Privacy Security Software

Real Story of the Rogue Rootkit

BokLM writes "Wired has an interesting article from Bruce Schneier about what's happening with the Sony Rootkit, and criticizing the anti-virus companies for not protecting their users. From the article: 'Much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.'"
  • deafening silence (Score:0, Interesting)

    by Anonymous Coward on Thursday November 17, 2005 @06:00PM (#14056893)
    Nothing to see here, please move along...

    How appropriate ;-)
  • Bah... (Score:5, Interesting)

    by Poromenos1 ( 830658 ) on Thursday November 17, 2005 @06:01PM (#14056900) Homepage
    It's a shame what big companies can get away with. I mean, no matter how you look at this, a rootkit is a rootkit, there was nothing subjective about this. Yet, the fact that it was by Sony made people keep their mouths shut. It's a shame.
  • NGSCB? (Score:5, Interesting)

    by interiot ( 50685 ) on Thursday November 17, 2005 @06:05PM (#14056952) Homepage
    What happens when Sony's rootkit hides under the protection of Windows Vista's NGSCB [wikipedia.org]? Will antivirus vendors be able to remove bad code that ends up in the NGSCB? Given that Windows' kernel is insecure enough to allow itself to be rootkitted, what is the chance that NGSCB itself will be subverted? Doesn't the fact that NGSCB is designed to hide code from normal users and knowledgeable debuggers alike mean that it's somewhat similar to what the Sony rootkit tries to do?
  • Fear? (Score:5, Interesting)

    by dada21 ( 163177 ) * <adam.dada@gmail.com> on Thursday November 17, 2005 @06:07PM (#14056976) Homepage Journal
    When news of the criminal rootkit hit full blast, I figured it would immediately get nuked by the AV companies. As things progressed and no one but MSFT came to the rescue, it made me wonder if there was fear or maybe even collusion.

    Yet the bigger story here is the fact that a blogger was the breaking source.

    My media is 75% blogs now. Many use links to back their opinions (I'd love to see a standard bibliographical Wiki for referencing). They're faster than the daily news and less likely to be afraid of corporate threats.

    BTW, anyone know a way for me to toggle link text format from standard (blue w/ underline) to normal (black no underline) and back, quickly?
  • DMCA risks. (Score:5, Interesting)

    by Anonymous Coward on Thursday November 17, 2005 @06:13PM (#14057038)
    If the Antivirus companies start destroying Sony copy-protection technologies, they're almost certain to get in trouble. Surely they don't want to violate the DMCA.
  • DRM is useless (Score:5, Interesting)

    by gasmonso ( 929871 ) on Thursday November 17, 2005 @06:15PM (#14057062) Homepage

    Companies are so worried about piracy that they go to these extremes. What they need to look at is why people are pirating. Many people pirate because the thought of spending $17 for a CD is ridiculous considering that only a few songs are worth a damn. Secondly, DRM makes it worse because people can't rip the audio for their mp3 player. This drives people to piracy and the DRM makes it worse and drives the consumer away. Just lower the damn prices and let me burn it, rip it, or do anything else I want with it because it's mine!

    gasmonso http://religiousfreaks.com/ [religiousfreaks.com]
  • Re:Clearly (Score:2, Interesting)

    by Anonymous Coward on Thursday November 17, 2005 @06:15PM (#14057067)
    I think the lack of response has to do more with anti-virus companies not having enough experience with kernel mode programming rather than any overarching fear of retaliation.
  • by Dominic Burns ( 673810 ) <dominicburns.blueyonder@co@uk> on Thursday November 17, 2005 @06:18PM (#14057090)
    I'm in the UK. Do the US-centric have anything to report on this?
  • by neomunk ( 913773 ) on Thursday November 17, 2005 @06:20PM (#14057108)
    I don't care what the rest of you hip 1334 types think, this post (though slightly incoherent) tries to bring a real point to the table, and actually offers (albeit painfully) what I consider to be the most valid reason this didn't get taken care of earlier. You are NOT to question the corporate masters when they tell you how to use the software you bought, you are NOT to question when they force you to use your own property (your computer's clockticks) to make sure you don't cross the line they have placed for you. Why do we take this? Read the post again, and try THINKING (I know, I know, it's dangerous) about what this person said. It's spot on as far as I'm concerned. Sony is one of the masters (one of the High Masters of Entertainment), and if master says shoot myself in the foot for his amusement, then master gets what master wants. We've been willingly bent over so long that we didn't even notice that they stopped giving us the courtesy of a reach-around.
  • by nonother ( 845183 ) on Thursday November 17, 2005 @06:21PM (#14057121)
    While it is a good article, it leaves out what was just recently posted on Slashdot - the use of open source software to create it. That's another important part of the legal quandary. Also the article really seems to minimize the fact that it also affects Macs. While it is true that the user must provide a password (on the Mac), Sony insisted it did not affect Mac and Linux computers.
  • by z0I!) ( 914679 ) on Thursday November 17, 2005 @06:21PM (#14057123) Homepage
    The double standard of the security companies is troubling... If I released this application (Sony's rootkit) it would be considered malware immediately. The fact that they only remove a portion of it is also strange. That is like removing the part of a spam-generating worm that sends emails to others but leaving the rest of it to waste CPU time scavenging my address book. Also... What I wonder is, what consequences will come from the alleged GPL violations? Is anyone suing Sony or First4Internet for copyright infringement? If not, does this send a signal to big corps that it's OK to steal code that is GPL'd because the parties that wrote it probably don't have the time/money to do anything about it anyway?
  • by Daedala ( 819156 ) on Thursday November 17, 2005 @06:24PM (#14057173)
    Well, then, why didn't they say, "We can't do anything yet because this is nasty. We are working on a fix."

    Instead, they're saying the DRM software that hijacks your device driver is legitimate, and the rootkit was really only kinda bad because it hid legitimate software....
  • Re:sony (Score:3, Interesting)

    by Azarael ( 896715 ) on Thursday November 17, 2005 @06:24PM (#14057174) Homepage
    Beyond that, who is going to properly regulate NGSCB code to keep out the poorly coded crap? From the sounds of it, you won't be able to do anything to fix it or get rid of it unless MS or whoever decides to patch it. As far as I can tell it will be pretty much a black hole full of all sorts of stuff that can, will and does kill your machine.
  • What about...... (Score:2, Interesting)

    by Zenzilla ( 793153 ) on Thursday November 17, 2005 @06:32PM (#14057250)
    when the spyware/malware people start bundling rootkits as part of the infection? I'm not really worried much about the response of the anti-virus people as much as I'm worried about the response I'll get from Microsoft when I ask: How can I keep code from installing this type of code into Windows?

    I'm afraid the answer I'm going to get is: We don't know.
  • by Anonymous Coward on Thursday November 17, 2005 @06:32PM (#14057254)
    It is my meager understanding the AV companies detect _viruses_. That they've forayed into spyware detection is perhaps a natural/logical path, albeit, that has still not become their primary avenue of business.

    Some of the most popular spyware-detection tools aren't from the big AV players -- /.ers you know what you use on your friends'/family's boxes to get rid of such helpful toolbars ;) as ones that mom installed so she'd know when it's raining outside.

    That said, there are explicit differences between terms in TFA that should be noted. Though I am no expert in the field, it's generally agreed upon that virus != spyware. (How many of you cringe when you hear "hacker" used pejoratively? Are they really a cracker/script kiddie/etc...) Let's get our diction correct.

    OK, so what are rootkits? This is where the /. crowd has the capability to shine. The onslaught of Windows rootkits may unveil a shadowy niche in computer security to the general population, however, isn't it the rootkit and its purveyors we should be disgusted with? Author of TFA seems to think otherwise.

    Do we blame the ambulance responding to the scene of a fire for our house burning down? Nay, the fire department? Suppose the fire department responded lethargically. Then, might we play the blame game. What if the fire department arrives to confront an unknown, previously unfaced force destroying your building?

    The tongue-lashing poured out by Author should best be kept to his blog, which he has proudly boasted to you, the reader, about already. Let him keep his opinions and bashing there and in /. comment sections. Save the other bandwidth for pertinent _investigative_ journalism.
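    The comment above asks what a rootkit actually is. The following is an added example, not code from the page, from Schneier's article or from any vendor named in the thread. It models the one concrete behaviour of this rootkit that is public record: a kernel hook that filtered out of every Win32 listing any file, directory, registry key or process whose name began with "$sys$". The detection technique Russinovich used (cross-view, the approach behind RootkitRevealer) takes the same listing through two independent paths, the hooked API and a raw parse of the volume or registry hive, and reports every entry that one path shows and the other does not. Both views are simulated here with constructed data; `cloaked_api_view()` stands in for the hooked API, and the "raw" view is simply the full list. The sample paths are constructed for the example and follow the `$sys$` naming convention only to make the cloaking visible.

```python
"""Cross-view detection of a name-prefix cloaking rootkit (added example)."""
from __future__ import annotations

from typing import Iterable

# Prefix the rootkit's system-call hook filtered out of directory, registry
# and process listings. The hook hid the name itself and, as a consequence,
# everything underneath a hidden directory or key.
CLOAK_PREFIX = "$sys$"


def components(path: str) -> list[str]:
    """Split a Windows file path or registry path into its name components."""
    return [c for c in path.replace("/", "\\").split("\\") if c]


def is_cloaked(path: str) -> bool:
    """True if any component of the path carries the cloaking prefix."""
    return any(c.lower().startswith(CLOAK_PREFIX) for c in components(path))


def cloaked_api_view(raw_entries: Iterable[str]) -> list[str]:
    """Model of the hooked user-visible API: cloaked entries are silently dropped."""
    return [e for e in raw_entries if not is_cloaked(e)]


def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> dict[str, list[str]]:
    """Compare two views of the same namespace.

    'hidden'  : present in the raw view but missing from the API view (cloaked)
    'phantom' : reported by the API but absent from the raw view (a hook can lie
                in either direction, so this is reported too)
    Comparison is case-insensitive because NTFS and the registry are.
    """
    api = {e.lower(): e for e in api_view}
    raw = {e.lower(): e for e in raw_view}
    return {
        "hidden": sorted(raw[k] for k in raw.keys() - api.keys()),
        "phantom": sorted(api[k] for k in api.keys() - raw.keys()),
    }


def scan(raw_entries: Iterable[str]) -> dict[str, list[str]]:
    """Run the simulated hooked API over a raw scan and diff the two views."""
    raw = list(raw_entries)
    return cross_view_diff(cloaked_api_view(raw), raw)


# Constructed sample of a raw file-system and registry scan (not a real capture).
RAW_SCAN = [
    r"C:\WINDOWS\system32\$sys$filesystem\aries.sys",
    r"C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe",
    r"C:\WINDOWS\system32\drivers\cdrom.sys",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"HKLM\SYSTEM\CurrentControlSet\Services\$sys$aries",
    r"HKLM\SYSTEM\CurrentControlSet\Services\cdrom",
]


if __name__ == "__main__":
    for kind, entries in scan(RAW_SCAN).items():
        print(f"{kind}: {len(entries)}")
        for e in entries:
            print(f"  {e}")
```

    Two caveats a practitioner would want. First, a cross-view detector is only as good as the independence of its second view: a hook that also intercepts raw volume reads defeats it, which is why RootkitRevealer parsed the NTFS structures and hive files itself rather than asking the file-system driver. Second, the prefix rule cut both ways: any file renamed to start with `$sys$` vanished on an infected machine, which made the manual check trivial, and also meant any other malware could cloak itself for free by adopting the prefix.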
  • by Dragoonmac ( 929292 ) <Dragoonmac@gma[ ]com ['il.' in gap]> on Thursday November 17, 2005 @06:37PM (#14057302) Journal
    I didn't think my opinion of the digital culture could sink any lower.
    When you look back and examine old BBSes you see stuff that might make the average person squirm. You find manuals on how to drive someone to suicide, you find ways to destroy a VAX system from a remote location. You find e-books that make Chuck Palahniuk and his Fight Club buddies look like a bunch of weaklings. You can find manuals on how to make an exploding floppy disk for heaven's sake.

    But amid all that text, all the warezed floppies, all the unreliable explosive guides, there were people you felt you could trust. We had that with the modern web.

    Now when you scour the internet you find a variety of things. Blogs, memes, warezed ISOs, pirate movies, any album ever recorded, any type of fetish you could conceive. With this comes new problems: malware, trojans, worms. No operating system is safe anymore.

    With the digital war between blackhat and security escalating, newer and nastier ways to cripple PCs are becoming ever more prevalent. Most security centers today have not implemented full rootkit detection. So are they losing? That is a matter for the individual to decide.

    But as for myself, my faith has been broken. The faith that Grisoft and Microsoft will truly protect me. The faith that a website at sony.com will not try to install things on my PC. The faith that free software will truly stay free or will go the way of DivX 5 and Daemon Tools 4, falling prey to temptations of revenue from adware.

    In many ways we may be more physically secure today, but I think I speak for everyone who maintains a Windows partition, for whatever reasons, in saying we just don't know anymore.
  • DOD Twist (Score:5, Interesting)

    by TuballoyThunder ( 534063 ) on Thursday November 17, 2005 @06:51PM (#14057451)
    The DOD pays big dollars to get a corporate license for both McAfee and Norton, which includes permission for users to use on their home computers. Considering the number of DOD computers that got infected by the Sony DRM application, I think the people who oversee those contracts would be negligent if they did not "seek consideration" for the failure to perform.
  • This line kills me. (Score:3, Interesting)

    by PrimeNumber ( 136578 ) <PrimeNumberNO@SPAMexcite.com> on Thursday November 17, 2005 @06:53PM (#14057467) Homepage
    While Sony could be prosecuted under U.S. cybercrime law, no one thinks it will be.
     
    What I want to know is why the fuck shouldn't a corporation be held to the same rules the rest of us are? As the line above illustrates, people now assume that companies can abuse the law as they see fit and not get reprimanded.
     
    While the rest of us (AKA as not rich) get sued [newsfactor.com] into oblivion or prosecuted [hollywoodreporter.com] to the fullest for downloading a shitty CD that should only be $5.
  • Actually (Score:5, Interesting)

    by einhverfr ( 238914 ) <chris...travers@@@gmail...com> on Thursday November 17, 2005 @06:58PM (#14057514) Homepage Journal
    Read http://www.groklaw.net/article.php?story=20051113164717817 [groklaw.net]

    The creator of the rootkit (First 4 Internet) apparently worked with Symantec and other major antivirus companies to make sure that it would neither be detected nor removed by their software according to CNET.

    This is a very damning accusation.
  • by Israfels ( 730298 ) on Thursday November 17, 2005 @07:00PM (#14057540)
    Does anyone know if Sony-built computers, such as the VAIO, come preinstalled with the rootkit? I really wouldn't be surprised if they did.
  • does not... (Score:2, Interesting)

    by Anonymous Coward on Thursday November 17, 2005 @07:09PM (#14057626)
    I don't know what brand of CD burning software you use, but I've had Autorun disabled on my computers for the last 7-8 years and never had a problem burning a CD.
  • Re:Clearly (Score:5, Interesting)

    by ZachPruckowski ( 918562 ) <zachary.pruckowski@gmail.com> on Thursday November 17, 2005 @07:25PM (#14057763)
    It's a gray area because Sony claims it is DRM, which is illegal to remove. If this went the other way, and an AV company started removing it before it got out to the public fully, then the AV company is removing DRM, and Sony sues, and no one backs them (except EFF and a few nerds). The AV companies were powerless until they had the mob behind them.
  • by Myrmidon ( 649 ) on Thursday November 17, 2005 @07:37PM (#14057858)
    You're right that people download music because CDs are really expensive, and because they insist on being able to use their iPods.

    But now there's an even more obvious reason to download music in an open format like MP3: MP3s cannot suddenly turn on you and break your computer.

    I'm sure I'm not alone when I state that I will never buy a Sony or BMG CD again, ever, unless it comes with a bold-printed, legally-binding guarantee that the damn thing is a plain-Jane, Red-Book-compatible, fully-rippable CD. And I'm never again going to insert a music CD into Windows, no matter who sells it to me. I'll rip the things in Linux, where it's safe.

    This is independent of my desire to punish Sony by boycotting their products. This is legitimate fear. No individual music CD is worth the risk of having to reinstall Windows, to say nothing of the risk of being 0wned or losing some of my data.

  • Re:DMCA risks. (Score:2, Interesting)

    by suitepotato ( 863945 ) on Thursday November 17, 2005 @08:09PM (#14058127)
    If the Antivirus companies start destroying Sony copy-protection technologies, they're almost certain to get in trouble. Surely they don't want to violate the DMCA.

    This points up an interesting concept: can a virus be protected under the DMCA? Can delving into its bits be considered an IP violation? Hmmm...
  • Re:Bah... (Score:3, Interesting)

    by Bloater ( 12932 ) on Thursday November 17, 2005 @09:37PM (#14058932) Homepage Journal
    > Methinks thee art confusing rootkits with spyware.

    "Thee" should be "Thou"

    "Thee" is to "Thou" as "me" is to "I".
  • Re:Bah... (Score:1, Interesting)

    by Anonymous Coward on Thursday November 17, 2005 @10:21PM (#14059248)
    I'm just curious .. can you give some examples ? I've had autorun disabled for as long as I've run Windows, and - as I recall - I have *never* seen an application actually request a user to enable autoplay. Most manuals even described how to start setup.exe on the CD if autorun was not enabled, and that the CD had to be in the drive when the app was started (if required). Maybe I've been lucky, but as I've seen more than my share of apps I would really appreciate it if you could back up your statement with some data/links.

    I, for one, am happy on my Win2K system with Autorun firmly *disabled*. And I've yet to see any reason to enable it - in fact, quite the opposite.

    And yes, I've been in IT since 1990, so the period you mentioned is covered. But I'm in the EU, so maybe it's a difference in markets?
  • by MaestroRC ( 190789 ) on Friday November 18, 2005 @01:42AM (#14060400) Homepage
    The real solution to autorun is similar to how Apple has done it in OS X, or how many Linux distros do it, which is to open a folder displaying the contents of the disk, and not open an application that could be an installer. In the case of MacOS (at least from 7 on through X, I haven't used MacOS since before 7.6.1), a folder can actually be assigned a "view", where icons show up where you want them, and in X, you can have a background in the window (in 9 and below, companies got around the not-able-to-have-a-background limitation by just positioning icons just so, so that they created an image of whatever they wanted. Very ingenious in my opinion).

    I agree, autorun is a bad way to do things. The proper way is to have a good service that detects a disk, and performs a user-assigned task, such as open a media player, image app, CD burning app, or otherwise. Allowing a company to open any old program that is on the disk you just inserted, especially with the lax default permissions in Windows (XP still creates all users during setup by default as admins with no passwords).
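    The posts above argue over whether disabling AutoRun is practical; the following is an added example (not code from the page, from any poster or from Microsoft) showing how to read the policy that actually controls it and what a hardened value looks like. Windows reads a REG_DWORD named `NoDriveTypeAutoRun` under `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer` (and the same path under HKCU) as a bitmask of drive types for which AutoRun is disabled: a set bit disables that type, a clear bit leaves AutoRun on. The XP default of 0x91 leaves CD-ROM drives enabled, which is exactly the path an audio disc's `autorun.inf` uses to start an installer; 0xFF disables every type. The `reg query` output below is constructed for the example.

```python
"""Decode and harden the NoDriveTypeAutoRun policy (added example)."""
from __future__ import annotations

import re

# Bit -> drive type. Bits follow the GetDriveType() numbering (1 << type):
# DRIVE_REMOVABLE=2, DRIVE_FIXED=3, DRIVE_REMOTE=4, DRIVE_CDROM=5, DRIVE_RAMDISK=6.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "(reserved / unrecognised drive types)",
}
DISABLE_ALL = 0xFF   # every bit set: AutoRun off for all drive types
XP_DEFAULT = 0x91    # Windows XP default: CD-ROM, fixed, removable, RAM disk still enabled

POLICY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Constructed sample of `reg query <key> /v NoDriveTypeAutoRun` output.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0x91
"""

_VALUE_RE = re.compile(r"NoDriveTypeAutoRun\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)")


def parse_reg_query(text: str) -> int | None:
    """Extract the NoDriveTypeAutoRun DWORD from reg query output; None if absent
    (an absent value means the OS default, e.g. 0x91 on XP, applies)."""
    m = _VALUE_RE.search(text)
    return int(m.group(1), 0) if m else None


def autorun_enabled_types(value: int) -> list[str]:
    """Drive types for which AutoRun is still ON (their bit is clear)."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit]


def is_hardened(value: int) -> bool:
    """True only if AutoRun is disabled for every known drive type."""
    return (value & DISABLE_ALL) == DISABLE_ALL


def harden(value: int) -> int:
    """Return the value with every drive-type bit set, preserving any other bits."""
    return value | DISABLE_ALL


def reg_file(value: int) -> str:
    """Produce a .reg file that applies the given value machine-wide."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{POLICY_KEY}]\r\n"
        f'"NoDriveTypeAutoRun"=dword:{value:08x}\r\n'
    )


if __name__ == "__main__":
    current = parse_reg_query(SAMPLE_REG_QUERY)
    effective = XP_DEFAULT if current is None else current
    print(f"current value: {effective:#04x}")
    print("AutoRun still enabled for:", autorun_enabled_types(effective) or "nothing")
    if not is_hardened(effective):
        print(reg_file(harden(effective)))
```

    The value only takes effect for Explorer after a log-off or Explorer restart. One caveat worth knowing: on unpatched Windows XP and Server 2003 the policy was not honoured consistently when a user double-clicked the drive icon, because Explorer cached the disc's `autorun.inf` under `MountPoints2`; Microsoft later shipped an update to correct that, so on a 2005-era machine the registry setting alone was not a complete defence against a user who clicked on the disc.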
  • Re:Actually (Score:2, Interesting)

    by herve_masson ( 104332 ) on Friday November 18, 2005 @02:43AM (#14060615)
    I suspect that for 99% of non-geek users, the ability to play the Sony CD was much more important than removing "some rootkit."

    I don't think you need to look at the story this way. You're right, the vast majority don't have a clue about rootkits, cloaking and such obviously. But what Schneier wrote is that people pay a high price to get "protected" from those "security companies", and they deserve a much better service!
    Security companies must have known about the Sony rootkit's potential risks. Especially if, like those bastards in "First 4 Internet" tell us, they have been in the loop from the beginning! By not evaluating the security breach of this copy protection, and not acting properly by not advertising the risk and not removing the software, they prove they're either extremely incompetent, or totally biased, or both.
