Real Story of the Rogue Rootkit
BokLM writes "Wired has an interesting article from Bruce Schneier about what's happening with the Sony Rootkit, and criticizing the anti-virus companies for not protecting its users. From the article: 'Much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.'"
This time... (Score:5, Funny)
Now don your tin foil hats!
DMCA risks. (Score:5, Interesting)
Actually (Score:5, Interesting)
The creator of the rootkit (First 4 Internet) apparently worked with Symantec and other major antivirus companies to make sure that it would neither be detected nor removed by their software according to CNET.
This is a very damning accusation.
Re:Actually (Score:4, Insightful)
Symantec might have been the only one mentioned by name in the CNET article but it seemed to indicate that the other AV companies were in the loop. This means that I am no longer comfortable recommending AV software solutions without providing some fairly in-depth warnings about this little episode.
Re:Actually (Score:5, Informative)
I suspect that for 99% of non-geek users, the ability to play the Sony CD was much more important than removing "some rootkit, whatever that is". And you probably can't remove the software and leave the ability to play the CD without violating the DMCA, so what are you going to do?
Re:Actually (Score:5, Insightful)
Re:Actually (Score:5, Insightful)
Ok, so was it really installed by choice? I have no desire to spend my money on one of those disks and risk the security of my PC to test it. Is the user given a choice to hit "I don't agree" to an EULA and then return it to where they purchased it, or does it take advantage of Windows autoplay to install without asking or informing the user first with a description of what it will do?
An EFF explanation of the EULA said if you no longer own the physical disk you must delete any and all copies of anything on the disk. Shouldn't it be the same for the rootkit? If someone no longer owns the CD, maybe they returned it for the recall/exchange offer, shouldn't any software installed by it also have to be removed? It claims the ability to do this unpunished with a legalese shrinkwrap EULA, and shrinkwrap EULAs have never stood up in court. If a paying customer returns or resells or trashes a protected Sony disk, the rootkit and DRM should go with the disk. If it doesn't easily go away then it's unwanted spyware, and the legal owner of the computer should have the right to remove it, other than having to try their luck with Windows system restore or reformat or reinstall.
Sony screwed up and it looks like the customers are going to have to pay for their mistake with decreased performance, system crashes, having to deal with malware specifically created to take advantage of security holes created by the rootkit, including purchasing additional security software to prevent infection and the time and effort to remove them and repair the damage and/or the monetary costs if they don't have the time or know enough and have to hire someone to do it for them.
Re:Actually (Score:3, Insightful)
Re:DMCA risks. (Score:3, Insightful)
Microsoft only announced that they would remove it after Symantec et al made similar announcements.
This is not about the DMCA. It is about the fact that it was made in partnership with the AV companies. It is not about SONY either, but about the manufacturer (First4 Internet) working with these companies to ensure that they would not out the dirty little secret.
Re:DMCA risks. (Score:3, Insightful)
Mirror (Score:3, Informative)
Bah... (Score:5, Interesting)
Well, not really... (was:Bah...) (Score:5, Insightful)
Re:Bah... (Score:2, Insightful)
I think's things are not so simple. While this is a rootkit, "infected" systems don't display the normal symptoms: no (appreciable) slowdown, no annoying popups, no self-propagation or open ports. Moreover, the "phone home" behaviour is very limited. Since the average user didn't notice, there were no complaints. Do you expect the AV companies to buy and test music CDs for malware before this broke out (not in hindsight!). Since it took a Windows guru to figure out something was wrong, I'd expect these
Re:Bah... (Score:5, Insightful)
Rule #1: Disable Autorun.
If Microsoft had disabled this action by default, it would have prevented this being a widespread problem in the first place.
Audio CDs should be nothing more than data. A media player is installed on every single computer that can play audio CDs.
Sony should not have messed with that, and if MS had defaulted it then 1st$ wouldn't have exploited it.
This is all SONY's wrongdoing, not MS (Score:4, Insightful)
Just because a user wants a program to install automatically doesn't mean they deserve a rootkit install. It is not an exploit because autorun works as designed.
I am not a MS apologist, but don't blame MS for this, it is SONY's doing, and SONY bears 100% of the blame.
If I threw a brick through your window, is it the home builder's fault for putting windows in your home? Is it your fault because you use glass windows? No.
Re:This is all SONY's wrongdoing, not MS (Score:3, Interesting)
Re:Bah... (Score:5, Insightful)
You did notice that, from '98-'02, nearly every CD burning application on Windows began to annoy you with the "It is required for this application to function properly that you enable the Autorun feature of the CD drive by going to the Control Panel... etc. etc. etc." Oh? What's that? You didn't notice these error boxes? Probably because you didn't think to disable autorun until now so that you could take part in the brow-beating.
I, on the other hand (am an arrogant prick), and I did spend all of those years turning off Autorun until it just became impossible to use any CDROM enabled Windows software without it.
By the way, I like most of your posts. I've just been waiting for the last two weeks to slam someone on the "just disable autorun" issue and you happened to be the poster of the day.
Re:Bah... (Score:3, Insightful)
If it's not necessary then why the hell did the software keep bringing up error boxes for all those years asserting that it was? Are you disputing the error boxes with the Autorun admonishments? It's called boiling a frog and social engineering. These companies knew that they were engineering the userbase to accept what would
Re:Bah... (Score:3, Informative)
Re:Bah... (Score:5, Insightful)
Methinks thee art confusing rootkits with spyware.
The last thing a rootkit author would want in a rootkit would be for it to be noticeable to the average user. Or even to the expert user. If symptoms are noticed, it isn't a good rootkit.
Re:Bah... (Score:3, Interesting)
"Thee" should be "Thou"
"Thee" is to "Thou" as "me" is to "I".
Re:Bah... (Score:5, Insightful)
Just because the symptoms are barely noticeable does not make it acceptable.
Just because it comes from a CD does not make it acceptable, either.
If the "(clueless) user" inserts the CD again, the AV software should do what it should have done the first time - issue a large warning and block the activity. If this had happened a year ago, there wouldn't be several hundred thousand machines with it installed today.
Re:Bah... (Score:5, Insightful)
I think's things are not so simple.
And then some...
While this is a rootkit, "infected" systems don't display the normal symptoms: no (appreciable) slowdown, no annoying popups, no self-propagation or open ports. Moreover, the "phone home" behaviour is very limited. Since the average user didn't notice, there were no complaints.
That's not the issue, really.
Do you expect the AV companies to buy and test music CDs for malware before this broke out (not in hindsight!). Since it took a Windows guru to figure out something was wrong, I'd expect these companies to take a few days. Several (including Microsoft, in fact) already classify it as malware and look for it.
It took somebody looking for evidence of rootkits on a well-maintained system that should have been rootkit free. I expect AV companies to do *that*, yes. You say "already" as if the rootkit had only been around for a few days. It's been around for many months, and the fact that we didn't know that before the guys at sysinternals noticed it is inexcusable.
Sony distributed software to millions of random people that installed half of itself silently, offered no option to not install, left machines vulnerable to infection by absolutely any wanna-be hacker that can spell "$sys$", has no uninstaller, leaves no indication that it *is* installed, makes the machines that it is installed on unstable if removed, and uses bandwidth and network connectivity without informing the owner of the computer.
If AV vendors can't protect against this type of threat, and cannot identify cloaked software when it has been distributed for a year, I don't exactly have a lot of faith in the security of any machines protected by their software (sadly, that seems to be every AV vendor). Maybe Mr. Russinovich could give a few paid talks at each of these companies about how to detect rootkits...
I'm off to go install SuSE on my desktop...cheers.
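Cross-view detection of the cloak the comment describes, as an added example that is not code from the thread or from Sysinternals: it compares a filtered API listing with an independent raw listing of the same directories (the approach RootkitRevealer used to surface the XCP driver) over constructed sample paths, and flags every entry that is missing from the API view, whether or not it carries the "$sys$" prefix.

```python
"""Cross-view rootkit check over constructed directory listings.

Added example, not code from the original thread or from Sysinternals.
Both views are constructed inline so the logic runs offline; in practice
the raw view comes from parsing the NTFS volume directly or from a scan
of the disk booted from clean media, and the API view from the normal
directory-enumeration calls the cloaking driver filters.
"""
from dataclasses import dataclass

XCP_HIDE_PREFIX = "$sys$"  # name prefix the XCP driver hid from the API view


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def cross_view_diff(api_view, raw_view):
    """Return paths present in the raw (on-disk) view but absent from the API view."""
    return sorted(set(raw_view) - set(api_view))


def classify(hidden_paths):
    """Attach a reason to each hidden entry: the known $sys$ filter, or an unknown cloak."""
    findings = []
    for path in hidden_paths:
        name = path.rsplit("\\", 1)[-1]
        if name.startswith(XCP_HIDE_PREFIX):
            findings.append(Finding(path, "cloaked by $sys$ name-prefix filter"))
        else:
            findings.append(Finding(path, "present on disk but hidden from API"))
    return findings


def scan(api_view, raw_view):
    """Full check: diff the two views, then classify whatever only the raw view saw."""
    return classify(cross_view_diff(api_view, raw_view))


# Constructed sample data; file names are placeholders, not the driver's real ones.
API_VIEW = [
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\Documents and Settings\user\My Documents\report.doc",
]
RAW_VIEW = API_VIEW + [
    r"C:\WINDOWS\system32\$sys$example_driver.sys",     # constructed: the DRM's own file
    r"C:\WINDOWS\system32\$sys$anything_you_like.exe",  # constructed: any $sys$ name rides along
    r"C:\WINDOWS\system32\drivers\not_prefixed.sys",    # constructed: hidden by some other cloak
]

if __name__ == "__main__":
    for finding in scan(API_VIEW, RAW_VIEW):
        print(f"{finding.path}: {finding.reason}")
```

A clean machine produces an empty diff; any non-empty result means the two views disagree and the host needs an offline look regardless of what the AV signature database says.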
Re:Bah... (Score:5, Insightful)
Oh wait... "XCP media player wishes to access the internet. Would you like to allow this action?"
Some effing firewall...
Re:Bah... (Score:3, Informative)
You realise that because most distributions use modules, that a clever hacker (who's already got root) can easily install a root kit on your machine that cloaks itself, via good ol' insmod.
That says a lot, really, about the difference in playing said CD on Windows vs. Linux. A typical Linux user is *probably* not going to be in a situation where he opens a CD and a program automagically runs with root/admin permissions. True, cloaking and rootkits can happen on Linux, but it's a much harder job to do w
Re:Bah... (Score:4, Informative)
According to F-Secure's blog [f-secure.com], they had received tips that Sony CDs might contain a rootkit at least a month before Mark broke the story.
"We didn't go public with the info right away as we were worried with the implications (especially with the info on how virus writers can use this to hide files which have names starting with "$sys$"). So we were in the middle of discussions with Sony BMG and First 4 Internet when Mark broke the news on Monday."
It's a shame what big companies can get away with. (Score:5, Informative)
Bhopal.
Re:It's a shame what big companies can get away wi (Score:5, Informative)
He is referring to the Bhopal gas tragedy of 1984, http://en.wikipedia.org/wiki/Bhopal_gas_tragedy/ [wikipedia.org] where thousands of people were killed and Union Carbide pretty much got away with it. The CEO Warren Anderson is a fugitive and is on the wanted list of CBI India.
Re:It's a shame what big companies can get away wi (Score:5, Informative)
Clearly (Score:5, Insightful)
Re:Clearly (Score:2, Interesting)
Comment removed (Score:5, Insightful)
Re:Clearly (Score:5, Interesting)
Comment removed (Score:5, Insightful)
Re:Clearly (Score:4, Insightful)
It is not illegal to remove the DRM. It is illegal to bypass it and still play the restricted content. Just remove it and don't use the CD in that computer anymore.
Who Else Can We Blame (Score:4, Insightful)
I have to ask... If you were infected by this thing, then why not call law enforcement? You know it is malware of the worst kind and you know exactly who did it to you. Why not call the FBI or your Attorney General and file a criminal report? Couldn't you list Sony or the record store/online store you got it from as the source? I don't know. Seems like a good form of civil disobedience at the very least.
Isn't that what we're supposed to do?
Of course, all Slashdotters were not infected because we all boycott music companies anyway. Right?? Or did I miss a memo?
Re:Who Else Can We Blame (Score:5, Funny)
Apparently:
To:all Slashdotters
From: The Big Penguin
Subject: Protective measures
We will be switching exclusively to the Linux operating system at 1200 hours effective Tuesday. This will ensure that we can run any music CD with impunity, be it ripped or legit.
Sincerely,
T.B.P.
Re:Who Else Can We Blame (Score:2)
Why do this?
You can get record stores to stop selling Sony artists.
You can't get Sony to stop.
You can't change the RIAA, which came to power through the voters in the US (I don't vote/rape).
You can hurt the artists. I'm amazed how many artists are on Sony. I e-mailed the ones I could, and I will never support Sony BMG again.
The $1000 I save on my PS3+games will be spent
Re:Who Else Can We Blame (Score:2)
Re:Why not call law enforcement? (Score:5, Insightful)
Because calling law enforcement would lead to a court case: YOU vs SONY. Guess who wins every time?
What are you talking about? Making a report to law enforcement is not going to get you into a civil suit. It will be the state vs. Sony in a criminal case should they pursue it. The trouble is getting them to do so. Try calling the FBI sometime. If it isn't easily demonstrable as several grand worth of damage they will just ignore you.
Re:Why not call law enforcement? (Score:2)
Re:Why not call law enforcement? (Score:3, Informative)
Re:Why not call law enforcement? (Score:3, Informative)
Yes, there are lots of problem
Re:Call the FBI (Score:3, Funny)
<adjusts hat>
Re:Why not call law enforcement? (Score:2)
Libel and liability (Score:2)
Re:Libel and liability (Score:3, Insightful)
I'm not claiming that they are a *part* of a criminal conspiracy. But they were aware of it and did NOTHING to alert their customers. I.e., they intentionally did not perform the service that they were being paid money to perform. That looks to me like malfeasance, but perhaps only government employees can commit malfeasance. IANAL.
It certainly looks like fraud. They claimed and received money to provide a service that they intentionally did not p
DMCA (Score:4, Insightful)
They are Scared Shitless...
Until Now.
Re:DMCA (Score:5, Insightful)
This issue isn't about big companies supporting big companies, it's about companies not knowing where the legal line is on what they can remove from your computer without being slapped with a DMCA lawsuit.
NGSCB? (Score:5, Interesting)
Built-in DRM (Score:5, Insightful)
Sony won't need to install a rootkit, because the Microsoft DRM will be designed specifically to help enforce things like Sony's EULA. Why should Sony bother with a rootkit when the OS itself will impose the limits by design?
anti-Vista publicity (Score:3, Funny)
"With Vista you don't have to worry about shit like the Sony rootkit, because he is already in!"
Damn them! (Score:4, Funny)
Yet another example of over-aggressive bundling.
Re:Built-in DRM (Score:5, Insightful)
One issue was lack of disclosure. Parts of the program were uninstallable, staying in the background, constantly eating a little CPU. The program "phoned home", and neither the EULA nor any normal documentation let the user know that would happen.
The other problem was stability. Because the program was meant to filter the audio CD driver information, and generally do low-level stuff, and it was poorly coded, it caused a computer system to be less stable.
These problems were only discovered because of skilled people at Sysinternals. In the future though, if programs can be more protected by the NGSCB, they will have greater free rein to do this type of activity without scrutiny. Certainly it will be easier if processes and files simply aren't hidden anymore, since that, combined with seeing TCP data being sent out whenever you play a CD, will be a large tip-off. However, we all benefit if skilled people can expose spyware wherever it occurs, and ultimately, if NGSCB helps cloak some activity, then that may ultimately make it harder for people like Mark Russinovich to do their work for the public good.
Re:NGSCB? (Score:2)
RootKit ??? What rootkit ?? (Score:2, Funny)
Re:RootKit ??? What rootkit ?? (Score:3)
sony (Score:4, Insightful)
Re:sony (Score:2)
Re:sony (Score:5, Insightful)
Re:sony (Score:3, Interesting)
Re:sony (Score:2)
Fear? (Score:5, Interesting)
Yet the bigger story here in the fact that a blogger was the breaking source.
My media is 75% blogs now. Many use links to back their opinions (I'd love to see a standard bibliographical Wiki for referencing). They're faster than the daily news and less likely to be afraid of corporate threats.
BTW, anyone know a way for me to toggle link text format from standard (blue w/ underline) to normal (black, no underline) and back, quickly?
Re:Fear? (Score:4, Informative)
Define a custom page stylesheet (userChrome stuff in Mozilla), with
a {
color: black;
text-decoration: none;
}
Then, you can go to View -> PageStyle and switch between the original page style and your new style.
Re:Fear? (Score:2)
CSS [w3.org]. Make a personal stylesheet and tell your browser to use it and to let your personal styles override site styles, then turn it off when you don't want it.
Antivirus Company Failure (Score:3, Insightful)
Yeah, that has been my reaction. When I heard about it the first thing I began doing was searching for detection and removal software. I found nothing. I could not believe that McAfee was not publishing a fix.
That's because this virus was nasty as hell. (Score:5, Insightful)
Re:That's because this virus was nasty as hell. (Score:5, Interesting)
Instead, they're saying the DRM software that hijacks your device driver is legitimate, and the rootkit was really only kinda bad because it hid legitimate software....
Re:That's because this virus was nasty as hell. (Score:3, Informative)
This rootkit was designed to hide a legitimate application, but it can be used to hide other objects, including malicious software. [symantec.com]
McAfee(R) AVERT(tm) recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. [nai.com]
Microsoft is only removing XCP, not the DRM. I haven't been able to find any statements from Microsoft regarding the DRM at all.
Uh, antivirus companies are out to make money. (Score:5, Insightful)
Like it or not, detecting and removing Sony's malware puts them at serious risk for DMCA lawsuits and the like and is thus a bad business decision. Anyone who thinks they're in it to actually better their customers and not their bottom line is living in fantasy land.
Re:Uh, antivirus companies are out to make money. (Score:2)
Let's call it "Sony's Law": (Score:5, Funny)
Man, all this just in time for Christmas. When I'm shopping this Holiday Season, I think I'll just run up to store clerks and ask them if they carry Sony products and if they say yes, ask "For the love of God, WHY???" and then run away laughing.
The brick advertisement (Score:5, Informative)
This is how I've viewed the major AV companies for quite some time. Sure, there are non-affiliated virus threats out there, but they perpetuate their own business as well.
I didn't think that my opinion of McAfee and Norton could sink any lower... but I was wrong.
DRM is useless (Score:5, Interesting)
Companies are so worried about piracy that they go to these extremes. What they need to look at is why people are pirating. Many people pirate because the thought of spending $17 for a CD is ridiculous considering that only a few songs are worth a damn. Secondly, DRM makes it worse because people can't rip the audio for their mp3 player. This drives people to piracy, and the DRM makes it worse and drives the consumer away. Just lower the damn prices and let me burn it, rip it, or do anything else I want with it because it's mine!
gasmonso http://religiousfreaks.com/ [religiousfreaks.com]
DRM is useless but DEADLY... (Score:3, Interesting)
But now there's an even more obvious reason to download music in an open format like MP3: MP3s cannot suddenly turn on you and break your computer.
I'm sure I'm not alone when I state that I will never buy a Sony or BMG CD again, ever, unless it comes with a bold-printed, legally-binding guarantee that the damn thing is a plain-Jane, Red-Book-compatible, fully-rippable CD. And I'
Did ClamAV pick this up? (Score:2, Interesting)
Printer Friendly (Score:5, Informative)
3-Pages of Wired goodness
Reminds me of the good old days when computer viruses were spread around on 3 1/2 floppy disks. Nothing like a boot sector virus to spoil your day.
Links From The Article
Apparently there is a criminal investigation going on...
In Italy [computerworld.com]
Class action lawsuit [boingboing.net]
Apparently step 3 is that you have to "reside in either California or New York." Sadly, step 4 is not Profit!
How about the open source? (Score:3, Interesting)
double standards, no standards? (Score:5, Interesting)
can't we just boycot Sony? (Score:2)
Sony's DRM breaks (Score:4, Informative)
It does not work and cannot work when it warns the user, as the Rootkit DRM program has to ask for an administrator password before you install.
On a Macintosh running OS X.
A word from User Friendly... (Score:4, Funny)
Re:A word from User Friendly... (Score:4, Funny)
Sony's starting to do a lot of things badly.
No, the REAL story is... (Score:3, Insightful)
The REAL story is why aren't elected officials falling all over themselves to make what SONY did a criminal offense?
Security Alert (Score:5, Funny)
It compromises the security of your machine, leaving
it open to various attacks.
Due to legal restrictions imposed by the DMCA, the
infection can not be removed. It is recommended to
disconnect the computer from the internet and
reinstall the operating system.
Never in my wildest dreams (Score:5, Insightful)
Re:Never in my wildest dreams (Score:3, Insightful)
I somewhat agree with your post, but Microsoft desperately needs good PR, as well as the fact that they are pissed that everyone is going to Sony's Blu-ray. However it is Microsoft's idiotic autorun feature that installs this crap in the first place.
Yeah I know it can be disabled, but what nor
Lawsuits (Score:3, Insightful)
Heh, the dirt is piling up. (Score:5, Funny)
I won't be surprised when in a few days there will be an announcement how Sony's rootkit causes world hunger, rapes dogs, and hides one sock out of every pair every once in a while.
Damn you Sony !... Oooh, shiny PS3 !
Rampant Hypocrisy (Score:5, Informative)
It's interesting how some of the vendors are listing information about the rootkit, but seem uninterested in adding a signature, claiming that it's not really a virus (which is true) because it doesn't self-replicate. That's fine, I guess, because if they started detecting rootkits, they'd have a lot more work to do, but I think it's kind of shortsighted of them to think that people won't get angry that they paid for a $40/year subscription for a product that doesn't detect when their system gets totally rooted.
(I'm always tempted to spell it r00tk1t, but I'm trying to act more mature these days...)
How? (Score:4, Insightful)
Because it is not an audio CD. (Score:4, Informative)
Just because it's round, shiny and plays music does not make it a Red Book standard CD.
Re:How? (Score:3, Informative)
DOD Twist (Score:5, Interesting)
This line kills me. (Score:3, Interesting)
What I want to know is why the fuck shouldn't a corporation be held to the same rules the rest of us are? As the line above illustrates, people now assume that companies can abuse the law as they see fit and not get reprimanded.
While the rest of us (AKA not rich) get sued [newsfactor.com] into oblivion or prosecuted [hollywoodreporter.com] to the fullest for downloading a shitty CD that should only be $5.
Re:A thought experiment (Score:3, Funny)
Re:A thought experiment (Score:2)
Re:A thought experiment (Score:2, Interesting)
Re:Another bruce presswhore event (Score:3, Informative)
Aside from the value of getting publicity for security issues:
1999: Solitaire algorithm published. An output-feedback mode stream cipher which can be easily calculated using a pen, paper, and a deck of cards, allowing people without computers to use strong encryption in their communications. This system was featured in Neal Stephenson's Cryptonomicon.
2003: Helix algorithm published. A