Slashdot Mirror
Real Story of the Rogue Rootkit
BokLM writes "Wired has an interesting article from Bruce Schneier about what's happening with the Sony Rootkit, and criticizing the anti-virus companies for not protecting its users. From the article: 'Much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.'"
... the malware was not made by the anti virus companies so how could we expect them to make the antidote?
Now don your tin foil hats!
The AV companies are just gunshy of Sony's squad of legal attack ninjas. Not surprising given that this is grey area. I think the author makes a decent point (that the AV companies moved slowly), but the real failing here is the draconian legislation that made this a grey area in the first place. Hopefully these wee little gaps in consumer protection get plugged as a result of this.
What happens when Sony's rootkit hides under the protection of Windows Vista's NGSCB? Will antivirus vendors be able to remove bad code that ends up in the NGSCB? Given that Window's kernel in insecure enough to allow itself to be rootkitted, what is the chance that NGSCB itself will be subverted? Doesn't the fact that NGSCB is designed to hide code from normal users and knowledgable debuggers alike mean that it's somewhat similar to what the Sony rootkit tries to do?
When news of the criminal root kit hit full blast, I figured it would immediately get nuked by the AV companies. As things progressed and no one but MSFT came to the rescue, it made wonder if there was fear or maybe even collusion.
Yet the bigger story here in the fact that a blogger was the breaking source.
My media is 75% blogs now. Many use links to back their opinions (I'd love to see a standard bibliogtaphical Wiki for referencing). They're faster than the daily news and less likely to be afraid of corporate threats.
BTW, anyone know a way for me to toggle link text format fron standard (blue w/ underline) to normal (black no underline) and back, quickly?
It was very hard, even for Microsoft to figure out how to remove the damn thing without disabling the CD/DVD drive entirely. The first anti-virus patches that thought they fixed this was actually disabling peoples drives without knowing it. Microsoft had to work with Sony to figure out what the hell they had actually done. It really sucks.
They don't exist to make gigantic corporate enemies.
Like it or not, detecting and removing Sony's malware puts them at series risk for DMCA lawsuits and the like and is thus a bad business decision. Anyone who thinks they're in it to actually better their customers and not their bottom line is living in fantasy land.
Man, all this just in time for Christmas. When I'm shopping this Holiday Season, I think I'll just run up to store clerks and ask them if they carry Sony products and if they say yes, ask "For the love of God, WHY???" and then run away laughing.
If the Antivirus companies start destroying Sony copy-protection technologies, they're almost certain to get in trouble. Surely they don't want to violate the DMCA.
Sony won't need to install a rootkit, because the Microsoft DRM will be designed specifically to help enforce things like Sony's EULA. Why should Sony bother with a rootkkit when the OS itself will impose the limits by design?
Because calling law enforcement would lead to a court case: YOU vs SONY. Guess who wins every time?
What are you talking about? Making a report to law enforcement is not going to get you into a civil suit. It will be the state vs. Sony in a criminal case should they pursue it. The trouble is getting them to do so. Try calling the FBI sometime. If it isn't easily demonstrable as several grand worth of damage they will just ignore you.
Companies are so worried about piracy that they go to these extremes. What they need to look at is why are people pirating. Many people pirate because the thought of spending $17 for a cd is rediculous considering that only a few songs are worth a damn. Secondly, DRM makes it worse because people can't rip the audio for their mp3 player. This drives people to piracy and the DRM makes it worse and drives the consumer away. Just lower the damn prices and let me burn it, rip, or do anything else I want with it because it's mine!
gasmonso http://religiousfreaks.com/Apparently:
To:all Slashdotters
From: The Big Penguin
Subject: Protective measures
We will be switching exclusively to the Linux operating system at 1200 hours effective Tuesday. This will ensure that we can run any music CD with impunity, be it ripped or legit.
Sincerly,
T.B.P.
The double standard of the security companies is troubling... If I released this application (sony's rootkit) it would be considered malware immediately. The fact that they only remove a portion of it is also strange. That is like removing the part of a spam generating worm that sends emails to others but leaving the rest of it to waste CPU time scavanging my address book. Also... What I wonder is, is what consequences will come from the alleged GPL violations? Is anyone suing Sony or first4Internet for copyright infringment? If not, does this send a signal to big corps that it's ok to steal code that is GPL'd because the parties that wrote it probably don't have the time/money to do anything about it anyway?
The biggest surprise for me was that Microsoft, who usually pisses me off, actually was the only company to step up to the plate in a meaningful way. I expected far, far better from the antivirus/spyware vendors. If you're going to tell me that you're going to protect my system, make me pay a subscription to keep my definitions current, and, on top of that, consume some of my system resources to do it, you'd damn well better step up to the plate when it comes to something as blatantly dangerous to my security as a rootkit.
What is a (better informed) user wants to play the CD despite the rootkit?
Rule #1: Disable Autorun.
If microsoft had disabled this action by default, it would have prevented this being a widespread problem in the firstplace.
AUdio CDs should be nothing more than data. A media player is installed on every single computer that can play audio CDs.
Sony should not have messed with that, and if MS had defaulted it then 1st$ wouldn't have exploited it.
liqbase
TFA points out that this has been out there for over a year, not just "a few days".
Just because the symptoms are barely noticeable does not make it acceptable.
Just because it comes from a CD does not make it acceptable, either.
If the "(cluelss) user" inserts the CD again, the AV software should do what it should have done the first time - issue a large warning and block the activity. If this had happened a year ago, there wouldn't be several hundred thousand machines with it installed today.
*Still* negative function...
one word:
Bhopal
.
music lover since 1969
Read http://www.groklaw.net/article.php?story=200511131 64717817
The creator of the rootkit (First 4 Internet) apparently worked with Symantec and other major antivirus companies to make sure that it would neither be detected nor removed by their software according to CNET.
This is a very damning accusation.
LedgerSMB: Open source Accounting/ERP
You did notice from '95 to '98 nearly every CD enabled application would annoy you with the "it is recommended to enable Autorun by going to the Control Panel... etc. etc. etc" Oh wait? You didn't notice that? Probably because you didn't think to disable autorun 'til now so that you could take part in the brow-beating.
:)
You did notice that, from '98-'02, nearly every CD burning application on Windows began to annoy you with the "It is required for this application to function properly that you enable the Autorun feature of the CD drive by going to the Control Panel... etc. etc. etc." Oh? What's that? You didn't notice these error boxes? Probably because you didn't think to disable autorun until now so that you could take part in the brow-beating.
I, on the other hand (am an arrogant prick), and I did spend all of those years turning off Autorun until it just became impossible to use any CDROM enabled Windows software without it.
By the way, I like most of your posts. I've just been waiting for the last two weeks to slam someone on the "just disable autorun" issue and you happened to be the poster of the day.
fast as fast can be. you'll never catch me.