The Sony Rootkit - screenshots

Discussion in 'ProcessGuard' started by Wayne - DiamondCS, Nov 22, 2005.

Thread Status:
Not open for further replies.
  1. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Thanks for the shots, Wayne, and congrats for the way PG does stop this rootkit dead! :D

    It's very weird to blame him in such circumstances for an eventual "cryptic" aspect of PG use :mad: , when the shots he posted are speaking for themselves: come on, let's be serious, there are so many different .exes following autorun to support the opinion that common users could let this rootkit install with PG...

    Cheers
    nicM
    :)
     
  2. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    440
    Location:
    U.K.
    Well, it is not a question of blame, and it most certainly is not about anything 'cryptic' - the issue is about how security software should or should not support and work with the user.

    Obviously (and, I guess, understandably) given the baggage that people carry here it is not possible to address this subject here in an objective fashion. I'll look to have this discussion in a more independent forum at another time.

    PS: Gavin - Yes, I do use/have used a variety of different security apps to help monitor and guard against what is installed on and/or runs on my computers (I also own PG licences, but haven't made use of them for a long time). I am an expert user and developer, and as such I am not typical of the majority of computer users, so what I use for my own purposes isn't what I have been addressing in this thread.
     
  3. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    For once I agree with mele! (twice if you count the thing about new color schemes for the forum HINT HINT :D ) I would be very put off if a music cd wanted to install a driver. I've dealt with DRM protected media before without having to install drivers.. I certainly would be suspicious if they looked like they were named to be inconspicuous like this was.

    Keep in mind that these are actual PG users speaking here. You're making a case for something that you aren't in much of a position to know about. If there were a lot of PG users that ended up with the rootkit, don't you also think that there would be users "trumpeting to high heaven" that PG didn't work? There's going to be some users both ways, but think about the type of people that get PG in the first place.. they're getting it because they're worried about just this kind of activity.. they're not just piling on another scanner.
     
  4. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    spm,
    So you agree your opinion is somewhat biased and not that of a regular ProcessGuard user.

    You're quick to criticise, yet like you say you don't even use ProcessGuard. Seeing as you're a developer yourself and you don't think ProcessGuard is a good enough solution to the rootkit/driver problem even though screenshots prove how easy it is, would you be kind enough to elaborate to us all on what you think is a better solution?
     
    Last edited: Nov 22, 2005
  5. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    back down guys or I'm calling Jooske ;)
     
  6. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    440
    Location:
    U.K.
    Exactly - that is why I made my observation about it being impossible to address the subject objectively. I have not apportioned 'blame', and I have made it clear that my comments apply to software other than PG as well. Indeed, if you read my post above you will see that I admitted it was understandable that people here will be unable to be objective.

    Ah, now that is not correct. Gavin posted screen shots to show how PG stops the Sony rootkit. What they in fact show is a couple of screen shots that illustrate how PG would alert the user that certain elements (including a driver) are being installed. I don't dispute that, but it is an entirely different thing to extrapolate that such screen shots illustrate that PG did, for any user, actually stop the installation of the rootkit. I have contended that no users were saved from the rootkit by PG, and in your heart and your head you know I am correct about that. For otherwise, this whole sorry business with Sony would have been exposed earlier, and by different people.

    It is very likely, in fact, that none of the 500,000 users who have inadvertently installed the Sony rootkit are using PG - mostly, I suspect, for the reasons I have expanded on in this thread.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    SPM you are asking for software that is intuitive, and can somehow ascertain what a program is intended for. PG, and other programs like it, do what they are supposed to: they block something and give the human at the keyboard a choice. Some responsibility has to fall on that human. In this case since you say you are an advisor, advise.
     
  8. dog

    dog Guest

    SPM ... as long as the "Global Protections" are active as they should be... no user intervention is required -> No Driver/Service installed = No Rootkit. ;) Regardless if the user allows the installation of the other aspects of Sony's DRM software.
     
  9. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    440
    Location:
    U.K.
    Not at all. You obviously have not taken the time to understand what I have written. I have not positioned myself as a PG user, but rather as an IT expert who works with users every day, and understands their needs, especially in the field of security. The bottom line is that PG does not fit well with the great majority, and never will with its current approach. The Sony fiasco should be a lesson for everyone to learn from. That you can't see that - as a security software vendor - does not speak well of you. The bias is not on my side - I don't have an axe to grind about any one product.

    Ah, now that is very ungracious of you. You should know better. Yes, I have said that I don't use PG - you will also note that as I said, I do have licences for PG, but don't use them. I did once, but I don't use them any longer because PG misses the mark in my estimation.

    If you took more kindly to criticism, you would be in a better position to improve your products for real world usage. But hey, that's your choice.
     
  10. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    They actually use the software in question - you don't. That doesn't mean they can't be objective, it just means they know what they're talking about. Your opinion as a developer who doesn't use the program is much more biased than their opinion as an end user, and I listen to my customers who use my software, not other developers who don't.

    No, in my head I know that you don't know what you're talking about. Who are you to say what PG has or hasn't done on other users' machines? Do you have a remote access trojan installed on everyone's machine who has PG? Again, like you said, you don't even use PG. You're just a developer criticising another for the sake of it, and it's not even productive criticism. That's not exactly very professional coming from an "expert user and developer" like yourself.

    Wrong, again. For your information we were first made aware that ProcessGuard stopped the rootkit by a customer in the USA who had his ProcessGuard block the installation of the driver on a content-protected CD - we didn't receive our own content-protected CD until nearly a week later, so if it wasn't for ProcessGuard blocking the rootkit on one of our customers' machines we wouldn't have been able to confirm until a week later if it was successful or not.

    In other words, ProcessGuard saved our customer from the Sony rootkit before we even had our own copy of the rootkit!

    So why are you ignoring what ProcessGuard users are telling you? They (actual users in this thread at this forum) are telling you that they would be suspicious if drivers were trying to install when a music CD was inserted, yet you're still trying to insist otherwise?
     
    Last edited: Nov 22, 2005
  11. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    440
    Location:
    U.K.
    Well, there are probably a number of your other customers choking on reading this claim. But this isn't about the PR disaster of your TDS-3 fiasco ...

    Wrong again. You can try to turn this around as much as you like, and attribute motives which just aren't there, but all you are doing is to illustrate your inability to accept criticism or learn from real-world events. That hardly qualifies you to rubbish someone else's professionalism. Fine. It's your funeral.

    Why am I not surprised by this revelation at this time o_O So, now you are claiming that you knew about the rootkit, but failed to notify anyone about it. This isn't getting any better, Wayne.
     
  12. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Well if it wasn't clear to readers before that you're simply here to attack me then at least it is now. I'd probably try to change the thread topic too if everyone else was telling me that I was wrong.

    We haven't notified users about ANY specific rootkits because there is no need - ProcessGuard is a proactive solution that intercepts the installation of ALL drivers/rootkits, as proven by the customer who notified us of the rootkit before we got our own sample, so our customers were already protected against the rootkit, therefore there is no need to email them just to tell them that another rootkit has been released which they're already protected against - they'd quickly get annoyed of that as if it were spam.

    Anyway your motives are quite clear now and I have work to do so I won't waste any more time replying to you.

    PS. Why does your website try to start an ActiveX object on the main page? After all, if you're that concerned about the security of my customers surely you'd be just as concerned about your own customers having to download and execute an ActiveX control on their system?
     
    Last edited: Nov 22, 2005
  13. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    440
    Location:
    U.K.
    So, what you are saying is ...

    1. You - DiamondCS - knew about the presence of the Sony rootkit (indeed, you now claim you made specific efforts to obtain a CD that installed the rootkit one of your customers told you about), but felt it was best to keep quiet about it publicly, rather than show a sense of professionalism or ethics and make the portentous event public?

    ... and ...

    2. You - DiamondCS - knew about the presence of the Sony rootkit, but decided not to publicly champion your product's ability to defend against it, despite all the revelations that have been around for some time now, and despite the dire need you have for a PR success given your recent disastrous history??

    That's what you want people to accept?
     
  14. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    440
    Location:
    U.K.
    Ha. Cheap shot, Wayne. Was it your software that got this wrong? Or was it your own deficiency? I presume you are referring to www.coco.co.uk - this site has nothing to do with security (that is a different business altogether), and it uses no ActiveX controls. It does use a Java applet to display some dynamic text. Do you know the difference between the two? You're not exactly enhancing your reputation here. Perhaps you should stop.
     
  15. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Yes, just as we "know about the presence" of dozens of other rootkits out there in the wild, nearly all of which are more dangerous than the Sony one. What's your point?

    Yes, just as all the other anti-virus companies have. Again, what's your point?

    Errr, no. There have been many threads over the last couple of weeks asking "does ProcessGuard block this?", to which we have responded. What do you want us to do, drop flyers from the sky over major cities so that everybody in the world knows that ProcessGuard blocks it?

    Just as we haven't "publicly championed" against every other rootkit that has come out, so how is Sony's any different? Apart from being less dangerous than others. Again you're making no sense.

    This is absolutely ridiculous, all you're criticising us for now is not marketing enough the fact that our program protects users against this. What is the point of that and how does that affect you? It's the PROTECTION that is important, not telling people that they're protected - they already know that.

    But again you don't even use the program so you wouldn't know.

    Tell me what is more important - having a program that protects users, or emailing users every time a rootkit is released to tell them (again) that they're already protected?

    It was a simple test to see if you could cop criticism like you dish it out. You failed.

    Anyway you've posted enough here for people to understand what sort of person you are and what your motives are so thanks for that, I don't need to say anything more now.
     
    Last edited: Nov 22, 2005
  16. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    Fact is - PG recognises the individual events and notifies the user. As I've already pointed out - the user's first question is 'is this a trusted source'.

    This is where the trust was abused. The anger and disappointment should be focussed entirely on Sony.
     
  17. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    It has. I'll close it for now as it's clear our friend spm here is on a one-way spiral downhill - there's only so much you can allow a thread to be hijacked by people who don't even have anything to do with the issue at hand.

    I'll be making a much more comprehensive analysis with more screenshots soon so I'll post when that's done. Nobody has ever released any other screenshots of any programs blocking the installation of the Sony rootkit so there's room for more analysis and explanations. The Sony rootkit is certainly not as dangerous as any of the existing Windows kernel rootkits out there (such as Hacker Defender, fu etc), but due to the enormous media interest it's important to clarify the situation for the benefit of all parties so as to prevent misinformation and unnecessary fear.

    Best regards,
    Wayne
     