Domain: f-secure.com
Stories and comments across the archive that link to f-secure.com.
Comments · 409
-
Re:Clue About How To Detect Whether You're Infecte
F-Secure has details about this too.
Using the REG utility from WinXP or the Win2K Resource Kit, it's not too hard to write a script to scan your PCs' registries for this key. Something like
REM computerlist.txt holds one hostname per line; hits are appended to scanlist.txt
for /f %%i in (computerlist.txt) do (
echo %%i >>scanlist.txt
reg query \\%%i\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s | find "ScanRegistry" >>scanlist.txt 2>&1
)
then look in scanlist.txt for any 'hits'. -
Re:Many Aliases and More Info
>> if I scan my hard drive tonight with AVG or McAfee or Norton, am I protected?
Possibly yes, but also possibly not. This virus will disable many common AV programs. My recommendation would be to use a specialized scanner such as the one from F-Secure: http://www.f-secure.com/v-descs/nyxem_e.shtml. I just used that one myself.
-
Re:Seems fair enough to me
As long as it disables their internet access too, I don't see the problem.
Unfortunately, that is the problem... it's not going to disable internet access, as that would impair its ability to propagate.
From F-Secure: The 'Nyxem.e' is a mass-mailing worm that also tries to spread using remote shares.
And from E-Security Planet: Worm-Nyxem-E propagates via email. It sends a copy of itself using its own Simple Mail Transfer Protocol (SMTP) server. Having its own SMTP server allows it to send email messages without relying on an email application like Microsoft Outlook.
-
Re:This is year 12 of me using Linux
>This is year 22 of me using a Microsoft OS... virus free.
>The most important component for virus protection is the one sitting between the chair and the keyboard. Everything else (including OS choice) is largely irrelevant.
You fell for Microsoft's viral marketing.
I'd like to mention that a virus checker is no protection if it doesn't recognise the virus. I was using some crappy virus software in 1999. My machine was infected with the WinCIH virus. It destroyed my BIOS and overwrote sections of my hard disk four days before my final paper was due. Fortunately, the paper was only 2500 words and I had a printed copy I could retype. I managed to retrieve the data a few months later, but I had to quickly buy a new motherboard to resurrect the machine. Nowadays I use a decent well-known virus checker and disable BIOS updates.
--
Avoid miner viruses by covering the shaft. -
It's a feature not a bug
Actually not just Gibson, but other security folks f-secure, call this a "feature". I mean c'mon, you should be thanking MSFT, this is a great 'hook'.
-
No.
From what I can tell, if you uninstall it, you lose the system protected recycle bin (designed to prevent you from deleting your pr0n, actually it provides a hidden place for viruses to hide). Therefore, you're safe.
If you are still paranoid, reinstall it and run the update patch with fixes it.
Or, check out BlackLight Rootkit Elimination Technology, which is supposed to eliminate (or at least detect) the rootkit. -
Re:Uninstall vulnerable?
For those of us who dislike reading TFA, we'd never find out about the free utility linked in TFA to check if the rootkit is there.
-
Re:2000, XP, 2003, but no 3.10, 3.11, 95, 98, or M
I never thought back then that memory leak could mean buffer overflow, which could mean security vulnerability.
In this case, it's not a buffer overflow bug. In fact, it's not even a bug, per se. It's a feature, or at least a really bad design flaw that no one has stumbled upon/abused up until now. See F-Secure's writeup.
-
Re:Reactive vs Proactive
Patch has been released.
Get it here http://www.microsoft.com/technet/security/Bulletin/ms06-001.mspx
According to the folks at F-Secure, it co-exists well with Ilfak's unofficial patch as well as the REGSVR32 workaround. Read their blog here. http://www.f-secure.com/weblog/archives/archive-012006.html#00000771 -
The issue was actually a feature...
According to this F-Secure Web log post, which tells what is going wrong with the Windows Metafile (WMF) vulnerability, it turns out this is not really a bug, it's just a bad design from another era. When Windows Metafiles were designed in the late 1980s, a feature was included that allowed the image files to contain actual code. This code would be executed via a callback in special situations. This was not a bug; this was something which was needed at the time. The feature now in the limelight is known as the Escape() function and especially the SetAbortProc subfunction, and has been around since Windows 3.0, shipped in 1990...
Seen on Digg. This Broadband Reports' security forum thread mentioned this as well.
Copied and pasted from my AQFL Web site. -
Steve Gibson didn't write it, he just commented...
The fix is from Ilfak Guilfanov.
To quote F-Secure (http://www.f-secure.com/weblog/archives/archive-122005.html#00000756):
"Now, we wouldn't normally blog about a security patch that is not coming from the original vendor. But Ilfak Guilfanov isn't just anybody. He's the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world.
More details from Ilfak's blog: http://www.hexblog.com./"
The guy is legit. -
It's not a DLL - it's Windows, and it's a feature
F-Secure has more on it: http://www.f-secure.com/weblog/#00000761
Windows Metafiles are a file representation of drawing commands. They are more flexible than bitmaps and get used quite a lot in things like for caching images of every OLE object embedded inside a MS word or powerpoint document. There just happens to be one operation to set a callback when a printing aborts which can be saved to a WMF file, which, when followed by something to abort the rendering, lets you jump to the nominated location.
This back door is built into windows from version 3.0 onwards. Any app that displays WMF images from untrusted sources (lotus notes, maybe msword, even google desktop search) is vulnerable. This is potentially code red for the desktop.
I have the patch on all my systems; the author works for IDA, the debugger tool, and is well respected. I don't care whether IT central will push it out or not; I think they ought to before the back to work/school event causes major worm attacks using it. It will be pretty embarrassing for Microsoft though - a third-party emergency fix for Windows, in the same year that Vista, "Windows Secured", is due to ship. -
Re:Programmers?
There is not an 'EXEC' segment type in the metadata specification itself, if you will.
In the internet age, it's hard to believe, but in fact, yes, there is. This isn't a buffer overflow exploit; this is actually the way metafiles were intended to work. AC makes the same point a bit more rudely. -
Re:Programmers?
BZZZT!!! Wrong answer! Thanks for playing though.
Read this to find out where you went wrong -
Re:SPI Aren't meant for this type of filtering...
How are you detecting the WMF files? I hope it's not just by file extension as it can also be exploited using
.jpg - http://www.f-secure.com/weblog/archives/archive-012006.html#00000759 -
Re:It's worse than that
I too work for a large PC retailer as a technician and I am seeing a massive increase in work due to this exploit too.
Again I'm seeing this slip past Norton, McAfee, AVG and Spysweeper. I'm not sure why the major AV vendors haven't got any definition in place to deal with this yet. It's causing me a large headache since at this time of year we're already at our busiest and the last thing I needed was dealing with this.
Another problem I've seen a large upsurge in customers with is a program called SpyAxe. It purports to rid your computer of spyware but it actually issues fake warnings about spyware infestations to con you into buying the full commercial version. My users are getting warnings in their task bar that look as though they are from Microsoft Security Center along the lines of "...you're infected, click here to download app to remove it blah blah...". The program is brought onto the PC by the trojan "Trojan-Downloader.Win32.Zlob". There is some info regarding this from F-Secure http://www.f-secure.com/sw-desc/spyaxe.shtml
This too slips right past Internet security packages such as Norton and McAfee. For the money people pay for AV protection the vendors really need to get their act together in my opinion. -
Re:Most importantly: THERE IS A FIX
Are The Internet Storm Center http://isc.sans.org/diary.php?rss&storyid=996 and F-Secure http://www.f-secure.com/weblog/archives/archive-122005.html#00000756 good enough for you? -
Re:How do I avoid it? Fixes?
See discussion list at
http://www.aota.net/forums/showthread.php?p=143053
also check out FSecure's blog:
http://www.f-secure.com/weblog/ -
temporary fixes
There is information available on temporary fixes from the following sites
http://isc.sans.org/diary.php?rss&storyid=996
http://www.f-secure.com/weblog/#00000760
http://www.grc.com/sn/notes-020.htm
Be aware the runnable patch is completely unofficial; the only action Microsoft suggests is unregistering a vulnerable DLL, which only mitigates the most common method of exploitation while not fixing the underlying problem.
NFI how long it will take Microsoft to have an official patch out, but from the SANS site, it doesn't look promising that it will appear soon. -
Re:Bad start to my day
Here is some information on the WMF threats.
-
Re:A link would be nice
http://www.f-secure.com/weblog/archives/archive-122005.html#00000754 --- Several sites listed there. I also found a site last night while searching for, of all things, internet tetris clones. Luckily FF prompted for download, but yeah... if you google for "tetris", it was one of the first 3 or 4 to come up (YMMV, result order may have changed by now.) -
Re:Nasty!
Good news: Google seem to have pulled that link, but
Bad news: the file offered for download is dsi_ckp5.exe which is not likely to run on your Mac.
The site is infested with the usual warez crop of pr0n & gambling camp followers. I went there using Safari on a Mac, and collected a cookie from fuck-access.com, and exhibitionist.ws, which will both be valid for 15 years ;-) I had my access counted by ads.clicksor.com, banner.paypopup.com, counter.yadro.ru, gfx.passwordbyphone.com, popunder.paypopup.com, t0.extreme-dm.com, and that's without any malware...
Of course fwiw crackz.ws is one of the anchor sites for this exploit as listed by F-Secure, and it's still up at the time of this posting :-( -
Re:Breaks thumbnails and Windows Picture Viewer
According to F-Secure's weblog they really didn't have to open the file; it was enough that Google Desktop Search indexed the file.
-
Re:Why blame porn sites?
Here are some details:
http://www.f-secure.com/sw-desc/spyaxe.shtml
Here is the very nice NZ company behind it:
http://www.spyaxe.com/
and for a quick infection just go here:
www.needupdate.com
or here:
http://www.dns404.net/
sigh... -
Watch out for Google Desktop
From F-secure's blog:
Do note that it's really easy to get burned by this exploit if you're analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer.
You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That's it, it was enough to download the file. So how on earth did it have a chance to execute?
The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.
-
Mod the parent down
Read the F-Secure blog.
Or read my previous comment.
F-Secure didn't simply crack the algorithm yesterday. -
Educate rather than give a false sense of security
There are going to be risks no matter what security products a bank provides to its customers. After a year and a half working as a malware analyst, I know well that a "Clean" virus scan will provide customers with nothing but a false sense of security. Sober, for instance, currently has 20+ known variants. You can bet there are plenty of malware variants in the wild that have no signatures. What the banks need to do is provide their customers with adequate computer security education and let the customer decide which products are best for them.
-
F-Secure Blacklight Beta Re:Sony
I don't see this program getting much mention in the press but F-Secure's BlackLight Beta scans for rootkits on Windows systems and I tested it on a friend's system which had the Sony rootkit on it and it listed all the files found re: Sony rootkit. It's still in beta, but it works.
-
Antivirus companies
From the Register: Both antivirus firm F-Secure and security information site SysInternals.com identified the copy protection scheme as a rootkit. F-Secure and other antivirus firms - including Symantec, the owner of SecurityFocus - have released signatures for their antivirus software suites to detect the presence of the Sony BMG code.
The F-Secure blog also tells about this. Then they give removal instructions. What more do you need?
-
XCP rootkit was originally discovered by AV firm F-Secure!
This is the text of an e-mail I, Tamas Feher from Hungary, antivirus support worker by profession, sent to Mark and Bruce yesterday to enlighten them about the factual falsity of their bold claims.
****************
Dear Mr. Mark Russinovich
I am totally outraged by your behaviour.
Ad 1., You were not the original in-the-wild discoverer of the Sony BMG XCP system-level copy protection mechanism. It was F-Secure Corp., the Finnish anti-virus vendor, whose proprietary Blacklight tool found it on a customer's PC on 30th September 2005. They have proof on the F-Secure weblog, read the write-up: http://www.f-secure.com/weblog/archives/archive-112005.html#00000694
Why do you celebrate yourself then?
Now even Bruce Schneier is singing the same false anti-AV tune of yours: http://wired.com/news/privacy/0,1848,69601,00.html?tw=wn_tophead_2
To the contrary: XCP was discovered by an anti-virus company, period.
Ad 2., You simply spat in the soup of others. F-Secure has been in quiet negotiations with Sony BMG for several weeks, trying to convince the giant behind closed curtains to revoke the XCP "rootkit" technology voluntarily, and Sony did that. The new rootkit-less software version appeared on Sony's website a mere two days after your irresponsible and uncoordinated disclosure. Don't dream for a minute that you did that; it is impossible to develop such new code in less than two days. Why do you celebrate yourself then?
Ad 3., It happened because it was in development for weeks as a result of F-Secure's quiet diplomacy, not because of your cowboy attitude. The vast majority of the world does not value vigilantism, unlike Americans who grew up in a gun-slinging culture. Unilateralism is not the solution, as has been shown in this case and by Dubya Bush Jr. Instead of being proud you should be ashamed, because your action caused tremendous harm to the IT security industry.
Security is about trust above all and your antagonizing stance demolishes trust. You literally incited hatred and encouraged hackers to create malicious code against XCP. Megacorporates will never trust IT security firms any more and this may demolish the current many-small-firms industry, leading to a monopoly situation, which they can afford to create, and then even you will be gagged! You dug a good part of the grave for our "ideally competitive IT security market".
Ad 4., Buggy software and resulting exploitable code is not a crime as of now, not even if provided by Sony-BMG. If you want that changed go to the Capitol and petition the government to that extent. Inciting hackers, however, to attack and trojanize buggy software and create electronic anarchy is cyberterrorism and not substantially different from a bus bombing. How are you different from Mullah Omar who preaches terror from a cave over the west's mistakes? Both belong to Gitmo.
Ad 5., The DMCA gives every right to Sony to protect its property of art. They support fair use as defined by the law. An audio CD disc is listened to in a discman, a hi-fi deck or a car stereo system, none of which are affected by the XCP software at all. When you put it in the optical drive of a computer you admit you want to copy it, because that is the only explanation for not putting it in a deck or a portable CD player.
I have no sympathy for bootleggers. A good part of the money media giants earn is flowing into the tax purse of the gov't and much of that supports defence. Every single song fetched from P2P steals a cartridge from the magazine of an M16 rifle as worn by an American GI. When Private Johnny runs out of ammo and the fanatics cut him down, who will protect you and your family from the wrath of is -
Re:Bah...
Do you expect the AV companies to buy and test music CDs for malware before this broke out (not in hindsight!).
According to F-Secure's blog, they had received tips that Sony CDs might contain a rootkit at least a month before Mark broke the story.
"We didn't go public with the info right away as we were worried with the implications (especially with the info on how virus writers can use this to hide files which have names starting with "$sys$"). So we were in the middle of discussions with Sony BMG and First 4 Internet when Mark broke the news on Monday." -
The Virus Doesn't Currently Work
When I read about this first thing this morning I fired off an email to SANS http://www.isc.sans.org/ and got a reply quite quickly.
According to F-Secure http://www.f-secure.com/weblog the Trojan doesn't currently work, and in fact rebooting rids the computer of the infection.
We have just analyzed the first malware (Breplibot.b) that is trying to hide on machines that have Sony DRM software installed. Luckily, the bot has a design flaw. If the Sony DRM rootkit is active (hiding) in the system during infection, the bot will not run at all. Moreover, the bot cannot survive a reboot because of a programming error. In any case, this is a very good example of why software should not use rootkit hiding techniques. -
ALCEI claims rootkit is a virus
As linked through other Slashdot posts, the ALCEI (the Italian Electronic Frontiers organization) http://www.alcei.org/index.php/archives/105, has a different tactic. They refer to F-Secure http://www.f-secure.com/v-descs/xcp_drm.shtml in order to sue Sony for propagating a virus named "XCP DRM Software".
This opens another plan of attack which I think will have more chance of succeeding (at least for public mind-share. I can't judge the legal value of the argument).
-
Re:Interesting Questions About The Sony Service Pa
This isn't to say that their DRM code isn't destructive crapware. You appear to have simply confused the names of the different evil components.
Well, the grandparent poster confused them and I should have been more careful in my reply. Also, some reports appear to be contradictory about whether or not the rootkit part is disabled or completely removed. On the F-Secure weblog, they write that the hiding part of the rootkit (the aries.sys) is removed by the update. I suppose that I should believe them, but the information available from various sources is a bit confusing and I do not want to cripple my own system by installing that rootkit+DRM and checking what is left after I run the "service pack". I hope that this whole mess will be clearer in a couple of days and that some reliable information will be available from other places than just some blogs and their comments.
Anyway, the grandparent was hoping that the software that cripples your system (the daemon that checks what programs are running and modifies your CD driver) would be removed after the update. This is clearly not the case. It appears that the programs that consume resources and may break your system if you attempt to uninstall them are part of the DRM system, not part of the additional rootkit.
-
Fix for the problem
Posted by: Dickrichard | Nov 1, 2005 11:03:07 PM
I'm posting this via a proxy just in case Sony doesn't like what I post...
After reading this news story I decided to go after this software and defeat it, and I did.
The following is how you kill this hidden install. I did this in Windows XP Pro, so attempt on another OS at your discretion. This will require Administrator rights. Please read through the entire instruction set, and if you don't feel comfortable attempting this, then don't. The rest of you, follow me ;)
1. hit windowsKey+R to open the RUN command. Type services.msc to run the services dialog. Find 'Plug and Play Device Manager' in the list, right click and choose Properties. Under the General tab of the box that comes up, in the middle there should be the "startup type" of the service. Set this value to "disabled" and click OK. Next find the service named 'XCP CD Proxy' and set its startup type to disabled as well. You won't be able to stop these services, only disable them from starting next time Windows starts.
2. Download and run the latest Blacklight beta from http://www.f-secure.com/blacklight/ This program will find the 'super hidden' CD proxy files we're trying to get rid of. When it finishes searching click next until you reach the screen that shows you all the hidden files it found. Select all these files and click the "rename" button to the right. Windows will restart once you click OK, and the files will be renamed.
3. Once Windows restarts you will have lost any and all CD/DVD drives. DON'T PANIC! Hit windowsKey+Pause/Break to open up your System dialog. Click on the Hardware tab, then on the "Device Manager" button. Your system will not list any CD/DVD drives, but you should see IDE slot(s) that have little yellow circles with exclamation points over them indicating a device with a problem. In order to restore the drivers to their un-sony-altered state you must right click on the affected device and choose "uninstall driver". Do this for each device with a problem.
4. Now that you have uninstalled the affected drivers, simply navigate to your Control Panel via the Start Menu and choose "Add Hardware". The add hardware wizard will run and find your previously disabled devices. Your drives are now restored and functional, and this potentially dangerous menace vanquished.
5. Advanced users may now go and clean up the mess, but this step is not necessary. Delete renamed files, and dare I say it, registry keys that pertain to Sony's program. Use this list for reference: http://www.europe.f-secure.com/v-descs/xcp_drm.shtml but nothing really beats searching.
As an added note, once I got my drives back up and running, I popped in the CD that put this program on my computer. I was able to use a multi-session aware program (Roxio) to access the audio portion of the disk and rip MP3s to my hard drive where they will now be listened to in my preferred player the way God intended it to be. Oh, and the only illegal thing that went on here was what Sony did!
CONSUMER 1 - SONY 0
P.S. Once you rip MP3s from your Sony disc, burn it the old fashioned way, with gasoline and a match! -
Re:Sue
It is not stated in the EULA that this rootkit will be installed, plus there's no way to uninstall it through add.remove programs.
You can contact Sony directly and they will send you tools to remove the DRM software.
The F-Secure blog talks a little about this. It appears their removal software installs ActiveX controls.. just really messed up. -
Re:Sue
So is it or isn't it enough for a lawsuit? Anyone know of any developments in this area?
A lawsuit on what grounds? That you agreed to something and then they installed their software based on your agreement? I have a feeling that the "oh, no one reads those things" isn't really going to work all that well against Sony's legal team.
Here is a link to F-Secure's "detailed" writeup about what the DRM installer puts on your machine.
Don't buy DRM'd CDs as they don't allow you to exercise fair-use. Sadly, most people don't care anymore. -
Re:My question:
You can find more info about the rootkit from F-Secure's page: http://www.europe.f-secure.com/v-descs/xcp_drm.shtml and a link to Sony to ask for tools to remove their DRM: http://cp.sonybmg.com/xcp/english/form8.html
--
Remove one sig. -
Re:Alternative OS users
F-secure's BlackLight detects it, although they advise against using the removal tools to get rid of it - it might disable the access to that drive letter. http://www.f-secure.com/weblog/
-
F-secure's page about the rootkit
F-secure's page about the XCP DRM Software: http://europe.f-secure.com/v-descs/xcp_drm.shtml
-
Re:It works both ways, but it's worse for MS
Here's your problem with that.
Let's just say that such a tool compares kernel modules and key system files to a list of approved modules' checksums. A rootkit could easily modify the list with its own checksum, so if this was a totally automated process, it wouldn't work.
The other options include having the user sign/validate the checksum list, but that will increase the complexity of the process to the point that most OSes/distributions will not include such a tool. If the signature is performed by a key that is managed by the OS directly, once again, the root kit could automate this process as well.
On another note, the Windows Security model allows for different rights levels: guest, user, power user, admin, AND System. Administrators can elevate to system (there are tools with the appropriate API calls for this ... try psexec from SysInternals). And system is the rights context that is required for access to things like SAM password stores in the registry, etc. Administrators cannot just "navigate" or "browse" to these critical points with the standard toolsets.
I like the idea of using hardware to force read-only critical sections for high security systems, and for items like what F-Secure can offer for normal-security systems. -
Re:Exploit
Your argument is the same for Cabir.
Does this sound familiar?:
Cabir replicates over Bluetooth connections and arrives in the phone's messaging inbox as a caribe.sis file that contains the worm. When the user clicks caribe.sis and chooses to install it, the worm activates and starts looking for new devices to infect over Bluetooth.
To get cabir you need
1. Have Bluetooth switched on
2. Have an active connection
3. Accept this file
4. Press OK to install -
Re:Oh, the good old days.
Melissa was not "the good old days". I remember the first virus I got on my old 386. Monkey.B. http://www.f-secure.com/v-descs/monkey.shtml
-
Re:finnish?
*nods* On the other hand, I just visited http://www.f-prot.com/ and http://www.f-secure.com/ and they mention that the companies were founded in 1993 and 1988, respectively - so that would suggest that they're not the same. But then, the F-Secure website *does* mention F-Prot, talking about "F-Secure Anti-Virus for DOS (F-Prot)". Could it be that they were different companies initially that merged at a later point? I seem to recall that F-Secure was formerly Datafellows, too...
-
Re:What?
No, it's the other way around - Zotob is cleaned by some other worms.
F-Secure has a hi-tech diagram how it works here. -
Re:Just in ... Slashdot community arrogant, cluele
It may be bigger in some networks, and not so big in others. I think it just depends how militant your organization is on pushing patches out. We're very militant in that aspect, and it seems that policy has saved our asses from Zotob. Some of the writeups on Zotob indicate that if you're running Win XP SP2, you're pretty much immune already. I'd say about 95% of our boxes here are XP SP2, 4% Win 2K, and 1% the odd random professor with an unpatched XP SP1 notebook (that eventually I'll have to hunt down and update).
http://www.f-secure.com/v-descs/zotob_a.shtml