Phone Home Software and Hardware

[SCDVD]

The recent debacle with Sony’s Rootkit software makes me wonder how much of this is going on. Does anyone know of any software or hardware that “phones home” with snooped information that the manufacturer has no business knowing? This is too easy for a snooping manufacturer to do. If it is buried deep enough in a system, it is very difficult to detect. It’s easy for these guys to rationalize that they are “protecting themselves”. Once in that frame of mind, there is no limit to the things they can do. After all, they are “protecting” themselves – right?

[gll99]

I have found a lot of software phone's home but most are not malicious. Most of them are just checking for updates. Many will ask you if you want the option but quite a few were only caught when my firewall warned me. I usually let the well known companies through but some of the lesser known freeware and trialware I always block unless I know what they are doing. The only one's you can't really stop are the one's that require internet access to work or are internet access related (like the google browser toolbar which integrate into the browser). Even my MS XP update is set to let me know about any updates but let me choose to install so I know it calls to see what I need and also knows the status of my version of XP. My separate virus checker is set the same way. You have to trust someone a bit to operate on the internet. Just choose who you trust. If you check your cookies and scan for trojans you might be surprised how quickly others latch on to your computer and phone home information about you every day. It's a constant struggle with regular scanning to keep them at bay.

[thecoalman]

You best defense against phone home software is a firewall like Zone alarm which by the way is free. www.zonelabs.com Granted from what I have read it would not have been much use against the Sony software but it will pick up any regular application/process tying to access the internet.

I've even spotted a malicious program with it, My GF's daughter used my comp and infected it with a spyware app. My firewall immediately picked it up the next day when I went to use it. Essentially when you first set it up it grants access to a few neccesaary programs to access the net. the rest have to given access by you. MOST software attempts to connect to the internet, there's very few programs I've installed that haven't tried.

The add-on crap you don't need that comes with scanners and printers seems to be the worse.

[Noahtuck]

Yep, what those 2 guys said!!

I have always ran antivirus for years and years but just started using firewalls about 2 years ago, and i was AMAZED at all the crap that is trying to connect going out, checking for updates, verifying searial #'s, and who know's what the hell else they are sending out!!!! and these are legitimate app's, god forbid you get something else you don't know about!!

I also run software firewalls (norton/internet security pro) on my server and was amazed at how many attacks come in to it, i have my routers firewall open just to my server, and i get tons of random attacks looking for a way in!!

Firewalls are at least, if not more important than antivirus!!!
But having one without the other is like having a car & filling up the tank when it does not have any wheels can't have one without the other!!

Edit:
I even recall on certain instances where i have visited web pages and got an alert that there was malicous script & even trying to intall a trojan, so even surfing you are never safe!!

FIREWALL's all the way!!!!!!!!

[SCDVD]

Granted from what I have read it would not have been much use against the Sony software

I understand what you are saying, but it's the Sony style ultra sneaky stuff that I am worried about. These guys are pretty creative with seemingly endless money to develop their latest and greatest snoopware. There are low level ways to sneak around the OS and do direct hardware Comm connections. With the size of the development budgets that some of these companies have, I'm concerned about this. Their inclination to do so has already been demonstrated. What's to stop an installed piece of hardware from doing a direct hardware Comm connection and fly right under the OS? Or how about a piece of hardware that decides that it's time to "rearrange" your system or delete something from your hard disc that THEY decide shouldn't be there?

[thecoalman]

What's to stop an installed piece of hardware from doing a direct hardware Comm connection and fly right under the OS? Or how about a piece of hardware that decides that it's time to "rearrange" your system or delete something from your hard disc that THEY decide shouldn't be there?

Sony didn't get very far with it, I don't think there's many legitimate companies that would be willing to take that risk considering the huge pile of shit Sony is sitting in. They would have to out of their minds.....

[Dragonsf]

But who's to blame for, that $sys$ entries ar hidden? MS, regedit, what else?

[SCDVD]

I hope that is true. The risk of the story getting out is a big deterrent. The adverse publicity should make other think twice -- for a while anyway unless a company thinks of something they think is a "new and improved" way to be sneaky..

[Noahtuck]

Okay,
I read though some of the stuff and did a search and found nothing.

Now it states that the rootkit is allowing things to be hidden from "ANTIVIRUS"
software & which will allow other malicous software to hide the same way,
But just because it's hidden from Antivirus, does not mean it can still be transmitted out through a Firewall.

Has anyone else seen where it state's one way or the other if it can also sneak out through firewalls ?

[Wile_E]

It is not just software that phones home. Even DLL files, windows media, etc...These all can phone home. Windows media can have embedded scripts that run everytime you play the file. I just block Media Player completely from access to the internet.

I use a hardware firewall appliance in addition to Outpost Firewall and Avast Antivirus. Outpost is very customizable and the logs are very detailed. You would be suprised at what all is trying to access your internet connection and all the ports being probed. Tons of windows systems files request access to internet, even though they don't need for anything official. They all request access, but obviously I block almost everything. Just because software have an "update" option, what makes you so sure it is just updating itself? If it has internet access, it could also be sending out other information as well as updating itself.

[gll99]

Sony was trying to stop copying of their music but went too far by infecting the computers.
In Canada at least, their permission to install and purpose for doing so wasn't clear enough according to legal experts plus newpaper articles indicated that they actually broke the law by preventing rights granted under Canadian copyright law that allows us to make unlimited copies of our purchased music for personal use. We are allowed to transcode our music to wma mp3 or whatever format we want and make copies to play in our car cd players, mp3 players, ipods etc... as long as it is for our own personal use. An article in today's local paper, states that Sony Canada admitted as much but blamed it on their American cousins.

[gll99]

Okay,
I read though some of the stuff and did a search and found nothing.

Now it states that the rootkit is allowing things to be hidden from "ANTIVIRUS"
software & which will allow other malicous software to hide the same way,
But just because it's hidden from Antivirus, does not mean it can still be transmitted out through a Firewall.

Has anyone else seen where it state's one way or the other if it can also sneak out through firewalls ?

The problem is that their software disguises itself as a necessary windows service. It may replace some files needed to access your dvd/cd drive. What would you do if your firewall says that Generic Host Service asks to use the internet. Many valid apps can use that service the only message you might find is that svchost.exe or alg.exe is the calling app. Now what? If you say no your browser might not be able to resolve name addresses or some p2p app you have may not work at all. On the other hand it may just be some hidden crappy service like Sony's. Worse still if you kill it it may take down another service with it. When services are stopped there is code built-in that allows for the automatic execution of more code. So now this bad service kills a good service and your connection won't work so you reboot. This time you say this service must be important so when it asks again you say yes. They now got past your firewall because you were stuck and had no other choice but you don't realize they got you. To me that is a weakness in MS services. Necessary Ms Services should have been kept completely separate. The idea was I guess that you could order the service to restart itself or do some other housecleaning but it's also an opportunity to do other things. So how do you know when it looks like a valid service? I removed a few like that but only by trial and error.
I have been on vb programming forums where you can learn to easily register your application as a service instead of a program. So when someone searches the task manager it won't show up as a program but a service. If they name it well like "Microsoft Windows system cache support" (a made up name) who is likely to kill this service. Worse still what if they just call it by some valid name like alg.exe but store it in a dir like winxp\sysfiles instead of the real app in winxp\system32
I'm no expert either and I may be off a bit but I'm pretty close and what little I have learned is scary enough.

[BobK]

Sony didn't get very far with it, I don't think there's many legitimate companies that would be willing to take that risk considering the huge pile of shit Sony is sitting in. They would have to out of their minds.....

But a few million (or a few hundred million) dollars paid out in lawsuits, and maybe even some criminal charges (perhaps in Italy) would be an even bigger deterent.

[VegasBud]

It would be very difficult, if not impossible to prevent software installed on your computer from phoning home, even if you are using a firewall. Some firewalls don't even attempt to block outgoing traffic, and the ones that do attempt it can be silently bypassed. If you just put "bypass firewall" into google, and browse a few of the 1.4 million hits, you'll quickly see that firewalls are no where near as secure as most people believe. And that's just the information openly available on the web.

General George Patton said "..fortifications are monuments to the stupidity of man", which is as true when applied to firewalls as when applied to war. No matter how ingenious the defense, someone will always find a way around it.

As to the repercussions of getting caught, Sony had been distributing the rootkit system on their CDs for eight months before they got caught. Even then, it was just bad luck for them that Mark Russinovich was playing around with the RootkitRevealer program on a computer he had used to listen to music on one of their "protected" CDs. They may never have been exposed otherwise.

I think the whole "Sony Rootkit" story is more an indicator of the current state of their "war on piracy" than a turning point against them.

I think SCDVD is exactly right:

It’s easy for these guys to rationalize that they are “protecting themselves”. Once in that frame of mind, there is no limit to the things they can do. After all, they are “protecting” themselves – right?

[ROF]

I have active firewall software which informs me anytime an unauthorized breech is requested. I have at least a dozen programs some with multiple nodes that require calling home. Some of them are always allowed to connect while others must ask permission. If you are not using firewall software today on your windows system you should really download XP SP2 or 2K SP4.

[Mister Flonk-Flonk]

It would be very difficult, if not impossible to prevent software installed on your computer from phoning home, even if you are using a firewall. Some firewalls don't even attempt to block outgoing traffic, and the ones that do attempt it can be silently bypassed. If you just put "bypass firewall" into google, and browse a few of the 1.4 million hits, you'll quickly see that firewalls are no where near as secure as most people believe. And that's just the information openly available on the web.

In addition to firewalls, people should use a custom HOSTS file and update it periodically. Customized HOSTS files are also great for getting rid of all those annoying banner ads that litter a lot of sites.

Here's a good place for info on stuff like that:

http://www.bluetack.co.uk/modules.php?name=Content&pa=showpage&pid=7

They also have an online blocklist editor that formats your custom blocklists to fit a number of leading firewall apps that let you run a customized blocklist, like peerguardian's.

[SCDVD]

For those with bad intentions, getting into a computer is one thing; getting out is another. For those with devious purposes in mind, communicating out of a computer is easier than getting in even with all the latest OS upgrades, firewalls etc. Self-anointed "experts" proudly proclaim they have the latest Mega Mother Mark IX Extreme Ultra Edition firewall or some such. They further describe all of the "bad stuff" they blocked from web pages, emails, attempted port exploits et al. This is supposed to impress you. The bad guys really like these “experts” doing their impression of Don Knotts on an old Andy Griffiths show.

The reality is another matter. Consider just a couple of possibilities.

1. You buy a nice new piece of software and register it online after you install it. But instead of the usual way of linking to the manufacturer’s web page, the manufacturer has a “nice” little registration utility built in to the software. So you dutifully fill out the information they request and click the submit button. You thought little about it because they asked for only the typical information and offered you a free newsletter if you check the box. But what you didn’t know is this “helpful” little utility did a complete inventory of your system and sent this information as well when you clicked the “register” button. They can help themselves to as much information as they wish – doc files, email folders, you name it. All the firewalls, virus and spyware checkers won’t catch this because you chose to allow this connection. You would be completely unaware that some of your personal and private information had just been taken. You smugly sit back reveling in your firewall etc. that is “guaranteed” to stop Trojan Horses etc. but you installed one with your own hand when you installed your nice new piece of software! And you were clueless that it even happened. But you say, “No reputable manufacturer would do this.” Really? Can you think of a warmer or fuzzier name than Sony!? If you played one of their CDs with the Root Kit Trojan in it, Sony knows right now that you have DVD Shrink and DVD Encrypter installed on your system. Nice huh!

2. You buy a slick add-in board that plugs into your PCI Bus. This board does some really nice function that you really like – and a couple of more that you don’t know about. That “nice” processor that is on your new board has a few additional functions running in its firmware than you thought you were buying. It runs right under your OS and connects to your Ethernet connection and sends “home” some of your private information. Since your new board has its own processor and kernel, it doesn’t need to even “bother” Windows with its little nefarious deed. It has its own little OS!

This was just a couple of examples; there are many more. My point is this: If you have a system that you don’t want spyed on, don’t connect it to any form of network or Internet connection – ever. If a hardware or software manufacturer wants to suck information out of your system, they will especially when your “invite” them in by installing their product. The “experts” are the real suckers here because they think they have all of the bases covered when they actually don’t. If you’re connected, you are exposed to intrusion. Someone will always be able to devise a new way to do it if you are connected. One way to cope with this is to have two computers: One that you have connected to the Internet for your normal use and one that is connected to NOTHING for things that you want to keep private. This isn’t some wild paranoid notion. Sony just did it! Stay tuned, it’s coming to your neighborhood soon!

[robertazimmerman]

I would love to see someone develop a program that prevents ANY writing to a hard drive without expressed permission - no cookies, no hidden files, no nuttin'! It would be a royal pain to operate one's computer for the first while, as permissions would have to be given/denied. But ulitmately it would stop this sort of crap.

Roberta

[gll99]

I would love to see someone develop a program that prevents ANY writing to a hard drive without expressed permission - no cookies, no hidden files, no nuttin'! It would be a royal pain to operate one's computer for the first while, as permissions would have to be given/denied. But ulitmately it would stop this sort of crap.
Roberta

That's exactly what firewall programs like zonealarm do but.....
Remember without cookies many sites will not let you in or will limit features. You can set your browser to allow cookies only for trusted sites but you have to manually put each site in. Plus you have to be 100% sure that it is a trusted site.
The problem with permissions is that you have to trust the question.
ie... Do you want to install this yes or no.... the code behind the answer is the same YES. How would you know until it's too late?
Or do you want to check for updates yes or no? Clicking yes also passes a bunch of stored info saved by the program in a hidden file.

As I said in a previous post the firewall does it's job it's just too easy to disguise the question, purpose or even the program within windows so it's the user who gets tricked into letting things pass the firewall.

Locking writes to your hdd for every process would be nearly impossible many are needed to keep windows working.

To minimize the possibily you can go in the computer management component and disable unneeded services. This is a trial and error method and you may remove something you need later. I don't recommend it for the inexperienced users.
There is no guarantee this will do much because many trojans use necessary valid services that have to stay active as portal.
The safest thing I guess is a minimally loaded computer for internet access and your good machine safely networked with the least traffic between the two.

This part edited in:

(I hadn't read SCDVD's comments but agree)

btw) Everyone who installs software agrees to terms of use but few read or understand them. The clauses are so broad that many times you basically agree to let them trick you so may have little or no legal recourse.

[Sabro]

From some of the posts I've read, I think some have a misunderstanding of the rootkit technology.

The rootkit itself is not a 'trojan' or 'virus'. It is merely code that allows other applications to be hidden from the operating system and the higher level applications (task man, etc).

Just as the viruses from years past used polymorphic encryption routines to hide from detection, malware today is using rootkits to elude detection.

I've done some research with various rootkits (not with the Sony versions yet) and their malware counterparts, although tricky to detect and remove
I've had about 100% success rate detecting the initial 'call home' with Zone Alarm.

After locating the actual suspect files (top secret methods :P) which under the rootkits protection are normally invisible to the operating system, I've found that simply booting to safe mode (under XPro atleast) allows you to manipulate the suspect files anyway you want which you normally wouldn't be able to do with the rootkit active.

Whew....

What gets me is Sony was the first to be caught and the normal media frenzy starts....but Sony, with all their resources only target a limited audience (since there was no Apple, etc versions) ?? Odd...it's like saying if you own a different machine or OS your free to do whatever you wish, other then copy right laws themself.



Sabro

[Sabro]

Opps, one thing I did forget to mention is the nasty side of the rootkit itself.

Depending on how the rootkit itself is coded, removal could be very destructive to the operating system.

Prolly another reason why the media is hounding Sony because even if you get rid of the unlying 'malware' the rootkit remains and can be used by other applications....But hey, even Sony can't remove it themself

Sabro

[TBoneit]

It would be very difficult, if not impossible to prevent software installed on your computer from phoning home, even if you are using a firewall. Some firewalls don't even attempt to block outgoing traffic, and the ones that do attempt it can be silently bypassed. If you just put "bypass firewall" into google, and browse a few of the 1.4 million hits, you'll quickly see that firewalls are no where near as secure as most people believe. And that's just the information openly available on the web.

In addition to firewalls, people should use a custom HOSTS file and update it periodically. Customized HOSTS files are also great for getting rid of all those annoying banner ads that litter a lot of sites.

Here's a good place for info on stuff like that:

http://www.bluetack.co.uk/modules.php?name=Content&pa=showpage&pid=7

They also have an online blocklist editor that formats your custom blocklists to fit a number of leading firewall apps that let you run a customized blocklist, like peerguardian's.

Those cuistomized Hosts are fine, as is the protection in Spy Sweeper...

However on some sites I now find I have to hit back several times, how many depends on how many blocked banners there are. When I hit back on those sites I see the local host address each time I hit back until I've gone through all the blocked banners, a real PITA, I would almost rather see the adverts.

Cheers

[SCDVD]

Many of the above comments are well informed and correct. But with a relentless army of people/companies who work late at night to develop ways to intrude into people's computers, it's a safe bet to believe that some will succeed. Using two computers, one of which is never connected online or to a network, is the only truly secure way to fully protect yourself.

[Mister Flonk-Flonk]

It would be very difficult, if not impossible to prevent software installed on your computer from phoning home, even if you are using a firewall. Some firewalls don't even attempt to block outgoing traffic, and the ones that do attempt it can be silently bypassed. If you just put "bypass firewall" into google, and browse a few of the 1.4 million hits, you'll quickly see that firewalls are no where near as secure as most people believe. And that's just the information openly available on the web.

In addition to firewalls, people should use a custom HOSTS file and update it periodically. Customized HOSTS files are also great for getting rid of all those annoying banner ads that litter a lot of sites.

Here's a good place for info on stuff like that:

http://www.bluetack.co.uk/modules.php?name=Content&pa=showpage&pid=7

They also have an online blocklist editor that formats your custom blocklists to fit a number of leading firewall apps that let you run a customized blocklist, like peerguardian's.

Those cuistomized Hosts are fine, as is the protection in Spy Sweeper...

However on some sites I now find I have to hit back several times, how many depends on how many blocked banners there are. When I hit back on those sites I see the local host address each time I hit back until I've gone through all the blocked banners, a real PITA, I would almost rather see the adverts.

Cheers

They have a few there people can download and use that are updated periodically, but the real value there is the info. It will show you how the hosts file works, what it does, etc, and tell you how to modify or create your own custom hosts file.

I'm a bit of a creature of habit, my time spent surfing the net doesn't vary a whole lot. I have my sites I regularly visit and spend probably 90 percent or more of my time there at those sites. What I do is I check the traffic logs in my firewall for recurring sites that are usually banner ads and popups and such and I add their root domains to my own custom hosts file.

The ones available at that site are very well researched and compiled lists but they are huge. There are literally thousands of domains blocked, which would be great for say, your children's PC, as most of the known porn and nasty stuff sites are redirected, but someone like me, I don't need all of that so I just make my own and whenever I start seeing banner ads or popups on my regular sites, I just check my log files for new entries & add them.

Sometimes they only appear as an IP address, but you can use a reverse lookup to find any domains associated with the addresses, or if your firewall software permits you can just filter them out via your blocklist. Just add the address, or a range of addresses.

It's a little meticulous going about things this way, sure, perhaps a little too much for some folks, but I have more faith in my own ability to control what goes in or out of my computer's lan port by using a configurable firewall with a blocklist and a custom hosts file than I do by simply installing one of the many freely available programs out there that will "do it all for you" and the only thing needed by the user is a bit of blind faith.

But that's just me

[VegasBud]

Here's a measure of how much Sony has damaged their image.

Follow this link to a satirical article about how Sony is cracking down on copyright by making one of their cameras so you can't share or print any pictures you take with the camera. It's kind of funny. If you're bored, you might want to read it.

However, I found several places on the web that are now referencing the article not as a satirical piece, but appear to think it's actual news. I guess no one is quite sure just how crazy Sony is.

Here's a couple of highlights from the article (don't take it serious, it's just a joke):

"Just the other day I saw a Halloween photo of a kid dressed up like Yoda. Don't they know that Yoda's image is wholly owned by Lucasarts? That behavior needs to be stopped," said Sony Vice president of Copyright Protection Clay Wilkerson.

Wilkerson doesn't think the lack of photo sharing capabilities will hurt the sales of their digital cameras. "We've hidden the protection so the consumers won't notice it when they buy it, and our draconian return policy will prevent any returns. Problem solved."

[robertazimmerman]

<Remember without cookies many sites will not let you in or will limit features. You can set your browser to allow cookies only for trusted sites but you have to manually put each site in. Plus you have to be 100% sure that it is a trusted site.>

I realize that, but I mean more than just cookies. I understand that there are sites tha can d/l stuff to my computer if I simply "drive by" the site. That should be illegal! You throw your trash thru my open kitchen window and I'll make you come clean up or sue you.

<The problem with permissions is that you have to trust the question.
ie... Do you want to install this yes or no.... the code behind the answer is the same YES. How would you know until it's too late?
Or do you want to check for updates yes or no? Clicking yes also passes a bunch of stored info saved by the program in a hidden file.>

Yup. But assuming that we want to take control of our PCs, we should have that option and the means to assign these permissions/denials. A good example is a program like P2P Guardian. For those who trade files using P2P, this software blocks access by any sites on master lists. Similarly, if someone made software that would block all file transfers, HDD writing, cookies, etc. from such a list, I'd be happy to buy it! Sites that are known not to employ malware would be exempt. Users could add or delete sites as needed.

<As I said in a previous post the firewall does it's job it's just too easy to disguise the question, purpose or even the program within windows so it's the user who gets tricked into letting things pass the firewall.>

I can paraphrase "caveat emptor" by saying "user beware". Ultimately users have to decide how much risk they are ready to entertain.

<Locking writes to your hdd for every process would be nearly impossible many are needed to keep windows working.>

I meant writing that is initiated from a Web source, i.e., cookies, spyware, viruses, etc.

<The safest thing I guess is a minimally loaded computer for internet access and your good machine safely networked with the least traffic between the two.>

Yup. Or laws that throw these gangsters into the slammer, or at least force them out of business. How many of these puppies would be ready to pick up shop and move offshore? If other countries would join in, I'd hazard a guess and say that 90% of this junk would cease. Imagine if there was a law that said if Company "A" employs malware or spies on users, then that company's products could not be sold in or imported into abiding countries! If they are promoting a website, then that website is banned from entering cyberspace. I'm drooling thinking about it!

Illegal activities should not be tolerated on the Net. Period.

robertazimmerman

[Sabro]

Not to thread jack, but I also found it interesting that one of MS's solutions was to migrate to 64bit as that kernal is 'suppostly' proven to be immune to these types of malware where it is 'TOTALLY' impossible with the current 32bit ark-a-tech-tures.

Remember kiddies, always practice safe hex

PS... Excellent info over at http://www.securityfocus.com/infocus/1850
and http://www.securityfocus.com/infocus/1851

Sabro