Sony DRM Rootkit

Discussion in 'Computer Security' started by nemo_outis, Nov 1, 2005.

  1. traveler Guest

    Thanks for the info, the only thing is that it doesn't look like it
    can remove the actual root kit. You can get the F-Secure detector for
    free here, in the general technology section:

    http://www.privacy.li/forum/

    This version will work for free until Jan 1st, 2006.
    privacy.li link posted for Mr. Bloss and his favorite
    puppets of the day.
     
    traveler, Nov 4, 2005
    #21

  2. Ray Vingnutte, Nov 4, 2005
    #22

  3. A.Melon Guest

    snip
    Shut up Adminus, you're not so high and mighty yourself.
    Noticing a bad link, the *considerate* thing to do would be to
    post the correct link:

    RootkitRevealer v1.56
    Scan your system for rootkit-based malware
    http://www.sysinternals.com/Utilities/RootkitRevealer.html

    ~~~~~~~~~~~~~~~~~~~~~
    This message was posted via one or more anonymous remailing services.
    The original sender is unknown. Any address shown in the From header
    is unverified. You need a valid hashcash token to post to groups other
    than alt.test and alt.anonymous.messages. Visit www.panta-rhei.dyndns.org
    for abuse and hashcash info.
     
    A.Melon, Nov 4, 2005
    #23
  4. Management Guest

    I've been following this for a few days - we need to let these money
    grubbers know that we won't be buying their CDs, DVDs, Hifis,
    electronics & TVs.


    Send your protest here:

    Sony Music USA
    http://www.sonymusic.com/about/feedback.cgi

    Sony Music UK
    [email protected]@com

    Australia
    http://www.sonymusic.com.au/misc/contact.do

    Lots of Countries worldwide:
    http://www.sonybmg.com/internationalsites.html

    Tell Sony how you feel!

    Charlie.
     
    Management, Nov 4, 2005
    #24
  5. Steve Welsh Guest

    There has to be a way for us to get to these big corporations trying to
    impose their wants on us.

    Just a thought: if we can find some various items of technological merit
    in Sony kit (whatever), if enough of us go into our local Sony retailer,
    and propose to buy that piece of kit, and then prevaricate to the tune
    of a couple of hours, exploring any alternatives to the particular piece
    of Sony kit (well, doesn't the Ghmx-x-100 from xxx do that?)

    Then when we have wasted a couple of hours of a sales assistant's time,
    tell them EXACTLY why we won't touch Sony with a barge-pole.

    Perhaps Sony would get the message when it starts to come back loud and
    clear from their retailers.

    My 2p worth.

    Steve
     
    Steve Welsh, Nov 4, 2005
    #25
  6. traveler Guest

    I don't have the correct link to what you mention in your post.

    Calling me Adminus is a really stupid troll on your part, I think you
    probably call anyone who posts something here contrary to your beliefs
    one thing or another? Anyway, you're a waste of time.
     
    traveler, Nov 5, 2005
    #26
  7. Yeah, hit them where it hurts most, don't give them your money ;-)
     
    Ray Vingnutte, Nov 5, 2005
    #27
  8. Max Burke Guest

    traveler scribbled:
    That's why it's called Rootkit *Revealer,* which is understandable given the
    damage an 'un-informed' user could do to their OS if they ran it then
    deleted everything the scan showed....

    Like all software it's not foolproof and is simply a tool to show *possible*
    anomalies that might need further investigation.
    For example whenever I run it, I get a prefetch entry every time for cmd.exe
    that Rootkit Revealer says is hidden from the Windows API.
    It's a false positive for cmd.exe and nothing that I need to be concerned
    about.
     
    Max Burke, Nov 5, 2005
    #28
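The post above describes the cross-view technique behind RootkitRevealer (Windows API listing versus raw on-disk listing) and its classic false positive, a file such as a prefetch entry created between the two listings. The sketch below is an added example, not RootkitRevealer's code or anything from this thread; it reports only discrepancies that persist across two passes, and every path in it is constructed sample data.

```python
# Cross-view rootkit check (added example; not RootkitRevealer's code).
# One directory listing is taken through the Windows API and one from the raw
# on-disk structures; a file that only the raw view shows is "hidden from the
# Windows API".  A file created between the two listings looks identical, so
# the scan is repeated and only discrepancies present in every pass are kept.
# All paths are constructed sample data.
from typing import Dict, List, Set


def cross_view_diff(api_view: Set[str], raw_view: Set[str]) -> Dict[str, List[str]]:
    """'hidden': on disk but absent from the API answer (hiding candidate).
    'phantom': returned by the API but absent on disk (also worth a look)."""
    return {
        "hidden": sorted(raw_view - api_view),
        "phantom": sorted(api_view - raw_view),
    }


def persistent_hidden(passes: List[Dict[str, List[str]]]) -> List[str]:
    """Intersect the 'hidden' sets of several passes: a rootkit hides the same
    file every time, while a transient file drops out after one pass."""
    if not passes:
        return []
    common = set(passes[0]["hidden"])
    for result in passes[1:]:
        common &= set(result["hidden"])
    return sorted(common)


# Constructed sample: two back-to-back scans of the same directory tree.
DRV = r"C:\WINDOWS\system32\drivers"
PF = r"C:\WINDOWS\Prefetch"
PASS1_API = {DRV + r"\ntfs.sys", DRV + r"\tcpip.sys", PF + r"\NOTEPAD.EXE-1A2B3C4D.pf"}
PASS1_RAW = PASS1_API | {DRV + r"\example_hidden.sys", PF + r"\CMD.EXE-0C4F3A2E.pf"}
# By the second pass the prefetch file is visible through the API as well.
PASS2_API = PASS1_API | {PF + r"\CMD.EXE-0C4F3A2E.pf"}
PASS2_RAW = PASS1_RAW


def scan_twice() -> List[str]:
    """Run both passes over the sample data; return only persistent findings."""
    passes = [cross_view_diff(PASS1_API, PASS1_RAW),
              cross_view_diff(PASS2_API, PASS2_RAW)]
    return persistent_hidden(passes)


if __name__ == "__main__":
    for path in scan_twice():
        print("hidden from Windows API in every pass:", path)
```

A real implementation would obtain the raw view by parsing the volume's file-system structures directly; the comparison and the persistence filter are the part shown here.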

  9. That's ok, it's better than being a waste of skin.
     
    Thrasher Remailer, Nov 5, 2005
    #29
  10. traveler Guest

    Don't be so hard on yourself, they have help for people like you now!
     
    traveler, Nov 5, 2005
    #30
  11. traveler Guest

    If you would like to try something that's more than a "revealer",
    that can safely remove the root kit for you, if in fact you want to
    remove it rather than keeping it, that's a safe product and produced
    by a leading computer security company, that's free to use until
    January 1st, 2006, then go to the general technology section at:
    www.privacy.li/forum

    Or just keep what you have, just don't delete anything.
     
    traveler, Nov 6, 2005
    #31
  12. ...or just go to Windows Update and run the Malicious Software Removal Tool.

    Limited, and less capable than (say) a typical 3rd-party AV (which is why I
    don't personally use it). But utterly free.

    If *I* were ever to locate a rootkit on one of my PCs, then the first stop
    would be my AV provider.. after all, removing nasties is what I pay them
    for. And what they do for a living.

    Oh, and most vendors put out free worm removal tools, even to
    non-subscribers. I daresay a bit of a rummage through the appropriate web
    site would do the same for known rootkits.

    Not that I'm dissing a tool that I haven't even looked at, of course...

    --

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
     
    Hairy One Kenobi, Nov 6, 2005
    #32
  13. traveler Guest

    The reason anti-virus products don't catch it is because it's not a virus,
    or a trojan. It's software of sorts designed to hide something like a
    trojan. Windows removal tool and even the best virus/trojan scanner
    wouldn't find it, you need a specialized product like the F-Secure to
    detect it, and just as important to SAFELY remove it without any hassles.

    Regards,
     
    traveler, Nov 6, 2005
    #33
  14. Jim Watt Guest

    AV products these days do a lot more than look for boot sector viruses.

    If I wanted something to remove this shit, not that it would have been
    installed in the first place, I'd expect to get it from Sony.
     
    Jim Watt, Nov 6, 2005
    #34
  15. There's no "of sorts" about it, they're software. Period. The reason
    mainstream AV software doesn't detect them (some are) is probably more a
    matter of money and politics than anything else. They're just recently
    becoming "popular" in the world of Window$, and until recently the ROI
    just wasn't there. No financial benefit for investing the time and effort
    into designing ways to ferret out something that only had a one in a
    billion chance of being a problem.

    Root kits aren't some mysterious magical incantation uttered by long
    bearded mages who live under ancient trees. Viruses have been using
    similar or identical "stealth" techniques for many years to hide their
    presence from AV software and things like the task manager. Detecting
    them isn't rocket surgery if you know what you're doing. The problem with
    root kits is that they generally *replace* critical system files with
    total rewrites. You can't typically "disinfect" a system that falls victim
    to many/most root kits, and anyone or any software that claims to be able
    to do so reliably is lying or severely misinformed. Thus the "political"
    problem of detecting something and then telling the customer "nothing I
    can do... sorry about your luck". ;)
    Think about what you're saying... "one piece of software can't find it but
    another can". This is obviously nothing more than a matter of adding the
    code and methods from one software to another, not some magical quality
    that software assumes if it's given the "Anti Virus" moniker. Root kit
    detection has been thus far left to specialized software because there was
    no pressing reason to detect them. Although I know I've read through lists
    of "trojans" that mainstream AV software detects and seen root kit names.
    So AV software peddlers obviously do add detection for such things if and
    when they become a problem in the mind of the peddler.
    How do you remove something that replaces critical files with completely
    different versions?

    Short answer... you can't. You're left restoring from backups or
    reinstalling. No anti-rootkit software in the universe is going to be able
    to do this alone.
     
    Jeffrey F. Bloss, Nov 6, 2005
    #35
  16. Jim Watt Guest

    Fine; if the original is digitally signed it's a simple matter of
    identifying those that are not and replacing them with
    the genuine system components.
     
    Jim Watt, Nov 6, 2005
    #36
  17. nemo_outis Guest

    FWIW programs like Slysoft's AnyDVD (v5.5.1.1) not only bypass Sony's
    protection but *prevent* the rootkit being installed in the first place.

    Regards,
     
    nemo_outis, Nov 6, 2005
    #37
  18. Management Guest

    Management, Nov 6, 2005
    #38
  19. They're generally not. Unless you've signed them yourself. There's
    always generic detection, which falls under "signed" I suppose, but that's
    just detection and not "cleaning".
    Simple? For a piece of software to do this it would be necessary to know
    precisely what software, version, and updates have been installed, where
    the archive media or site is located, and how to install/register each and
    every changed file, registry key, yadda... yadda... yadda.

    Not quite so simple I'd think. ;)
     
    Jeffrey F. Bloss, Nov 6, 2005
    #39
  20. I don't recall saying that AV products don't catch this; instead I have a
    vague recollection of saying the exact opposite ;o)

    Assuming that this software doesn't install via Voodoo (not the graphics
    card), then one can catch it.

    I even went as far as checking MS's site to make sure that I wasn't
    misremembering. As I said, no idea as to the relative effectiveness of
    whichever snake^H^H^Hsoftware you're peddling/advocating.

    But. I doubt that it involves requiring Harry Potter as sysadmin - software
    is software[1], no matter what the intent. It's no easier or more difficult
    to detect sol.exe than leet-root-kitzzz!1!!1.exe (I'm possibly cheating a
    little, in that this particular example formed part of the standard
    Unicenter demo, back in '97. Forget the automated trouble-tickets,
    supervisor email, removal, and reboot: the flashing red light was [cough]
    kewl)

    Point taken about "progressive" kits that replace multiple files. Sounds
    like a damned stupid idea, though, as it's more likely to be detected IMHO.

    H1K

    [1] Originally mistyped that as "siftware". Have I invented a new software
    term..? Shame I'm not American - I'd rush out to patent it.. :eek:D
     
    Hairy One Kenobi, Nov 6, 2005
    #40
