normal (black no underline) and back, quickly?

      css [w3.org]. make a personal stylesheet and tell your browser to use it and to let your personal styles override site styles, then turn it off when you don't want it.

  • by krgallagher (743575) on Thursday November 17, 2005 @05:07PM (#14056978) Homepage
    "Much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case."

    Yeah that has been my reaction. When I heard about it the first thing I began doing was searching for detection and removal software. I found nothing. I could not believe that McAfee was not publishing a fix.

  • by Viewsonic (584922) on Thursday November 17, 2005 @05:08PM (#14056982)
    It was very hard, even for Microsoft to figure out how to remove the damn thing without disabling the CD/DVD drive entirely. The first anti-virus patches that thought they fixed this were actually disabling people's drives without knowing it. Microsoft had to work with Sony to figure out what the hell they had actually done. It really sucks.
  • by Spazntwich (208070) on Thursday November 17, 2005 @05:08PM (#14056990)
    They don't exist to make gigantic corporate enemies.

    Like it or not, detecting and removing Sony's malware puts them at serious risk for DMCA lawsuits and the like and is thus a bad business decision. Anyone who thinks they're in it to actually better their customers and not their bottom line is living in fantasy land.
  • by Hosiah (849792) on Thursday November 17, 2005 @05:12PM (#14057031)
    Never simply shoot yourself in the foot when you can shoot yourself in both feet while hanging yourself with a bungee cord, disemboweling yourself with a potato-peeler, running a crowbar up your ass, and jumping through a foot of plate glass to fall into a pool of sulfuric acid all at the same time.

    Man, all this just in time for Christmas. When I'm shopping this Holiday Season, I think I'll just run up to store clerks and ask them if they carry Sony products and if they say yes, ask "For the love of God, WHY???" and then run away laughing.

  • by 72beetle (177347) on Thursday November 17, 2005 @05:14PM (#14057055) Homepage
    Imagine this: a brick comes sailing through your window, smashing glass everywhere. You pick it up and wrapped around the brick is a flyer for a glass replacement company.

    This is how I've viewed the major AV companies for quite some time. Sure, there are non-affiliated virus threats out there, but they perpetuate their own business as well.

    I didn't think that my opinion of McAfee and Norton could sink any lower... but I was wrong.
  • DRM is useless (Score:5, Interesting)

    by gasmonso (929871) on Thursday November 17, 2005 @05:15PM (#14057062) Homepage

    Companies are so worried about piracy that they go to these extremes. What they need to look at is why are people pirating. Many people pirate because the thought of spending $17 for a cd is ridiculous considering that only a few songs are worth a damn. Secondly, DRM makes it worse because people can't rip the audio for their mp3 player. This drives people to piracy and the DRM makes it worse and drives the consumer away. Just lower the damn prices and let me burn it, rip, or do anything else I want with it because it's mine!

    gasmonso http://religiousfreaks.com/ [religiousfreaks.com]
    • You're right that people download music because CDs are really expensive, and because they insist on being able to use their iPods.

      But now there's an even more obvious reason to download music in an open format like MP3: MP3s cannot suddenly turn on you and break your computer.

      I'm sure I'm not alone when I state that I will never buy a Sony or BMG CD again, ever, unless it comes with a bold-printed, legally-binding guarantee that the damn thing is a plain-Jane, Red-Book-compatible, fully-rippable CD. And I'
  • I'm in the UK. Do the US-centric have anything to report on this?
  • Printer Friendly (Score:5, Informative)

    by TubeSteak (669689) on Thursday November 17, 2005 @05:20PM (#14057113) Journal
    http://www.wired.com/news/print/0,1294,69601,00.html [wired.com]
    3-Pages of Wired goodness
    this isn't one of those lightning-fast internet worms; this one has been spreading since mid-2004. Because it spread through infected CDs, not through internet connections, they didn't notice?

    Reminds me of the good old days when computer viruses were spread around on 3 1/2 floppy disks. Nothing like a boot sector virus to spoil your day.

    Links From The Article
    Apparently there is a criminal investigation going on...
    In Italy [computerworld.com]
    On Friday, the Milan-based (Association for Freedom in Electronic Interactive Communications - Electronic Frontiers Italy) filed a complaint about Sony's software with the head of Italy's cybercrime investigation unit...

    The complaint alleges that XCP violates a number of Italy's computer security laws by causing damage to users' systems and by acting in the same way as malicious software, according to Andrea Monti, chairman of the ALCEI-EFI. "What Sony did qualifies as a criminal offense under Italian law,"

    Class action lawsuit [boingboing.net]
    Apparently step 3 is that you have to "reside in either California or New York." Sadly, step 4 is not Profit!

  • by nonother (845183) on Thursday November 17, 2005 @05:21PM (#14057121)
    While it is a good article, it leaves out what was just recently posted on Slashdot - the use of open source software to create it. That's another important part of the legal quandary. Also the article really seems to minimize the fact that it also affects Macs. While it is true that the user must provide a password (on the Mac), Sony insisted it did not affect Mac and Linux computers.
  • by z0I!) (914679) on Thursday November 17, 2005 @05:21PM (#14057123) Homepage
    The double standard of the security companies is troubling... If I released this application (sony's rootkit) it would be considered malware immediately. The fact that they only remove a portion of it is also strange. That is like removing the part of a spam generating worm that sends emails to others but leaving the rest of it to waste CPU time scavenging my address book. Also... What I wonder is, is what consequences will come from the alleged GPL violations? Is anyone suing Sony or first4Internet for copyright infringement? If not, does this send a signal to big corps that it's ok to steal code that is GPL'd because the parties that wrote it probably don't have the time/money to do anything about it anyway?
  • At least, not purchasing their electronic products is very simple. There are lots of competing companies. As to CDs --- well, get one and rip it, on Linux, of course :-).
  • Sony's DRM breaks (Score:4, Informative)

    by mhollis (727905) on Thursday November 17, 2005 @05:23PM (#14057153) Journal

    It does not work and cannot work when it warns the user, as the Rootkit DRM program has to ask for an administrator password before you install.

    On a Macintosh running OS X.

  • by creimer (824291) on Thursday November 17, 2005 @05:23PM (#14057156) Homepage
    Sony Feels Badly [userfriendly.org] :P
  • by dtjohnson (102237) on Thursday November 17, 2005 @05:24PM (#14057166)
    The weak non-response by AV companies isn't the REAL story, either...

    The REAL story is why aren't elected officials falling all over themselves to make what SONY did a criminal offense?
  • by jeti (105266) on Thursday November 17, 2005 @05:24PM (#14057168) Homepage
    Your computer is infected with the Sony DRM Rootkit.
    It compromises the security of your machine, leaving
    it open to various attacks.
    Due to legal restrictions imposed by the DMCA, the
    infection can not be removed. It is recommended to
    disconnect the computer from the internet and
    reinstall the operating system.
  • by SlashAmpersand (918025) on Thursday November 17, 2005 @05:24PM (#14057179)
    The biggest surprise for me was that Microsoft, who usually pisses me off, actually was the only company to step up to the plate in a meaningful way. I expected far, far better from the antivirus/spyware vendors. If you're going to tell me that you're going to protect my system, make me pay a subscription to keep my definitions current, and, on top of that, consume some of my system resources to do it, you'd damn well better step up to the plate when it comes to something as blatantly dangerous to my security as a rootkit.
    • The biggest surprise for me was that Microsoft, who usually pisses me off, actually was the only company to step up to the plate in a meaningful way. I expected far, far better from the antivirus/spyware vendors.

      I somewhat agree with your post, but Microsoft desperately needs good PR, as well as the fact that they are pissed that everyone is going to Sonys BlueRay. However it is Microsofts idiotic autorun feature that installs this crap in the first place.

      Yeah I know it can be disabled, but what nor
  • Lawsuits (Score:3, Insightful)

    by ucblockhead (63650) on Thursday November 17, 2005 @05:33PM (#14057258) Homepage Journal
    I suspect that the security companies don't fear lawsuits from spammers. On the other hand, one can easily imagine a company like Sony threatening lawsuits for having their DRM labelled a "virus" even if it damn-well is.
  • by 88NoSoup4U88 (721233) on Thursday November 17, 2005 @05:33PM (#14057268)
    Wow, it's getting dirtier and dirtier.

    I won't be surprised when in a few days there will be an announcement how Sony's rootkit causes world hunger, rapes dogs, and hides one sock out of every pair every once in a while.

    Damn you Sony !... Oooh, shiny PS3 !

  • Rampant Hypocrisy (Score:5, Informative)

    by dragonfly_blue (101697) on Thursday November 17, 2005 @05:34PM (#14057281) Homepage
    I think this just highlights the hypocritical nature of the antivirus vendors; by measuring the time between the Mark Russinovich post unveiling the rootkit [sysinternals.com] on October 31, and the subsequent addition of the rootkit's signature to the various antivirus vendors' products, you can draw some fairly interesting conclusions about the relationships between antivirus companies, consumers, virus/malware authors, and software companies (or in Sony's case, companies offering products that happen to contain additional software).

    • F-Secure - Nov 1st, 2005
    • Symantec - November 8, 2005: Renamed to SecurityRisk.First4DRM from SecurityRisk.Aries November 11, 2005: Added link to removal tool.
    • Computer Associates - listed, unknown date.
    • Kaspersky - Nov 2, 2005

    It's interesting how some of the vendors are listing information about the rootkit, but seem uninterested in adding a signature, claiming that it's not really a virus (which is true) because it doesn't self-replicate. That's fine, I guess, because if they started detecting rootkits, they'd have a lot more work to do, but I think it's kind of shortsighted of them to think that people won't get angry that they paid for a $40/year subscription for a product that doesn't detect when their system gets totally rooted.

    (I'm always tempted to spell it r00tk1t, but I'm trying to act more mature these days...)

  • How? (Score:4, Insightful)

    by Arandir (19206) on Thursday November 17, 2005 @05:42PM (#14057354) Homepage Journal
    After seeing this story all week, I still can't get past the most basic question in my head: Why the hell is Windows executing software from an audio CD?
  • DOD Twist (Score:5, Interesting)

    by TuballoyThunder (534063) on Thursday November 17, 2005 @05:51PM (#14057451)
    The DOD pays big dollars to get a corporate license for both McAfee and Norton, which includes permission for users to use on their home computers. Considering the number of DOD computers that got infected by the Sony DRM application, I think the people who oversee those contracts would be negligent if they did not "seek consideration" for the failure to perform.
  • This line kills me. (Score:3, Interesting)

    by PrimeNumber (136578) <PrimeNumber@NOSpaM.excite.com> on Thursday November 17, 2005 @05:53PM (#14057467) Homepage
    While Sony could be prosecuted under U.S. cybercrime law, no one thinks it will be.
     
    What I want to know is why the fuck shouldn't a corporation be held to the same rules the rest of us are? As the line above illustrates, people now assume that companies can abuse the law as they see fit and not get reprimanded.
     
    While the rest of us (AKA as not rich) get sued [newsfactor.com] into oblivion or prosecuted [hollywoodreporter.com] to the fullest for downloading a shitty CD that should only be $5.
