Real Story of the Rogue Rootkit

BokLM writes "Wired has an interesting article from Bruce Schneier about what's happening with the Sony Rootkit, and criticizing the anti-virus companies for not protecting its users. From the article: 'Much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.'"

Clearly

[Trails]

The AV companies are just gunshy of Sony's squad of legal attack ninjas. Not surprising given that this is grey area. I think the author makes a decent point (that the AV companies moved slowly), but the real failing here is the draconian legislation that made this a grey area in the first place. Hopefully these wee little gaps in consumer protection get plugged as a result of this.

Re:Clearly

[jcr]

Not surprising given that this is grey area.

Nope.

This is not a grey area, this is a crime, and it is also a civil tort. Sony will learn this at great expense over the next couple of years in litigation.

-jcr

Re:Clearly

[jcr]

It's a gray area because Sony claims it is DRM, which is illegal to remove.

Sony has damaged other people's property. I can chase a burglar, but if he hides in your house I'm not entitled to burn it down.

-jcr

Who Else Can We Blame

[moehoward]

I have to ask... If you were infected by this thing, then why not call law enforcement? You know it is malware of the worst kind and you know exactly who did it to you. Why not call the FBI or your Attorney General and file a criminal report? Couldn't you list Sony or the record store/online store you got it from as the source? I don't know. Seems like a good form of civil disobedience at the very least.

Isn't that what we're supposed to do?

Of course, all Slashdotters were not infected because we all boycott music companies anyway. Right?? Or did I miss a memo?

DMCA

[PacketScan]

No shit no one touched it..

They are Scared Shitless...

Until Now.

Re:DMCA

[Mundocani]

The article makes a big issue of painting this to be big corporations supporting big corporations, but I suspect you're right and that it's actually because of the DMCA. The anti-virus companies removed the cloaking code, nothing too risky about that as far as the DMCA goes. Removing the rest of the code however isn't nearly so clear cut. Personally, I'd love to see the DMCA gutted, but until it is this sort of issue is going to be there. When is it ok to remove a piece of software which is a combination of copyright protection AND spyware? Seems like a very fuzzy area in the DMCA indeed given that an anti-virus company can't exactly pick apart the software to leave the protection features in place while knocking out the spyware.

This issue isn't about big companies supporting big companies, it's about companies not knowing where the legal line is on what they can remove from your computer without being slapped with a DMCA lawsuit.

Thats because this virus was nasty as hell.

[Viewsonic]

It was very hard, even for Microsoft to figure out how to remove the damn thing without disabling the CD/DVD drive entirely. The first anti-virus patches that thought they fixed this was actually disabling peoples drives without knowing it. Microsoft had to work with Sony to figure out what the hell they had actually done. It really sucks.

Uh, antivirus companies are out to make money.

[Spazntwich]

They don't exist to make gigantic corporate enemies.

Like it or not, detecting and removing Sony's malware puts them at series risk for DMCA lawsuits and the like and is thus a bad business decision. Anyone who thinks they're in it to actually better their customers and not their bottom line is living in fantasy land.

Built-in DRM

[dereference]

That's a great point, although I suspect the reality will be even more bleak.

Sony won't need to install a rootkit, because the Microsoft DRM will be designed specifically to help enforce things like Sony's EULA. Why should Sony bother with a rootkkit when the OS itself will impose the limits by design?

Re:Built-in DRM

[interiot]

The rootkit wasn't necessarily the worst part of the problem though...

One issue was lack of disclosure. Parts of the program were uninstallable, staying in the background, constantly eating a little CPU. The program "phoned home", and neither the EULA or any normal documentation let the user know that would happen.

The other problem was stability. Because the program was meant to filter the audio CD driver information, and generally do low-level stuff, and it was poorly coded, it caused a computer system to be less stable.

These problems were only discovered because of skilled people at Sysinternals. In the future though, if programs can be more protected by the NGSCB, they will have greater free reign to do this type of activity without scrutiny. Certainly it will be easier if simply processes and files aren't hidden anymore, since that, combined with seeing TCP data being sent out whenever you play a CD, will be a large tip-off. However, we all benefit if skilled people can expose spyware wherever it occurs, and ultimately, if NGSCB helps cloak some activity, then that may ultimately make it harder for peoplpe like Mark Russinovich to do their work for the public good.

Re:Why not call law enforcement?

[99BottlesOfBeerInMyF]

Because calling law enforcement would lead to a court case: YOU vs SONY. Guess who wins every time?

What are you talking about? Making a report to law enforcement is not going to get you into a civil suit. It will be the state vs. Sony in a criminal case should they pursue it. The trouble is getting them to do so. Try calling the FBI sometime. If it isn't easily demonstrable as several grand worth of damage they will just ignore you.

Well, not really... (was:Bah...)

[Lead+Butthead]

It's their "rootkit," our "DRM enforcement agent." The same sort of nonsense about their "terrorist," our "freedom fighter." that were promoted by the whitehouse in 80's.

Never in my wildest dreams

[SlashAmpersand]

The biggest surprise for me was that Microsoft, who usually pisses me off, actually was the only company to step up to the plate in a meaningful way. I expected far, far better from the antivirus/spyware vendors. If you're going to tell me that you're going to protect my system, make me pay a subscription to keep my definitions current, and, on top of that, consume some of my system resources to do it, you'd damn well better step up to the plate when it comes to something as blatantly dangerous to my security as a rootkit.

Re:Bah...

[LiquidCoooled]

What is a (better informed) user wants to play the CD despite the rootkit?

Rule #1: Disable Autorun.

If microsoft had disabled this action by default, it would have prevented this being a widespread problem in the firstplace.

AUdio CDs should be nothing more than data. A media player is installed on every single computer that can play audio CDs.

Sony should not have messed with that, and if MS had defaulted it then 1st$ wouldn't have exploited it.

Re:sony

[Mattcelt]

I think you're forgetting that DVD Jon and the others don't have a team of lawyers at their immediate disposal like more companies do, so it takes time for them to seek legal counsel. It may be days or weeks before they announce an intention to sue Sony.

Re:Bah...

[eric76]

While this is a rootkit, "infected" systems don't display the normal symptoms: no (appreciable) slowdown, no annoying popups, no self-propagation or open ports.

Methinks thee art confusing rootkits with spyware.

The last thing a rootkit author would want in a rootkit would be for it to be noticeable to the average user. Or even to the expert user. If symptoms are noticed, it isn't a good rootkit.

Re:Bah...

[nigelo]

TFA points out that this has been out there for over a year, not just "a few days".

Just because the symptoms are barely noticeable does not make it acceptable.

Just because it comes from a CD does not make it acceptable, either.

If the "(cluelss) user" inserts the CD again, the AV software should do what it should have done the first time - issue a large warning and block the activity. If this had happened a year ago, there wouldn't be several hundred thousand machines with it installed today.

Re:Bah...

[drakaan]

I think's things are not so simple.

And then some...

While this is a rootkit, "infected" systems don't display the normal symptoms: no (appreciable) slowdown, no annoying popups, no self-propagation or open ports. Moreover, the "phone home" behaviour is very limited. Since the average user didn't notice, there were no complaints.

That's not the issue, really.

Do you expect the AV companies to buy and test music CDs for malware before this broke out (not in hindsight!). Since it took a Windows guru to figure out something was wrong, I'd expect these companies to take a few days. Several (including Microsoft, in fact) already classify it as malware and look for it.

It took somebody looking for evidence of rootkits on a well-maintained system that should have been rootkit free. I expect AV companies to do *that*, yes. You say "already" as if the rootkit had only been around for a few days. It's been around for many months, and the fact that we didn't know that before the guys at sysinternals noticed it is inexcusable.

Sony distributed software to millions of random people that installed half of itself silently, offered no option to not install, left machines vulnerable to infection by absolutely any wanna-be hacker that can spell "$sys$", has no uninstaller, leaves no indication that it *is* installed, makes the machines that it is installed on unstable if removed, and uses bandwidth and network connectivity without informing the owner of the computer.

If AV vendors can't protect against this type of threat, and cannot identify cloaked software when it has been distributed for a year, I don't exactly have a lot of faith in the security of any machines protected by their software (sadly, that seems to be every AV vendor). Maybe Mr. Russinovich could give a few paid talks at each of these companies about how to detect rootkits...

I'm off to go install SuSE on my desktop...cheers.

Re:Actually

[einhverfr]

You would have a point if Symantec didn't advertise the ability to remove trojans (which CDX certainly is) and adware (which MediaMax certainly is).

Re:Bah...

[SilverspurG]

You did notice from '95 to '98 nearly every CD enabled application would annoy you with the "it is recommended to enable Autorun by going to the Control Panel... etc. etc. etc" Oh wait? You didn't notice that? Probably because you didn't think to disable autorun 'til now so that you could take part in the brow-beating.

You did notice that, from '98-'02, nearly every CD burning application on Windows began to annoy you with the "It is required for this application to function properly that you enable the Autorun feature of the CD drive by going to the Control Panel... etc. etc. etc." Oh? What's that? You didn't notice these error boxes? Probably because you didn't think to disable autorun until now so that you could take part in the brow-beating.

I, on the other hand (am an arrogant prick), and I did spend all of those years turning off Autorun until it just became impossible to use any CDROM enabled Windows software without it.

By the way, I like most of your posts. I've just been waiting for the last two weeks to slam someone on the "just disable autorun" issue and you happened to be the poster of the day. :)

Re:Bah...

[SilverspurG]

So the burning question in my mind is... Didn't any of the Symantec or Norton of McAfee firewalls pick up the unwanted network activity?

Oh wait... "XCP media player wishes to access the internet. Would you like to allow this action?"

Some effing firewall...

Re:Actually

[E8086]

"The rootkit was spyware that came along with something the user installed by choice, no different from weatherbug or any of that other silly BS."

Ok, so was it really installed by choice? I have no desire to spend my money on one of those disks and risk the security of my PC to test it. Is the user given a choice do hit "I don't agree" to an EULA and then return it to where they purchased it or does it take advantage of Windows autoplay to install without asking or informing the user first with a description of what it will do.
An EFF explanation of the ELUA said if you no longer own the physical disk you must delete any and all copies of anything on the disk. Shouldn't it be the same for the rootkit? If someone no longer owns the CD, maybe they returned it for the recall/exchange offer, shouldn't any software installed by it also have to be removed? It claims the ability to do this unpunished with a legalese shrinkwrap ELUA and shrinkwrap ELUAs have never stood up in court. If a paying customer returns or resells or trashes a protected Sony disk, the rootkit and DRM should go with the disk, of it doesn't easily go away then it's unwanted spyware and the legal owner of the computer should have the right to remove it, other than having to try their luck with Windows system restore or reformat or reinstall.

Sony screwed up and it looks like the customers are going to have to pay for their mistake with decreased performance, system crashes, having to deal with malware specifically created to take advantage of security holes created by the rootkit, including purchasing additional security software to prevent infection and the time and effort to remove them and repair the damage and/or the monetary costs if they don't have the time or know enough and have to hire someone to do it for them.