Win32/Rootkit.XCP

Discussion in 'NOD32 version 2 Forum' started by izi, Nov 17, 2005.

Thread Status:
Not open for further replies.
  1. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    ESET added a virus signature for Sony's rootkit.

    NOD32 - 1.1290 (20051117 / posted 20:05)
    Virus signature database updates:
    IRC/SdBot, Win32/Delf.AHV, Win32/Hupigon (2), Win32/Julikz.A, Win32/Rbot, Win32/Rootkit.XCP, Win32/Soul (3), Win32/Spy.Banker, Win32/Spy.Banker.NDR, Win32/TrojanDownloader.Dadobra.IL, Win32/TrojanDownloader.Small.AVT, Win32/TrojanDownloader.VB.NBO (2), Win32/TrojanProxy.Agent.CR, Win32/TrojanProxy.Agent.FB, Win32/Tsipe.AA (2), Win32/VB.ANC (5), Win32/VB.AND (2)
     
  2. FanJ

    FanJ Guest

    Thanks izi for pointing to that one !

    Question for ESET:
    What exactly covers this Win32/Rootkit.XCP ?

    No intention to hurt you Eset guys, but there is too much confusion about what the AV's/AT's/AS's clean and/or protect against with respect to this whole issue....
     
  3. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Good to see!! :D :D

    Cheers,
     
  4. Ieyj

    Ieyj Guest

    Better late than never..
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I would suspect that it is not easy to work out which way to step when a giant such as Sony has more Lawyers on their books, than you have employees :rolleyes: ;) :D

    Cheers :D
     
  6. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    See this http://www.eset.com/home/home.htm, click on Win32/Rootkit.XCP...
     
  7. FanJ

    FanJ Guest

  8. DonKid

    DonKid Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    566
    Location:
    São Paulo, Brazil
    Hmm, they could have more lawyers, but will they have customers?
     
  9. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    That's what I was attempting to say back on Nov. 4th:

    https://www.wilderssecurity.com/showthread.php?t=105096#7

    A lot of the back-room lawyers seemed to think it a little more clear-cut - interesting that it takes until the 16th for Sony to be FORCED into withdrawing the software, and the very NEXT day Eset actually released the update containing the detection, AND the database information on the 'threat'....

    http://www.msnbc.msn.com/id/10069563/

    I suspect your take, and mine is a closer reason for the time it takes to get a threat added - if you're a small company with relatively decent cashflow, you're "fair game" - at least in the USA, for legions of lawyers on retainer for such a huge corporation - being "right" has nothing to do with it... having the legal terriers to bankrupt you in court is more the issue...
     
  10. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,728
    Location:
    localhost
    Well... I hope that the fear of lawyers' action is not the only reason behind ESET's late inclusion of the signature, otherwise my trust in ESET is somehow compromised...
    :mad: :mad: :mad:
     
  11. beetlejuice69

    beetlejuice69 Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    780
    Yes, same here.
     
  12. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    I would hope so too... but I'm a realist... if you're in business here in the USA, you can NOT make decisions blindly without considering the legal implications at every step... it's a minefield, and you can't go blindly plodding through it without regard for where you step... that's the REALITY of doing business, at least in the USA... someone will READILY shout "lawsuit" at you for something you KNOW you did "right"!
     
  13. TBR

    TBR Guest

    I'm sorry, but to be honest, when I bought ESET NOD32 I was under the impression, given the fact that they boast about their 100% records on their web page, that ESET were on the ball to all types of security threats.

    I personally couldn't care who makes it - a rootkit is a rootkit - and I DON'T want it on my PC - I've paid for that level of protection.

    This has shaken my trust in ESET a bit - perhaps they should have taken a leaf out of F-Secure's book and been proactive about it instead of reactive.

    This is an infection on par with worms like Blaster, Slammer, Code Red and Nimda in terms of number of infected machines, yet it takes until the 17th of this month for ESET to detect it, A FULL 17 DAYS AFTER IT WAS FIRST DETECTED even though this has been in the wild since mid-2004.

    McAfee had detection on the 9th and even the gods of bloatware Symantec had a removal tool posted by the 11th. So ESET took almost 3 weeks to get detection sorted.

    Sorry, not acceptable, and I would appreciate an explanation here if possible, and assurances that in future any rootkits will be detected irrespective of who makes them.

    Otherwise there is a company above who does what it's supposed to - secure my machine.
     
  14. Itsme

    Itsme Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    148
  15. DonKid

    DonKid Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    566
    Location:
    São Paulo, Brazil
    Me too.
     
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    As mentioned by our Mr Happy Bytes in his write up:
    So with this being the case, I would refer you back to my first posting: does anyone here think they are brave enough to poke a sleeping tiger without great caution? Come on now, surely not; not even our Croc Hunter would go and taunt such an animal...

    Cheers :D
     
  17. TBR

    TBR Guest

    Blackspear, thanks for the feedback. Sorry for my ignorance, though, but are you connected with ESET?

    I ask because I wish to know if it's OK in ESET's opinion for any software to install as a rootkit?

    Or more to the point, if a piece of software attempts to install itself on our machines as a rootkit - NOD will do nothing proactive about it - not even give a warning?

    I see this as akin to the whole boot sector virus trend - where eventually even the BIOS would warn you regarding changes to the boot sector of the disk. There were a few programs that modified this portion of the disk for legitimate reasons, but at least we got a warning about it.

    With rootkits there is none - but shouldn't this be viewed as suspicious activity by NOD?
     
  18. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I am a Reseller; you can see this within my profile under "Additional Information". This however has nothing to do with how I see their stance on this particular situation. As stated above, this is NOT a standard malware-based rootkit; it does however have flaws in it that would allow it to be modified, and given the size of the public company involved, I would rather Eset take a moment to decide how to address this situation in a sensible manner than run headstrong in and not be around next year because they are now owned by Sony :rolleyes:

    Just my 2 cents

    Cheers :D
     
  19. J at A

    J at A Guest

    A rootkit is a rootkit is a rootkit

    What would Eset have done if Mark from Sysinternals and others hadn't posted about it, followed by "some" attention in the media and on the Internet?

    Ages ago I for myself came to the conclusion that you need BOClean while using NOD32 resident (and TDS-3 while it was still there...).
    Others might have a different opinion; no problem with me.
    Anyway, still friends !!! ;)

    Cheers, Jan.
     
  20. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    My sentiments EXACTLY - let some other company be the test case - or - as I'd call them, carrion to the legal vultures perched on the shoulder of their corporate masters!

    I too want my investment in learning and selling of Eset's products to CONTINUE to bear fruit. Does ANYONE think it a good idea that valuable research dollars/cents/pounds/crowns, whatevers... go to a legal defense cause, instead of product improvement?

    Restraint and discretion are both virtues ... not flaws...
     
  21. J at A

    J at A Guest

    webyourbusiness, have you any idea what Kevin (PSC) has done for the security-community?

    ? ? ?
     
  22. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland


    From Mark Russinovich at Sysinternals...

    Unfortunately, there has been some confusion with regard to the level of cleaning that antivirus (AV) companies are providing for the rootkit. Some articles imply that AV companies remove all of the Sony DRM software in the cleaning process, but they are in fact only disabling and removing the Aries.sys driver that implements the rootkit cloaking functionality. Unfortunately, all of the AV cleaners I’ve looked at disable it improperly by unloading it from memory - the same way Sony’s patch behaves - which as I noted previously, introduces the risk of a system crash. While they post disclaimers on their web sites to that effect, they should use the safe alternative that I described a couple of posts ago, which is to delete the rootkit’s registration from Windows so that it won’t activate when Windows boots.


    Now, I don't know if ESET have taken time to deal with the removal of this rootkit properly instead of rushing out a 'fix' to give people the false impression of proactiveness, and I doubt you know either.

    (Mark wrote the article that I quoted from before ESET released their fix)

    JJ :cool:
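The removal approach Russinovich describes in the quote above (leave the running driver alone; remove or disable its boot-time registration so it never loads again), as an added PowerShell example. This is not code from the thread, from Sysinternals or from ESET. It assumes the driver is registered as a kernel-driver service under HKLM\SYSTEM\CurrentControlSet\Services (the normal arrangement for a .sys file) and locates that registration by the file name Aries.sys given in the quote, since the thread does not give a service name. Run it from an elevated PowerShell; it honours -WhatIf.

```powershell
# Added example (not from the original thread, Sysinternals or ESET): neutralise a
# kernel-mode driver by editing its service registration instead of unloading it.
# Assumption: the driver is registered as a service under the Services key; the
# service name is not assumed but discovered from the ImagePath value.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # File name of the driver to neutralise. "Aries.sys" is the name given in the thread.
    [string]$DriverFile = 'Aries.sys',
    # Delete the whole registration (what the quote literally describes) instead of
    # leaving it in place with Start=4; the default keeps the key for later verification.
    [switch]$DeleteRegistration
)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$DRIVER_TYPES     = 1, 2   # Type: 1 = kernel driver, 2 = file-system driver
$SERVICE_DISABLED = 4      # Start: the Service Control Manager never loads it

# 1. Find every service whose ImagePath ends in the driver file name. A regex is
#    used rather than path helpers because ImagePath may read "\??\C:\...",
#    "\SystemRoot\..." or "system32\drivers\...".
$pattern = '(?i)(^|[\\/])' + [regex]::Escape($DriverFile) + '$'
$found = foreach ($key in Get-ChildItem $servicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
    if ($props.ImagePath -and ($props.ImagePath -match $pattern)) {
        [pscustomobject]@{
            Name      = $key.PSChildName
            Type      = $props.Type
            Start     = $props.Start
            ImagePath = $props.ImagePath
            Key       = $key.PSPath
        }
    }
}

if (-not $found) {
    # A cloaking driver may hide its own key from enumeration while it is loaded.
    # In that case inspect the SYSTEM hive offline (e.g. from Windows RE with the
    # hive loaded under a temporary key via reg.exe load) rather than trusting this result.
    Write-Warning "No service registration found for $DriverFile while Windows is running; check the SYSTEM hive offline."
    return
}

# 2. Report what was found, including whether the SCM currently has it loaded.
foreach ($svc in $found) {
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name = '$($svc.Name)'" -ErrorAction SilentlyContinue
    $svc | Add-Member -NotePropertyName Loaded -NotePropertyValue $drv.State -Force
}
$found | Format-Table Name, Type, Start, Loaded, ImagePath -AutoSize | Out-Host

# 3. Disable at boot. Deliberately NO "sc stop", "net stop" or driver-unload call:
#    pulling a live kernel driver out from under the system is the crash risk the
#    quote warns about. After a reboot the driver is simply never loaded, and the
#    .sys file can then be deleted like any other file.
foreach ($svc in $found) {
    if ($svc.Type -notin $DRIVER_TYPES) {
        Write-Warning "$($svc.Name) is not a driver service (Type=$($svc.Type)); skipping."
        continue
    }
    if ($DeleteRegistration) {
        if ($PSCmdlet.ShouldProcess($svc.Name, 'Delete service registration key')) {
            Remove-Item -Path $svc.Key -Recurse
            Write-Output "$($svc.Name): registration deleted. Reboot, then remove $($svc.ImagePath)."
        }
    }
    elseif ($PSCmdlet.ShouldProcess($svc.Name, "Set Start=$SERVICE_DISABLED (disabled)")) {
        Set-ItemProperty -Path $svc.Key -Name Start -Value $SERVICE_DISABLED -Type DWord
        Write-Output "$($svc.Name): Start $($svc.Start) -> $SERVICE_DISABLED. Reboot, verify Loaded is empty, then remove $($svc.ImagePath)."
    }
}
```

Setting Start=4 and deleting the key both satisfy "won't activate when Windows boots"; the default leaves the key so that a second run after the reboot can confirm the driver is registered but no longer loaded before the file is removed.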
     
  23. que sera

    que sera Guest

    How about future issues? It's foreseeable that many companies will be interested in using rootkit technology - having carte blanche to do whatever they like with a customer's PC is simply irresistible to them. Like other posters here, I don't want any kind of rootkit on my computer for whatever reason! So, besides this Sony hassle - what is ESET going to do in the future? Can I expect protection only against some script kiddie baddies, and when it comes to small or big name companies' stuff I'm on my own? Without any warning at all?

    I understand that this is a difficult situation and dilemma, not only for ESET but for other vendors as well. But they have to find a way to protect their customers or they will lose them.


    Regards,
    qs
     
  24. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    I think software companies will have had their eyes opened by the negative global response to Sony's disregard for its customers.
     
  25. doug6949

    doug6949 Registered Member

    Joined:
    Nov 28, 2003
    Posts:
    110
    Even the best of corporate ethics must bow to the realities of economics. It is easy to look back with our own expert opinions now and see that a removal tool was defensible. But two weeks ago the CEO of any company worth millions would have been a fool to have challenged a company worth billions.

    It is instructive to remember that medals of honor are often awarded posthumously.
     