Is NOD32 going to detect and stop this type of thing?

Discussion in 'NOD32 version 2 Forum' started by Elwood, Nov 2, 2005.

Thread Status:
Not open for further replies.
  1. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hello,
Without analysing the relevant sample, it's almost impossible to tell. However, there are a bunch of rootkits detected by signatures, so it's likely NOD32 would detect it.
     
  3. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
I think "rootkits" are being overhyped a bit, not unlike "cookies"...where there are many legitimate uses, and as always, many illegitimate uses which tend to take the spotlight. This Sony case that has been making its rounds through forums lately seems borderline, because Sony didn't state so in the EULA, but it's not a malicious purpose like adware or anything, it's simply a copyright protection that Sony failed to properly identify in the EULA.
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    More info here.

    Cheers :D
     
  5. Happy Bytes

    Happy Bytes Guest

    Wrong! Such things can be easily "exploited" to hide real malware under the cover of Sony's Rootkit.
    Then we will have the first worms or Trojans written by some "smart" individuals with the slogan "powered by sony".
     
  6. deddard

    deddard Registered Member

    Joined:
    Oct 31, 2005
    Posts:
    2
The above have beaten me to it whilst typing! - rootkits are a nightmare waiting to happen.
Blended attacks are difficult to diagnose and solve - if someone can create an exploit for this, they will.
NOD32 and other AVs have their work cut out as it is, separate Trojan scanners are also required now, and spyware is becoming a major concern and interest to most tech users.

Is NOD32 going to bring something out similar to F-Secure's BlackLight to specifically hunt and kill these things?
     
  7. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    I wholeheartedly disagree and think this is a terrible practice that will make malware practically unremovable without a format unless new technology is developed to detect and prevent the installation of such insidious malware.
     
  8. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
I agree that rootkits are being somewhat overhyped, but like others I totally disagree about the "maliciousness" of such code. In my mind, use of rootkit techniques is virtually always wrong. A rootkit patches the operating system to purposely hide itself and its processes from inspection. DRM can be implemented through legitimate drivers that don't hide themselves and their components. You might counter by saying that the DRM code has to be hidden in order to prevent people from uninstalling it, or something like that. But I would disagree with that premise also, because I believe users should always be afforded the ability to uninstall code at their request (the tradeoff in this case would simply be that if they did so they would no longer be able to play the DRM-encoded music).
     
  9. Happy Bytes

    Happy Bytes Guest

The question here is not whether a rootkit is legal for such purposes - the question here is whether it can be exploited and "misused" for malware purposes. And the answer to this is a definitive yes. I don't want to explain more technical details now, but it's "easily" possible to hide _ANY_ malicious file within this "legal" rootkit. I "blame" only Sony here for their "security concept", because normally they should be aware of such things. At least they should have included something with key verification before hiding a file. Basically you can hide every file just by renaming it - and THAT IS ridiculous.
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
Thank you HB for your input, it is greatly appreciated.

    Cheers :D
     
  11. kenw

    kenw Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    112
    Location:
    Brighton, Colorado
According to Broadbandreports today, Sony issued a patch to make it visible.
     
  12. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    How is that statement wrong? Sony didn't mention the installation in the EULA, that was one of their mistakes. Just because some malware coder masks his pride and joy with some label "powered by Sony"...how does that make Sony liable? And how does it make my above statement wrong? It's not even remotely relevant to my point.

That's easily done today already with other things. Rootkit is just another method, or means. Can be legitimate, can be misused. If rootkits follow some trickery such as "Powered by Sony"...how's that different from, say, some of today's socially engineered worms, masking themselves in an e-mail labeled "Critical Security Update from Microsoft"...hrrrrmmmm?

ActiveX in IE started out with good intentions...but it got abused.
IMO, Sony had decent intentions here...in attempting to stop pirating by making their software more difficult to tamper with. It's just they chose a poor path in implementing it...failing to mention it in the EULA, and apparently using poorly written software. However I don't support P2P/pirating/warez, so I don't see what's wrong with utilizing this method; they are here to stay. The sad fact is they can be abused, and will garner a bad reputation because of this. It's another potential area to be exploited by the bad guys. But I'll maintain my point...it's not true that 100% of all rootkits will be bad.

    This topic reminds me about the debate on the Registry when those who clung onto the bare sysedit files of DOS dreaded the registry when it came out.
     
  13. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Yeah I had read it a while ago, that link has been floating around forums for quite a while now.
     
  14. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Would you care to identify one possible legitimate use for a rootkit? The issue here is not Sony's DRM, but its concealment which comes down to deceiving customers and taking away their control over their systems.
     
  15. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    Precisely. AFAIK, a well coded DRM driver does not need to be hidden from the Windows API in order to be effective. There are sufficient security mechanisms that could be enforced without resorting to the active deception of users and the lack of a convenient means of removal. The fact that it was poorly coded and could be used to conceal any file with a simple name change just adds insult to injury; but even coded properly and with full disclosure in a EULA, I still believe the use of this technique is unwarranted.
     
  16. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    How about enforced censorship or net-filtering? Some parent (or government, or company) may wish to prevent its impressionable children (citizens, or employees) from visiting dangerous websites. Trouble is, the "children" have some smart friends that can find and disable these programs through the Task Manager and Windows Registry hacks.

    Enter the rootkit. Problem solved! :ninja:

    Just because it is illegitimate in your eyes does not make it illegitimate in theirs.
     
  17. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I'm sure rootkits will be seen as "legitimate" to some, not least their writers. That does not make them legitimate in general - and censorware can have anti-termination features added without the need for a rootkit (see DiamondCS' Process Guard for an example).
     
  18. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Well, this attitude can go too far, though; creating a rootkit is not criminal, and you can't blame someone simply for writing code.

The use can be illegitimate and, in almost every case, is (including the Sony example). But exploring what a rootkit can do through writing one is also a means of exploring the system's weaknesses, and what a malware creator with criminal intentions can do by exploiting them. That doesn't mean I should go on and distribute a readily usable rootkit on the Internet to show this; that's irresponsible behavior, possibly borderline criminal, in my opinion (and yes, I do think that the creator of Hacker Defender is irresponsible in distributing it).
     