Slashdot Mirror
Real Story of the Rogue Rootkit
BokLM writes "Wired has an interesting article from Bruce Schneier about what's happening with the Sony Rootkit, and criticizing the anti-virus companies for not protecting its users. From the article: 'Much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.'"
The AV companies are just gunshy of Sony's squad of legal attack ninjas. Not surprising given that this is grey area. I think the author makes a decent point (that the AV companies moved slowly), but the real failing here is the draconian legislation that made this a grey area in the first place. Hopefully these wee little gaps in consumer protection get plugged as a result of this.
I have to ask... If you were infected by this thing, then why not call law enforcement? You know it is malware of the worst kind and you know exactly who did it to you. Why not call the FBI or your Attorney General and file a criminal report? Couldn't you list Sony or the record store/online store you got it from as the source? I don't know. Seems like a good form of civil disobedience at the very least.
Isn't that what we're supposed to do?
Of course, all Slashdotters were not infected because we all boycott music companies anyway. Right?? Or did I miss a memo?
"If you want to improve, be content to be thought foolish and stupid." - Epictetus
No shit no one touched it..
They are Scared Shitless...
Until Now.
i'm still shocked that a "legitimate" company that's widely purchased from, and is a household name, would distribute software that anti-virus companies would consider to be malware. i'm still shocked that sony let this kind of thing slide, it's so obvious that they didn't even check to see what they were doing before they did it.
Yeah that has been my reaction. When I heard about it the first thing I began doing was searching for detection and removal software. I found nothing. I could not believe that Mcafee was not publishing a fix.
Insert Generic Sig Here:
It was very hard, even for Microsoft to figure out how to remove the damn thing without disabling the CD/DVD drive entirely. The first anti-virus patches that thought they fixed this was actually disabling peoples drives without knowing it. Microsoft had to work with Sony to figure out what the hell they had actually done. It really sucks.
They don't exist to make gigantic corporate enemies.
Like it or not, detecting and removing Sony's malware puts them at series risk for DMCA lawsuits and the like and is thus a bad business decision. Anyone who thinks they're in it to actually better their customers and not their bottom line is living in fantasy land.
Sony won't need to install a rootkit, because the Microsoft DRM will be designed specifically to help enforce things like Sony's EULA. Why should Sony bother with a rootkkit when the OS itself will impose the limits by design?
Because calling law enforcement would lead to a court case: YOU vs SONY. Guess who wins every time?
What are you talking about? Making a report to law enforcement is not going to get you into a civil suit. It will be the state vs. Sony in a criminal case should they pursue it. The trouble is getting them to do so. Try calling the FBI sometime. If it isn't easily demonstrable as several grand worth of damage they will just ignore you.
It's their "rootkit," our "DRM enforcement agent." The same sort of nonsense about their "terrorist," our "freedom fighter." that were promoted by the whitehouse in 80's.
ELOI, ELOI, LAMA SABACHTHANI!?
I think's things are not so simple. While this is a rootkit, "infected" systems don't display the normal symptoms: no (appreciable) slowdown, no annoying popups, no self-propagation or open ports. Moreover, the "phone home" behaviour is very limited. Since the average user didn't notice, there were no complaints. Do you expect the AV companies to buy and test music CDs for malware before this broke out (not in hindsight!). Since it took a Windows guru to figure out something was wrong, I'd expect these companies to take a few days. Several (including Microsoft, in fact) already classify it as malware and look for it.
A more serious problem for AV makers is that removing this rootkit is a very delicate business, so they can't offer a solution before they ensure it actually works. Also, since this stuff comes from music CDs people might listen to again, it's not clear what the right thing to do is. What happens if the (cluelss) user inserts the CD again? What is a (better informed) user wants to play the CD despite the rootkit?
The weak non-response by AV companies isn't the REAL story, either...
The REAL story is why aren't elected officials falling all over themselves to make what SONY did a criminal offense?
The biggest surprise for me was that Microsoft, who usually pisses me off, actually was the only company to step up to the plate in a meaningful way. I expected far, far better from the antivirus/spyware vendors. If you're going to tell me that you're going to protect my system, make me pay a subscription to keep my definitions current, and, on top of that, consume some of my system resources to do it, you'd damn well better step up to the plate when it comes to something as blatantly dangerous to my security as a rootkit.
What is a (better informed) user wants to play the CD despite the rootkit?
Rule #1: Disable Autorun.
If microsoft had disabled this action by default, it would have prevented this being a widespread problem in the firstplace.
AUdio CDs should be nothing more than data. A media player is installed on every single computer that can play audio CDs.
Sony should not have messed with that, and if MS had defaulted it then 1st$ wouldn't have exploited it.
liqbase
I suspect that the security companies don't fear lawsuits from spammers. On the other hand, one can easily imagine a company like Sony threatening lawsuits for having their DRM labelled a "virus" even if it damn-well is.
The cake is a pie
Methinks thee art confusing rootkits with spyware.
The last thing a rootkit author would want in a rootkit would be for it to be noticeable to the average user. Or even to the expert user. If symptoms are noticed, it isn't a good rootkit.
TFA points out that this has been out there for over a year, not just "a few days".
Just because the symptoms are barely noticeable does not make it acceptable.
Just because it comes from a CD does not make it acceptable, either.
If the "(cluelss) user" inserts the CD again, the AV software should do what it should have done the first time - issue a large warning and block the activity. If this had happened a year ago, there wouldn't be several hundred thousand machines with it installed today.
*Still* negative function...
I think's things are not so simple.
And then some...
While this is a rootkit, "infected" systems don't display the normal symptoms: no (appreciable) slowdown, no annoying popups, no self-propagation or open ports. Moreover, the "phone home" behaviour is very limited. Since the average user didn't notice, there were no complaints.
That's not the issue, really.
Do you expect the AV companies to buy and test music CDs for malware before this broke out (not in hindsight!). Since it took a Windows guru to figure out something was wrong, I'd expect these companies to take a few days. Several (including Microsoft, in fact) already classify it as malware and look for it.
It took somebody looking for evidence of rootkits on a well-maintained system that should have been rootkit free. I expect AV companies to do *that*, yes. You say "already" as if the rootkit had only been around for a few days. It's been around for many months, and the fact that we didn't know that before the guys at sysinternals noticed it is inexcusable.
Sony distributed software to millions of random people that installed half of itself silently, offered no option to not install, left machines vulnerable to infection by absolutely any wanna-be hacker that can spell "$sys$", has no uninstaller, leaves no indication that it *is* installed, makes the machines that it is installed on unstable if removed, and uses bandwidth and network connectivity without informing the owner of the computer.
If AV vendors can't protect against this type of threat, and cannot identify cloaked software when it has been distributed for a year, I don't exactly have a lot of faith in the security of any machines protected by their software (sadly, that seems to be every AV vendor). Maybe Mr. Russinovich could give a few paid talks at each of these companies about how to detect rootkits...
I'm off to go install SuSE on my desktop...cheers.
"Murphy was an optimist" - O'Toole's commentary on Murphy's Law
After seeing this story all week, I still can't get past the most basic question in my head: Why the hell is Windows executing software from an audio CD?
A Government Is a Body of People, Usually Notably Ungoverned
because all the music I download comes from DRM-free, regular MP3 files using bittorrent and the like. In other word, pirating music. What a strange circle this story has completed...the only way to know for sure what you are getting when you download DRM-free
And I can't afford to consider recommending them lightly.
I'm not claiming that they are a *part* of a criminal conspiracy. But they were aware of it and did NOTHING to alert their customers. I.e., they intentionally did not perform the service that they were being paid money to perform. That looks to me like malfeasance, but perhaps only government employees can commit malfeasance. IANAL.
It certainly looks like fraud. They claimed and received money to provide a service that they intentionally did not perform.
I think we've pushed this "anyone can grow up to be president" thing too far.
I'll say... so much for Symantec protecting your PC. Wow... this little rootkit debacle is really flushing out the nasty secrets, isn't it?
Anyone plan to interview Symantec's CEO about this? It'd be nice to see him put on the spot -- why are your customers paying you money when you are deliberately letting Sony install malware on your "protected PC" on the quiet? Let's hope this also wakes up the media to the fact that your DRM "rootkits" will come pre-installed with Mac OSX and Windows Vista in future.
I'll say... so much for Symantec protecting your PC.
Symantec might have been the only one mentioned by name in the CNET article but it seemed to indicate that the other AV companies were in the loop. This means that I am no longer comfortable recommending AV software solutions without providing some fairly in-depth warnings about this little episode.
LedgerSMB: Open source Accounting/ERP
Well.....
Microsoft only announced that they would remove it after Symantec et al made similar announcements.
This is not about the DMCA. It is about the fact that it was made in partnership with the AV companies. It is not about SONY either, but about the manufacturer (First4 Internet) working with these companies to ensure that they would not out the dirty little secret.
LedgerSMB: Open source Accounting/ERP
Quite, but Symantec happen to be the biggest. So I'd like to see the CEO answer a few questions:
What was the agreement between Symantec and Sony?
Were you paid money for it?
You didn't just take their word on what the "rootkit" did, surely? Did you do an investigation, or did Sony tell you what it did? Either way, you decided to overlook software that obviously made serious changes to a PC... not to mention "phoned home" like a piece of obnoxious spyware.
How many other companies do you have "agreements" with; who are they and what pieces of software do you "overlook"?
What's the going rate for fucking over your paying customers... you know, those people who paid money for your software to protect their PC from being undermined by malicious software installing itself?
No, MS has only claimed their spyware removal tool is going to remove the part that hides the crapware. It they decided to do what was right and got sue by Sony, they have hordes of their own lawyers. This is an unfortunate case where doing what is right is not what is legal, no thanks to the DMCA. If MS removed all of it and fixed the holes and got sued they should have some leverage considering Windows IS their product and they should be allowed to defend/fix it. If Sony tries using the DMCA card, they could try claiming the Sony DRM virus bypassed some Window encryption and Sony is in violation of the DMCA. Or claim Sony's abomination makes their product look like it has more bigger security holes than it really has, defimation of character if it were a person. Sony needs to be punished for this. Customers vote with their cash, if I bought Sony products, I'd stop, but I don't, so I don't plan on ever buying anything Sony.
F7 doesn't work, ignore spelling and grammar
Of course, since 1st4$ is located in the UK, the possibility exists that they may be UK 'major Record Labels' which are smaller than their North American equivalents.
I mean, it's not like Virgin has massive stores all over North America or anything...
Quidquid latine dictum sit, altum sonatur. . . . . . . .
You would have a point if Symantec didn't advertise the ability to remove trojans (which CDX certainly is) and adware (which MediaMax certainly is).
LedgerSMB: Open source Accounting/ERP
Don't put this on MS in any way. Autorun is a feature that the users want to see.
Just because a user want's a Program to intall automaticaly, doesn't mean they deserve a root kit install. It is not an exploit becasue auotrun works as designed.
I am not a MS apologist, but don't blame MS for this, it is SONYs doing, and SONY bears 100% of the blame.
If I thought a brick through your window, is it the home builders fault for putting windows in your home? Is it your fault because you use glass windows? No.
The Kruger Dunning explains most post on
You did notice from '95 to '98 nearly every CD enabled application would annoy you with the "it is recommended to enable Autorun by going to the Control Panel... etc. etc. etc" Oh wait? You didn't notice that? Probably because you didn't think to disable autorun 'til now so that you could take part in the brow-beating.
:)
You did notice that, from '98-'02, nearly every CD burning application on Windows began to annoy you with the "It is required for this application to function properly that you enable the Autorun feature of the CD drive by going to the Control Panel... etc. etc. etc." Oh? What's that? You didn't notice these error boxes? Probably because you didn't think to disable autorun until now so that you could take part in the brow-beating.
I, on the other hand (am an arrogant prick), and I did spend all of those years turning off Autorun until it just became impossible to use any CDROM enabled Windows software without it.
By the way, I like most of your posts. I've just been waiting for the last two weeks to slam someone on the "just disable autorun" issue and you happened to be the poster of the day.
fast as fast can be. you'll never catch me.
So the burning question in my mind is... Didn't any of the Symantec or Norton of McAfee firewalls pick up the unwanted network activity?
Oh wait... "XCP media player wishes to access the internet. Would you like to allow this action?"
Some effing firewall...
fast as fast can be. you'll never catch me.
"The rootkit was spyware that came along with something the user installed by choice, no different from weatherbug or any of that other silly BS."
Ok, so was it really installed by choice? I have no desire to spend my money on one of those disks and risk the security of my PC to test it. Is the user given a choice do hit "I don't agree" to an EULA and then return it to where they purchased it or does it take advantage of Windows autoplay to install without asking or informing the user first with a description of what it will do.
An EFF explanation of the ELUA said if you no longer own the physical disk you must delete any and all copies of anything on the disk. Shouldn't it be the same for the rootkit? If someone no longer owns the CD, maybe they returned it for the recall/exchange offer, shouldn't any software installed by it also have to be removed? It claims the ability to do this unpunished with a legalese shrinkwrap ELUA and shrinkwrap ELUAs have never stood up in court. If a paying customer returns or resells or trashes a protected Sony disk, the rootkit and DRM should go with the disk, of it doesn't easily go away then it's unwanted spyware and the legal owner of the computer should have the right to remove it, other than having to try their luck with Windows system restore or reformat or reinstall.
Sony screwed up and it looks like the customers are going to have to pay for their mistake with decreased performance, system crashes, having to deal with malware specifically created to take advantage of security holes created by the rootkit, including purchasing additional security software to prevent infection and the time and effort to remove them and repair the damage and/or the monetary costs if they don't have the time or know enough and have to hire someone to do it for them.
F7 doesn't work, ignore spelling and grammar
Your point is well observed and noted. I also agree. Leaving autorun off for all but the most introlerable applications had really, in the end, no effect. To which my response is:
If it's not necessary then why the hell did the software keep bringing up error boxes for all those years asserting that it was? Are you disputing the error boxes with the Autorun admonishments? It's called boiling a frog and social engineering. These companies knew that they were engineering the userbase to accept what would eventually be software automatically installed upon the insertion of a CDROM. Go ahead. Deny the facts. People always fsckin' do.
If ever tinfoil had a legitimate reason it's in this situation.
fast as fast can be. you'll never catch me.
The U.S. Attorney apparently does not think that it is "worthwhile" case and will not extradite him. See: http://www.bhopal.com/opinion.htm
I guess it's a different story when the shoe is on the other foot, then the US just kidnaps the suspect (from another country), exports them for torture and then puts them in prison for years and denies them the right to a fair trial etc.
It doesn't matter if it is Sony or Union Carbide, if it's a company it's OK in the USA.
I don't have one of these odious Sony CD's but I think you are missing the obvious. If the CD is playable in the hundreds of millions of standard CD players then it contains Red Book audio tracks. PC's don't need no stinkin' rootkit installed in order to play Red Book audio tracks. You have to install Sony's nasty software to break your computer to the point that it cannot play the standard audio. That would imply that successfully removing Sony's criminally illegal software from your computer should allow it to play that standard audio.
The continuing unfolding of this case is showing the extent to which laws about computer crime are cynically dishonest. The executives involved should be facing criminal trials and, if convicted, incarceration. Is anyone holding his breath waiting for that to happen?