Slashdot Mirror


Real Story of the Rogue Rootkit

BokLM writes "Wired has an interesting article from Bruce Schneier about what's happening with the Sony Rootkit, and criticizing the anti-virus companies for not protecting its users. From the article: 'Much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.'"

12 of 427 comments

  1. Mirror by Anonymous Coward · · Score: 3, Informative

    Wired's webserver was borked before this even hit the front page. A functional mirror for everyone's perusal.

  2. The brick advertisement by 72beetle · · Score: 4, Informative

    Imagine this: a brick comes sailing through your window, smashing glass everywhere. You pick it up and wrapped around the brick is a flyer for a glass replacement company.

    This is how I've viewed the major AV companies for quite some time. Sure, there are non-affiliated virus threats out there, but they perpetuate their own business as well.

    I didn't think that my opinion of McAfee and Norton could sink any lower... but I was wrong.

    --
    -Those who dance are considered insane by those who can't hear the music.
  3. Printer Friendly by TubeSteak · · Score: 4, Informative
    http://www.wired.com/news/print/0,1294,69601,00.html
    3-Pages of Wired goodness
    this isn't one of those lightning-fast internet worms; this one has been spreading since mid-2004. Because it spread through infected CDs, not through internet connections, they didn't notice?

    Reminds me of the good old days when computer viruses were spread around on 3 1/2 floppy disks. Nothing like a boot sector virus to spoil your day.

    Links From The Article
    Apparently there is a criminal investigation going on...
    In Italy
    On Friday, the Milan-based (Association for Freedom in Electronic Interactive Communications - Electronic Frontiers Italy) filed a complaint about Sony's software with the head of Italy's cybercrime investigation unit...

    The complaint alleges that XCP violates a number of Italy's computer security laws by causing damage to users' systems and by acting in the same way as malicious software, according to Andrea Monti, chairman of the ALCEI-EFI. "What Sony did qualifies as a criminal offense under Italian law,"

    Class action lawsuit
    Apparently step 3 is that you have to "reside in either California or New York." Sadly, step 4 is not Profit!

    --
    [Fuck Beta]
    o0t!
  4. Sony's DRM breaks by mhollis · · Score: 3, Informative

    It does not work and cannot work when it warns the user, as the Rootkit DRM program has to ask for an administrator password before you install.

    On a Macintosh running OS X.

    --
    Gods don't kill people, people with gods kill people.
  5. Re:Fear? by ParadoxDruid · · Score: 3, Informative

    In regard to your question:

    Define a custom page stylesheet (userChrome stuff in Mozilla), with

    a {
        color: black;
        text-decoration: none;
    }

    Then, you can go to View -> PageStyle and switch between the original page style and your new style.

    --
    This statement is solely an opinion. Kindly take it as such in all cases.
  6. Rampant Hypocrisy by dragonfly_blue · · Score: 4, Informative
    I think this just highlights the hypocritical nature of the antivirus vendors; by measuring the time between the Mark Russinovich post unveiling the rootkit on October 31, and the subsequent addition of the rootkit's signature to the various antivirus vendors' products, you can draw some fairly interesting conclusions about the relationships between antivirus companies, consumers, virus/malware authors, and software companies (or in Sony's case, companies offering products that happen to contain additional software).

    • F-Secure - Nov 1st, 2005
    • Symantec - November 8, 2005: Renamed to SecurityRisk.First4DRM from SecurityRisk.Aries November 11, 2005: Added link to removal tool.
    • Computer Associates - listed, unknown date.
    • Kaspersky - Nov 2, 2005

    It's interesting how some of the vendors are listing information about the rootkit, but seem uninterested in adding a signature, claiming that it's not really a virus (which is true) because it doesn't self-replicate. That's fine, I guess, because if they started detecting rootkits, they'd have a lot more work to do, but I think it's kind of shortsighted of them to think that people won't get angry that they paid for a $40/year subscription for a product that doesn't detect when their system gets totally rooted.

    (I'm always tempted to spell it r00tk1t, but I'm trying to act more mature these days...)

    --
    Free music from Jack Merlot.
  7. It's a shame what big companies can get away with. by djdavetrouble · · Score: 5, Informative

    one word:
    Bhopal
    .

    --
    music lover since 1969
  8. Because it is not an audio CD. by geekoid · · Score: 3, Informative

    No CD sticker on those cases. It is an application that plays music.

    Just because it's round, shiny and plays music does not make it a Red Book standard, i.e. CD.

    --
    The Dunning-Kruger effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  9. Re:It's a shame what big companies can get away wi by vivek7006 · · Score: 4, Informative

    Mod parent up.

    He is referring to the bhopal gas tragedy of 1984, http://en.wikipedia.org/wiki/Bhopal_gas_tragedy/ where thousands of people were killed and Union Carbide pretty much got away with it. The CEO Warren Anderson is a fugitive and is on the wanted list of CBI India.

  10. Re:Bah... by LarsG · · Score: 3, Informative

    Do you expect the AV companies to have bought and tested music CDs for malware before this broke out (not in hindsight!)?

    According to F-Secure's blog, they had received tips that Sony CDs might contain a rootkit at least a month before Mark broke the story.

    "We didn't go public with the info right away as we were worried with the implications (especially with the info on how virus writers can use this to hide files which have names starting with "$sys$"). So we were in the middle of discussions with Sony BMG and First 4 Internet when Mark broke the news on Monday."

    --
    If J.K.R wrote Windows: Puteulanus fenestra mortalis!
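The F-Secure quote above mentions the one concrete detail in this thread that a detection engineer can act on: the cloaking driver hides any file whose name starts with "$sys$". The following is an added example, not code from the thread, from Sony BMG or from First 4 Internet. It shows the two checks a practitioner would run: a straight prefix scan for "$sys$" names, and a cross-view diff that compares a directory listing obtained through the (possibly hooked) high-level API against a listing obtained another way, which is how cloaked entries reveal themselves regardless of their name. The sample listing and the "cloaked API" stand-in are constructed for the demo; case-insensitive matching of the prefix is an assumption, not a documented property of the driver.

```python
# Added example (not from the Slashdot thread or from the rootkit's vendors):
# detecting files cloaked by a "$sys$" prefix filter, with a cross-view check.

# The prefix the quoted F-Secure post says the rootkit hides.
CLOAK_PREFIX = "$sys$"


def is_cloaked_name(name: str) -> bool:
    """True if a "$sys$"-style filter would hide this entry.

    Case-insensitive matching is an assumption made for this example;
    Windows file names are case-insensitive, but the driver's own
    comparison rule is not documented on this page.
    """
    return name.lower().startswith(CLOAK_PREFIX)


def cloaked_names(listing: list[str]) -> list[str]:
    """Names in a listing that match the cloaking prefix, sorted."""
    return sorted(n for n in listing if is_cloaked_name(n))


def simulated_cloaked_api_listing(raw_listing: list[str]) -> list[str]:
    """Constructed stand-in for a directory API hooked by the rootkit.

    On an infected host you would get this from the normal user-mode
    API; here it is simulated by dropping the "$sys$" entries.
    """
    return [n for n in raw_listing if not is_cloaked_name(n)]


def cross_view_diff(api_listing: list[str], raw_listing: list[str]) -> list[str]:
    """Entries present in the raw (lower-level) view but absent from the API view.

    This is the name-agnostic check: anything a hook filters out of the
    high-level view shows up here, whatever prefix it uses.
    """
    return sorted(set(raw_listing) - set(api_listing))


def scan(raw_listing: list[str], api_listing: list[str]) -> dict[str, list[str]]:
    """Run both checks and return the findings."""
    return {
        "prefix_hits": cloaked_names(raw_listing),
        "cross_view_hidden": cross_view_diff(api_listing, raw_listing),
    }


# Constructed sample directory listing; the file names are invented for
# the demo and are not the real XCP component names.
RAW_LISTING = [
    "player.exe",
    "readme.txt",
    "$sys$hidden.dat",
    "$SYS$svc.exe",
    "license.rtf",
]


if __name__ == "__main__":
    api_view = simulated_cloaked_api_listing(RAW_LISTING)
    findings = scan(RAW_LISTING, api_view)
    print("API view:        ", api_view)
    print("Prefix hits:     ", findings["prefix_hits"])
    print("Cross-view hidden:", findings["cross_view_hidden"])
```

The prefix scan is only as good as the prefix you know about; the cross-view diff is the check that still works when a later variant changes the string, which is why rootkit scanners compare views rather than grep for names.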
  11. Re:Actually by lgw · · Score: 4, Informative

    The Sony rootkit was *not* a virus, so expecting AV software to do something about it isn't appropriate. The rootkit was spyware that came along with something the user installed by choice, no different from WeatherBug or any of that other silly BS. That makes it a bit touchy deciding to remove it, just like removing some other BS that a user is sure they need. Most of these companies moved to remove the cloaking aspect as soon as it was known, closing the security hole, but (legally) removing the underlying software would remove the ability to play the Sony CD. You don't just go around uninstalling programs that users think they need (no matter how silly).

    I suspect that for 99% of non-geek users, the ability to play the Sony CD was much more important than removing "some rootkit, whatever that is". And you probably can't remove the software and leave the ability to play the CD without violating the DMCA, so what are you going to do?

    --
    Socialism: a lie told by totalitarians and believed by fools.
  12. Re:It's a shame what big companies can get away wi by argel · · Score: 4, Informative

    Correct URL: http://en.wikipedia.org/wiki/Bhopal_gas_tragedy (no trailing slash).

    --

    -- Argel