The Sony Rootkit - screenshots

Discussion in 'ProcessGuard' started by Wayne - DiamondCS, Nov 22, 2005.

Thread Status:
Not open for further replies.
  1. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Several people have asked at various forums about whether ProcessGuard can stop the Sony rootkit. The answer is: Yes! Of course it can, and it has been able to do this for well over a year so if you have ProcessGuard then you can already defeat the installation of this rootkit.

    This afternoon I decided to take some screenshots, as most people wouldn't have seen this, so here goes ... :)
     
  2. Wayne - DiamondCS
    This first screenshot is what you see when you first put the CD in your machine, when autorun is enabled. Autorun.exe is launched, and ProcessGuard asks you if you want to allow it.

    At this stage you could simply click No, and ProcessGuard would block it from running and that's that - the installation process has been blocked, so even at that early stage it's easy to block it. However for this demo we'll say Yes to everything, to essentially allow the full installation so that we can monitor everything that happens when the rootkit is allowed to install.
     

  3. Wayne - DiamondCS
    This image shows one of the popup balloon windows you'll see when a program attempts to install a driver.
     

  4. Wayne - DiamondCS
    The third image is a composite of two images that were taken after allowing everything to install - you can see that the installation is quite vigorous, and we had to say Yes (Permit execution/installation) a lot of times.
     

  5. Wayne - DiamondCS
    If you do permit everything to install then you will have installed the rootkit. This fourth image shows some of these files - files you don't want on your system. :)

    That's all for now, we'll probably release more information about this on the ProcessGuard website soon pending further analysis.

    Best regards,
    Wayne
     

  6. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,518
    Location:
    USA - Back in a real State in time for a real Pres
    Thanks Wayne. It was interesting to see the process (no pun intended).
     
  7. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    While it is understandable that Wayne wants to give himself and his product a pat on the back, this misses the point IMO. It may be that PG requires user permission to install a driver (and other executables), but it in no way alerts the user to the fact that the driver is part of a rootkit.

    It is hardly surprising that a DRM solution installs a driver, and most people installing a copy-protected music CD will expect this to be the case and thereby decide to permit its installation. It's the nature of the driver in this case that is the problem, not the fact that there is a driver. PG (and other similar security apps) provides no protection against this kind of situation, and that IMO serves to illustrate a great weakness that PG (and the other software) suffers from.

    What is really needed here is the security app to identify rootkits through generic means ('heuristics', if you like), and then alert the user appropriately. It seems other apps are beginning to emerge that operate just this way, and my money's on them to win the market battle in the long term. Is this also part of the DiamondCS mindset? It doesn't look like it currently.
     
  8. Wayne - DiamondCS
    hi spm,
    A lot of people have been asking at various forums as to whether ProcessGuard can block it, so in response here are some screenshots to demonstrate that.

    You've basically just described an anti-virus scanner ... :), which ProcessGuard is not. We may add some rootkit-specific driver analysis in the future - never rule anything out, but I won't elaborate on that for now.
     
    Last edited: Nov 22, 2005
  9. spm
    No, I have not just described an anti-virus scanner - and it is very disingenuous of you to make such a claim. By your own words, it seems that I may have just described the PG of the future. So, by conclusion, maybe PG will become just an anti-virus scanner (then again, what PG may or may not be in the future is an irrelevance for now).

    Don't get me wrong, I am not knocking PG as such, as my comments apply equally well to some other products. However, there has been such a lot of nonsense talked about the Sony DRM rootkit, and it hasn't all come from Sony (or First4Internet) itself. As Mark Russinovich has already pointed out, the claims that many anti-malware companies have made re their handling of the rootkit have been misleading, and I also contend that the approach taken by PG and some other security apps provides only illusory protection to the user. This whole (Sony) situation has brought that into clear perspective.

    The real issue for DiamondCS and the other security software companies is to start designing their apps in the context of their use. What's the point in asking a user to decide on an action which they (or the software) don't understand? What's the point of bombarding the user with alerts about actions of which 99.9% are perfectly legitimate? The end result will always be the opposite of what is intended, as human nature, and ways of working, are ignored.
     
  10. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    spm, Why do you say everyone would install a DRM driver in order to play a music CD? I certainly wouldn't and it wouldn't matter whether it was a rootkit driver or what. A music CD doesn't install anything! Or it shouldn't! If I knew before I bought it that it would install anything, I wouldn't buy the CD. Who would?! If I didn't know before I bought it, and it tried to install anything, I would pull it out and return it and raise hell if the store didn't want to take it back. A music CD that is OK does not install anything.
     
  11. Wayne - DiamondCS
    spm,
    ProcessGuard gives the user the choice of whether or not to allow an execution/installation by design. Without ProcessGuard they don't really have a choice - programs will execute and drivers will install without their knowledge. When you put a music CD in your machine you don't expect any alarms from security programs, and if you put a normal (non-protected) music CD in your computer then PG won't blink, but when you put this CD in you're confronted with autorun.exe, then a variety of other programs and the installation of drivers! This is very suspicious behaviour for a music CD, and most ProcessGuard users, especially those who've read the information in the helpfile or on the website, will be quite aware of the security implications of drivers. Even if a ProcessGuard user does click Permit to all the alerts from the protected CD then they'll still have a log of all those files courtesy of ProcessGuard.

    Sure, we could try to 'dumb' ProcessGuard down so that it makes more choices on the user's behalf, but that type of automation generally comes at the cost of security - it's often easy to bypass automated security. An educated user is the best defense against rootkits, and ProcessGuard helps the user make those educated decisions. Please keep in mind that ProcessGuard is not recommended for novice users as the program is designed for use by more experienced users.
    Best regards,
    Wayne
     
  12. spm
    Good for you, but this would not be typical behaviour. DRM technology uses all sorts of techniques - there will be many more new ones to come - and installing a driver (or any other executable for that matter) is not/will not be unusual. If you accept that music CDs you want to play may be copy-protected - and that's what most people do, clearly - then you will want to install it. The same applies to CD-based games, most of which use a form of DRM or copy-protection.

    If you don't know that the (DRM) software is dangerous, you're not in a position to decide. What PG effectively does is to say to the user - "Hey, do you know you are trying to install software?" The user thinks - "Well, yes, I am. So don't bug me."

    What Sony did was a form of 'social engineering' - a term with mostly negative connotations applied to the phenomenon of phishing. What is needed, if you like, is a positive form of 'social engineering' to be implemented in security products that works to protect and guide the user.
     
  13. spm
    Wayne, by your admission, then, PG is and will always remain the preserve of the geek clique. If only those people who know better will be able to make use of PG, then fine. At least you're realistic about your market.

    I work with customers every day who need better guidance on what is safe to install and what is not. Some are knowledgeable about the architecture of Windows, and the role of each of its components, but the great majority are not (anyway, why should they be?). These people will have no use for PG or similar.

    Before the Sony fiasco broke, I wonder how many PG users actually saved themselves from installing the Sony XCP software? None, I say - if any had, I'm damned sure it would have been trumpeted here and elsewhere to the heavens.
     
  14. Wayne - DiamondCS
    Actually I think a ProcessGuard user (remembering that ProcessGuard users are generally not novice users as that is not the target audience for ProcessGuard) is more likely to think "Hang on, I'm just trying to listen to a music CD - why are these programs and drivers trying to run?"

    Not all of our software is for everyone. Some of our software is, and most of it is free, but ProcessGuard is an advanced security system designed for medium-to-advanced users. ProcessGuard isn't the only program in the world that isn't aimed at novice users :)

    Btw, our newly designed website (which we'll be launching in the next week or so hopefully) has user recommendation images with every single program, so for example you'll see this one on the ProcessGuard download page:
    http://www.diamondcs.com.au/images2/userlevel/23.gif

    Again ProcessGuard users generally aren't novice users, and you would think that most would probably be extremely surprised if a music CD tried to run a program let alone install a driver. You aren't giving them much credit!
     
    Last edited: Nov 22, 2005
  15. xmen

    xmen Guest

    I agree 100%. Unless you are REALLY advanced, how the heck would you know the driver being installed is objectionable?

    The easy answer of course is to never allow driver installs, but that's not really realistic.
     
  16. Wayne - DiamondCS
    When you put a music CD in and you get alerts from a security program telling you that it's trying to run various programs and install drivers, you don't need to be too advanced to realise that it's doing something that no other music CD does ... :)

    Without ProcessGuard you won't know that programs are executing, nor will you know that drivers are being installed, and again, even if you do allow every execution and installation from the music CD then you'll still have a complete log of everything that was installed.
     
  17. spm
    It's just this kind of observation, I'm afraid, that leads me to believe products such as PG will be unsustainable in the long term, or remain restricted to a tiny market. You accused me above of not giving credit to users. At least I respect them.
     
  18. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    There are 2 opposing forces at work here.

    Rule No.1: Is it a trusted source ?

    If we are to believe Mr Russinovich - this is how he was caught out - he trusted Sony.

    The trouble with this rule, is if you accept it is a trusted source then you are in a dilemma when faced with warnings about files you cannot successfully check out on Google - cos they aren't published at the time.

    Common sense tells you that the publisher is trying to own you somehow and you may well want to clean up afterwards, but you have to take one hell of a leap to imagine just how disrespectfully they intended to treat you and your machine.

    For my money tho, I'm happy as long as PG rings alarms and indicates the intentions of a new script changes that will be initiated if allowed. Now the day it doesn't and something gets on - I'll complain.

    Edited by eyes-open
     
    Last edited: Nov 22, 2005
  19. Wayne - DiamondCS
    Unsustainable how, and upon what market research do you base this claim? What markets we choose to target with each program is based on the features we can give the user in each program - some features are advanced and powerful but may need a little knowledge on the part of the user, such is the nature of the feature. Not every program can be made to cater for everyone, and again we don't claim that ProcessGuard is for everyone - it is for medium-to-advanced users.

    Sir can I ask what program you use to intercept file executions and driver installations if not ProcessGuard? Or are you currently allowing all programs to execute and drivers to install without your knowledge?

    Can I ask what I said that would ever give you the idea that I don't respect ProcessGuard users? o_O If I didn't respect your opinion I wouldn't have spent the last hour replying to your questions and points. :) I have devoted my life to my software and my customers. I'm only a small company so if I didn't put my customers first I wouldn't have survived this long! But as they say - you can't please everyone, especially when your software isn't targeted at everyone.

    But I appreciate your feedback, and I hope you understand some of the points I've made, even if you don't agree with all of them. You're entitled to your opinion. So please tell me what it is that I can do to make you happy?

    Best regards,
    Wayne
     
    Last edited: Nov 22, 2005
  20. richo

    richo Registered Member

    Joined:
    Jul 15, 2005
    Posts:
    73
    I completely disagree. As a PG user, if I get a pop up warning me about a process or driver installation... I look at it critically.... & unless I know for sure it's safe I deny it. Common sense doesn't make a geek. Seems some people want their security software to do more than is realistic. After a good learning period... all warnings should be viewed with utmost suspicion.
     
  21. Wayne - DiamondCS
    richo well said. To add to that it's also worth noting that driver installations are not a very common occurrence, so whenever ProcessGuard alerts the user to a driver installation then things should be scrutinised intensely. :)
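    As an added example (not ProcessGuard's code, and not its real log format), the Python below turns the point made in this thread into a check a defender can run over an execution/driver-install log: it flags any driver install whose process ancestry leads back to a program launched from removable media, i.e. the autorun.exe, further programs, then driver chain described for this CD. The log format, the drive letter and the file names are constructed assumptions.

```python
# Added example, not ProcessGuard's code: flag driver installs whose process
# ancestry leads back to a program launched from removable media.

# Constructed sample in a hypothetical log format (not ProcessGuard's real one):
#   "<time> EXEC <pid> <parent_pid> <path>"   a program was executed
#   "<time> DRIVER <pid> <driver_path>"       that process installed a driver
SAMPLE_LOG = """\
12:00:01 EXEC 100 4 C:\\WINDOWS\\explorer.exe
12:00:05 EXEC 200 100 D:\\autorun.exe
12:00:07 EXEC 210 200 D:\\contents\\installer.exe
12:00:09 DRIVER 210 C:\\WINDOWS\\system32\\drivers\\example.sys
12:00:30 EXEC 300 100 C:\\Program Files\\Vendor\\setup.exe
12:00:31 DRIVER 300 C:\\WINDOWS\\system32\\drivers\\vendor.sys
"""

REMOVABLE_DRIVES = ("D:",)  # assumption: D: is the CD/DVD drive


def parse_log(text):
    """Return ({pid: (parent_pid, path)}, [(pid, driver_path), ...])."""
    procs, drivers = {}, []
    for line in text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) < 3:
            continue  # blank or malformed line
        if fields[1] == "EXEC":  # path may contain spaces, so limit the split
            pid, ppid, path = fields[2].split(maxsplit=2)
            procs[int(pid)] = (int(ppid), path)
        elif fields[1] == "DRIVER":
            pid, path = fields[2].split(maxsplit=1)
            drivers.append((int(pid), path))
    return procs, drivers


def ancestry(pid, procs):
    """Executable paths from the given process up to the root, nearest first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:  # guard against pid reuse loops
        seen.add(pid)
        ppid, path = procs[pid]
        chain.append(path)
        pid = ppid
    return chain


def suspicious_driver_installs(text, drives=REMOVABLE_DRIVES):
    """Driver installs whose ancestry includes a program run from removable media."""
    procs, drivers = parse_log(text)
    prefixes = tuple(d.upper() for d in drives)
    hits = []
    for pid, driver in drivers:
        chain = ancestry(pid, procs)
        if any(p.upper().startswith(prefixes) for p in chain):
            hits.append((driver, chain))
    return hits
```

    On the sample, only the driver installed by the chain rooted at D:\autorun.exe is reported; the vendor installer launched from the hard disk is left alone.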
     
  22. richo
    It's a pleasure to use quality software made by a fellow Aussie. BTW... I was in Perth in May... beautiful city. Congrats on taking on the big guys & coming out on top.
     

  23. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    Off topic but congrats on your rugby team for winning a game :)
     
  24. Wayne - DiamondCS
  25. richo
    I did see us play Scotland last year in Sydney... even off form it was an easy win for us.
     