funsec mailing list archives
Sony DRM Rootkit (again) and questions about its disclosure...
From: "Fergie" <fergdawg () netzero net>
Date: Thu, 17 Nov 2005 16:22:10 GMT
Okay, so Bruce Schneier has an article in Wired today where he says this:

[snip]

What do you think of your antivirus company, the one that didn't notice Sony's rootkit as it infected half a million computers? And this isn't one of those lightning-fast internet worms; this one has been spreading since mid-2004. Because it spread through infected CDs, not through internet connections, they didn't notice? This is exactly the kind of thing we're paying those companies to detect -- especially because the rootkit was phoning home.

But much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.

McAfee didn't add detection code until Nov. 9, and as of Nov. 15 it doesn't remove the rootkit, only the cloaking device. The company admits on its web page that this is a lousy compromise. "McAfee detects, removes and prevents reinstallation of XCP." That's the cloaking code. "Please note that removal will not impair the copyright-protection mechanisms installed from the CD. There have been reports of system crashes possibly resulting from uninstalling XCP." Thanks for the warning.

Symantec's response to the rootkit has, to put it kindly, evolved. At first the company didn't consider XCP malware at all. It wasn't until Nov. 11 that Symantec posted a tool to remove the cloaking. As of Nov. 15, it is still wishy-washy about it, explaining that "this rootkit was designed to hide a legitimate application, but it can be used to hide other objects, including malicious software."

The only thing that makes this rootkit legitimate is that a multinational corporation put it on your computer, not a criminal organization.

[snip]

http://wired.com/news/privacy/0,1848,69601,00.html

I also recalled Nick mentioning back on Nov. 1st that:

[snip]

Some of us were alerted to this a week or so back, but were honour bound not to "go public", at least for a while. However, as Sysinternals has found and reported it independently that has changed...

[snip]

http://linuxbox.org/pipermail/funsec/2005-November/001138.html

So, I guess my question is this: "Honour bound" by whom, and for why?

Not trying to intentionally cast aspersions, but I'd kind of like to know.

Thanks,

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg () netzero net or fergdawg () sbcglobal net
ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.