Real Story of the Rogue Rootkit

BokLM writes "Wired has an interesting article from Bruce Schneier about what's happening with the Sony Rootkit, and criticizing the anti-virus companies for not protecting its users. From the article: 'Much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.'"
  • Mirror (Score:3, Informative)

    by Anonymous Coward on Thursday November 17, 2005 @06:01PM (#14056899)
    Wired's webserver was borked before this even hit the front page. A functional mirror [nyud.net] for everyone's perusal.
  • by 72beetle ( 177347 ) on Thursday November 17, 2005 @06:14PM (#14057055) Homepage
    Imagine this: a brick comes sailing through your window, smashing glass everywhere. You pick it up and wrapped around the brick is a flyer for a glass replacement company.

    This is how I've viewed the major AV companies for quite some time. Sure, there are non-affiliated virus threats out there, but they perpetuate their own business as well.

    I didn't think that my opinion of McAfee and Norton could sink any lower... but I was wrong.
  • Printer Friendly (Score:5, Informative)

    by TubeSteak ( 669689 ) on Thursday November 17, 2005 @06:20PM (#14057113) Journal
    http://www.wired.com/news/print/0,1294,69601,00.html [wired.com]
    3-Pages of Wired goodness
    this isn't one of those lightning-fast internet worms; this one has been spreading since mid-2004. Because it spread through infected CDs, not through internet connections, they didn't notice?

    Reminds me of the good old days when computer viruses were spread around on 3 1/2 floppy disks. Nothing like a boot sector virus to spoil your day.

    Links From The Article
    Apparently there is a criminal investigation going on...
    In Italy [computerworld.com]
    On Friday, the Milan-based (Association for Freedom in Electronic Interactive Communications - Electronic Frontiers Italy) filed a complaint about Sony's software with the head of Italy's cybercrime investigation unit...

    The complaint alleges that XCP violates a number of Italy's computer security laws by causing damage to users' systems and by acting in the same way as malicious software, according to Andrea Monti, chairman of the ALCEI-EFI. "What Sony did qualifies as a criminal offense under Italian law,"

    Class action lawsuit [boingboing.net]
    Apparently step 3 is that you have to "reside in either California or New York." Sadly, step 4 is not Profit!

  • Sony's DRM breaks (Score:4, Informative)

    by mhollis ( 727905 ) on Thursday November 17, 2005 @06:23PM (#14057153) Journal

    It does not work and cannot work when it warns the user, as the Rootkit DRM program has to ask for an administrator password before you install.

    On a Macintosh running OS X.

  • Re:Bah... (Score:3, Informative)

    by QuantumG ( 50515 ) <qg@biodome.org> on Thursday November 17, 2005 @06:28PM (#14057210) Homepage Journal
    Uhhh, it causes your CD burning software not to work.. and in many cases it caused people's CD/DVD drives not to work.
  • Re:Fear? (Score:4, Informative)

    by ParadoxDruid ( 602583 ) on Thursday November 17, 2005 @06:30PM (#14057226) Homepage
    In regard to your question:

    Define a custom page stylesheet (userChrome stuff in Mozilla), with

    a {
        color: black;
        text-decoration: none;
    }

    Then, you can go to View -> PageStyle and switch between the original page style and your new style.
  • by Anonymous Coward on Thursday November 17, 2005 @06:34PM (#14057270)
    BTW, anyone know a way for me to toggle link text format from standard (blue w/ underline) to normal (black no underline) and back, quickly?

    Yes, use Opera. You can set a "user" CSS for yourself and switch back and forth from "author" mode to "user" mode with a button or keypress (shift-g).

    Hope that helps.
  • Rampant Hypocrisy (Score:5, Informative)

    by dragonfly_blue ( 101697 ) on Thursday November 17, 2005 @06:34PM (#14057281) Homepage
    I think this just highlights the hypocritical nature of the antivirus vendors; by measuring the time between the Mark Russinovich post unveiling the rootkit [sysinternals.com] on October 31, and the subsequent addition of the rootkit's signature to the various antivirus vendor's products, you can draw some fairly interesting conclusions about the relationships between antivirus companies, consumers, virus/malware authors, and software companies (or in Sony's case, companies offering products that happen to contain additional software).

    • F-Secure - Nov 1st, 2005
    • Symantec - November 8, 2005: Renamed to SecurityRisk.First4DRM from SecurityRisk.Aries November 11, 2005: Added link to removal tool.
    • Computer Associates - listed, unknown date.
    • Kaspersky - Nov 2, 2005

    It's interesting how some of the vendors are listing information about the rootkit, but seem uninterested in adding a signature, claiming that it's not really a virus (which is true) because it doesn't self-replicate. That's fine, I guess, because if they started detecting rootkits, they'd have a lot more work to do, but I think it's kind of shortsighted of them to think that people won't get angry that they paid for a $40/year subscription for a product that doesn't detect when their system gets totally rooted.

    (I'm always tempted to spell it r00tk1t, but I'm trying to act more mature these days...)

  • by djdavetrouble ( 442175 ) on Thursday November 17, 2005 @06:41PM (#14057347) Homepage
    one word:
    Bhopal
  • by pthisis ( 27352 ) on Thursday November 17, 2005 @06:59PM (#14057533) Homepage Journal
    I swear to god that guy [Bruce] hasn't contributed anything meaningful to the public since 1998 and yet he's still...there


    Aside from the value of getting publicity for security issues:
    1999: Solitaire algorithm published. An output-feedback mode stream cipher which can be easily calculated using a pen, paper, and a deck of cards, allowing people without computers to use strong encryption in their communications. This system was featured in Neal Stephenson's Cryptonomicon.
    2003: Helix algorithm published. A fast stream cipher comparable in speed to RC4 and with low per-message overhead, making it suitable for very small messages.
    2004: Phelix algorithm published, a refinement of the earlier Helix algorithm.

  • Re:Fear? (Score:2, Informative)

    by arrrrg ( 902404 ) on Thursday November 17, 2005 @07:07PM (#14057609)
    BTW, anyone know a way for me to toggle link text format from standard (blue w/ underline) to normal (black no underline) and back, quickly?

    Perhaps the LinkVisitor [mozdev.org] Firefox plugin is what you're looking for. Among other things, it has context menu options for "mark all links as (un)visited".
  • by geekoid ( 135745 ) <dadinportland&yahoo,com> on Thursday November 17, 2005 @07:18PM (#14057698) Homepage Journal
    No CD sticker on those cases. It is an application that plays music.

    Just because it's round, shiny and plays music does not make it a Red Book standard, i.e. CD.
  • Re:Bah... (Score:3, Informative)

    by drakaan ( 688386 ) on Thursday November 17, 2005 @07:22PM (#14057730) Homepage Journal

    You realise that because most distributions use modules, that a clever hacker (who's already got root) can easily install a root kit on your machine that cloaks itself, via good ol' insmod.

    That says a lot, really, about the difference in playing said CD on Windows vs. Linux. A typical Linux user is *probably* not going to be in a situation where he opens a CD and a program automagically runs with root/admin permissions. True, cloaking and rootkits can happen on Linux, but it's a much harder job to do without doing something purposely evil, like using a known bug that has root elevation privileges (and even then, the linux community itself would be highly likely to notice a commercially distributed rootkit).

    It's getting hard to take, is all.

  • by vivek7006 ( 585218 ) on Thursday November 17, 2005 @07:28PM (#14057792) Homepage
    Mod parent up.

    He is referring to the bhopal gas tragedy of 1984, http://en.wikipedia.org/wiki/Bhopal_gas_tragedy/ [wikipedia.org] where thousands of people were killed and Union Carbide pretty much got away with it. The CEO Warren Anderson is a fugitive and is on the wanted list of CBI India.
  • Re:Bah... (Score:4, Informative)

    by LarsG ( 31008 ) on Thursday November 17, 2005 @07:35PM (#14057842) Journal
    Do you expect the AV companies to buy and test music CDs for malware before this broke out (not in hindsight!).

    According to F-Secure's blog [f-secure.com], they had received tips that Sony CDs might contain a rootkit at least a month before Mark broke the story.

    "We didn't go public with the info right away as we were worried with the implications (especially with the info on how virus writers can use this to hide files which have names starting with "$sys$"). So we were in the middle of discussions with Sony BMG and First 4 Internet when Mark broke the news on Monday."
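    The F-Secure quote above points at the one concrete, testable property of the cloaking: names beginning with "$sys$" are dropped from directory enumeration. The script below is an added example (not F-Secure's, Sysinternals' or Sony's code) of the canary check a practitioner can run on a suspect box: it writes one ordinary canary file and one "$sys$"-prefixed canary into a directory, lists the directory, and compares. It assumes, as such filter drivers typically do, that a cloaking hook affects enumeration but not open-by-name; the file names and the temporary-directory helper are this example's own.

```python
import os
import tempfile

# Filename prefix the XCP driver hid from directory enumerations, as reported
# on this page. Every other name and behaviour below is this example's
# assumption.
CLOAK_PREFIX = "$sys$"


def cloaking_check(directory: str, prefix: str = CLOAK_PREFIX) -> dict:
    """Drop two canary files into `directory`, one with the suspect prefix and
    one without, and compare what enumeration reports against direct lookup.

    Assumption: a prefix-based cloaking filter hooks directory enumeration
    but not open-by-name, so a hidden canary still passes os.path.exists()
    while vanishing from os.listdir(). The unprefixed control distinguishes
    "prefix is being hidden" from "listing is broken altogether".
    On a clean system both canaries are listed and 'cloaked' is False.
    """
    control = os.path.join(directory, "canary.txt")
    suspect = os.path.join(directory, prefix + "canary.txt")
    for path in (control, suspect):
        with open(path, "w", encoding="ascii") as fh:
            fh.write("canary\n")
    try:
        names = set(os.listdir(directory))
        result = {
            "control_listed": os.path.basename(control) in names,
            "suspect_listed": os.path.basename(suspect) in names,
            "suspect_exists": os.path.exists(suspect),
        }
    finally:
        # Always remove the canaries, even if the listing raised.
        for path in (control, suspect):
            try:
                os.remove(path)
            except FileNotFoundError:
                pass
    # Flag cloaking only when ordinary names enumerate fine, the prefixed file
    # is reachable by name, yet it is missing from the listing.
    result["cloaked"] = (
        result["control_listed"]
        and result["suspect_exists"]
        and not result["suspect_listed"]
    )
    return result


def run_in_tempdir() -> dict:
    """Run the check in a throwaway directory (convenience for stand-alone use)."""
    with tempfile.TemporaryDirectory() as tmp:
        return cloaking_check(tmp)


if __name__ == "__main__":
    verdict = run_in_tempdir()
    print(verdict)
    print("cloaking detected" if verdict["cloaked"] else "no prefix cloaking seen")
```

    On a box with such a filter loaded, run it against a directory the user can write to (a temp directory is fine, since the hook is name-based rather than path-based); a "cloaked" result from the listing alone is not proof of XCP specifically, only that something is filtering that prefix out of enumeration.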
  • Re:Actually (Score:5, Informative)

    by lgw ( 121541 ) on Thursday November 17, 2005 @07:54PM (#14057995) Journal
    The Sony rootkit was *not* a virus, so expecting AV software to do something about it isn't appropriate. The rootkit was spyware that came along with something the user installed by choice, no different from WeatherBug or any of that other silly BS. That makes it a bit touchy deciding to remove it, just like removing some other BS that a user is sure they need. Most of these companies moved to remove the cloaking aspect as soon as it was known, closing the security hole, but (legally) removing the underlying software would remove the ability to play the Sony CD. You don't just go around uninstalling programs that users think they need (no matter how silly).

    I suspect that for 99% of non-geek users, the ability to play the Sony CD was much more important than removing "some rootkit, whatever that is". And you probably can't remove the software and leave the ability to play the CD without violating the DMCA, so what are you going to do?
  • Re:How? (Score:3, Informative)

    by cens0r ( 655208 ) on Thursday November 17, 2005 @07:58PM (#14058016) Homepage
    Technically these aren't audio CD's. They are data CD's that just happen to have some audio tracks.
  • 'Toggle quickly'... (Score:2, Informative)

    by abiessu ( 74684 ) on Thursday November 17, 2005 @08:04PM (#14058084) Journal
    Not sure what you want, but if the html/css is yours, you can add css sections to cover the :hover attribute (like a:link:hover, etc.). Using a global :hover isn't usually all that helpful though (for color changes anyways).
  • by argel ( 83930 ) <argel&msn,com> on Thursday November 17, 2005 @08:24PM (#14058293) Homepage
    Correct URL: http://en.wikipedia.org/wiki/Bhopal_gas_tragedy [wikipedia.org] (no trailing slash).
  • by z-man ( 103297 ) on Thursday November 17, 2005 @08:35PM (#14058401)
    Your link is broken, you meant http://en.wikipedia.org/wiki/Bhopal_gas_tragedy [wikipedia.org] without the trailing slash.
  • by QuantumG ( 50515 ) <qg@biodome.org> on Thursday November 17, 2005 @08:50PM (#14058526) Homepage Journal
    Another idiot. Never in the history of the world has a corporation been charged with a criminal offense. It doesn't even make sense. You might charge the directors of a company or the executives of a company with a criminal offense but you don't charge the company.
  • Re:Actually (Score:2, Informative)

    by mungtor ( 306258 ) on Thursday November 17, 2005 @08:57PM (#14058582)
    When we first heard about this where I work we hopped on Symantec's site looking for an uninstaller (since we run Norton AV Corporate). All we found was a notice that Sony had threatened Symantec with legal action if they provided an un-installer since it was their (Sony's) position that this was neither a virus nor malware.

    In the ensuing fallout, Symantec apparently has decided that they can provide an uninstaller but they do strongly advise using Sony's product (which generally uncloaks and does not cleanly uninstall).
  • by igb ( 28052 ) on Friday November 18, 2005 @05:18AM (#14061083)
    ``Never in the history of the world has a corporation been charged with a criminal offence''. Yes, there are lots of problems with the laws on Corporate Manslaughter, and I don't believe many prosecutions have succeeded. The standard of responsibility in the Health and Safety at Work act is high (I think you have to show reckless disregard or similar, which is very hard), and there's a lot of discussion about changing it. I can't remember the outcome of the most obvious case, which was the Herald of Free Enterprise disaster. But I suspect that the poster I'm replying to thinks ``history of the world'' means ``history of the USA''. I don't know enough about US law to comment on that.

    ian