Real Story of the Rogue Rootkit

BokLM writes "Wired has an interesting article from Bruce Schneier about what's happening with the Sony Rootkit, and criticizing the anti-virus companies for not protecting its users. From the article: 'Much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.'"

Clearly

[Trails]

The AV companies are just gunshy of Sony's squad of legal attack ninjas. Not surprising given that this is grey area. I think the author makes a decent point (that the AV companies moved slowly), but the real failing here is the draconian legislation that made this a grey area in the first place. Hopefully these wee little gaps in consumer protection get plugged as a result of this.

Who Else Can We Blame

[moehoward]

I have to ask... If you were infected by this thing, then why not call law enforcement? You know it is malware of the worst kind and you know exactly who did it to you. Why not call the FBI or your Attorney General and file a criminal report? Couldn't you list Sony or the record store/online store you got it from as the source? I don't know. Seems like a good form of civil disobedience at the very least.

Isn't that what we're supposed to do?

Of course, all Slashdotters were not infected because we all boycott music companies anyway. Right?? Or did I miss a memo?

DMCA

[PacketScan]

No shit no one touched it..

They are Scared Shitless...

Until Now.

sony

[akhomerun]

i'm still shocked that a "legitimate" company that's widely purchased from, and is a household name, would distribute software that anti-virus companies would consider to be malware. i'm still shocked that sony let this kind of thing slide, it's so obvious that they didn't even check to see what they were doing before they did it.

Antivirus Company Failure

[krgallagher]

"Much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case."

Yeah that has been my reaction. When I heard about it the first thing I began doing was searching for detection and removal software. I found nothing. I could not believe that Mcafee was not publishing a fix.

Thats because this virus was nasty as hell.

[Viewsonic]

It was very hard, even for Microsoft to figure out how to remove the damn thing without disabling the CD/DVD drive entirely. The first anti-virus patches that thought they fixed this was actually disabling peoples drives without knowing it. Microsoft had to work with Sony to figure out what the hell they had actually done. It really sucks.

Uh, antivirus companies are out to make money.

[Spazntwich]

They don't exist to make gigantic corporate enemies.

Like it or not, detecting and removing Sony's malware puts them at series risk for DMCA lawsuits and the like and is thus a bad business decision. Anyone who thinks they're in it to actually better their customers and not their bottom line is living in fantasy land.

Built-in DRM

[dereference]

That's a great point, although I suspect the reality will be even more bleak.

Sony won't need to install a rootkit, because the Microsoft DRM will be designed specifically to help enforce things like Sony's EULA. Why should Sony bother with a rootkkit when the OS itself will impose the limits by design?

Re:Why not call law enforcement?

[99BottlesOfBeerInMyF]

Because calling law enforcement would lead to a court case: YOU vs SONY. Guess who wins every time?

What are you talking about? Making a report to law enforcement is not going to get you into a civil suit. It will be the state vs. Sony in a criminal case should they pursue it. The trouble is getting them to do so. Try calling the FBI sometime. If it isn't easily demonstrable as several grand worth of damage they will just ignore you.

Well, not really... (was:Bah...)

[Lead Butthead]

It's their "rootkit," our "DRM enforcement agent." The same sort of nonsense about their "terrorist," our "freedom fighter." that were promoted by the whitehouse in 80's.

Re:Bah...

[l2718]

I think's things are not so simple. While this is a rootkit, "infected" systems don't display the normal symptoms: no (appreciable) slowdown, no annoying popups, no self-propagation or open ports. Moreover, the "phone home" behaviour is very limited. Since the average user didn't notice, there were no complaints. Do you expect the AV companies to buy and test music CDs for malware before this broke out (not in hindsight!). Since it took a Windows guru to figure out something was wrong, I'd expect these companies to take a few days. Several (including Microsoft, in fact) already classify it as malware and look for it.

A more serious problem for AV makers is that removing this rootkit is a very delicate business, so they can't offer a solution before they ensure it actually works. Also, since this stuff comes from music CDs people might listen to again, it's not clear what the right thing to do is. What happens if the (cluelss) user inserts the CD again? What is a (better informed) user wants to play the CD despite the rootkit?

Re:DMCA

[Mundocani]

The article makes a big issue of painting this to be big corporations supporting big corporations, but I suspect you're right and that it's actually because of the DMCA. The anti-virus companies removed the cloaking code, nothing too risky about that as far as the DMCA goes. Removing the rest of the code however isn't nearly so clear cut. Personally, I'd love to see the DMCA gutted, but until it is this sort of issue is going to be there. When is it ok to remove a piece of software which is a combination of copyright protection AND spyware? Seems like a very fuzzy area in the DMCA indeed given that an anti-virus company can't exactly pick apart the software to leave the protection features in place while knocking out the spyware.

This issue isn't about big companies supporting big companies, it's about companies not knowing where the legal line is on what they can remove from your computer without being slapped with a DMCA lawsuit.

No, the REAL story is...

[dtjohnson]

The weak non-response by AV companies isn't the REAL story, either...

The REAL story is why aren't elected officials falling all over themselves to make what SONY did a criminal offense?

Never in my wildest dreams

[SlashAmpersand]

The biggest surprise for me was that Microsoft, who usually pisses me off, actually was the only company to step up to the plate in a meaningful way. I expected far, far better from the antivirus/spyware vendors. If you're going to tell me that you're going to protect my system, make me pay a subscription to keep my definitions current, and, on top of that, consume some of my system resources to do it, you'd damn well better step up to the plate when it comes to something as blatantly dangerous to my security as a rootkit.

Re:Bah...

[LiquidCoooled]

What is a (better informed) user wants to play the CD despite the rootkit?

Rule #1: Disable Autorun.

If microsoft had disabled this action by default, it would have prevented this being a widespread problem in the firstplace.

AUdio CDs should be nothing more than data. A media player is installed on every single computer that can play audio CDs.

Sony should not have messed with that, and if MS had defaulted it then 1st$ wouldn't have exploited it.

Re:sony

[Mattcelt]

I think you're forgetting that DVD Jon and the others don't have a team of lawyers at their immediate disposal like more companies do, so it takes time for them to seek legal counsel. It may be days or weeks before they announce an intention to sue Sony.

Lawsuits

[ucblockhead]

I suspect that the security companies don't fear lawsuits from spammers. On the other hand, one can easily imagine a company like Sony threatening lawsuits for having their DRM labelled a "virus" even if it damn-well is.

Re:Bah...

[eric76]

While this is a rootkit, "infected" systems don't display the normal symptoms: no (appreciable) slowdown, no annoying popups, no self-propagation or open ports.

Methinks thee art confusing rootkits with spyware.

The last thing a rootkit author would want in a rootkit would be for it to be noticeable to the average user. Or even to the expert user. If symptoms are noticed, it isn't a good rootkit.

Re:Bah...

[nigelo]

TFA points out that this has been out there for over a year, not just "a few days".

Just because the symptoms are barely noticeable does not make it acceptable.

Just because it comes from a CD does not make it acceptable, either.

If the "(cluelss) user" inserts the CD again, the AV software should do what it should have done the first time - issue a large warning and block the activity. If this had happened a year ago, there wouldn't be several hundred thousand machines with it installed today.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Bah...

[drakaan]

I think's things are not so simple.

And then some...

While this is a rootkit, "infected" systems don't display the normal symptoms: no (appreciable) slowdown, no annoying popups, no self-propagation or open ports. Moreover, the "phone home" behaviour is very limited. Since the average user didn't notice, there were no complaints.

That's not the issue, really.

Do you expect the AV companies to buy and test music CDs for malware before this broke out (not in hindsight!). Since it took a Windows guru to figure out something was wrong, I'd expect these companies to take a few days. Several (including Microsoft, in fact) already classify it as malware and look for it.

It took somebody looking for evidence of rootkits on a well-maintained system that should have been rootkit free. I expect AV companies to do *that*, yes. You say "already" as if the rootkit had only been around for a few days. It's been around for many months, and the fact that we didn't know that before the guys at sysinternals noticed it is inexcusable.

Sony distributed software to millions of random people that installed half of itself silently, offered no option to not install, left machines vulnerable to infection by absolutely any wanna-be hacker that can spell "$sys$", has no uninstaller, leaves no indication that it *is* installed, makes the machines that it is installed on unstable if removed, and uses bandwidth and network connectivity without informing the owner of the computer.

If AV vendors can't protect against this type of threat, and cannot identify cloaked software when it has been distributed for a year, I don't exactly have a lot of faith in the security of any machines protected by their software (sadly, that seems to be every AV vendor). Maybe Mr. Russinovich could give a few paid talks at each of these companies about how to detect rootkits...

I'm off to go install SuSE on my desktop...cheers.

Re:Built-in DRM

[interiot]

The rootkit wasn't necessarily the worst part of the problem though...

One issue was lack of disclosure. Parts of the program were uninstallable, staying in the background, constantly eating a little CPU. The program "phoned home", and neither the EULA or any normal documentation let the user know that would happen.

The other problem was stability. Because the program was meant to filter the audio CD driver information, and generally do low-level stuff, and it was poorly coded, it caused a computer system to be less stable.

These problems were only discovered because of skilled people at Sysinternals. In the future though, if programs can be more protected by the NGSCB, they will have greater free reign to do this type of activity without scrutiny. Certainly it will be easier if simply processes and files aren't hidden anymore, since that, combined with seeing TCP data being sent out whenever you play a CD, will be a large tip-off. However, we all benefit if skilled people can expose spyware wherever it occurs, and ultimately, if NGSCB helps cloak some activity, then that may ultimately make it harder for peoplpe like Mark Russinovich to do their work for the public good.

How?

[Arandir]

After seeing this story all week, I still can't get past the most basic question in my head: Why the hell is Windows executing software from an audio CD?

Ironically I know I'm safe....

[podRZA]

because all the music I download comes from DRM-free, regular MP3 files using bittorrent and the like. In other word, pirating music. What a strange circle this story has completed...the only way to know for sure what you are getting when you download DRM-free

Re:Libel and liability

[HiThere]

And I can't afford to consider recommending them lightly.

I'm not claiming that they are a *part* of a criminal conspiracy. But they were aware of it and did NOTHING to alert their customers. I.e., they intentionally did not perform the service that they were being paid money to perform. That looks to me like malfeasance, but perhaps only government employees can commit malfeasance. IANAL.

It certainly looks like fraud. They claimed and received money to provide a service that they intentionally did not perform.

Re:Thats because this virus was nasty as hell.

[droptone]

Well, then, why didn't they say, "We can't do anything yet because this is nasty. We are working on a fix."

Either you're naive or clueless (I hate to be so blunt, but the answer seems obvious). Companies/Politicians/Everyone these days are worried about their image. They don't want to say they are unable to do something because they, incorrectly IMO, think inaction has fewer consequences, especially in the public's mind, than action. They would rather calmly ignore something, than admit their own deficiencies. Try getting a corporation to explain why they can't do something. Won't happen. They'll ramble on about totally irrelevant issues.

"Hey Ford, why the fuck don't we have more fuel efficient vehicles?"
"Market demands, blah blah, lack of technology, blah blah, we're working on it."

It is rather sad the way they treat the consumer. Luckily the internet has revolutionized the flow of information, and that will hopefully lead towards more customer backlash against these sorts of problems in the future. The worst thing you can do right now is to inform every single consumer you can reach about Sony's actions (and misactions). Inform them about what they can do.

Re:Never in my wildest dreams

[PrimeNumber]

The biggest surprise for me was that Microsoft, who usually pisses me off, actually was the only company to step up to the plate in a meaningful way. I expected far, far better from the antivirus/spyware vendors.

I somewhat agree with your post, but Microsoft desperately needs good PR, as well as the fact that they are pissed that everyone is going to Sonys BlueRay. However it is Microsofts idiotic autorun feature that installs this crap in the first place.
 
Yeah I know it can be disabled, but what normal user would expect an audio CD to install software?

Re:Actually

[Anonymous Coward]

I'll say... so much for Symantec protecting your PC. Wow... this little rootkit debacle is really flushing out the nasty secrets, isn't it?

Anyone plan to interview Symantec's CEO about this? It'd be nice to see him put on the spot -- why are your customers paying you money when you are deliberately letting Sony install malware on your "protected PC" on the quiet? Let's hope this also wakes up the media to the fact that your DRM "rootkits" will come pre-installed with Mac OSX and Windows Vista in future.

Re:Actually

[einhverfr]

I'll say... so much for Symantec protecting your PC.

Symantec might have been the only one mentioned by name in the CNET article but it seemed to indicate that the other AV companies were in the loop. This means that I am no longer comfortable recommending AV software solutions without providing some fairly in-depth warnings about this little episode.

Re:DMCA risks.

[einhverfr]

Well.....

Microsoft only announced that they would remove it after Symantec et al made similar announcements.

This is not about the DMCA. It is about the fact that it was made in partnership with the AV companies. It is not about SONY either, but about the manufacturer (First4 Internet) working with these companies to ensure that they would not out the dirty little secret.

Re:Actually

[Anonymous Coward]

Quite, but Symantec happen to be the biggest. So I'd like to see the CEO answer a few questions:

What was the agreement between Symantec and Sony?

Were you paid money for it?

You didn't just take their word on what the "rootkit" did, surely? Did you do an investigation, or did Sony tell you what it did? Either way, you decided to overlook software that obviously made serious changes to a PC... not to mention "phoned home" like a piece of obnoxious spyware.

How many other companies do you have "agreements" with; who are they and what pieces of software do you "overlook"?

What's the going rate for fucking over your paying customers... you know, those people who paid money for your software to protect their PC from being undermined by malicious software installing itself?

Re:DMCA risks.

[E8086]

No, MS has only claimed their spyware removal tool is going to remove the part that hides the crapware. It they decided to do what was right and got sue by Sony, they have hordes of their own lawyers. This is an unfortunate case where doing what is right is not what is legal, no thanks to the DMCA. If MS removed all of it and fixed the holes and got sued they should have some leverage considering Windows IS their product and they should be allowed to defend/fix it. If Sony tries using the DMCA card, they could try claiming the Sony DRM virus bypassed some Window encryption and Sony is in violation of the DMCA. Or claim Sony's abomination makes their product look like it has more bigger security holes than it really has, defimation of character if it were a person. Sony needs to be punished for this. Customers vote with their cash, if I bought Sony products, I'd stop, but I don't, so I don't plan on ever buying anything Sony.

1. Sony, 2. ?, 3. ?, 4. ?

[is as us Infinite]

From 1st4$'s bsite about their 'XCP1 Burn Protect' tech: http://www.xcp-aurora.com/xcp1.aspx [xcp-aurora.com]

Where is XCP being used?

XCP1 and XCP Red technology is being used by all four of the major Record Labels for the protection of pre release music on internal CDRs. Albums from some of the best known artists have been successfully copy protected in this way to reduce the occurrence of leaks prior to release.

Does this mean that there are MORE CDs out there from three other major companies that are utilizing this abhorrent, reviled technology?!? Who are these other three 'major Record Labels'? Where are their public apologies? Certainly they've got it coming if they've decided to 'see whether Sony comes out on top' instead of being open, forthright, and apologetic. Having kept quiet through this whole debacle and not informing their users surely means they're even more at risk for litigation.

Of course, since 1st4$ is located in the UK, the possibility exists that they may be UK 'major Record Labels' which are smaller than their North American equivalents.

I mean, it's not like Virgin has massive stores all over North America or anything...

Re:Actually

[einhverfr]

You would have a point if Symantec didn't advertise the ability to remove trojans (which CDX certainly is) and adware (which MediaMax certainly is).

This is all SONYs wrongding, not MS

[geekoid]

Don't put this on MS in any way. Autorun is a feature that the users want to see.
Just because a user want's a Program to intall automaticaly, doesn't mean they deserve a root kit install. It is not an exploit becasue auotrun works as designed.
I am not a MS apologist, but don't blame MS for this, it is SONYs doing, and SONY bears 100% of the blame.

If I thought a brick through your window, is it the home builders fault for putting windows in your home? Is it your fault because you use glass windows? No.

Re:Bah...

[SilverspurG]

You did notice from '95 to '98 nearly every CD enabled application would annoy you with the "it is recommended to enable Autorun by going to the Control Panel... etc. etc. etc" Oh wait? You didn't notice that? Probably because you didn't think to disable autorun 'til now so that you could take part in the brow-beating.

You did notice that, from '98-'02, nearly every CD burning application on Windows began to annoy you with the "It is required for this application to function properly that you enable the Autorun feature of the CD drive by going to the Control Panel... etc. etc. etc." Oh? What's that? You didn't notice these error boxes? Probably because you didn't think to disable autorun until now so that you could take part in the brow-beating.

I, on the other hand (am an arrogant prick), and I did spend all of those years turning off Autorun until it just became impossible to use any CDROM enabled Windows software without it.

By the way, I like most of your posts. I've just been waiting for the last two weeks to slam someone on the "just disable autorun" issue and you happened to be the poster of the day. :)

Re:Bah...

[SilverspurG]

So the burning question in my mind is... Didn't any of the Symantec or Norton of McAfee firewalls pick up the unwanted network activity?

Oh wait... "XCP media player wishes to access the internet. Would you like to allow this action?"

Some effing firewall...

Re:Actually

[E8086]

"The rootkit was spyware that came along with something the user installed by choice, no different from weatherbug or any of that other silly BS."

Ok, so was it really installed by choice? I have no desire to spend my money on one of those disks and risk the security of my PC to test it. Is the user given a choice do hit "I don't agree" to an EULA and then return it to where they purchased it or does it take advantage of Windows autoplay to install without asking or informing the user first with a description of what it will do.
An EFF explanation of the ELUA said if you no longer own the physical disk you must delete any and all copies of anything on the disk. Shouldn't it be the same for the rootkit? If someone no longer owns the CD, maybe they returned it for the recall/exchange offer, shouldn't any software installed by it also have to be removed? It claims the ability to do this unpunished with a legalese shrinkwrap ELUA and shrinkwrap ELUAs have never stood up in court. If a paying customer returns or resells or trashes a protected Sony disk, the rootkit and DRM should go with the disk, of it doesn't easily go away then it's unwanted spyware and the legal owner of the computer should have the right to remove it, other than having to try their luck with Windows system restore or reformat or reinstall.

Sony screwed up and it looks like the customers are going to have to pay for their mistake with decreased performance, system crashes, having to deal with malware specifically created to take advantage of security holes created by the rootkit, including purchasing additional security software to prevent infection and the time and effort to remove them and repair the damage and/or the monetary costs if they don't have the time or know enough and have to hire someone to do it for them.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Bah...

[SilverspurG]

Your point is well observed and noted. I also agree. Leaving autorun off for all but the most introlerable applications had really, in the end, no effect. To which my response is:

If it's not necessary then why the hell did the software keep bringing up error boxes for all those years asserting that it was? Are you disputing the error boxes with the Autorun admonishments? It's called boiling a frog and social engineering. These companies knew that they were engineering the userbase to accept what would eventually be software automatically installed upon the insertion of a CDROM. Go ahead. Deny the facts. People always fsckin' do.

If ever tinfoil had a legitimate reason it's in this situation.

Re:It's a shame what big companies can get away wi

[Anonymous Coward]

The U.S. Attorney apparently does not think that it is "worthwhile" case and will not extradite him. See: http://www.bhopal.com/opinion.htm [bhopal.com]

I guess it's a different story when the shoe is on the other foot, then the US just kidnaps the suspect (from another country), exports them for torture and then puts them in prison for years and denies them the right to a fair trial etc.

It doesn't matter if it is Sony or Union Carbide, if it's a company it's OK in the USA.

Re:Clearly

[Hugonz]

It's a gray area because Sony claims it is DRM, which is illegal to remove.

It is not illegal to remote the DRM. It is illegal to bypass it and still play the restricted content. Just remove it an don't use the CD in that computer anymore.

Re:Actually

[steve_bryan]

I don't have one of these odious Sony CD's but I think you are missing the obvious. If the CD is playable in the hundreds of millions of standard CD players then it contains Red Book audio tracks. PC's don't need no stinkin' rootkit installed in order to play Red Book audio tracks. You have to install Sony's nasty software to break your computer to the point that it cannot play the standard audio. That would imply that successfully removing Sony's criminally illegal software from your computer should allow it to play that standard audio.

The continuing unfolding of this case is showing the extent to which laws about computer crime are cynically dishonest. The executives involved should be facing criminal trials and, if convicted, incarceration. Is anyone holding his breath waiting for that to happen?