Win32/Rootkit.XCP

Excellent point. If ESET seemed slow to include this rootkit it was in consideration of many issues, not all of them crystal clear. I, for one, want to see them stay in business.

John S., doubting he would ever click "accept" on a EULA to listen to a music CD

 

yes - but it's not relevant to my Eset comments - I'm not vested in PSC/Kevin's future, lack of, or reputation. He has his own future in his hands - I honestly don't want to see someone taken down by massive lawsuits, but more importantly, I don't want a company I have an interest in going that way!

 

Bruce Schneier has written the following article criticising the delay by anti-virus firms in reporting or removing this malware:

Wired: Real Story of the Rogue Rootkit

One valid concern that subscribers should have, is if fears of a legal backlash by Sony caused this delay (and this rootkit was in the valid for a good few months before Mark's blog), then this can - and will - recur in the future with other sufficiently well-financed sleazeware companies. Parallels can also be seen in adware with WhenU being downgraded (or removed) by Lavasoft and Microsoft.

AV vendors need to draw a line in the sand and stick to it.

 

Very true!!

And I see that there was to me an Update to this Rootkit Today!!

NOD32 - 1.1292 (20051119) / posted 15:17)
Virus signature database updates:
IRC/SdBot, Win32/Kelvir.GS (2), Win32/Kelvir.GT (2), Win32/Rootkit.XCP, Win32/Spy.Bancos.U (2), Win32/VB.NDS

Cheers,

 

Im sorry but your missing my point - a rootkit should be warned about proactively.

There is a program which is attempting to install itself on our systems and hide itself which by anybodys book, irrespective of who wrote it, is suspicious activity and should at the very least be identified by our virus progs and indicated to the end user by, for example, a warning popup.

What you are currently doing is ignoring the threat posed by an suspisious program.

This is like allowing your boot sector be overwritten unless the program thats doing it has been identifed as a virus.

Surely - this is the wrong way to approach it.

The lawers cant get involved in this because its only a warning - do you want to let this happnen - y/n - the choice is yours - there is no bias regarding who wrote the program, only a choice made by the owner of the machine in question.

Do lawers get involved if you choose to block a program accessing the internet from you firewall - not that i've heard.

Why should a virus checker be any different - the choice should be with the owner of the machine?

Unless its impossible to identify a program thats trying to hide itself in this manner?

 

Those of us who have tried cases in U.S. civil courts know that lawyers make their living crossing lines in the sand.

Cognitive dissonance takes over as soon as you give me a choice between doing the right thing and preserving my company.

I note that neither Bruce Schneier nor his fellow critics have offered to distribute a complete removal tool yet.

 

What does that have to do with anything? We're not paying Schneier to take care of this issue. We are paying the virus and trojan securities companies to proactively take care of these issues.

 

http://eset.sk/en/comapny/nod32-protects-also-against-the-sony-rootkit

Can you see that date?

18-11-2004

 

Does this mean Blackspear's settings which does periodic scans and then tries automatically to clean followed by delete, if clean fails, can screw things up since the scans are not done in safe mode?

 

I'm saying that perhaps the critics would be willing to show the AV's they have nothing to fear.

 

Typo?

 

I'm very happy with NOD32 and Eset.
NOD32 detected heuristically the backdoors that used this rootkit.
Also important, Eset added the rootkit to standard database unlike many others AVs that added this malicious code to extended database.

 

3 Weeks after it was detected.

 

Hope you're on every other anti-virus/anti-malware forum banging on about the same thing.
Fact is this rootkit has been out there since 2004.
Fact is a great many of the anti-virus companies that rushed out a 'fix' didn't do the job properly, (according to Mark Russinovich)...

"Unfortunately, there has been some confusion with regard to the level of cleaning that antivirus (AV) companies are providing for the rootkit. Some articles imply that AV companies remove all of the Sony DRM software in the cleaning process, but they are in fact only disabling and removing the Aries.sys driver that implements the rootkit cloaking functionality. Unfortunately, all of the AV cleaners I’ve looked at disable it improperly by unloading it from memory - the same way Sony’s patch behaves - which as I noted previously, introduces the risk of a system crash. While they post disclaimers on their web sites to that effect, they should use the safe alternative that I described a couple of posts ago, which is to delete the rootkit’s registration from Windows so that it won’t activate when Windows boots:"


So the question should not be about how quickly the 'fix' came out, instead the question should be "did they do it right"

 

Actually, there are lots of people paying Schneier, via Counterpane, far larger sums of money for managed security services than you and I are paying these shrink-wrapped AV software companies. I sure hope that everyone who subscribes to Counterpane's managed security service was aware of this XCP rootkit issue and that no instance of this DRM product was ever installed on one of their client's networks. Schneier should have been out there scrubbing these systems... yet somehow I suspect he was as clueless as the rest of us until the real detectives and investigators of the likes of Mark Russinovich and a few others first discovered it.

I'm sorry but I see Schneier as someone who makes his living being a firebrand more than anything else. No doubt the guy is very intelligent, but sometimes I suspect that we might all be slightly better served if he was more frequently devising and coding solutions rather then so frequently condemning and criticizing the work and practices of others. And in this particular case, at least, his words begin to smack a bit of hypocrisy.

On the matter at hand, I have absolutely no problems if Eset took the deliberate and financially prudent path rather than the immediate and aggressive path. Yes, theoretically I would prefer zero day protection... however I'm firmly in the economic realist camp. In any event, I don't honestly expect 100%, fool-proof, zero day coverage for every strain and variant of computer malware out there from my AV companies. That is the ideal, of course; however I am not believer in, nor am I reliant upon, the existance of such a computer security "magic bullet".

 

From Nancy McAleavey in this thread....

https://www.wilderssecurity.com/showthread.php?t=107012

"Having found some time to go back and play with the SONY rootkit has been difficult to come by, and our attorneys have been unable to obtain a definitive answer from the justice department as to our creating a specific solution to the SONY "rootkit" problem. However, I have been told that I have a right to my opinion, and as long as I express this as "my opinion" and not that of our company, (I did this on my own time) I should be free to share a chuckle with folks as to the pathetic nature of this "rootkit." And in doing so, I can explain WHY I think it's pathetic as well! So let's have at it, folks can learn from my rant to follow how to take care of this all by themselves!"

---------------------------------------------------------------------------------------------------------------------

So there are legalities to overcome before any security company jumps in with their fixes.
As far as I know, Sony still have not been found guilty in any court over this rootkit so it's prudent for security companies to get as solid legal guidance as possible.

 

Europeans use "day/month/year" as opposed to the "month/day/year we use in the States.

 

And the rest of the world, a simple and logical display of dates; small, medium, large.

Hmmmm medium, small, large. Now where's the logic in that one

 

USA have no history as such and have tried, desperately, with nearly everything to go their own way.
Even the UK have gone metric

 

OMG where the world is heading ....

 

I had a discussion about this with a Berkeley professor on a trans-atlantic flight - he was trying to tell me that it was to make sorting of dates more "logical" - so I pointed out that the adoption of:

YY/MM/DD or YYYY/MM/DD would make date sorting MUCH more logical - the current method of year being last was an abomination for sorting... eventually he admitted that he didn't know why it was so...

 

Now the states will all wade in...

http://www.chron.com/disp/story.mpl/front/3476945.html

 

Wow, we all know the amounts of damages American courts can levy, this could cost Sony dearly.