Is NOD32 going to detect and stop this type of thing?
Elwood
November 2nd, 2005, 01:19 AM
Mark's Sysinternals Blog: Sony, Rootkits and Digital Rights Management Gone Too Far (http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html)
I doubt that once installed it could be detected, but could NOD32 warn the user and prevent installation of the malicious software or does it already?
Thanks for any comments and replies.
Marcos
November 2nd, 2005, 01:29 AM
Hello,
without analysing the relevant sample, it's almost impossible to tell. However, there is a bunch of rootkits detected by signatures so it's likely NOD32 would detect it.
YeOldeStonecat
November 2nd, 2005, 07:12 AM
-{ Quote: "
I doubt that once installed it could be detected, but could NOD32 warn the user and prevent installation of the malicious software or does it already?
Thanks for any comments and replies." }-
I think "rootkits" are being overhyped a bit, not unlike "cookies"...where there are many legitimate uses, and as always, many illegitimate uses which tend to take the spotlight. This Sony case that has been making its rounds through forums lately seems borderline, because Sony didn't state so in the EULA, but it's not a malicious purpose like adware or anything, it's simply a copyright protection that Sony failed to properly identify in the EULA.
Blackspear
November 2nd, 2005, 07:25 AM
-{ Quote: "...This Sony case... ... it's simply a copyright protection that Sony failed to properly identify in the EULA." }-More info here. (http://www.wilderssecurity.com/showthread.php?t=104457)
Cheers ;D
Happy Bytes
November 2nd, 2005, 07:26 AM
-{ Quote: "but it's not a malicious purpose like adware or anything, it's simply a copyright protection that Sony failed to properly identify in the EULA." }-
Wrong! Such things can be easily "exploited" to hide real malware under the cover of Sony's Rootkit.
Then we will have the first worms or Trojans written by some "smart" individuals with the slogan "powered by sony".
deddard
November 2nd, 2005, 07:34 AM
The above have beat me to it whilst typing! - rootkits are a nightmare waiting to happen.
Blended attacks are difficult to diagnose and solve - if someone can create an exploit for this, they will.
NOD 32 and other AVs have their work cut out as it is, separate Trojan Scanners are also required now, and Spyware is becoming a major concern and interest to most tech users.
Is NOD32 going to bring something out similar to F-Secure's BlackLight to specifically hunt and kill these things?
Elwood
November 2nd, 2005, 11:06 AM
-{ Quote: "I think "rootkits" are being overhyped a bit, not unlike "cookies"...where there are many legitimate uses, and as always, many illegitimate uses which tend to take the spotlight. This Sony case that has been making its rounds through forums lately seems borderline, because Sony didn't state so in the EULA, but it's not a malicious purpose like adware or anything, it's simply a copyright protection that Sony failed to properly identify in the EULA." }-
I wholeheartedly disagree and think this is a terrible practice that will make malware practically unremovable without a format unless new technology is developed to detect and prevent the installation of such insidious malware.
Alec
November 2nd, 2005, 12:06 PM
-{ Quote: "I think "rootkits" are being overhyped a bit, not unlike "cookies"...where there are many legitimate uses, and as always, many illegitimate uses which tend to take the spotlight. This Sony case that has been making its rounds through forums lately seems borderline, because Sony didn't state so in the EULA, but it's not a malicious purpose like adware or anything, it's simply a copyright protection that Sony failed to properly identify in the EULA." }-I agree that rootkits are being somewhat overhyped, but like others I totally disagree about the "maliciousness" of such code. In my mind, use of rootkit techniques is virtually always wrong. A rootkit patches the operating system to purposely hide itself and its processes from inspection. DRM can be implemented through legitimate drivers that don't hide themselves and their components. You might counter by saying that the DRM code has to be hidden in order to prevent people from uninstalling it, or something like that. But I would disagree with that premise also, because I believe users should always be afforded the ability to uninstall code at their request (the tradeoff in this case would simply be that if they did so they would no longer be able to play the DRM encoded music).
Happy Bytes
November 2nd, 2005, 12:14 PM
The question here is not whether a rootkit is legal for such purposes - the question here is whether it can be exploited and "misused" for malware purposes. And the answer to this is a definitive yes. I don't want to explain more technical details now, but it's "easily" possible to hide _ANY_ malicious file within this "legal" rootkit. I "blame" here only Sony for their "security concept" because normally they should be aware of such things. At least they should have included something with key-verification before they hide a file. Basically you can hide every file just by renaming it - and THAT IS ridiculous.
Blackspear
November 2nd, 2005, 05:09 PM
Thank you HB for your input, it is greatly appreciated.
Cheers ;D
kenw
November 2nd, 2005, 07:46 PM
According to Broadbandreports today, Sony issued a patch to make it visible.
YeOldeStonecat
November 2nd, 2005, 09:54 PM
-{ Quote: "Wrong! Such things can be easily "exploited" to hide real malware under the cover of Sony's Rootkit.
Then we will have the first worms or Trojans written by some "smart" individuals with the slogan "powered by sony"." }-
How is that statement wrong? Sony didn't mention the installation in the EULA, that was one of their mistakes. Just because some malware coder masks his pride and joy with some label "powered by Sony"...how does that make Sony liable? And how does it make my above statement wrong? It's not even remotely relevant to my point.
That's easily done today already with other things. Rootkit is just another method, or means. Can be legitimate, can be misused. If rootkits follow some trickery such as "Powered by Sony"...how's that different from say some of today's socially engineered worms, masking themselves in an e-mail labeled "Critical Security Update from Microsoft"...hrrrrmmmm?
Active X in IE started out with good intentions...but it got abused.
IMO, Sony had decent intentions here...in attempting to stop pirating by making their software more difficult to tamper with. It's just they chose a poor path in implementing it...failing to mention it in the EULA, and apparently using poorly written software. However I don't support P2P/pirating/warez, so I don't see what's wrong with utilizing this method; they are here to stay. The sad fact is they can be abused, and will garner a bad reputation because of this. It's another potential area to be exploited by the bad guys. But I'll maintain my point...it's not true that 100% of all rootkits will be bad.
This topic reminds me about the debate on the Registry when those who clung onto the bare sysedit files of DOS dreaded the registry when it came out.
YeOldeStonecat
November 2nd, 2005, 09:58 PM
-{ Quote: "More info here. (http://www.wilderssecurity.com/showthread.php?t=104457)
Cheers ;D" }-
Yeah I had read it a while ago, that link has been floating around forums for quite a while now.
Paranoid2000
November 2nd, 2005, 10:11 PM
-{ Quote: "Rootkit is just another method, or means. Can be legitimate, can be misused." }-Would you care to identify one possible legitimate use for a rootkit? The issue here is not Sony's DRM, but its concealment which comes down to deceiving customers and taking away their control over their systems.
Alec
November 2nd, 2005, 10:54 PM
-{ Quote: "Would you care to identify one possible legitimate use for a rootkit? The issue here is not Sony's DRM, but its concealment which comes down to deceiving customers and taking away their control over their systems." }-Precisely. AFAIK, a well coded DRM driver does not need to be hidden from the Windows API in order to be effective. There are sufficient security mechanisms that could be enforced without resorting to the active deception of users and the lack of a convenient means of removal. The fact that it was poorly coded and could be used to conceal any file with a simple name change just adds insult to injury; but even coded properly and with full disclosure in a EULA, I still believe the use of this technique is unwarranted.
alglove
November 3rd, 2005, 02:35 PM
-{ Quote: "Would you care to identify one possible legitimate use for a rootkit? The issue here is not Sony's DRM, but its concealment which comes down to deceiving customers and taking away their control over their systems." }-
How about enforced censorship or net-filtering? Some parent (or government, or company) may wish to prevent its impressionable children (citizens, or employees) from visiting dangerous websites. Trouble is, the "children" have some smart friends that can find and disable these programs through the Task Manager and Windows Registry hacks.
Enter the rootkit. Problem solved! :lurking:
Just because it is illegitimate in your eyes does not make it illegitimate in theirs.
Paranoid2000
November 3rd, 2005, 03:47 PM
-{ Quote: "Just because it is illegitimate in your eyes does not make it illegitimate in theirs." }-I'm sure rootkits will be seen as "legitimate" to some, not least their writers. That does not make them legitimate in general - and censorware can have anti-termination features added without the need for a rootkit (see DiamondCS' Process Guard for an example).
TNT
November 3rd, 2005, 06:28 PM
-{ Quote: "I'm sure rootkits will be seen as "legitimate" to some, not least their writers. That does not make them legitimate in general - and censorware can have anti-termination features added without the need for a rootkit (see DiamondCS' Process Guard for an example)." }-Well, this attitude can go too far, though; creating a rootkit is not criminal, and you can't blame someone simply for writing code.
The use can be illegitimate and, in almost every case, is (including the Sony example). But exploring what a rootkit can do through writing one is also a means of exploring the system's weaknesses, and what a malware creator with criminal intentions can do by exploiting them. That doesn't mean I should go on and distribute a readily usable rootkit on the Internet to show this; that's irresponsible behavior, possibly borderline criminal, in my opinion (and yes, I do think that the creator of Hacker Defender is irresponsible in distributing it).