Sony DRM Rootkit

Discussion in 'Computer Security' started by nemo_outis, Nov 1, 2005.

  1. traveler (Guest)

    Re: Privacy.LIE scamming you again!

    On Sun, 06 Nov 2005 14:45:02 GMT, Jeffrey F. Bloss wrote:

    > traveler wrote:
    >
    >>> If *I* were ever to locate a rootkit on one of my PCs, then the first
    >>> stop would be my AV provider.. after all, removing nasties is what I pay
    >>> them for. And what they do for a living.
    >>>
    >>> Oh, and most vendors put out free worm removal tools, even to
    >>> non-subscribers. I daresay a bit of a rummage through the appropriate
    >>> web site would do the same for known rootkits.
    >>>
    >>> Not that I'm dissing a tool that I haven't even looked at, of course...

    >>
    >> The reason anti-virus products don't catch it is because it's not a virus,
    >> or a trojan. It's software of sorts

    >
    > There's no "of sorts" about it, they're software. Period. The reason
    > mainstream AV software doesn't detect them (some are) is probably more a
    > matter of money and politics than anything else. They're just recently
    > becoming "popular" in the world of Window$, and until recently the ROI
    > just wasn't there. No financial benefit for investing the time and effort
    > into designing ways to ferret out something that only had a one in a
    > billion chance of being a problem.
    >
    > Root kits aren't some mysterious magical incantation uttered by long
    > bearded mages who live under ancient trees. Viruses have been using
    > similar or identical "stealth" techniques for many years to hide their
    > presence from AV software and things like the task manager. Detecting
    > them isn't rocket surgery if you know what you're doing. The problem with
    > root kits is that they generally *replace* critical system files with
    > total rewrites. You can't typically "disinfect" a system that falls victim
    > to many/most root kits, and anyone or any software that claims to be able
    > to do so reliably is lying or severely misinformed. Thus the "political"
    > problem of detecting something and then telling the customer "nothing I
    > can do... sorry about your luck". ;)
    >
    >> designed to hide something like a
    >> trojan. Windows removal tool and even the best virus/trojan scanner
    >> wouldn't find it, you need a specialized product like the F- Secure to

    >
    > Think about what you're saying... "one piece of software can't find it but
    > another can". This is obviously nothing more than a matter of adding the
    > code and methods from one software to another, not some magical quality
    > that software assumes if it's given the "Anti Virus" moniker. Root kit
    > detection has been thus far left to specialized software because there was
    > no pressing reason to detect them. Although I know I've read through lists
    > of "trojans" that mainstream AV software detects and seen root kit names.
    > So AV software peddlers obviously do add detection for such things if and
    > when they become a problem in the mind of the peddler.
    >
    >> detect it, and just as important to SAFELY remove it without any
    >> hassles,

    >
    > How do you remove something that replaces critical files with completely
    > different versions?
    >
    > Short answer... you can't. You're left restoring from backups or
    > reinstalling. No anti-rootkit software in the universe is going to be able
    > to do this alone.


    FLUSH
     
    traveler, Nov 6, 2005
    #41

  2. Re: Privacy.LIE scamming you again!

    On 06 Nov 2005 15:34:19 GMT, nemo_outis wrote:

    > FWIW programs like Slysoft's AnyDVD (v5.5.1.1) not only bypass Sony's
    > protection but *prevent* the rootkit being installed in the first place.


    As it did when I tested it with a Sony DVD.
    --
    Drop the alphabet for email
     
    Ari Silversteinn, Nov 6, 2005
    #42

  3. AZ Nomad (Guest)

    Re: Privacy.LIE scamming you again!

    On Sun, 6 Nov 2005 02:04:47 -0800, traveler <> wrote:

    >The reason anti-virus products don't catch it is because it's not a virus,
    >or a trojan. It's software of sorts designed to hide something like a


    It is a trojan by every definition of the word. The user inserts a CD to
    play music, not to install software to limit the number of times he can
    copy a music file.
    Here's the analogy in case you can't fathom:
    trojan horse; desirable object == music CD
    greek army hidden inside trojan horse; malicious component == root kit


    >trojan. Windows removal tool and even the best virus/trojan scanner
    >wouldn't find it, you need a specialized product like the F- Secure to


    So fucking what? That just means that rootkits are a recent discovery and
    most virus/trojan scanners don't have the capability to handle rootkits yet.
     
    AZ Nomad, Nov 6, 2005
    #43
  4. Max Burke (Guest)

    Re: Privacy.LIE scamming you again!


    > Hairy One Kenobi scribbled:


    >> "traveler" <> wrote in message


    >> If you would like to try something that's more than a "revealer",
    >> that can safely remove the root kit for you, if in fact you want to
    >> remove it rather than keeping it, that's a safe product and produced
    >> by a leading computer security company, that's free to use until
    >> January 1st, 2006, then go to the general technology section at:
    >> www.privacy.li/forum
    >> Or just keep what you have, just don't delete anything.


    > ..or just go to Windows Update and run the Malicious Software Removal
    > Tool.


    Totally different situation, and the MSRT is incapable of finding let alone
    removing rootkits.....
    The reason for that is because Microsoft did NOT design/program the MSRT to
    find/deal with rootkits.

    --

    Replace the obvious with paradise.net to email me
    Found Images
    http://homepages.paradise.net.nz/~mlvburke
     
    Max Burke, Nov 7, 2005
    #44
  5. Jim Watt (Guest)

    Re: Privacy.LIE scamming you again!

    On Sun, 06 Nov 2005 23:22:36 GMT, AZ Nomad <>
    wrote:

    >It is a trojan by every definition of the word.


    No, it's not. The basis of a trojan is to insert enemy forces
    and in computer terms provide remote access.

    It's yet another threat, like diallers, spyware and the other
    malware.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Nov 7, 2005
    #45
  6. On 01 Nov 2005 18:44:38 GMT, "nemo_outis" <> wrote:

    >Here's a shocker: rootkit installed by Sony!
    >
    >Sony, Rootkits and Digital Rights Management Gone Too Far
    >http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html
    >
    >Regards,


    LOL. Is that you, BigBrother ?

    Must be why they're so anxious to confiscate all the handguns and
    ammunition in San Francisco. The "vote" (cough hanging-chad cough)
    is tuesday.
     
    holierthanthou, Nov 7, 2005
    #46
  7. Re: Privacy.LIE scamming you again!

    "Max Burke" <> wrote in message
    news:...
    >
    > > Hairy One Kenobi scribbled:

    >
    > >> "traveler" <> wrote in message

    >
    > >> If you would like to try something that's more than a "revealer",
    > >> that can safely remove the root kit for you, if in fact you want to
    > >> remove it rather than keeping it, that's a safe product and produced
    > >> by a leading computer security company, that's free to use until
    > >> January 1st, 2006, then go to the general technology section at:
    > >> www.privacy.li/forum
    > >> Or just keep what you have, just don't delete anything.

    >
    > > ..or just go to Windows Update and run the Malicious Software Removal
    > > Tool.

    >
    > Totally different situation, and the MSRT is incapable of finding let alone
    > removing rootkits.....
    > The reason for that is because Microsoft did NOT design/program the MSRT to
    > find/deal with rootkits.


    Erm.. I believe that you snipped a little too much.

    I'd also suggest that you take-up the definition of "rootkit" with
    Microsoft - I stopped when I hit the first one listed as being handled by
    MSRT. In the KB article.

    "Not" is a very strong word to use, particularly since MS /did/ specifically
    design the MSRT to deal with malicious software. There's even a clue in the
    name ;o)

    As I said in the snipped portion, I personally prefer full-time AV vendor
    support - not just someone that MS happened to have borged.

    H1K
     
    Hairy One Kenobi, Nov 7, 2005
    #47
  8. AZ Nomad (Guest)

    Re: Privacy.LIE scamming you again!

    On Mon, 07 Nov 2005 09:38:34 +0100, Jim Watt <_way> wrote:


    >On Sun, 06 Nov 2005 23:22:36 GMT, AZ Nomad <>
    >wrote:


    >>It is a trojan by every definition of the word.


    >no its not, the basis of a trojan is to insert enemy forces
    >and in computer terms provide remote access.


    NO. A trojan is a friendly looking object with a hidden malicious component.
    It is shorthand for 'trojan horse'. Think about your history if you can.
    Remote access is irrelevant. The greeks during the trojan war, last time I
    checked, didn't have internet access.

    If I put a statement "If user == Jim Watt and date = 11/8/2005 then
    erase the hard drive" into a word processor and you get a copy and proceed to
    blow away your hard drive thinking you were just doing some word processing,
    it is a trojan. Remote access had nothing to do with it.



    >Its yet another threat, like diallers, spyware and the other
    >malware.

    and rootkits installed by audio CDs.

    >--
    >Jim Watt
    >http://www.gibnet.com
     
    AZ Nomad, Nov 7, 2005
    #48
  9. Jim Watt (Guest)

    Re: Privacy.LIE scamming you again!

    On Mon, 07 Nov 2005 20:34:21 GMT, AZ Nomad <>
    wrote:

    >>no its not, the basis of a trojan is to insert enemy forces
    >>and in computer terms provide remote access.

    >
    >NO. A trojan is a friendly looking object with a hidden malicious component.
    >It is shorthand for 'trojan horse'. Think about your history if you can.


    whereas, thanking you for your advice, having had a classical education
    as a child and read the story in its original form, your ill-informed
    comments are inappropriate.

    >If I put a statement "If user == Jim Watt and date = 11/8/2005 then
    >erase the hard drive" into a word processor and you get a copy and proceed to
    >blow away your hard drive thinking you were just doing some word processing,
    >it is a trojan.


    No you are simply demonstrating that when clues were handed out you
    were at the back of the line, walking on all fours and drooling.

    >Remote access had nothing to do with it.


    Tell that to the Greeks.

    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Nov 7, 2005
    #49
  10. Re: Privacy.LIE scamming you again!

    "Jim Watt" <_way> wrote in message
    news:...
    > On Mon, 07 Nov 2005 20:34:21 GMT, AZ Nomad <>
    > wrote:
    >
    > >>no its not, the basis of a trojan is to insert enemy forces
    > >>and in computer terms provide remote access.

    > >
    > >NO. A trojan is a friendly looking object with a hidden malicious component.
    > >It is shorthand for 'trojan horse'. Think about your history if you can.

    >
    > wheras thanking you for your advice, having had a classical education
    > as a child and read the story in ins original form, your ill informed
    > comments are inappropriate.


    I'd say that you're both right - the original definition of a Trojan was the
    sort of thing described (if I'd ever have written one, it would have been
    something written at college to look like a fake login screen for the
    mainframe, used to collect a password couplet, to store it in another
    compromised account, and then logout in a way that was untraceable to anyone
    below middle-admin level. Lucky I never did it, then..)

    Anyway.

    The more modern (and, strictly speaking, inaccurate) term is to describe the
    payload, rather than the method used to deliver it.

    Personally, the "login to our website" crap that one gets on TV adverts is a
    damned sight (site?) more offensive to me, lexagrammatically. Ditto hacker
    vs. cracker.

    Wonder if there's an alt.pointless.semantics froup? ;o)

    H1K
     
    Hairy One Kenobi, Nov 8, 2005
    #50
  11. Jim Watt (Guest)

    Re: Privacy.LIE scamming you again!

    On Tue, 08 Nov 2005 00:08:01 GMT, "Hairy One Kenobi"
    <abuse@[127.0.0.1]> wrote:

    >The more modern (and, strictly speaking, inaccurate) term is to describe the
    >payload, rather than the method used to deliver it.


    The original story was about the introduction of a payload by
    stealthy means. The elements involved in the process are
    deception, acceptance, the hidden delivery of something
    unexpected which then compromises security.

    A few soldiers walking around the city themselves not a
    problem until they open the gates.

    Then the analogy is complete.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Nov 8, 2005
    #51
  12. Steve Welsh (Guest)

    Re: Privacy.LIE scamming you again!

    Hairy One Kenobi wrote:
    > Wonder if there's an alt.pointless.semantics group? ;o)
    >
    > H1K
    >
    >


    Go on, set one up - could be fun ;)
    Steve
     
    Steve Welsh, Nov 8, 2005
    #52
  13. AZ Nomad (Guest)

    Re: Privacy.LIE scamming you again!

    On Tue, 08 Nov 2005 01:35:10 +0100, Jim Watt <_way> wrote:


    >On Tue, 08 Nov 2005 00:08:01 GMT, "Hairy One Kenobi"
    ><abuse@[127.0.0.1]> wrote:


    >>The more modern (and, strictly speaking, inaccurate) term is to describe the
    >>payload, rather than the method used to deliver it.


    >The original story was about the introduction of a payload by
    >stealthy means. The elements involved in the process are
    >deception, acceptance, the hidden delivery of something
    >unexpected which then compromises security.


    >A few soldiers walking around the city themselves not a
    >problem until they open the gates.

    The key is that the soldiers wouldn't be in the city unless they were
    brought in when the trojan horse was taken into the city.

    >Then the analogy is complete.

    Funny. That part of the story is never told. We don't hear about what the
    soldiers had for lunch either.
     
    AZ Nomad, Nov 8, 2005
    #53
  14. Jim Watt (Guest)

    Re: Privacy.LIE scamming you again!

    On Tue, 08 Nov 2005 03:38:07 GMT, AZ Nomad <>
    wrote:

    >>A few soldiers walking around the city themselves not a
    >>problem until they open the gates.

    >The key is that the soldiers wouldn't be in the city unless they were
    >brought in when the trojan horse was taken into the city.
    >
    >>Then the analogy is complete.

    >Funny. That part of the story is never told.


    You must be thinking of the disney version.


    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Nov 8, 2005
    #54
  15. Re: Privacy.LIE scamming you again!

    "AZ Nomad" <> wrote in message
    news:...
    > On Tue, 08 Nov 2005 01:35:10 +0100, Jim Watt <_way> wrote:
    > >On Tue, 08 Nov 2005 00:08:01 GMT, "Hairy One Kenobi"
    > ><abuse@[127.0.0.1]> wrote:

    >
    > >>The more modern (and, strictly speaking, inaccurate) term is to describe the
    > >>payload, rather than the method used to deliver it.

    >
    > >The original story was about the introduction of a payload by
    > >stealthy means. The elements involved in the process are
    > >deception, acceptance, the hidden delivery of something
    > >unexpected which then compromises security.

    >
    > >A few soldiers walking around the city themselves not a
    > >problem until they open the gates.


    > The key is that the soldiers wouldn't be in the city unless they were
    > brought in when the trojan horse was taken into the city.


    Always a problem if you use rabbits instead of horses...

    H1K
     
    Hairy One Kenobi, Nov 8, 2005
    #55
  16. Re: Privacy.LIE scamming you again!

    Jeffrey F. Bloss wrote:

    > The problem with
    > root kits is that they generally *replace* critical system files with
    > total rewrites. You can't typically "disinfect" a system that falls victim
    > to many/most root kits, and anyone or any software that claims to be able
    > to do so reliably is lying or severely misinformed. Thus the "political"


    Isn't what you explained only one kind of root-kit? User-mode?

    Aren't there others (system-mode) that hook directly into the system APIs?

    >> detect it, and just as important to SAFELY remove it without any
    >> hassles,

    >
    > How do you remove something that replaces critical files with completely
    > different versions?
    >
    > Short answer... you can't. You're left restoring from backups or
    > reinstalling. No anti-rootkit software in the universe is going to be able
    > to do this alone.
    >


    I read somewhere that removing one can render your machine unusable. I
    think they said something about other processes hooking into a method in
    your process that no longer exists. But I haven't figured that out yet.

    Isn't Mark R. able to disinfect a machine? Do you know how he's doing
    this (complete restore or VM)?
     
    fluidly unsure, Nov 10, 2005
    #56
  17. thunderbird (Guest)

    nemo_outis wrote:
    > Here's a shocker: rootkit installed by Sony!
    >
    > Sony, Rootkits and Digital Rights Management Gone Too Far
    > http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html
    >
    > Regards,


    "The Register reports on the first trojan using Sony's DRM rootkit. A newly
    discovered variant of the Breplibot trojan makes use of the way Sony's
    rootkit masks files whose filenames begin with '$sys$'. This means that any
    files renamed this way by the trojan are effectively invisible to the
    average user. The malware is distributed via an email supposedly from a
    reputable business magazine requesting that the businessperson verify
    his/her attached 'picture' to be used for an upcoming issue. Once the
    payload is executed, the trojan then installs an IRC backdoor on affected
    Windows systems."
     
    thunderbird, Nov 11, 2005
    #57
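The two threads of discussion in #56 (a kernel-mode rootkit that hooks system APIs, and why ripping it out can leave the machine unusable) and #57 (the "$sys$" prefix filter that any other malware can piggyback on) can be shown in one small model. The following is an added example written for this page, not code from the thread or from the Sony/First4Internet driver: a user-space simulation of a service table hook that hides "$sys$"-prefixed names, the cross-view comparison (API view versus raw view) that rootkit detectors such as Sysinternals' RootkitRevealer use to find such hooks, and the difference between a clean unhook and deleting the driver while the table still points at it. The file names, the one-entry "service table" and the NULL stand-in for an unmapped driver image are all constructed for the example.

```c
/* Added example (not from the thread): toy model of an API-hooking rootkit,
 * cross-view detection of it, and safe vs. unsafe removal. Everything runs
 * in user space; the "system service table" is a plain array of function
 * pointers and the "disk" is a static list of names (constructed data). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HIDE_PREFIX "$sys$"   /* the prefix the Sony rootkit filtered on */
#define MAX_NAMES 8

/* Constructed sample directory: the raw, on-disk view. */
static const char *disk_names[] = {
    "boot.ini", "$sys$example.sys", "notepad.exe", "$sys$drv.exe", "readme.txt"
};
#define DISK_COUNT (sizeof disk_names / sizeof disk_names[0])

/* A directory-enumeration "system service": fills out[], returns count. */
typedef size_t (*enum_fn)(const char **out, size_t max);

/* The genuine service: returns everything that is on disk. */
static size_t real_enum_dir(const char **out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < DISK_COUNT && n < max; i++) out[n++] = disk_names[i];
    return n;
}

/* Toy service table with a single entry: enumerate directory. */
static enum_fn service_table[1] = { real_enum_dir };
static enum_fn saved_original = NULL;   /* pointer the hook overwrote */

/* The rootkit's replacement: call the original, then drop hidden names.
 * Compaction in place is safe because kept never exceeds i. */
static size_t hooked_enum_dir(const char **out, size_t max) {
    size_t n = saved_original(out, max), kept = 0;
    for (size_t i = 0; i < n; i++)
        if (strncmp(out[i], HIDE_PREFIX, strlen(HIDE_PREFIX)) != 0)
            out[kept++] = out[i];
    return kept;
}

void rootkit_install(void) {
    if (service_table[0] == hooked_enum_dir) return;   /* already hooked */
    saved_original = service_table[0];
    service_table[0] = hooked_enum_dir;
}

/* A well-behaved uninstaller: put the original pointer back first. */
void rootkit_unload_safe(void) {
    if (saved_original) { service_table[0] = saved_original; saved_original = NULL; }
}

/* Deleting the driver file without an uninstaller: the hook's code is gone
 * but the table still points at it. NULL stands in for the unmapped image;
 * in a real kernel the next caller faults and the machine bluescreens. */
void rootkit_unload_unsafe(void) {
    service_table[0] = NULL;
    saved_original = NULL;
}

/* What a user-mode program (Explorer, an AV scanner) sees. Returns
 * (size_t)-1 where a kernel would have crashed on the dangling entry. */
size_t api_list_dir(const char **out, size_t max) {
    if (service_table[0] == NULL) return (size_t)-1;
    return service_table[0](out, max);
}

/* Cross-view detection: names present in the raw view but missing from
 * the API view. Returns how many were found, or (size_t)-1 on a dead table. */
size_t cross_view_diff(const char **hidden, size_t max) {
    const char *api[MAX_NAMES];
    size_t api_n = api_list_dir(api, MAX_NAMES), found = 0;
    if (api_n == (size_t)-1) return (size_t)-1;
    for (size_t i = 0; i < DISK_COUNT; i++) {
        bool seen = false;
        for (size_t j = 0; j < api_n; j++)
            if (strcmp(disk_names[i], api[j]) == 0) { seen = true; break; }
        if (!seen && found < max) hidden[found++] = disk_names[i];
    }
    return found;
}

/* Table integrity check, as a detector does against the real service
 * table: does the entry still point at the known-good routine? */
bool service_table_is_clean(void) { return service_table[0] == real_enum_dir; }

int main(void) {
    const char *hidden[MAX_NAMES];
    rootkit_install();
    size_t n = cross_view_diff(hidden, MAX_NAMES);
    printf("names hidden by the hook: %zu\n", n);
    for (size_t i = 0; i < n; i++) printf("  %s\n", hidden[i]);
    printf("table clean while hooked: %s\n", service_table_is_clean() ? "yes" : "no");
    rootkit_unload_safe();
    printf("table clean after safe unload: %s\n", service_table_is_clean() ? "yes" : "no");
    return 0;
}
```

The two things worth taking from the model: the detector never trusts the API view alone, it diffs it against an independent source (on Windows, raw NTFS parsing or a lower-level query), which is why a filter on "$sys$" is trivial to reveal once someone looks; and removal order matters, because the table entry has to be restored before the code it points at disappears, which is the failure mode #56 describes when the driver file is simply deleted.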