Win32/Rootkit.XCP

Discussion in 'NOD32 version 2 Forum' started by izi, Nov 17, 2005.

Thread Status:
Not open for further replies.
  1. john smith

    john smith Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    59
    Excellent point. If ESET seemed slow to include this rootkit it was in consideration of many issues, not all of them crystal clear. I, for one, want to see them stay in business.

    John S., doubting he would ever click "accept" on a EULA to listen to a music CD
     
  2. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,662
    Location:
    Throughout the USA and Canada
    yes - but it's not relevant to my Eset comments - I'm not vested in PSC/Kevin's future, lack of, or reputation. He has his own future in his hands - I honestly don't want to see someone taken down by massive lawsuits, but more importantly, I don't want a company I have an interest in going that way!
     
  3. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Bruce Schneier has written the following article criticising the delay by anti-virus firms in reporting or removing this malware:

    Wired: Real Story of the Rogue Rootkit

    One valid concern that subscribers should have, is if fears of a legal backlash by Sony caused this delay (and this rootkit was in the valid for a good few months before Mark's blog), then this can - and will - recur in the future with other sufficiently well-financed sleazeware companies. Parallels can also be seen in adware with WhenU being downgraded (or removed) by Lavasoft and Microsoft.

    AV vendors need to draw a line in the sand and stick to it.
     
  4. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,803
    Location:
    Ontario, Canada

    Very true!!

    And I see that there was to me an Update to this Rootkit Today!!

    NOD32 - 1.1292 (20051119) / posted 15:17)
    Virus signature database updates:
    IRC/SdBot, Win32/Kelvir.GS (2), Win32/Kelvir.GT (2), Win32/Rootkit.XCP, Win32/Spy.Bancos.U (2), Win32/VB.NDS

    Cheers,
     
  5. TBR

    TBR Guest

    Im sorry but your missing my point - a rootkit should be warned about proactively.

    There is a program which is attempting to install itself on our systems and hide itself which by anybodys book, irrespective of who wrote it, is suspicious activity and should at the very least be identified by our virus progs and indicated to the end user by, for example, a warning popup.

    What you are currently doing is ignoring the threat posed by an suspisious program.

    This is like allowing your boot sector be overwritten unless the program thats doing it has been identifed as a virus.

    Surely - this is the wrong way to approach it.

    The lawers cant get involved in this because its only a warning - do you want to let this happnen - y/n - the choice is yours - there is no bias regarding who wrote the program, only a choice made by the owner of the machine in question.

    Do lawers get involved if you choose to block a program accessing the internet from you firewall - not that i've heard.

    Why should a virus checker be any different - the choice should be with the owner of the machine?

    Unless its impossible to identify a program thats trying to hide itself in this manner?
     
  6. doug6949

    doug6949 Registered Member

    Joined:
    Nov 28, 2003
    Posts:
    110
    Those of us who have tried cases in U.S. civil courts know that lawyers make their living crossing lines in the sand.

    Cognitive dissonance takes over as soon as you give me a choice between doing the right thing and preserving my company.

    I note that neither Bruce Schneier nor his fellow critics have offered to distribute a complete removal tool yet.
     
  7. berng

    berng Registered Member

    Joined:
    Sep 11, 2005
    Posts:
    252
    Location:
    NJ, USA
    What does that have to do with anything? We're not paying Schneier to take care of this issue. We are paying the virus and trojan securities companies to proactively take care of these issues.
     
  8. Logyn

    Logyn Guest

  9. berng

    berng Registered Member

    Joined:
    Sep 11, 2005
    Posts:
    252
    Location:
    NJ, USA
  10. doug6949

    doug6949 Registered Member

    Joined:
    Nov 28, 2003
    Posts:
    110
    I'm saying that perhaps the critics would be willing to show the AV's they have nothing to fear.
     
  11. doug6949

    doug6949 Registered Member

    Joined:
    Nov 28, 2003
    Posts:
    110
    Typo?
     
  12. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    I'm very happy with NOD32 and Eset.
    NOD32 detected heuristically the backdoors that used this rootkit.
    Also important, Eset added the rootkit to standard database unlike many others AVs that added this malicious code to extended database.
     
  13. TBR

    TBR Guest

    3 Weeks after it was detected.
     
  14. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    Hope you're on every other anti-virus/anti-malware forum banging on about the same thing.
    Fact is this rootkit has been out there since 2004.
    Fact is a great many of the anti-virus companies that rushed out a 'fix' didn't do the job properly, (according to Mark Russinovich)...

    "Unfortunately, there has been some confusion with regard to the level of cleaning that antivirus (AV) companies are providing for the rootkit. Some articles imply that AV companies remove all of the Sony DRM software in the cleaning process, but they are in fact only disabling and removing the Aries.sys driver that implements the rootkit cloaking functionality. Unfortunately, all of the AV cleaners I’ve looked at disable it improperly by unloading it from memory - the same way Sony’s patch behaves - which as I noted previously, introduces the risk of a system crash. While they post disclaimers on their web sites to that effect, they should use the safe alternative that I described a couple of posts ago, which is to delete the rootkit’s registration from Windows so that it won’t activate when Windows boots:"


    So the question should not be about how quickly the 'fix' came out, instead the question should be "did they do it right"
     
  15. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    419
    Location:
    Dallas, TX
    Actually, there are lots of people paying Schneier, via Counterpane, far larger sums of money for managed security services than you and I are paying these shrink-wrapped AV software companies. I sure hope that everyone who subscribes to Counterpane's managed security service was aware of this XCP rootkit issue and that no instance of this DRM product was ever installed on one of their client's networks. Schneier should have been out there scrubbing these systems... yet somehow I suspect he was as clueless as the rest of us until the real detectives and investigators of the likes of Mark Russinovich and a few others first discovered it.

    I'm sorry but I see Schneier as someone who makes his living being a firebrand more than anything else. No doubt the guy is very intelligent, but sometimes I suspect that we might all be slightly better served if he was more frequently devising and coding solutions rather then so frequently condemning and criticizing the work and practices of others. And in this particular case, at least, his words begin to smack a bit of hypocrisy.

    On the matter at hand, I have absolutely no problems if Eset took the deliberate and financially prudent path rather than the immediate and aggressive path. Yes, theoretically I would prefer zero day protection... however I'm firmly in the economic realist camp. In any event, I don't honestly expect 100%, fool-proof, zero day coverage for every strain and variant of computer malware out there from my AV companies. That is the ideal, of course; however I am not believer in, nor am I reliant upon, the existance of such a computer security "magic bullet".
     
    Last edited: Nov 21, 2005
  16. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    From Nancy McAleavey in this thread....

    https://www.wilderssecurity.com/showthread.php?t=107012

    "Having found some time to go back and play with the SONY rootkit has been difficult to come by, and our attorneys have been unable to obtain a definitive answer from the justice department as to our creating a specific solution to the SONY "rootkit" problem. However, I have been told that I have a right to my opinion, and as long as I express this as "my opinion" and not that of our company, (I did this on my own time) I should be free to share a chuckle with folks as to the pathetic nature of this "rootkit." And in doing so, I can explain WHY I think it's pathetic as well! So let's have at it, folks can learn from my rant to follow how to take care of this all by themselves!"

    ---------------------------------------------------------------------------------------------------------------------

    So there are legalities to overcome before any security company jumps in with their fixes.
    As far as I know, Sony still have not been found guilty in any court over this rootkit so it's prudent for security companies to get as solid legal guidance as possible.
     
  17. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Europeans use "day/month/year" as opposed to the "month/day/year we use in the States.
     
  18. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    And the rest of the world, a simple and logical display of dates; small, medium, large.

    Hmmmm medium, small, large. Now where's the logic in that one :rolleyes: ;) :D

    :D :D :D
     
  19. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland

    USA have no history as such and have tried, desperately, with nearly everything to go their own way.
    Even the UK have gone metric:eek:
     
  20. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    OMG where the world is heading ....
     
  21. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,662
    Location:
    Throughout the USA and Canada
    I had a discussion about this with a Berkeley professor on a trans-atlantic flight - he was trying to tell me that it was to make sorting of dates more "logical" - so I pointed out that the adoption of:

    YY/MM/DD or YYYY/MM/DD would make date sorting MUCH more logical - the current method of year being last was an abomination for sorting... eventually he admitted that he didn't know why it was so... ;)
     
  22. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,662
    Location:
    Throughout the USA and Canada
  23. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.