Sony, Rootkits and Digital Rights Management Gone Too Far
Mark's Sysinternals ^ | Monday, October 31, 2005 | Mark's Sysinternals

Posted on 10/31/2005 7:59:57 PM PST by zeugma

From slashdot.org article:
"SysInternals.com guru Mark Russinovich has a detailed investigation of a rootkit from Sony Music. It's installed with a DRM-encumbered music CD, Van Zant's "Get Right with the Man". (Mmmm, delicious irony!) The rootkit introduces several security holes into the system that could be exploited by others, such as hiding any executable file that starts with '$sys$'. Russinovich also identifies several programming bugs in the method it uses to hook system calls, and chronicles the painful steps he had to take to 'exorcise the daemon' from his system."

Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden (see my “Unearthing Rootkits” article from the June issue of Windows IT Pro Magazine for more information on rootkits). The RKR results window reported a hidden directory, several hidden device drivers, and a hidden application:


TOPICS: Business/Economy; Culture/Society; News/Current Events; Technical
KEYWORDS: drm; malware; privacy; privacylist; rootkit; sony; windows
To: Golden Eagle

Nope. No "standardized" system for committing computer crime.


41 posted on 11/01/2005 12:42:56 PM PST by steve-b (A desire not to butt into other people's business is eighty percent of all human wisdom)
[ Post Reply | Private Reply | To 29 | View Replies]

Mark


42 posted on 11/01/2005 1:04:21 PM PST by Jack of all Trades (Never underestimate the speed in which the thin veneer of civilization can be stripped away.)
[ Post Reply | Private Reply | To 1 | View Replies]

This is quite an eye-opening link. Even for those not intimately aware of your OS's inner workings (98% of us, I'd guess) it is absolutely fascinating.... and something someone posted below the tech jargon and screengrabs is also quite interesting. Seems it is a UK firm that came up with this particular DRM scheme and from what a friend in the UK tells me, it is quite illegal....

"First4Internet, eh?... let's see... according to public records, they were incorporated 24/11/1999. In 2004 they had a turnover of £709,941 and operating expenses of £1,301,546 -- meaning an operating loss of £591,605. In the last five years they have, on average, lost £541,067 a year. For 2004, their credit rating is "HIGH RISK" (complete with capitalisation). Meanwhile, the four directors share annual remuneration of £224,413 between them (average £56,103 each).

One of the directors, Nicholas Bingham, (appointed in 2002) was director of "Sony pictures home entertainment Ltd." from 1989 to 1997, and director of "Sony pictures television production UK Ltd." from 1996 to 2000, and director of "Sony digital radio europe Ltd." from 1994 to 2000.

A cynic might say Sony selected this inept copy protection technology because it was supplied by one of their cronies. The reason this is a bad business practice can be seen by the software's many failings."

# posted by Michael Tandy : 3:20 AM, November 01, 2005


43 posted on 11/01/2005 1:37:37 PM PST by Range Rover (Kerry is STILL a Fraud...Rather is the Court Jester)
[ Post Reply | Private Reply | To 42 | View Replies]

To: zeugma

Sysinternals is a magnificent site. I love their free utilities.

This is a great catch by Russinovich. Having just installed a Sony version of Nero for a DVD burner, I wonder if I also installed this spyware. Probably not, but I'll check.

This seems similar to the recent discovery that many color laser printer manufacturers covertly install software that prints tiny yellow dots on every printout, that can be used to identify the exact printer used.

I'm not big on government regulation, but maybe this sort of thing should be illegal, if it is not already.


44 posted on 11/01/2005 3:18:11 PM PST by TChad
[ Post Reply | Private Reply | To 1 | View Replies]

To: TChad

I should not have said "install software" above. The code is in the printer firmware.


45 posted on 11/01/2005 3:19:28 PM PST by TChad
[ Post Reply | Private Reply | To 44 | View Replies]

To: monkapotamus
Those are some awesome tools!

/nerdhug
46 posted on 11/01/2005 3:21:31 PM PST by KoRn
[ Post Reply | Private Reply | To 37 | View Replies]

To: All

bump


47 posted on 11/02/2005 5:54:24 AM PST by monkapotamus
[ Post Reply | Private Reply | To 46 | View Replies]

To: zeugma

Question: How can I look at any given person's machine and know if this rootkit is loaded?

Without running Rootkit Revealer that is.


48 posted on 11/02/2005 6:42:50 AM PST by AppyPappy (If you aren't part of the solution, there is good money to be made prolonging the problem.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: TChad

The yellow dots are there at the request of the government.


49 posted on 11/02/2005 6:49:59 AM PST by Born to Conserve
[ Post Reply | Private Reply | To 45 | View Replies]

To: zeugma; Dan Nunn; Iconoclast2; ShadowAce; monkapotamus; All
You might be interested in another overreach by the "content" industry -- see Hollywood After The Anal. Hole Again.
50 posted on 11/02/2005 7:03:49 AM PST by steve-b (A desire not to butt into other people's business is eighty percent of all human wisdom)
[ Post Reply | Private Reply | To 1 | View Replies]

To: zeugma; Dan Nunn; Iconoclast2; ShadowAce; monkapotamus; All
Also, see this Washington Post story, which confirms that Sony's cracking scheme effectively disables the security on the victim's computer, leaving a wide-open hole for other computer criminals.

Really, some Sony executives need to join Billy Bob's cellblock harem for this.

51 posted on 11/02/2005 7:19:46 AM PST by steve-b (A desire not to butt into other people's business is eighty percent of all human wisdom)
[ Post Reply | Private Reply | To 50 | View Replies]

To: AppyPappy
I don't know that there is a way to tell without some serious digging. The article was written by a fellow who knows more about windows than just about anyone on the planet, and he had to do some serious digging to find it.

Of course, now that he has told us what to look for, it makes things a lot easier for us. I'd strongly recommend getting a knoppix boot disk and using that to look for directories or files that start with “$sys$”. That's the easiest thing you can do IMO, though I can't really call myself any kind of windows guru anymore because I avoid it like the plague.

Automated tools to find this particular corporate back door are going to be moderately problematic, as the rootkit hides itself by modifying windows APIs. You have to be able to boot from a known good kernel to check things out. Virus scanners aren't going to be able to do this unless they load before the targeted APIs.

Simple solution: dump windows. Unfortunately, that's the only way to be reasonably safe from this stuff.

52 posted on 11/02/2005 7:35:01 AM PST by zeugma (Warning: Self-referential object does not reference itself.)
[ Post Reply | Private Reply | To 48 | View Replies]

To: AppyPappy
I just thought of a really easy way to determine if this rootkit is installed on your computer.
  1. Open a command prompt
  2. enter the following:
    echo "test" > $sys$test 
    dir
    
  3. If the file shows up in the directory listing, you haven't been hit by this. (yet) If it ain't there, you've been rooted by Sony/BMG.
  4. to delete the file...
    del $sys$test

53 posted on 11/02/2005 8:05:29 AM PST by zeugma (Warning: Self-referential object does not reference itself.)
[ Post Reply | Private Reply | To 48 | View Replies]
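The canary test from the post above, and the detection difficulty raised in post 52, as an added Python example that is not from this thread, from Sysinternals, or from any Sony/First4Internet code: it creates a `$sys$`-prefixed canary beside a control file, asks the ordinary directory-listing API which of the two it reports, and cleans both up. The control prefix, the return-value layout and the use of a scratch directory are assumptions; on a Windows box it stands in for the `echo`/`dir`/`del` steps, and it should be read as a quick hint, not proof that the cloaking driver is absent.

```python
import os
import tempfile

# Filename prefix the Sony/First4Internet driver cloaks, as described in the thread.
CLOAKED_PREFIX = "$sys$"
# Control prefix is an assumption: it only proves that listing works at all.
CONTROL_PREFIX = "plain_"


def canary_check(directory):
    """Create one cloaked-prefix canary and one control file in `directory`, then ask
    the normal listing API which of them it reports. Both files are deleted before
    returning (step 4 above). Verdict: 'clean', 'cloaked', or 'inconclusive'."""
    canary = os.path.join(directory, CLOAKED_PREFIX + "test")
    control = os.path.join(directory, CONTROL_PREFIX + "test")
    try:
        for path in (canary, control):
            with open(path, "w") as fh:
                fh.write("test\n")
        listed = set(os.listdir(directory))  # the equivalent of `dir`
        canary_visible = os.path.basename(canary) in listed
        control_visible = os.path.basename(control) in listed
    finally:
        # Deleting by exact name still works under a listing-only cloak,
        # which is why the original step 4 (`del $sys$test`) succeeds.
        for path in (canary, control):
            try:
                os.remove(path)
            except FileNotFoundError:
                pass
    if not control_visible:
        verdict = "inconclusive"  # even an ordinary file is missing: not a prefix cloak
    elif canary_visible:
        verdict = "clean"
    else:
        verdict = "cloaked"       # only the $sys$ name vanished from the listing
    return {"canary_visible": canary_visible,
            "control_visible": control_visible,
            "verdict": verdict}


def check_in_tempdir():
    """Run the check in a fresh scratch directory and remove it afterwards."""
    directory = tempfile.mkdtemp(prefix="canary_")
    try:
        return canary_check(directory)
    finally:
        os.rmdir(directory)


if __name__ == "__main__":
    print(check_in_tempdir())
```

A "cloaked" verdict means the listing API filtered the `$sys$` name while a plain name came through, which is exactly the filename-prefix hook the thread describes; an "inconclusive" verdict means something other than this cloak is interfering with the directory.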

To: Golden Eagle
Buy a CD, play it on your computer, get p0wned.

Download the same MP3's from Usenet after they've been unDRM'd, your PC stays safe.

Ever heard of the concept of "negative reinforcement?"

54 posted on 11/02/2005 8:18:01 AM PST by Uncle Fud (Imagine the President calling fascism a "religion of peace" in 1942)
[ Post Reply | Private Reply | To 29 | View Replies]

To: zeugma

I saw the file. If I hide the file and make it read-only, does that protect me from this infestation? That works pretty well with most virus files.


55 posted on 11/02/2005 8:18:14 AM PST by AppyPappy (If you aren't part of the solution, there is good money to be made prolonging the problem.)
[ Post Reply | Private Reply | To 53 | View Replies]

To: zeugma
Perhaps it is time for the anti-Microsoft crowd to wake up and realize that any OS can be compromised if the user gives permission.

Nearly all modern malware is installed with user permission. The trick is to lure users into giving it. If UNIX based systems offer a lucrative target, then effort will be made to attack these systems.
56 posted on 11/02/2005 8:22:53 AM PST by js1138 (Great is the power of steady misrepresentation.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: AppyPappy
If I hide the file and make it read-only, does that protect me from this infestation?

I don't believe so. The solution at the moment, is to just not purchase or play any CD from Sony/BMG. That's my recommendation anyway.

57 posted on 11/02/2005 8:42:10 AM PST by zeugma (Warning: Self-referential object does not reference itself.)
[ Post Reply | Private Reply | To 55 | View Replies]

To: js1138
Perhaps it is time for the anti-Microsoft crowd to wake up and realize that any OS can be compromised if the user gives permission.

It's a little bit more obvious to the user when a program to be installed requires the root password to install than it is on windows, which will happily run off and do any and all kinds of hidden and potentially nasty things on your PC when you select "yes" to install.

I wouldn't have much of a problem installing most software in user-space as it couldn't make changes to the base operating system. About the worst thing it could do to me is trash my files. I do regular backups so I am less concerned about that. I have a bunch of programs here that I installed as a local user because I wanted to see if they are worthwhile.

The problem in windows land is that there are too many programs out there written in such a (stooopid) way that they require Admin privs to run. This causes many, if not the vast majority of windows users (especially on home boxes) to run with administrative privileges. Bad idea, but most are blissfully unaware of the danger.

OTOH, with Linux, I have a few programs that give really bold warnings every time you start them if you are running as root, and point out what a stupid idea it is to do it. Very few user programs need to run as root, thankfully, because unix developers have always known it is a bad idea.

58 posted on 11/02/2005 8:53:55 AM PST by zeugma (Warning: Self-referential object does not reference itself.)
[ Post Reply | Private Reply | To 56 | View Replies]

To: zeugma
It's a little bit more obvious to the user when a program to be installed requires the root password to install than it is on windows...

Windows allows non-administrator accounts. This will become more user friendly in the next version of Windows, which will allow non-administrators to install programs for their own use, without touching the main registry. Non-admins who install programs will get a private programs folder and a private copy of the registry.

Perhaps something like this should have been done years ago, but MS has been obsessed with making Windows work with legacy programs. I have programs from 1982 that still run on XP.

59 posted on 11/02/2005 9:37:01 AM PST by js1138 (Great is the power of steady misrepresentation.)
[ Post Reply | Private Reply | To 58 | View Replies]

To: Born to Conserve
The yellow dots are there at the request of the government.

Right. The code was installed by private companies in their products at the request of the government, without disclosure to their customers. So what is hidden in Windows at the request of the government? What is hidden in applications? These no longer sound like paranoid questions.

60 posted on 11/02/2005 9:59:45 AM PST by TChad
[ Post Reply | Private Reply | To 49 | View Replies]
