Caution SONY Music CDs have trojan Malware


Jeffrey A. Setaro

I see Sony has offered a remover:

http://cp.sonybmg.com/xcp/english/updates.html

The other concern I've seen has been the security vulnerability
issue, which Sony, of course, disclaims. Also, I have no idea how real
or valid this might be, but the fear is that if a user is hit with
another root kit the resulting low level conflicts will render the PC
unuseable. If this is true, it would seem we're heading for eventual
legislation banning so-called cloaking technology.

Art; what Sony/BMG is offering is not an uninstaller... It's a
de-cloaker. The patch removes the rootkit driver but leaves the DRM
software behind.

Read Mark Russinovich's latest blog entry for full details.

<http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html>

Cheers-

Jeff Setaro
jasetaro@SPAM_ME_NOT_mags.net
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34
 

Simon.

And you would be willing to install MORE software that SAYS it will decloak the
old software?

What if this program simply replaced the old software with something even worse?

Are YOU going to trust SONY after the mess they made first time?

I think not ...

You're right. Terminology twist. I was thinking of the "uninstall" of
the cloaking portion.


Art

http://home.epix.net/~artnpeg

--
Simon.

'Be Seeing You.
Who is number one?
I will not be pushed, filed, stamped, indexed, briefed, de-briefed or numbered.
Registered Linux User #300464 Machine Id #188886
Linux Counter - http://counter.li.org/
Remove the s.p.a.m to reply
 

Gabriele Neukam

On that special day, Art, ([email protected]) said...
I suppose
one might consider root kits as a subset of stealth malware just as
some view worms as a subset of viruses. But that's just my impression.
I don't recall seeing a terminology discussion/debate on that subject
here.

Then it is bound to happen now. Few have an idea what stealth is, and
although I have been interested in virus questions for nearly ten years,
I may be wrong.

I remember that stealth viruses would be sitting in the MBR, putting
the content of the original one into a different place, and when a
scanner would come along and try to read the MBR in order to check for
unwanted things, the (memory resident) virus would intercept this query
and present the scanner with the stored original MBR content as a
"result".

This is kind of hiding, too, although it isn't cloaking as in "run a
driver that makes everything that begins with $sys$ unnoticeable".

But the idea behind it is similar. Yet, the stealth virus would only
behave in one specific, determined way, while a driver allows for
interesting side effects, like the one that circumvents the Warden
memory scanning.


Gabriele Neukam

(e-mail address removed)
 

Dustin Cook

Gabriele said:
I remember that stealth viruses would be sitting in the MBR, putting
the content of the original one into a different place, and when a
scanner would come along and try to read the MBR in order to check for
unwanted things, the (memory resident) virus would intercept this query
and present the scanner with the stored original MBR content as a
"result".

That's an MBR stealth infector.
This is kind of hiding, too, although it isn't cloaking as in "run a
driver that makes everything that begins with $sys$ unnoticeable".

No, but memory resident exe/com stealth infectors could. :)
They were able to prevent anything from noticing changes made to the
host executable, should something come along and want to scan it. It
did this by intercepting findfirst/findnextf routines. This is quite
similar to a windows system driver service.
But the idea behind it is similar. Yet, the stealth virus would only
behave in one specific, determined way, while a driver allows for
interesting side effects, like the one that circumvents the Warden
memory scanning.

The concept is close. The hidden driver sony installs is remapping a
few api calls to stealth items found during findfirst/findnextf
routines. It's filtering. And useful for things beside sony. heh.

Regards,
Dustin Cook
 

Dustin Cook

Rebecca said:
That's good. You'd be laughed out of town if you did.

Uh huh. So tell me something wiz, Why are you using such insecure
software for usenet? Incapable of installing better software?

"X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2670"

Entertaining. heh...
 

Ken

What if he turned off the dangerous services... that would take a few
seconds... to change news readers would take him seconds longer. Why
bother? People who know are safe. People who don't need to take the
longer road.
 

relic

Ken said:
What if he turned off the dangerous services... that would take a few
seconds... to change news readers would take him seconds longer. Why
bother? People who know are safe. People who don't need to take the
longer road.

Obviously dustbin hasn't a clue.
 

Jeffrey A. Setaro

And you would be willing to install MORE software that SAYS it will decloak the
old software?

Nope... I've got backup images of my system going back several weeks.
I can wipe my system and restore from a clean image if I need to. @#$%
Sony and their patch!
What if this program simply replaced the old software with something even worse?

Sony should review the federal trial courts ruling in the case of
Sotelo v. Direct Revenue. In its ruling, the court held that the
ancient legal doctrine of trespass to chattels (meaning trespass to
personal property) applies to the interference caused to home
computers by spyware.

See
Are YOU going to trust SONY after the mess they made first time?

Nope... But then I didn't trust Sony to begin with.

Cheers-

Jeff Setaro
jasetaro@SPAM_ME_NOT_mags.net
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34
 

Towelie

Good try, Dustin, but about a million miles wide of the mark. The very
fact that you expected that to be my own UA speaks volumes.
 

Dustin Cook

Ken said:
What if he turned off the dangerous services... that would take a few
seconds... to change news readers would take him seconds longer. Why
bother? People who know are safe. People who don't need to take the
longer road.

What exactly do the system services he may or may not be running have
to do with the insecurity of the particular newsreader (Email client
actually, a very bad one at that) he's using?

Outlook Express has a long wonderful history of exploits... I don't
recall any of them requiring a particular service to be running.

You were saying something about a longer road? I suppose you have the
directions. :)

Regards,
Dustin Cook
http://bughunter.atspace.org
 

Roger Wilco

kurt wismer said:
Dustin Cook wrote:
[snip]
Art, refresh my memory if you don't mind. Didn't we used to call
applications that hid their presence, stealth? When did this rootkit
terminology replace that?

http://anti-virus-rants.blogspot.com/2005/03/rootkits-for-windows.html

it seems like you and i may be on the same page...

This "rootkit" is a misnomer (should just call it stealthing), but what
you call a rootkit is no closer to the truth it seems to me. The rootkit
was a kit you could use once you already had sufficient privileges - to
replace commonly used utilities and such with versions modified to help
stealth whatever other activities you had in mind. Getting cpu access
and root privileges is not done with a kit, but with exploit code aimed
at a vulnerability (*possibly by flawed software) either running with
privilege or possibly leveraged from the lesser privilege via an
escalation vector (possibly more flawed software) to get root.

Filter driver stealthing of filesystem and process listing is no more
"rootkit" than is simple hiding of extensions for known filetypes -
although the 'stealthing' effect is similar.

* Could also be just poorly configured security
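The three descriptions above (Gabriele's MBR stealth virus answering a read with the saved original sector, Dustin's resident infectors hooking findfirst/findnext, and Roger's filter driver lying to the utility that asked) all come down to the same trick: filter the answer before the caller sees it. The counter-trick is the same in every case too: get the answer by a second route the hook does not cover and compare. The following is an added example, not code from the thread or from Sony's software. It models the "$sys$" hook in user mode and shows the detection that defeats it: hooked_listdir stands in for the filtered enumeration, cross_view_diff compares the hooked view against an independent raw view, and probe_cloak is a live check in the spirit of "create a file whose name starts with $sys$ and see whether it vanishes from the listing". RAW_VIEW and its file names are constructed sample data, and the probe assumes (as the thread states) that the cloak filters directory enumeration; on a clean machine it returns False.

```python
"""Cross-view check for a name-prefix cloak such as the "$sys$" filter.

Added example; not code from the thread or from Sony's software.
"""
import os
import tempfile

CLOAK_PREFIX = "$sys$"

# Constructed sample of a raw enumeration of one directory (invented names,
# not the real package contents).
RAW_VIEW = [
    "$sys$filter.sys",
    "$sys$service.exe",
    "ntoskrnl.exe",
    "hal.dll",
    "$sys$config",
    "win32k.sys",
]


def hooked_listdir(entries, prefix=CLOAK_PREFIX):
    """Model of the cloaking hook: the OS found every entry, but anything whose
    name begins with the prefix is dropped (case-insensitively) before the
    caller gets the list."""
    p = prefix.lower()
    return [name for name in entries if not name.lower().startswith(p)]


def cross_view_diff(api_view, raw_view):
    """What a cross-view scanner does. Returns (hidden, ghosts): names present
    only in the raw view were removed by the hook; names present only in the
    API view were injected by it."""
    api, raw = set(api_view), set(raw_view)
    return sorted(raw - api), sorted(api - raw)


def probe_cloak(prefix=CLOAK_PREFIX):
    """Live check of the enumeration path only: create <prefix>probe.txt in a
    fresh temporary directory and ask the listing API whether it is there.
    True means something filtered the entry out of the listing."""
    directory = tempfile.mkdtemp(prefix="cloakprobe")
    name = prefix + "probe.txt"
    path = os.path.join(directory, name)
    try:
        with open(path, "w") as fh:
            fh.write("probe\n")
        # The file exists because this process just created it; if the
        # listing omits it, the enumeration result is being filtered.
        return name not in os.listdir(directory)
    finally:
        if os.path.exists(path):
            os.remove(path)
        os.rmdir(directory)


if __name__ == "__main__":
    api_view = hooked_listdir(RAW_VIEW)
    hidden, ghosts = cross_view_diff(api_view, RAW_VIEW)
    print("API view:  ", api_view)
    print("cloaked:   ", hidden)
    print("ghosts:    ", ghosts)
    print("live probe:", "CLOAKED" if probe_cloak() else "not cloaked")
```

The probe only works when the prefix is already known; the cross-view comparison catches an unknown cloak as well, but only if the raw view really comes from a path the hook does not touch (reading the on-disk structures directly rather than asking the same filtered API twice). A hook that also filters the raw path, or that only cloaks for some calling processes, will show a clean diff, which is the usual caveat with this class of detection.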
 

James Egan

This "rootkit" is a misnomer (should just call it stealthing), but what
you call a rootkit is no closer to the truth it seems to me. The rootkit
was a kit you could use once you already had sufficient privileges

That's my reading of it too. If the old unix version of a rootkit kept
hold of root rather than gaining access to it for the first time then
there's little difference between that and this.


Jim.
 

Dustin Cook

James said:
That's my reading of it too. If the old unix version of a rootkit kept
hold of root rather than gaining access to it for the first time then
there's little difference between that and this.

So we're all in agreement then. It's nothing more than stealthing
technology. Just a new buzzword for it, apparently.

Sometimes, the more it changes, the more it really stays the same.

Regards,
Dustin Cook
http://bughunter.atspace.org
 

Roger Wilco

James Egan said:
That's my reading of it too. If the old unix version of a rootkit kept
hold of root rather than gaining access to it for the first time then
there's little difference between that and this.

If a rootkit was to gain access to root, then a dictionary attack
against a weak password would be a rootkit - as would an injection
vector through some broken ring zero process. Any collection of software
used once root was attained (whether for stealthing or some other thing)
is where "kit" comes in imo.

The quoted material from Kurt's blog defining "rootkit"
seems...well...wrong - but it wouldn't be the first time that
terminology changed through common misuse. Here, instead of a kit of
replacement programs, they install a filter driver to filter information
returned by the OS which was requested by such programs - in effect
lying to the requesting utility. Not exactly a "kit" but the end result
is similar.

Still, they could have called it stealthing instead of rootkit - they
probably used the term rootkit because it sounded more ominous. :))
 

Dustin Cook

Roger said:
Still, they could have called it stealthing instead of rootkit - they
probably used the term rootkit because it sounded more ominous. :))

"they install a filter driver to filter information
returned by the OS which was requested by such programs - in effect
lying to the requesting utility. Not exactly a "kit" but the end result
is similar. "

It's glorified stealth. Being done with a driver instead of a program
that can be terminated normally.
 

kurt wismer

Roger said:
Dustin Cook wrote:
[snip]
Art, refresh my memory if you don't mind. Didn't we used to call
applications that hid their presence, stealth? When did this rootkit
terminology replace that?

http://anti-virus-rants.blogspot.com/2005/03/rootkits-for-windows.html

it seems like you and i may be on the same page...


This "rootkit" is a misnomer (should just call it stealthing), but what
you call a rootkit is no closer to the truth it seems to me. The rootkit
was a kit you could use once you already had sufficient privileges - to
replace commonly used utilities and such with versions modified to help
stealth whatever other activities you had in mind.

i'm familiar with that line of reasoning, however it fails to convince...

there are those who say rootkits are for maintaining root access, those
who say rootkits are for gaining root access, and those (like the
anti-spyware coalition) who sit on the fence and say it's either one...

from a functional definition standpoint, the 'maintain' camp are lost...
hiding unspecified 'other activities' makes the definition context
sensitive (does it stop being a rootkit if the other activities cannot
possibly be hidden?)...
Getting cpu access
and root privileges is not done with a kit, but with exploit code aimed
at a vulnerability (*possibly by flawed software) either running with
privilege or possibly leveraged from the lesser privilege via an
escalation vector (possibly more flawed software) to get root.

and that couldn't possibly be with a 'kit'...

further, gaining root is not always done by exploiting a vulnerability
unless you widen the scope of 'vulnerability' to include users - at
which point even your rootkit would be exploiting a vulnerability...
 

kurt wismer

Roger Wilco wrote:
[snip]
If a rootkit was to gain access to root, then a dictionary attack
against a weak password would be a rootkit - as would an injection
vector through some broken ring zero process.

or a keylogger, or a password stealing trojan, or . . .
Any collection of software
used once root was attained (whether for stealthing or some other thing)
is where "kit" comes in imo.

forgive me, but isn't "root" sort of the more important part of the
compound word in question?
The quoted material from Kurt's blog defining "rootkit"
seems...well...wrong - but it wouldn't be the first time that
terminology changed through common misuse.

it may seem wrong to you but it makes perfect sense to me...

the functional behaviour of what i call rootkits explicitly involves
root/administrative privileges...

the functional behaviour of what you call rootkits doesn't... their
function is to hide objects/activity...

maintaining root access is an intent, not a function, and we all know
how good a definition that involves intent is in the field of computer
science...
 

Norman L. DeForest

Roger Wilco wrote:
[snip]
If a rootkit was to gain access to root, then a dictionary attack
against a weak password would be a rootkit - as would an injection
vector through some broken ring zero process.

or a keylogger, or a password stealing trojan, or . . .
Any collection of software
used once root was attained (whether for stealthing or some other thing)
is where "kit" comes in imo.

forgive me, but isn't "root" sort of the more important part of the
compound word in question?
The quoted material from Kurt's blog defining "rootkit"
seems...well...wrong - but it wouldn't be the first time that
terminology changed through common misuse.

it may seem wrong to you but it makes perfect sense to me...

the functional behaviour of what i call rootkits explicitly involves
root/administrative privileges...

the functional behaviour of what you call rootkits doesn't... their
function is to hide objects/activity...

maintaining root access is an intent, not a function, and we all know
how good a definition that involves intent is in the field of computer
science...

All of this speculation on why this is called a "rootkit" and nobody
has mentioned the possibility that an Australian came up with that
name. Everybody knows what "root" means in Aussie slang, don't they?
<rot13> Vg'f pnyyrq n "ebbgxvg" orpnhfr bapr gur fbsgjner trgf vafgnyyrq
lbhe CP vf shpxrq. </rot13>

Links to some pages I have found with relevant information (and one
completely unrelated link that might give some people a laugh):
http://www.chebucto.ns.ca/~af380/Sony_bookmarks.html
(may contain duplicates, links to stuff visited by the 404 Fairy, and
sodium propionate to retard spoilage).

On another note, it's interesting to note that Sony's site had a "Service
Pack update" for their DRM software (that allegedly disables the "stealth"
feature of their software) on their site on the 5th of this month,
Update031105.zip, that was 3645406 bytes in size. This morning I went to
the same site and their new "update", Update071105.zip has been reduced to
only 1396754 bytes. It's funny how something that complicated can be
reduced to 38% of its original size in a week -- unless Sony has started
backpedalling and removing some of the more malicious or privacy invading
components from the distribution in an attempt to avoid prosecution.
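A size ratio cannot say what was taken out of an update package between one week and the next, but a per-member manifest can. The following is an added example, not code from the thread: zip_manifest records each archive member's uncompressed size and SHA-256, and diff_manifests reports which members were removed, added, changed or left alone between two archives. The two archives built here are constructed in-memory stand-ins with assumed member names, not the real Update031105.zip and Update071105.zip contents; to run it on the real files, read each with open(path, "rb") and pass the bytes to diff_updates.

```python
"""Diff two update archives member by member rather than by byte count.

Added example; not code from the thread. Sample archives are constructed.
"""
import hashlib
import io
import zipfile


def zip_manifest(data):
    """Map member name -> (uncompressed size, sha256 hex) for a zip given as bytes."""
    manifest = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            manifest[info.filename] = (info.file_size, hashlib.sha256(content).hexdigest())
    return manifest


def diff_manifests(old, new):
    """Classify member names by what happened to them between old and new."""
    old_names, new_names = set(old), set(new)
    common = old_names & new_names
    return {
        "removed": sorted(old_names - new_names),
        "added": sorted(new_names - old_names),
        "changed": sorted(n for n in common if old[n] != new[n]),
        "unchanged": sorted(n for n in common if old[n] == new[n]),
    }


def diff_updates(old_zip, new_zip):
    """Diff two archives given as bytes."""
    return diff_manifests(zip_manifest(old_zip), zip_manifest(new_zip))


def build_zip(members):
    """Build a zip in memory from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples standing in for the earlier and later packages
# (assumed names; the "MZ" prefix just marks them as executable-shaped).
OLD_UPDATE = build_zip({
    "readme.txt": b"update 1\n",
    "decloak.exe": b"MZ" + b"A" * 4000,
    "player.exe": b"MZ" + b"B" * 6000,
    "updater.dll": b"MZ" + b"C" * 1500,
})
NEW_UPDATE = build_zip({
    "readme.txt": b"update 2\n",
    "decloak.exe": b"MZ" + b"A" * 4000,
    "updater.dll": b"MZ" + b"C" * 1500,
})


if __name__ == "__main__":
    for kind, names in diff_updates(OLD_UPDATE, NEW_UPDATE).items():
        print(f"{kind:9}: {names}")
```

Keep the manifest of the first download alongside the archive itself: a vendor that quietly replaces a package under the same URL leaves no other trace, and the member hashes are what let you say precisely which binary changed.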
 
