funsec mailing list archives

Sony DRM Rootkit (again) and questions about its disclosure...


From: "Fergie" <fergdawg () netzero net>
Date: Thu, 17 Nov 2005 16:22:10 GMT

Okay, so Bruce Schneier has an article in Wired today where he
says this:

[snip]

What do you think of your antivirus company, the one that didn't notice Sony's rootkit as it infected half a million 
computers? And this isn't one of those lightning-fast internet worms; this one has been spreading since mid-2004. 
Because it spread through infected CDs, not through internet connections, they didn't notice? This is exactly the kind 
of thing we're paying those companies to detect -- especially because the rootkit was phoning home.

But much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new 
piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. 
Not in this case.

McAfee didn't add detection code until Nov. 9, and as of Nov. 15 it doesn't remove the rootkit, only the cloaking 
device. The company admits on its web page that this is a lousy compromise. "McAfee detects, removes and prevents 
reinstallation of XCP." That's the cloaking code. "Please note that removal will not impair the copyright-protection 
mechanisms installed from the CD. There have been reports of system crashes possibly resulting from uninstalling XCP." 
Thanks for the warning.

Symantec's response to the rootkit has, to put it kindly, evolved. At first the company didn't consider XCP malware at 
all. It wasn't until Nov. 11 that Symantec posted a tool to remove the cloaking. As of Nov. 15, it is still wishy-washy 
about it, explaining that "this rootkit was designed to hide a legitimate application, but it can be used to hide other 
objects, including malicious software." 

The only thing that makes this rootkit legitimate is that a multinational corporation put it on your computer, not a 
criminal organization.

[snip]

http://wired.com/news/privacy/0,1848,69601,00.html

I also recalled Nick mentioning back on Nov. 1st that:

[snip]

Some of us were alerted to this a week or so back, but were honour 
bound not to "go public", at least for a while.  However, as Sysinternals 
has found and reported it independently that has changed...

[snip]

http://linuxbox.org/pipermail/funsec/2005-November/001138.html

So, I guess my question is this: "Honour bound" by whom, and for
why?

Not trying to intentionally cast aspersions, but I'd kind of
like to know.

Thanks,

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

