VideoHelp Forum




  1. Member gadgetguy's Avatar
    Join Date
    Feb 2002
    Location
    West Mitten, USA
    @gadgetguy

    Was I speaking to you? Unless you have something constructive to add please move along and allow constructive discussions to continue. Thank you.
    When you speak on a public forum then you are indeed speaking to everyone in that forum.
    Your continued defense of the Sony rootkit as being "benign" using your flawed test method is not constructive discussion, it is misleading and dangerous to those that don't know better.
    "Shut up Wesley!" -- Captain Jean-Luc Picard
    Buy My Books

  2. Banned
    Join Date
    Feb 2005
    Location
    USA
    @gadgetguy

    OMG, are you really that blind? Look at my post. I am not defending it. I'm criticizing it. If you wish to continue this line of off topic discussion please PM me so as to not continually disrupt others.

  3. Member
    Join Date
    Jul 2002
    Location
    Up in yo' bitch.
    The Sony rootkit does exactly what was intended. I don't think that's the issue. What is the issue is that the rootkit installs in such a way that it can't be detected. It wasn't even mentioned that anything would be installed on your pc if you played the disc in your machine. I think that is the problem right there.

    Also, network security is one thing, but in the event network security fails, it's nice to know that your PC is locked down also and not open to an attack from some outsider through a program that was installed without your knowledge by a supposedly reputable company.

    Copy protect all you want. Keep your crap software off my machine!

  4. Banned
    Join Date
    Feb 2005
    Location
    USA
    Originally Posted by smearbrick1
    The Sony rootkit does exactly what was intended. I don't think that's the issue. What is the issue is that the rootkit installs in such a way that it can't be detected. It wasn't even mentioned that anything would be installed on your pc if you played the disc in your machine. I think that is the problem right there.
    There is no denying that it installs in an undetectable manner but there is a clear warning on the package that software will be installed if the CD is used on a computer system. It doesn't specify what type of software though which I believe Sony will use in their defense of the lawsuits. I'd recommend that if you have a CD which is infected with this that you take advantage of Sony's consumer exchange policy for a CD and have them send you a CD that doesn't include this type of protection.

  5. Member adam's Avatar
    Join Date
    Sep 2000
    Location
    United States
    ROF all of what you say may be true, but the same can be said of any security flaw. With enough other protection you can prevent its exploitation. But that's no excuse for the flaw, especially in this case since the rootkit was intentionally hidden.

    I'd wager to guess that the vast majority of networks and computers maintained by home users are in fact pretty unsecure, and then there is always the possibility that malicious code can be manually installed on accident, even on the most secure computer. Installing a virus onto your computer can be bad. Having that virus spread to code contained on the root of your OS can be catastrophic. It's the duty of manufacturers to ensure that we aren't exposed to such unnecessary security risks. Considering the rights of the copyright holder (and yes the law does recognize their right to use copy protection notwithstanding our rights to play and copy music on our computers) versus the rights of consumers to know and control what is installed on their computers, I think the vast majority of individuals feel very betrayed by the use of a rootkit for something trivial like a music CD.

    All software is a potential security risk. But putting that software at the root means that the entire contents of your computer now depend on the security of that single program. There's just no excusable reason for manufacturers to take that kind of risk with our computers.

  6. Member gadgetguy's Avatar
    Join Date
    Feb 2002
    Location
    West Mitten, USA
    ROF

    Your post comes across as reluctantly admitting that removing the rootkit will cause a problem, but that it won't cause any problems if you don't try to remove it. Your test method was and is flawed, the Sony rootkit is a danger.
    PM would be useless because I'm not trying to change your mind, I'm trying to warn anyone that would accept your "conclusions" from the results of your "test".

  7. Member thecoalman's Avatar
    Join Date
    Feb 2004
    Location
    Pennsylvania
    Originally Posted by ROF

    First the code would have to get through security in my case that wasn't possible.
    And the people of Troy just thought it was a nice wooden horse. I certainly hope you're not as naive to think your network cannot be compromised.

  8. Banned
    Join Date
    Feb 2005
    Location
    USA
    @gadgetguy

    You're warning them to install the rootkit? or like my conclusions that you are warning them to not install it?

    If my test method was flawed how did I come to the conclusion that it was dangerous and detrimental to any system it's installed on? Are you saying it's not detrimental?

    I think you need to re-read my post. I highlighted the most important part so as to make sure others were warned by someone (a member of VideoHelp) who actually took time out and a system out to actually see what all the hoopla about this dangerous rootkit was.

    From what I was reading it didn't seem too bad. My tests proved otherwise.

    If you are trying to warn others to not accept my conclusions from my test results, maybe you could perform your own tests? I'd recommend against this though unless you really want to destroy your entire windows based system.

  9. Banned
    Join Date
    Feb 2005
    Location
    USA
    Originally Posted by adam
    ROF all of what you say may be true, but the same can be said of any security flaw. With enough other protection you can prevent its exploitation. But that's no excuse for the flaw, especially in this case since the rootkit was intentionally hidden.
    There's no denying that. I don't like to have any system processes running that I do not know about. That's why I discussed that I had to uncloak the rootkit in order to view it. My testing was done for the benefit of those who may have felt like I did. The key here is "did". I feel sorry for those who blindly accept the opinions of others but when it comes to computers and technology I'm more of a "show me" type of person. I no longer feel it is a benign rootkit. I just hope someone is able to read through all the name calling and member bashing to actually listen to my conclusions.

  10. Member thecoalman's Avatar
    Join Date
    Feb 2004
    Location
    Pennsylvania
    Originally Posted by ROF
    My final determination is that the rootkit by itself and left to its own devices without uninstallation on a secure network does nothing but what it's supposed to.
    I believe that is what everyone is taking issue with ROF, that you fail to see that the presence of the rootkit alone is an issue.

  11. Member gadgetguy's Avatar
    Join Date
    Feb 2002
    Location
    West Mitten, USA
    Now who's being thick?
    I think I'm being pretty clear that it should never be installed, and this whole thing should never have been perpetrated by Sony. I'm warning people that your attempts to soften the danger presented in the initial warning with your own flawed tests should be ignored.

  12. Banned
    Join Date
    Feb 2005
    Location
    USA
    I still agree with that opinion because with a secure system the rootkit can not be effective. I tried several of the macros for Worlds of Warcraft and they failed to function because of my firewall failing to allow the rootkit functionality to work through it. I've always added information that your system must be secured behind a firewall to prevent the exploits under this rootkit. Did I ever recommend anyone allow the rootkit to be installed? Did I ever tell anyone it was safe without additional security? My testing and security proved it to be effective against the rootkit. I'm currently writing a nice long letter to Sony telling them my conclusions and my disgust at their blatant disregard for safe networked computing.

  13. Banned
    Join Date
    Feb 2005
    Location
    USA
    Originally Posted by gadgetguy
    Now who's being thick?
    I think I'm being pretty clear that it should never be installed, and this whole thing should never have been perpetrated by Sony. I'm warning people that your attempts to soften the danger presented in the initial warning with your own flawed tests should be ignored.
    If it's flawed? How could I do a test and make it so it's not flawed? I still have my rootkit CD? I'd be willing to test anything (within reason) to make this not flawed? I tried using the rootkit to exploit Worlds of Warcraft. It failed. I tried surfing shady portions of the net. Nothing to report. I downloaded several files with known viruses on P2P. Nothing to report except that my AV software quarantined and eventually deleted them. What should I have done that I didn't in order to appease you?

  14. So - it sounds like -

    Sony's rootkit installs itself on your machine without warning. It hides itself pretty well. It causes security opportunities severe enough for virus software companies to protect against it and Microsoft to issue a hot-fix to attempt to close the security breach. Sony still defends its use of this stuff, but has reluctantly offered to exchange infected cd products for non-infected cd's. Removing this piece of malicious, invasive rootkit software causes major system issues, including potentially having to reformat your system and reload. Even ROF has turned full circle in his opinion of these actions Sony has inflicted on their customers' computers. Sony hasn't addressed the issue of the computers that need to rid themselves of this rootkit infection other than with removal software steps that don't do the job - and actually makes matters worse at times.

    So - what to do.
    Everyone is best advised to make sure this software does not install itself on your computers.
    How best to accomplish that?
    Stop buying Sony/Columbia/BMG, etc. music cd products.
    It seems Sony's attempts at copy prevention have only impacted their actual paying customers - and potentially impacted them pretty severely.
    Those who obtain their music from other sources are just fine.
    What an impressive strategy to increase sales of music cd's.

  15. Banned
    Join Date
    Feb 2005
    Location
    USA
    Originally Posted by Rich86

    So - what to do.
    Everyone is best advised to make sure this software does not install itself on your computers.
    How best to accomplish that?
    Stop buying Sony/Columbia/BMG, etc. music cd products.
    Remember though it's not just CDs.
    All companies that release DVD Movies make your player
    jump all over the place which is a flaw under your standards.

    Click Here.

  16. Member gadgetguy's Avatar
    Join Date
    Feb 2002
    Location
    West Mitten, USA
    My final determination is that the rootkit by itself and left to its own devices without uninstallation on a secure network does nothing but what it's supposed to.
    That is the dangerous assertion that I am warning people about.

    Your test is flawed because you don't know enough about the rootkit. We have been warned about various actions written into the code that can cause undesired consequences. We have not been told what conditions are required for those sections of code to be executed. If you don't know what those conditions are, then you have no way of knowing if your test included those conditions, and that means that your test method is flawed.

  17. Banned
    Join Date
    Feb 2005
    Location
    USA
    Originally Posted by gadgetguy
    My final determination is that the rootkit by itself and left to its own devices without uninstallation on a secure network does nothing but what it's supposed to.
    That is the dangerous assertion that I am warning people about.

    Your test is flawed because you don't know enough about the rootkit. We have been warned about various actions written into the code that can cause undesired consequences. We have not been told what conditions are required for those sections of code to be executed. If you don't know what those conditions are, then you have no way of knowing if your test included those conditions, and that means that your test method is flawed.
    Did you examine the code? I have. It contains similar copy protection used in previous releases and a possible transmission code. Some of it I didn't understand but for the most part that was internal stuff that some made sense to me and that which didn't I asked for more info. The conditions are listed by Mark Russinovich and are also some are listed in the bulletin posted by Microsoft. I tested those. The test was as much for my benefit as it was for others. Most people only care about the results while some care about the methods used. I've listed both for all to benefit from it. My results from the conditions I knew about and even those I didn't that I wanted to try anyway just in case was that despite any misgivings I may have had the Sony Rootkit is detrimental to system integrity.

  18. Member gadgetguy's Avatar
    Join Date
    Feb 2002
    Location
    West Mitten, USA
    Did you examine the code?
    No, because I know that I'm not qualified to do so.

    I have not seen the information that you cite about the conditions under which the rootkit will manifest itself. I've only seen lists of potential actions. It appears from your response that you are still unclear on some of the inner workings of the rootkit. This, IMO, continues to make your test method flawed.

  19. Banned
    Join Date
    Feb 2005
    Location
    USA
    As always, you are entitled to your opinion. But remember Einstein's theory of relativity is still being called flawed too. If you understand potential actions caused by code and you examine the code itself and understand what you are reading in both cases you can be pretty safe that those are the conditions. There will always be somebody who disagrees and that's fine but I'd certainly listen to someone who is personally involved in the user group and take their testing as good if they provide details about how they are testing, methods used for testings, references to tests performed by others, and the results of both people outside the user group and within agree.

    Let me just re-quote my results since it's probably now muddled in your argumentative discussion of my results being flawed:

    Interesting stuff.

    First off the Microsoft patch does not prevent the initial infection. The rootkit still installs itself in cloaked mode when using a Sony rootkit audio CD.

    After a full week of testing I have removed the rootkit. Let me tell you first hand that the rootkit is much easier to install and decloak than it is to remove. I used Sony's procedure for removal and its effect was detrimental to the entire system. After initial removal my browser locked up and my net security closed the system from the rest of the network. I opened Windows Explorer and both my optical drives were missing. When I clicked on the drive that contained the rootkit Explorer locked up. So I thought I'd perform a restart and see what would happen. Well, after I restarted Windows failed to load due to several corrupted or missing files. So I tried using the restore via Windows setup. It failed to work too.

    My final determination is that the rootkit by itself and left to its own devices without uninstallation on a secure network does nothing but what it's supposed to. Removing it is detrimental to the system and requires a complete restructuring of Windows (ie. Reinstallation or format). For my own peace of mind I performed a format of the drive it was on and copied the drive image back to it. I had to do this procedure twice as I just had to test Microsoft's latest security patch to see if it prevented installation. It doesn't. What it does do I guess is prevent the nastiness which can occur after you've installed the rootkit. I was never able to fully test this as I do not know if I ever visited any websites that were exploiting it.

    I hope my testing of this rootkit and the results I've posted helps others.



    I do truly hope that others heed my advice. You may disagree with other opinions of mine but I did this test for the benefit of others.

  20. Originally Posted by ROF
    Remember though it's not just CDs.
    All companies that release DVD Movies make your player
    jump all over the place which is a flaw under your standards.

    Click Here.
    Yep - dvd's that have unreadable cells are basically defective - even though intentionally so. But at least they do not try to install malicious rootkit software if you try to use the dvd on a computer. Yet.

  21. Rof,

    It is truly sad that you are a show me person. Did it occur to you that Mark Russinovich had done his testing before he stated his findings. That was not his opinion, that was fact. There are already viruses that exploit this rootkit.

    I will now go over this one more time.....

    Anything that operates at the operating system level will easily go through a firewall. A firewall is a deterrent. It is not a foolproof measure.
    Believing yourself to be secure only takes one cracker to dispel your belief.

  22. Banned
    Join Date
    Feb 2005
    Location
    USA
    Originally Posted by Dv8ted2

    I will now go over this one more time.....

    Anything that operates at the operating system level will easily go through a firewall. A firewall is a deterrent. It is not a foolproof measure.
    Really? Even a firewall not located on the system containing the operating system? Read my postings. My firewall is external to my systems. I do use Microsoft's firewall, but that's not the firewall I was referring to.

    Originally Posted by Dv8ted2
    It is truly sad that you are a show me person. Did it occur to you that Mark Russinovich had done his testing before he stated his findings. That was not his opinion, that was fact. There are already viruses that exploit this rootkit.
    Did it occur to you that my findings here are reported after I did my testing? How can you show your findings before you perform tests? I thought those were called theories or hypothetical guesses? My findings listed above were reported several hours after I completed my testing. Mark Russinovich did it the same way. I just took it about 6 steps further and continued with the testing to include testing Microsoft's current patch.

    Again for those who may have missed it, Sony's Rootkit is detrimental to any system it's installed upon. Furthermore, Microsoft's patch doesn't prevent the rootkit from being installed nor will it remove it.

    BTW, which virus exploits this rootkit? I only know of one, but its payload failed on loading. I tested it to make sure too and it fails to function as was reported by Symantec.

  23. The OP has requested that this be closed.



