Slashdot Mirror
Real Story of the Rogue Rootkit
BokLM writes "Wired has an interesting article from Bruce Schneier about what's happening with the Sony Rootkit, and criticizing the anti-virus companies for not protecting its users. From the article: 'Much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.'"
The AV companies are just gunshy of Sony's squad of legal attack ninjas. Not surprising given that this is grey area. I think the author makes a decent point (that the AV companies moved slowly), but the real failing here is the draconian legislation that made this a grey area in the first place. Hopefully these wee little gaps in consumer protection get plugged as a result of this.
I have to ask... If you were infected by this thing, then why not call law enforcement? You know it is malware of the worst kind and you know exactly who did it to you. Why not call the FBI or your Attorney General and file a criminal report? Couldn't you list Sony or the record store/online store you got it from as the source? I don't know. Seems like a good form of civil disobedience at the very least.
Isn't that what we're supposed to do?
Of course, all Slashdotters were not infected because we all boycott music companies anyway. Right?? Or did I miss a memo?
"If you want to improve, be content to be thought foolish and stupid." - Epictetus
No shit no one touched it..
They are Scared Shitless...
Until Now.
i'm still shocked that a "legitimate" company that's widely purchased from, and is a household name, would distribute software that anti-virus companies would consider to be malware. i'm still shocked that sony let this kind of thing slide, it's so obvious that they didn't even check to see what they were doing before they did it.
It was very hard, even for Microsoft to figure out how to remove the damn thing without disabling the CD/DVD drive entirely. The first anti-virus patches that thought they fixed this was actually disabling peoples drives without knowing it. Microsoft had to work with Sony to figure out what the hell they had actually done. It really sucks.
They don't exist to make gigantic corporate enemies.
Like it or not, detecting and removing Sony's malware puts them at series risk for DMCA lawsuits and the like and is thus a bad business decision. Anyone who thinks they're in it to actually better their customers and not their bottom line is living in fantasy land.
Sony won't need to install a rootkit, because the Microsoft DRM will be designed specifically to help enforce things like Sony's EULA. Why should Sony bother with a rootkkit when the OS itself will impose the limits by design?
Because calling law enforcement would lead to a court case: YOU vs SONY. Guess who wins every time?
What are you talking about? Making a report to law enforcement is not going to get you into a civil suit. It will be the state vs. Sony in a criminal case should they pursue it. The trouble is getting them to do so. Try calling the FBI sometime. If it isn't easily demonstrable as several grand worth of damage they will just ignore you.
It's their "rootkit," our "DRM enforcement agent." The same sort of nonsense about their "terrorist," our "freedom fighter." that were promoted by the whitehouse in 80's.
ELOI, ELOI, LAMA SABACHTHANI!?
The biggest surprise for me was that Microsoft, who usually pisses me off, actually was the only company to step up to the plate in a meaningful way. I expected far, far better from the antivirus/spyware vendors. If you're going to tell me that you're going to protect my system, make me pay a subscription to keep my definitions current, and, on top of that, consume some of my system resources to do it, you'd damn well better step up to the plate when it comes to something as blatantly dangerous to my security as a rootkit.
What is a (better informed) user wants to play the CD despite the rootkit?
Rule #1: Disable Autorun.
If microsoft had disabled this action by default, it would have prevented this being a widespread problem in the firstplace.
AUdio CDs should be nothing more than data. A media player is installed on every single computer that can play audio CDs.
Sony should not have messed with that, and if MS had defaulted it then 1st$ wouldn't have exploited it.
liqbase
Methinks thee art confusing rootkits with spyware.
The last thing a rootkit author would want in a rootkit would be for it to be noticeable to the average user. Or even to the expert user. If symptoms are noticed, it isn't a good rootkit.
TFA points out that this has been out there for over a year, not just "a few days".
Just because the symptoms are barely noticeable does not make it acceptable.
Just because it comes from a CD does not make it acceptable, either.
If the "(cluelss) user" inserts the CD again, the AV software should do what it should have done the first time - issue a large warning and block the activity. If this had happened a year ago, there wouldn't be several hundred thousand machines with it installed today.
*Still* negative function...
I think's things are not so simple.
And then some...
While this is a rootkit, "infected" systems don't display the normal symptoms: no (appreciable) slowdown, no annoying popups, no self-propagation or open ports. Moreover, the "phone home" behaviour is very limited. Since the average user didn't notice, there were no complaints.
That's not the issue, really.
Do you expect the AV companies to buy and test music CDs for malware before this broke out (not in hindsight!). Since it took a Windows guru to figure out something was wrong, I'd expect these companies to take a few days. Several (including Microsoft, in fact) already classify it as malware and look for it.
It took somebody looking for evidence of rootkits on a well-maintained system that should have been rootkit free. I expect AV companies to do *that*, yes. You say "already" as if the rootkit had only been around for a few days. It's been around for many months, and the fact that we didn't know that before the guys at sysinternals noticed it is inexcusable.
Sony distributed software to millions of random people that installed half of itself silently, offered no option to not install, left machines vulnerable to infection by absolutely any wanna-be hacker that can spell "$sys$", has no uninstaller, leaves no indication that it *is* installed, makes the machines that it is installed on unstable if removed, and uses bandwidth and network connectivity without informing the owner of the computer.
If AV vendors can't protect against this type of threat, and cannot identify cloaked software when it has been distributed for a year, I don't exactly have a lot of faith in the security of any machines protected by their software (sadly, that seems to be every AV vendor). Maybe Mr. Russinovich could give a few paid talks at each of these companies about how to detect rootkits...
I'm off to go install SuSE on my desktop...cheers.
"Murphy was an optimist" - O'Toole's commentary on Murphy's Law
After seeing this story all week, I still can't get past the most basic question in my head: Why the hell is Windows executing software from an audio CD?
A Government Is a Body of People, Usually Notably Ungoverned
I'll say... so much for Symantec protecting your PC.
Symantec might have been the only one mentioned by name in the CNET article but it seemed to indicate that the other AV companies were in the loop. This means that I am no longer comfortable recommending AV software solutions without providing some fairly in-depth warnings about this little episode.
LedgerSMB: Open source Accounting/ERP
You would have a point if Symantec didn't advertise the ability to remove trojans (which CDX certainly is) and adware (which MediaMax certainly is).
LedgerSMB: Open source Accounting/ERP
Don't put this on MS in any way. Autorun is a feature that the users want to see.
Just because a user want's a Program to intall automaticaly, doesn't mean they deserve a root kit install. It is not an exploit becasue auotrun works as designed.
I am not a MS apologist, but don't blame MS for this, it is SONYs doing, and SONY bears 100% of the blame.
If I thought a brick through your window, is it the home builders fault for putting windows in your home? Is it your fault because you use glass windows? No.
The Kruger Dunning explains most post on
You did notice from '95 to '98 nearly every CD enabled application would annoy you with the "it is recommended to enable Autorun by going to the Control Panel... etc. etc. etc" Oh wait? You didn't notice that? Probably because you didn't think to disable autorun 'til now so that you could take part in the brow-beating.
:)
You did notice that, from '98-'02, nearly every CD burning application on Windows began to annoy you with the "It is required for this application to function properly that you enable the Autorun feature of the CD drive by going to the Control Panel... etc. etc. etc." Oh? What's that? You didn't notice these error boxes? Probably because you didn't think to disable autorun until now so that you could take part in the brow-beating.
I, on the other hand (am an arrogant prick), and I did spend all of those years turning off Autorun until it just became impossible to use any CDROM enabled Windows software without it.
By the way, I like most of your posts. I've just been waiting for the last two weeks to slam someone on the "just disable autorun" issue and you happened to be the poster of the day.
fast as fast can be. you'll never catch me.
So the burning question in my mind is... Didn't any of the Symantec or Norton of McAfee firewalls pick up the unwanted network activity?
Oh wait... "XCP media player wishes to access the internet. Would you like to allow this action?"
Some effing firewall...
fast as fast can be. you'll never catch me.
"The rootkit was spyware that came along with something the user installed by choice, no different from weatherbug or any of that other silly BS."
Ok, so was it really installed by choice? I have no desire to spend my money on one of those disks and risk the security of my PC to test it. Is the user given a choice do hit "I don't agree" to an EULA and then return it to where they purchased it or does it take advantage of Windows autoplay to install without asking or informing the user first with a description of what it will do.
An EFF explanation of the ELUA said if you no longer own the physical disk you must delete any and all copies of anything on the disk. Shouldn't it be the same for the rootkit? If someone no longer owns the CD, maybe they returned it for the recall/exchange offer, shouldn't any software installed by it also have to be removed? It claims the ability to do this unpunished with a legalese shrinkwrap ELUA and shrinkwrap ELUAs have never stood up in court. If a paying customer returns or resells or trashes a protected Sony disk, the rootkit and DRM should go with the disk, of it doesn't easily go away then it's unwanted spyware and the legal owner of the computer should have the right to remove it, other than having to try their luck with Windows system restore or reformat or reinstall.
Sony screwed up and it looks like the customers are going to have to pay for their mistake with decreased performance, system crashes, having to deal with malware specifically created to take advantage of security holes created by the rootkit, including purchasing additional security software to prevent infection and the time and effort to remove them and repair the damage and/or the monetary costs if they don't have the time or know enough and have to hire someone to do it for them.
F7 doesn't work, ignore spelling and grammar