Real Story of the Rogue Rootkit 427
BokLM writes "Wired has an interesting article from Bruce Schneier about what's happening with the Sony Rootkit, and criticizing the anti-virus companies for not protecting its users. From the article: 'Much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.'"
Clearly (Score:5, Insightful)
Who Else Can We Blame (Score:4, Insightful)
I have to ask... If you were infected by this thing, then why not call law enforcement? You know it is malware of the worst kind and you know exactly who did it to you. Why not call the FBI or your Attorney General and file a criminal report? Couldn't you list Sony or the record store/online store you got it from as the source? I don't know. Seems like a good form of civil disobedience at the very least.
Isn't that what we're supposed to do?
Of course, all Slashdotters were not infected because we all boycott music companies anyway. Right?? Or did I miss a memo?
DMCA (Score:4, Insightful)
They are Scared Shitless...
Until Now.
sony (Score:4, Insightful)
Antivirus Company Failure (Score:3, Insightful)
Yeah that has been my reaction. When I heard about it the first thing I began doing was searching for detection and removal software. I found nothing. I could not believe that Mcafee was not publishing a fix.
Thats because this virus was nasty as hell. (Score:5, Insightful)
Uh, antivirus companies are out to make money. (Score:5, Insightful)
Like it or not, detecting and removing Sony's malware puts them at series risk for DMCA lawsuits and the like and is thus a bad business decision. Anyone who thinks they're in it to actually better their customers and not their bottom line is living in fantasy land.
Built-in DRM (Score:5, Insightful)
Sony won't need to install a rootkit, because the Microsoft DRM will be designed specifically to help enforce things like Sony's EULA. Why should Sony bother with a rootkkit when the OS itself will impose the limits by design?
Re:Why not call law enforcement? (Score:5, Insightful)
Because calling law enforcement would lead to a court case: YOU vs SONY. Guess who wins every time?
What are you talking about? Making a report to law enforcement is not going to get you into a civil suit. It will be the state vs. Sony in a criminal case should they pursue it. The trouble is getting them to do so. Try calling the FBI sometime. If it isn't easily demonstrable as several grand worth of damage they will just ignore you.
Well, not really... (was:Bah...) (Score:5, Insightful)
Re:Bah... (Score:2, Insightful)
I think's things are not so simple. While this is a rootkit, "infected" systems don't display the normal symptoms: no (appreciable) slowdown, no annoying popups, no self-propagation or open ports. Moreover, the "phone home" behaviour is very limited. Since the average user didn't notice, there were no complaints. Do you expect the AV companies to buy and test music CDs for malware before this broke out (not in hindsight!). Since it took a Windows guru to figure out something was wrong, I'd expect these companies to take a few days. Several (including Microsoft, in fact) already classify it as malware and look for it.
A more serious problem for AV makers is that removing this rootkit is a very delicate business, so they can't offer a solution before they ensure it actually works. Also, since this stuff comes from music CDs people might listen to again, it's not clear what the right thing to do is. What happens if the (cluelss) user inserts the CD again? What is a (better informed) user wants to play the CD despite the rootkit?
Re:DMCA (Score:5, Insightful)
This issue isn't about big companies supporting big companies, it's about companies not knowing where the legal line is on what they can remove from your computer without being slapped with a DMCA lawsuit.
No, the REAL story is... (Score:3, Insightful)
The REAL story is why aren't elected officials falling all over themselves to make what SONY did a criminal offense?
Never in my wildest dreams (Score:5, Insightful)
Re:Bah... (Score:5, Insightful)
Rule #1: Disable Autorun.
If microsoft had disabled this action by default, it would have prevented this being a widespread problem in the firstplace.
AUdio CDs should be nothing more than data. A media player is installed on every single computer that can play audio CDs.
Sony should not have messed with that, and if MS had defaulted it then 1st$ wouldn't have exploited it.
Re:sony (Score:5, Insightful)
Lawsuits (Score:3, Insightful)
Re:Bah... (Score:5, Insightful)
Methinks thee art confusing rootkits with spyware.
The last thing a rootkit author would want in a rootkit would be for it to be noticeable to the average user. Or even to the expert user. If symptoms are noticed, it isn't a good rootkit.
Re:Bah... (Score:5, Insightful)
Just because the symptoms are barely noticeable does not make it acceptable.
Just because it comes from a CD does not make it acceptable, either.
If the "(cluelss) user" inserts the CD again, the AV software should do what it should have done the first time - issue a large warning and block the activity. If this had happened a year ago, there wouldn't be several hundred thousand machines with it installed today.
Comment removed (Score:5, Insightful)
Re:Bah... (Score:5, Insightful)
I think's things are not so simple.
And then some...
While this is a rootkit, "infected" systems don't display the normal symptoms: no (appreciable) slowdown, no annoying popups, no self-propagation or open ports. Moreover, the "phone home" behaviour is very limited. Since the average user didn't notice, there were no complaints.
That's not the issue, really.
Do you expect the AV companies to buy and test music CDs for malware before this broke out (not in hindsight!). Since it took a Windows guru to figure out something was wrong, I'd expect these companies to take a few days. Several (including Microsoft, in fact) already classify it as malware and look for it.
It took somebody looking for evidence of rootkits on a well-maintained system that should have been rootkit free. I expect AV companies to do *that*, yes. You say "already" as if the rootkit had only been around for a few days. It's been around for many months, and the fact that we didn't know that before the guys at sysinternals noticed it is inexcusable.
Sony distributed software to millions of random people that installed half of itself silently, offered no option to not install, left machines vulnerable to infection by absolutely any wanna-be hacker that can spell "$sys$", has no uninstaller, leaves no indication that it *is* installed, makes the machines that it is installed on unstable if removed, and uses bandwidth and network connectivity without informing the owner of the computer.
If AV vendors can't protect against this type of threat, and cannot identify cloaked software when it has been distributed for a year, I don't exactly have a lot of faith in the security of any machines protected by their software (sadly, that seems to be every AV vendor). Maybe Mr. Russinovich could give a few paid talks at each of these companies about how to detect rootkits...
I'm off to go install SuSE on my desktop...cheers.
Re:Built-in DRM (Score:5, Insightful)
One issue was lack of disclosure. Parts of the program were uninstallable, staying in the background, constantly eating a little CPU. The program "phoned home", and neither the EULA or any normal documentation let the user know that would happen.
The other problem was stability. Because the program was meant to filter the audio CD driver information, and generally do low-level stuff, and it was poorly coded, it caused a computer system to be less stable.
These problems were only discovered because of skilled people at Sysinternals. In the future though, if programs can be more protected by the NGSCB, they will have greater free reign to do this type of activity without scrutiny. Certainly it will be easier if simply processes and files aren't hidden anymore, since that, combined with seeing TCP data being sent out whenever you play a CD, will be a large tip-off. However, we all benefit if skilled people can expose spyware wherever it occurs, and ultimately, if NGSCB helps cloak some activity, then that may ultimately make it harder for peoplpe like Mark Russinovich to do their work for the public good.
How? (Score:4, Insightful)
Ironically I know I'm safe.... (Score:2, Insightful)
Re:Libel and liability (Score:3, Insightful)
I'm not claiming that they are a *part* of a criminal conspiracy. But they were aware of it and did NOTHING to alert their customers. I.e., they intentionally did not perform the service that they were being paid money to perform. That looks to me like malfeasance, but perhaps only government employees can commit malfeasance. IANAL.
It certainly looks like fraud. They claimed and received money to provide a service that they intentionally did not perform.
Re:Thats because this virus was nasty as hell. (Score:2, Insightful)
Either you're naive or clueless (I hate to be so blunt, but the answer seems obvious). Companies/Politicians/Everyone these days are worried about their image. They don't want to say they are unable to do something because they, incorrectly IMO, think inaction has fewer consequences, especially in the public's mind, than action. They would rather calmly ignore something, than admit their own deficiencies. Try getting a corporation to explain why they can't do something. Won't happen. They'll ramble on about totally irrelevant issues.
It is rather sad the way they treat the consumer. Luckily the internet has revolutionized the flow of information, and that will hopefully lead towards more customer backlash against these sorts of problems in the future. The worst thing you can do right now is to inform every single consumer you can reach about Sony's actions (and misactions). Inform them about what they can do.
Re:Never in my wildest dreams (Score:3, Insightful)
I somewhat agree with your post, but Microsoft desperately needs good PR, as well as the fact that they are pissed that everyone is going to Sonys BlueRay. However it is Microsofts idiotic autorun feature that installs this crap in the first place.
Yeah I know it can be disabled, but what normal user would expect an audio CD to install software?
Re:Actually (Score:1, Insightful)
I'll say... so much for Symantec protecting your PC. Wow... this little rootkit debacle is really flushing out the nasty secrets, isn't it?
Anyone plan to interview Symantec's CEO about this? It'd be nice to see him put on the spot -- why are your customers paying you money when you are deliberately letting Sony install malware on your "protected PC" on the quiet? Let's hope this also wakes up the media to the fact that your DRM "rootkits" will come pre-installed with Mac OSX and Windows Vista in future.
Re:Actually (Score:4, Insightful)
Symantec might have been the only one mentioned by name in the CNET article but it seemed to indicate that the other AV companies were in the loop. This means that I am no longer comfortable recommending AV software solutions without providing some fairly in-depth warnings about this little episode.
Re:DMCA risks. (Score:3, Insightful)
Microsoft only announced that they would remove it after Symantec et al made similar announcements.
This is not about the DMCA. It is about the fact that it was made in partnership with the AV companies. It is not about SONY either, but about the manufacturer (First4 Internet) working with these companies to ensure that they would not out the dirty little secret.
Re:Actually (Score:2, Insightful)
Quite, but Symantec happen to be the biggest. So I'd like to see the CEO answer a few questions:
What was the agreement between Symantec and Sony?
Were you paid money for it?
You didn't just take their word on what the "rootkit" did, surely? Did you do an investigation, or did Sony tell you what it did? Either way, you decided to overlook software that obviously made serious changes to a PC... not to mention "phoned home" like a piece of obnoxious spyware.
How many other companies do you have "agreements" with; who are they and what pieces of software do you "overlook"?
What's the going rate for fucking over your paying customers... you know, those people who paid money for your software to protect their PC from being undermined by malicious software installing itself?
Re:DMCA risks. (Score:3, Insightful)
1. Sony, 2. ?, 3. ?, 4. ? (Score:1, Insightful)
Of course, since 1st4$ is located in the UK, the possibility exists that they may be UK 'major Record Labels' which are smaller than their North American equivalents.
I mean, it's not like Virgin has massive stores all over North America or anything...
Re:Actually (Score:5, Insightful)
This is all SONYs wrongding, not MS (Score:4, Insightful)
Just because a user want's a Program to intall automaticaly, doesn't mean they deserve a root kit install. It is not an exploit becasue auotrun works as designed.
I am not a MS apologist, but don't blame MS for this, it is SONYs doing, and SONY bears 100% of the blame.
If I thought a brick through your window, is it the home builders fault for putting windows in your home? Is it your fault because you use glass windows? No.
Re:Bah... (Score:5, Insightful)
You did notice that, from '98-'02, nearly every CD burning application on Windows began to annoy you with the "It is required for this application to function properly that you enable the Autorun feature of the CD drive by going to the Control Panel... etc. etc. etc." Oh? What's that? You didn't notice these error boxes? Probably because you didn't think to disable autorun until now so that you could take part in the brow-beating.
I, on the other hand (am an arrogant prick), and I did spend all of those years turning off Autorun until it just became impossible to use any CDROM enabled Windows software without it.
By the way, I like most of your posts. I've just been waiting for the last two weeks to slam someone on the "just disable autorun" issue and you happened to be the poster of the day.
Re:Bah... (Score:5, Insightful)
Oh wait... "XCP media player wishes to access the internet. Would you like to allow this action?"
Some effing firewall...
Re:Actually (Score:5, Insightful)
Ok, so was it really installed by choice? I have no desire to spend my money on one of those disks and risk the security of my PC to test it. Is the user given a choice do hit "I don't agree" to an EULA and then return it to where they purchased it or does it take advantage of Windows autoplay to install without asking or informing the user first with a description of what it will do.
An EFF explanation of the ELUA said if you no longer own the physical disk you must delete any and all copies of anything on the disk. Shouldn't it be the same for the rootkit? If someone no longer owns the CD, maybe they returned it for the recall/exchange offer, shouldn't any software installed by it also have to be removed? It claims the ability to do this unpunished with a legalese shrinkwrap ELUA and shrinkwrap ELUAs have never stood up in court. If a paying customer returns or resells or trashes a protected Sony disk, the rootkit and DRM should go with the disk, of it doesn't easily go away then it's unwanted spyware and the legal owner of the computer should have the right to remove it, other than having to try their luck with Windows system restore or reformat or reinstall.
Sony screwed up and it looks like the customers are going to have to pay for their mistake with decreased performance, system crashes, having to deal with malware specifically created to take advantage of security holes created by the rootkit, including purchasing additional security software to prevent infection and the time and effort to remove them and repair the damage and/or the monetary costs if they don't have the time or know enough and have to hire someone to do it for them.
Comment removed (Score:5, Insightful)
Re:Bah... (Score:3, Insightful)
If it's not necessary then why the hell did the software keep bringing up error boxes for all those years asserting that it was? Are you disputing the error boxes with the Autorun admonishments? It's called boiling a frog and social engineering. These companies knew that they were engineering the userbase to accept what would eventually be software automatically installed upon the insertion of a CDROM. Go ahead. Deny the facts. People always fsckin' do.
If ever tinfoil had a legitimate reason it's in this situation.
Re:It's a shame what big companies can get away wi (Score:1, Insightful)
I guess it's a different story when the shoe is on the other foot, then the US just kidnaps the suspect (from another country), exports them for torture and then puts them in prison for years and denies them the right to a fair trial etc.
It doesn't matter if it is Sony or Union Carbide, if it's a company it's OK in the USA.
Re:Clearly (Score:4, Insightful)
It is not illegal to remote the DRM. It is illegal to bypass it and still play the restricted content. Just remove it an don't use the CD in that computer anymore.
Re:Actually (Score:3, Insightful)
The continuing unfolding of this case is showing the extent to which laws about computer crime are cynically dishonest. The executives involved should be facing criminal trials and, if convicted, incarceration. Is anyone holding his breath waiting for that to happen?