Full Version: Root Kit from Sony
Kaspersky Lab Forum > Beta Testing > KIS\KAV 2010
Oldjim
Wasn't sure whether to put this here or in the beta section of the forum.
I just read this blog
http://www.sysinternals.com/blog/
which says that the Sony DRM protection inserts a rootkit into a user's machine without specific permission.
My worry, which is covered in the blog, is that this could open a trapdoor for all sorts of nasties to hide in.
See this quote
QUOTE
I studied the driver’s initialization function, confirmed that it patches several functions via the system call table and saw that its cloaking code hides any file, directory, Registry key or process whose name begins with “$sys$”. To verify that I made a copy of Notepad.exe named $sys$notepad.exe and it disappeared from view.

Any idea if KAV/KIS will stop or affect this?
grnic
in progress...
RejZoR
I'm getting tired of these malicious protections. First StarForce with its drivers that no one mentions anywhere and now Sony with its own rootkit-like protection crap!?
Ph03n1x
QUOTE(RejZoR @ Nov 1 2005, 12:26 PM)
I'm getting tired of these malicious protections. First StarForce with its drivers that no one mentions anywhere and now Sony with its own rootkit-like protection crap!?

You are right. All protections are cracked in a short time.
saso
A bit more on this issue: http://www.f-secure.com/weblog/#00000691 and http://www.europe.f-secure.com/v-descs/xcp_drm.shtml

QUOTE
If you find this rootkit from your system, we recommend you don't remove it with our products. As this DRM system is implemented as a filter driver for the CD drive, just blindly removing it might result in an inaccessible CD drive letter. Instead, we recommend you contact Sony BMG directly via this web form and ask for directions on how to remove the software from your system. We've test driven this and they will provide you with tools to do this.
DonKid
I own an MD from Sony and never installed their software on my PC.
If they want to make more money (after all, unfortunately we live on a capitalist planet), they could lower their prices and maybe sell more.
If it depended on me, they would go broke and close their doors.
bugbuster
Oldjim,

that's outrageous!

That means: any script-kiddie can now download and use a virus-construction kit from the internet, name the product "$sys$virus.exe" - and Sony Inc. will take care of stealthing it.

According to that blog, there's a simple test to see if you have that rootkit: make a copy of e.g. Notepad and rename it "$sys$Notepad.exe". If it disappears upon that - you have that rootkit.

Fortunately for Sony, both my home partition and my test partition passed that test. Had I found something, I would have acquainted Sony with these guys: http://bskp.de/index2.php . That's a law firm... and they are VERY good.

bugbuster


P.S.: If you have it, just let it live for now. You can lose contact with your CD/DVD if you just start deleting stuff.
QUOTE
in progress...

Guess that means that in a few days, KAV, KIS or the Kaspersky Online Scanner can remove that parasite, safely.
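The "$sys$" canary test from the quoted blog post and bugbuster's post above, written up as an added defensive self-check (not code from the thread, from Sysinternals or from any vendor). It assumes Python 3 on the machine being checked and the "$sys$" prefix the blog reports; on a clean system every canary stays visible, while a name-prefix cloaking driver of the kind described would make them vanish from the directory and registry listings right after they were created.

```python
"""Canary probe for name-prefix cloaking (added example, not from the thread).

It creates throwaway objects whose names start with "$sys$" (the prefix the
blog post reports the XCP driver hides), then asks the OS to enumerate the
parent directory / registry key and reports whether each canary is listed.
"""
import os
import tempfile

CLOAK_PREFIX = "$sys$"  # prefix quoted from Russinovich's post


def probe_prefix_cloaking(prefix=CLOAK_PREFIX):
    """Create a prefixed file and directory, then check the directory listing.
    Returns {"file": bool, "dir": bool, "listing": list}; True means the
    canary is visible, which is what a clean machine shows."""
    base = tempfile.mkdtemp(prefix="cloak_probe_")
    canaries = {"file": prefix + "canary.txt", "dir": prefix + "canary_dir"}
    try:
        with open(os.path.join(base, canaries["file"]), "w") as fh:
            fh.write("canary\n")
        os.mkdir(os.path.join(base, canaries["dir"]))
        # Directory enumeration is the path a filename-filtering hook sits on.
        listing = sorted(os.listdir(base))
        result = {kind: name in listing for kind, name in canaries.items()}
        result["listing"] = listing
        return result
    finally:
        # Remove by exact path so cleanup works even if enumeration hides them.
        for name, is_dir in ((canaries["file"], False), (canaries["dir"], True)):
            try:
                (os.rmdir if is_dir else os.remove)(os.path.join(base, name))
            except OSError:
                pass
        try:
            os.rmdir(base)
        except OSError:
            pass


def probe_registry_cloaking(prefix=CLOAK_PREFIX, parent=r"Software"):
    """Windows only: create HKCU\\Software\\$sys$canary and check whether
    enumerating HKCU\\Software still lists it.  Returns True/False, or None
    when winreg is unavailable (non-Windows host)."""
    try:
        import winreg
    except ImportError:
        return None
    name = prefix + "canary"
    full = parent + "\\" + name
    winreg.CloseKey(winreg.CreateKey(winreg.HKEY_CURRENT_USER, full))
    try:
        subkeys = []
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, parent) as key:
            index = 0
            while True:
                try:
                    subkeys.append(winreg.EnumKey(key, index))
                except OSError:  # ERROR_NO_MORE_ITEMS ends the enumeration
                    break
                index += 1
        return name in subkeys
    finally:
        try:
            winreg.DeleteKey(winreg.HKEY_CURRENT_USER, full)
        except OSError:
            pass


if __name__ == "__main__":
    fs = probe_prefix_cloaking()
    for kind in ("file", "dir"):
        print(f"{kind:4s} canary visible in listing: {fs[kind]}")
    reg = probe_registry_cloaking()
    print("registry canary visible:", "n/a (not Windows)" if reg is None else reg)
    if not (fs["file"] and fs["dir"]) or reg is False:
        print("WARNING: prefixed objects vanished; check for a cloaking driver")
```

Run it as the user whose profile you want to check; a False for any canary is the discrepancy the blog post describes, not proof of which driver causes it.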
Mele20
Gee, how long does it take to decide this is malicious?! Kaspersky has classified Sony's rootkit as spyware but still doesn't detect it or prevent its installation!!


"Kaspersky uses the term "riskware" to define programs that behave like malicious software but may not have malicious intent behind them. Although it attempts to detect riskware, so that users can be asked what they would like to do with it and so that policies can be created, it does not currently detect the rootkit used by Sony's DRM. "At the moment this is still under discussion and no final decision has been made," Emm added."

http://news.zdnet.com/Sony's+antipirac...=feed&subj=zdnn

Sony has shown no repentance....just further arrogance. The tool to remove this from Sony is dangerous and now there is the phone-home issue also. Kaspersky should have already made this detectable and removable. I expect nothing else from what I THOUGHT was the best AV out there.
http://www.sysinternals.com/blog/2005/11/m...decloaking.html
WFO
QUOTE(Mele20 @ Nov 4 2005, 05:16 PM)
Kaspersky should have already made this detectable and removeable. I expect nothing else from what I THOUGHT was the best AV out there.
http://www.sysinternals.com/blog/2005/11/m...decloaking.html


It may not be that easy. Kaspersky should get the benefit of the doubt here. If another week passes, it's a different story. I haven't heard of any other malware vendor with a fix at this time either. If anything it will probably be a race between Kaspersky and Counterspy. Hopefully we'll see a solution sooner rather than later.
Mele20
QUOTE(WFO @ Nov 4 2005, 03:09 PM)
It may not be that easy. Kaspersky should get the benefit of the doubt here. If another week passes, it's a different story. I haven't heard of any other malware vendor with a fix at this time either. If anything it will probably be a race between Kaspersky and Counterspy. Hopefully we'll see a solution sooner rather than later.


I think you are missing the point. Kaspersky has not yet decided whether or not to detect this much less work on a removal tool. It appears from the ZDNet article that Kaspersky and other AV vendors don't want to get into this other than saying it was a bad idea for Sony to use a rootkit. I think the issue here is not how difficult it may be to make detection or removal tool but that this is political. The AV companies don't want to offend Sony (maybe get sued) and would prefer to put pressure perhaps on Sony to fix this as they don't seem to want to have to declare such a major player as Sony as being a bad guy that their AV software will target. Alex has not addressed this directly in his blogs so I'm not sure Counter Spy will do anything either.
bildos
http://www.ghacks.net/:

It has come to our attention that World of Warcraft hackers are already using Sony's rootkit software to hide their hacking from Blizzard's Warden client.
We reported earlier this week that some music CDs by Sony labeled "Content enhanced & protected" would bring up an installation program when the music CD was put into a personal computer.

This program, once installed, could not be uninstalled by normal means. Hackers could use the software to hide their hacking attempts from antivirus tools and the like. Who would have thought that the first available use would be using this for hacking the online game World of Warcraft?

Blizzard's Warden client checks every 15 seconds if the computer playing World of Warcraft runs programs or scripts in its background that would illegally help players cheat in the game. Take a look at the related thread to receive more information.
Micha
QUOTE(Mele20 @ Nov 5 2005, 09:16 AM)
Gee, how long does it take to decide this is malicious?! ...

Kaspersky is mainly an Anti-Virus software vendor.
The "thing" in question is NOT a virus.
If people do install <whatever>-software in order to watch movies or play CDs and do agree (mostly without much reading) to the things popping up, then click on "OK", it is their own will.
Of course, rootkit-like techniques such as those used by Sony are VERY questionable (unacceptable IMHO) but you have to give it some time to be completely decided WHAT level of threat it is.
Greetings
saso
I very much agree with Micha, but if there is a potential that malware can misuse it, and if there are already suspicions that there is some malware that misuses it, then I am sorry for Sony but its tools should be classified as riskware.
TonyW
It seems as though Sony have issued a patch for the software to enable users to remove this "cloaking technology" from their computers.

See: http://cp.sonybmg.com/xcp/english/updates.html
Oldjim
That is OK if it is known. However, if the patch isn't applied, will KIS pick up problems hiding using the cloak prefix?
bugbuster
QUOTE(Micha @ Nov 5 2005, 06:12 PM)
Kaspersky is mainly an Anti-Virus software vendor.
If people do install <whatever>-software in order to watch movies or play CDs and do agree (mostly without much reading) to the things popping up, then click on "OK", it is their own will.


If you read Mark Russinovich's blog closely, you can see that there is NO indication of that rootkit at all in their EULA:
QUOTE
As I’ve pointed out in press interviews related to the post, the EULA does not disclose the software’s use of cloaking or the fact that it comes with no uninstall facility.
WFO
QUOTE(Mele20 @ Nov 4 2005, 06:25 PM)
I think you are missing the point. Kaspersky has not yet decided whether or not to detect this much less work on a removal tool.  It appears from the ZDNet article that Kaspersky and other AV vendors don't want to get into this other than saying it was a bad idea for Sony to use a rootkit.  I think the issue here is not how difficult it may be to make detection or removal tool but that this is political.  The AV companies don't want to offend Sony (maybe get sued) and would prefer to put pressure perhaps on Sony to fix this as they don't seem to want to have to declare such a major player as Sony as being a bad guy that their AV software will target. Alex has not addressed this directly in his blogs so I'm not sure Counter Spy will do anything either.


My response was based on the 2nd post by grnic in this thread that implied detection and removal were forthcoming. Hopefully it is.
Defenestration
I can't find the link at the moment, but it's my understanding that Kaspersky has already classified this as malware.
Mele20
QUOTE(Defenestration @ Nov 6 2005, 06:45 AM)
I can't find the link at the moment, but it's my understanding that Kaspersky has already classified this as malware.


Kaspersky has declared this as "riskware", not malware. But the ZDNet article went on to quote Kaspersky as saying that NO decision has yet been made on whether or not to detect it or remove it. It is the latter comment by Kaspersky that concerns me and that prompted my original post. This is the full quote from the ZDNet article:

http://news.zdnet.co.uk/software/0,3902038...235702-2,00.htm

"At Kaspersky Labs, senior technology consultant David Emm said he was also dismayed to see Sony using rootkits. "We don't have an issue with Sony taking steps to protect its legal rights and licensing," he said. "But given that over the past 12 to 18 months we have seen an increasing use of rootkits (by criminals), to see similar technology being implemented from someone supposedly on the good side is particularly worrying."

Use of techniques that are usually the preserve of criminals by companies such as Sony are causing problems to antivirus and security companies. "Previously it has been possible to say a rootkit equals a bad thing, but now we're having to deal with things that are not so clear cut," he said.

Kaspersky uses the term riskware to define programs that behave like malware but may not have malicious intent behind them. Although it attempts to detect riskware, so that users can be asked what they would like to do with it and so that policies can be created, it does not currently detect the rootkit used by Sony's DRM. "At the moment this is still under discussion and no final decision has been made," he added. "

It is the final sentence above that concerns me. Why is it taking so long for Kaspersky to even make the decision to detect it? It sounds like they may decide NOT to detect it. That sounds like politics and the desire to not offend Sony.
TopazDDT
Hi all, got this from the LangaList, also on the Sony issue. Makes for interesting reading.

7) Sony's Baloney

Hi Fred, are you aware of this? Sounds like a good idea gone really bad. Thanks, Wayne

FYI, the newest Sony "Digital Rights Management" system on audio CDs apparently installs a "rootkit" that attempts to hide itself from detection and intercepts all calls to the CD drive of your PC. The rootkit appears to have several vulnerabilities in and of itself and these are introduced even on a fully patched and secured Windows system.
As reported by The Register:
http://www.theregister.co.uk/2005/11/01/sony_rootkit_drm/

Hi, Fred ---- I'll be eagerly awaiting your comments in the LangaList on this Sony rootkitting exploit:
Sony Attacks PC's Worldwide With DRM Rootkit
http://wizbangblog.com/archives/007480.php
Mark's Sysinternals Blog: Sony, Rootkits and Digital Rights Management Gone Too Far
http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html
--=Regards, Morton A. Goldberg

Many others wrote in, as well. (Thanks to all!) Lots more: http://www.google.com/search?q=sony+drm+rootkit

Yes, it's a terrible idea; using a Rootkit ( http://www.google.com/search?q=rootkit ) for digital rights management is overkill, if ever there was such.

Hostile and aggressive copy protection has always, always, always backfired on the vendors using it. Example: Lotus 1-2-3 was once one of the most widely used pieces of software in the world. Then they instituted a ridiculous "three installs and you're out" copy protection program where you'd be locked out on the fourth install, even if the reinstalls were totally valid ones by the original purchaser on his own machine, using the original disks. And this was back in the early days of PCs when it wasn't uncommon to have to reformat a system every 3-6 months. Didn't matter to Lotus: There was no appeal, no legal workaround, no option: If your drive crashed, or you bought a new PC, or whatnot, you got three installs, period, and then had to buy a new copy of the very expensive software.

Guess what happened? Users either felt justified in using copy-protection cracking tools so they could access the software they'd paid for; and/or flocked to Microsoft's Excel, which wasn't as good (the macro language wasn't as well-developed then, for instance) but which avoided the hassles of Lotus' draconian copy-protection scheme. Lotus' fortunes changed soon thereafter, and it withered to a fraction of its former size and clout. Note to Sony: Those who do not study history....
Oldjim
First legal action seems to be started
http://www.alcei.org/index.php/archives/106
c4p0ne
YESS!!! Thumbs up!
Oldjim
It's getting worse
http://www.cs.helsinki.fi/u/nikki//files/s...t_readme_en.txt
It looks like the security firms are going to have to jump all over this.
Mele20
Computer Associates will detect and REMOVE the Sony rootkit beginning Nov 12. So, Kaspersky, what is taking so long with you? I would have sworn KIS would be the first to detect and remove. I am very disappointed.

"Separately, security vendor Computer Associates International said today it is now classifying Sony's software as spyware and will begin searching for and removing XCP with its antispyware software, starting on November 12.

Sam Curry, vice president of eTrust security management with Computer Associates, said the company will direct its eTrust PestPatrol product to remove XCP from customers' PCs. "We have a scorecard, and there are 22 points that we go through examining how the software behaves," he said. "In this case, XCP is falling down."

XCP installs itself without adequately notifying users of what it will do to their computers, it is too difficult to uninstall, and it also appears to be in secret communication with Sony servers, Curry said. "

http://www.pcworld.com/news/article/0,aid,123454,00.asp
Adamsky
@ KL Team: Any official statement from your company yet ?
grnic
QUOTE(Mele20 @ Nov 8 2005, 04:53 PM)
Computer Associates will detect and REMOVE the Sony rootkit beginning Nov 12. So, Kaspersky, what is taking so long with you? I would have sworn KIS would be the first to detect and remove. I am very disappointed.
http://www.pcworld.com/news/article/0,aid,123454,00.asp

KIS is BETA software. Do you remember?
Oldjim
QUOTE(grnic @ Nov 8 2005, 10:02 PM)
KIS is BETA software. Do you remember?

Which is why I originally started this thread in Protection for Home Users
Sanja
BTW, even if KIS is a beta, it won't be able to remove the rootkit driver.

grnic - check it.. and see it.
Mele20
QUOTE(grnic @ Nov 8 2005, 12:02 PM)
KIS is BETA software. Do you remember?


Yes, I do remember (every time I post here I am reminded that this is beta because I get the style sheet for the page instead of seeing my post)....but then I guess the question is, will 5.0 remove it? If yes, what is the timetable for this to be added for detection/removal?

I'm not sure what KIS being beta has to do with this! Doesn't the beta product use the same definitions as 5.0? So, are you saying 5.0 will NOT detect or remove this rootkit? Or is it still under discussion what action, if any, Kaspersky will take in this matter?
midway14
Today I noticed during a daily Symantec scan on one of the workstations at work that it picked up a threat called "aries.sys". It could not do anything with this file so I searched Google and found out it was involved with this Sony rootkit. I ran a scan with Rootkit Revealer and sure enough it was there.

I read that getting rid of this through conventional means will cripple Windows so I guess I will have to wait for someone to come up with an uninstaller (Sony's so-called patch is a joke).

I hope Sony gets what's coming to them!
rotty12b
Ditto, I hope Sony gets what's coming to them. I know technically incompetent people and even they have heard about this.

I urge everyone to mention this to everyone they know. Then Sony CANNOT ignore their responsibility to fix their stuff up.
saso
http://www.viruslist.com/en/weblog?weblogid=173730089
http://www.viruslist.com/en/weblog?weblogid=173731778

I wonder and would really like to know if the current anti-rootkit technology in KAV/KIS 2006 is able to detect this Sony rootkit. The important thing here is that I am talking about the anti-rootkit detection of hidden objects, NOT some kind of signature detection. IMO it should be able to do it... ?
Sanja
For saso - the current anti-rootkit can detect only processes hidden by a driver..
KAV/KIS 2006 cannot remove the driver (unload the driver properly and clean the registry as well).

KAV/KIS 2006 even (for build 222b) cannot kill a hidden (protected) process because KL people won't make process termination from the driver (or they haven't finished it yet... because they wanted to.. maybe now they changed their opinion).
saso
QUOTE(Sanja @ Nov 10 2005, 02:32 PM)
For saso - the current anti-rootkit can detect only processes hidden by a driver..
KAV/KIS 2006 cannot remove the driver (and clean the registry as well).

Yes, I understand that, but I was wondering if someone can confirm that it can at least detect it. And when I say confirm I mean by testing it with the real example.

QUOTE
KAV/KIS 2006 even (for build 222b) cannot kill a hidden (protected) process because KL people won't make process termination from the driver (or they haven't finished it yet... because they wanted to.. maybe now they changed their opinion).


Yes, I remember grnic saying that they are thinking of adding this "process termination from driver".
TonyW
At least, they have signature detection for the latest backdoor that utilises Sony's rootkit technology, and that is reassuring.
midway14
I read this morning on Neowin that Sony has released a second patch that does not require you to jump through hoops to obtain. The second patch (called Service Pack 2a) can be directly downloaded here:

Patch

I used this patch on the affected workstation and ran Rootkit Revealer afterwards. It found no trace of it on the hard drive.
Adamsky
QUOTE(TonyW @ Nov 10 2005, 05:20 PM)
At least, they have signature detection for the latest backdoor that utilises Sony's rootkit technology, and that is reassuring.
I think it's no problem for KL (or others) to release signatures against malware that utilizes Sony's RK technology to cloak trojan or virus activity.
IMHO the main (and fairly political) question is, if the sheer presence of a rootkit in order to prevent circumvention of Sony's DRM protection is to be considered as malicious or not !!

just my two cents again ... Adam
WFO
Considering trojans are already exploiting Sony's rootkit as a method of attack, Kaspersky owes it to their customers to detect and remove this rootkit.

The Register
JohnH
QUOTE(WFO @ Nov 11 2005, 12:21 AM)
Considering trojans are already exploiting Sony's rootkit as a method of attack, Kaspersky owes it to their customers to detect and remove this rootkit.

The Register

I agree.

The latest news I have found at Viruslist.com is

More on Backdoor.Win32.Breplibot.b
Yury November 10, 2005 | 15:00 MSK

We've been analysing the backdoor program which uses the Sony rootkit technology.

URL: http://www.viruslist.com/en/weblog?weblogid=173731778

There is a comment
11.11.2005 05:18 | TonyW
Since then we've had Backdoor.Win32.Breplibot.c added to the database.


In this forum (post #35) the signature TonyW says
At least, they have signature detection for the latest backdoor that utilises Sony's rootkit technology, and that is reassuring.

This is confusing to an average user.
TonyW
QUOTE(JohnH @ Nov 11 2005, 06:10 AM)
There is a comment
11.11.2005 05:18 | TonyW
Since then we've had Backdoor.Win32.Breplibot.c added to the database.


In this forum (post #35) the signature TonyW says
At least, they have signature detection for the latest backdoor that utilises Sony's rootkit technology, and that is reassuring.

This is confusing to an average user.
I don't see what's confusing. KL have provided detection for a backdoor utilising the Sony rootkit, and I was merely commenting on the weblog that a third variant had been added to the database. My post here is to amplify the assurance that the backdoor is being detected.

As to whether the Sony rootkit technology itself should be detected is not for me to decide on. As Adamsky says, the question for AVs to decide is whether the cloaking technique used by Sony is malicious or not.
Sanja
If KAV in its current realisation will be doing an on-demand scan - if the rootkit is hiding its driver - KAV won't detect it... even if it has signatures.
JohnH
QUOTE(TonyW @ Nov 11 2005, 08:53 AM)
I don't see what's confusing. KL have provided detection for a backdoor utilising the Sony rootkit, and I was merely commenting on the weblog that a third variant had been added to the database. My post here is to amplify the assurance that the backdoor is being detected.

As to whether the Sony rootkit technology itself should be detected is not for me to decide on. As Adamsky says, the question for AVs to decide is whether the cloaking technique used by Sony is malicious or not.

Sorry Tony, you may find me slow, but what confuses me is whether Kaspersky has added detection for malware using the Sony rootkit or not. The referred message does not tell about a new signature, I guess.

Backdoor.Win32.Breplibot.a was added to the db Nov 04 2005, but has nothing to do with the Sony issue?

>> KL have provided detection for a backdoor utilising the Sony rootkit
Where have they said so?

BTW, this discussion should have been posted in the “Virus-related issues” forum?
TonyW
QUOTE(JohnH @ Nov 11 2005, 08:26 AM)
Sorry Tony, you may find me slow, but what confuses me is whether Kaspersky has added detection for malware using the Sony rootkit or not.
Yes, they have, in the form of Breplibot. This is malware using the Sony rootkit technology.

QUOTE
Backdoor.Win32.Breplibot.a was added to the db Nov 04 2005, but has nothing to do with the Sony issue?
Maybe this first variant hasn't anything to do with it, but version .b does.

QUOTE
>> KL have provided detection for a backdoor utilising the Sony rootkit
Where have they said so?
On the weblog dated November 10: "The first backdoor which utilizes the 'Sony rootkit' was detected today. We've classified this malicious program as Backdoor.Win32.Breplibot.b."
JohnH
The weblog 10. Nov:

We're analyzing the program at the moment and will have more information soon. Watch this space.

I think Sanja is trying to tell us something in post #28, #33 and #41
TonyW
QUOTE(JohnH @ Nov 11 2005, 09:29 AM)
The weblog 10. Nov:

We're analyzing the program at the moment and will have more information soon. Watch this space.
I know, and they provided a mini-analysis later that day, which is when I responded on the weblog saying that version .c had been added since that report. According to F-Secure, version .c fixes some bugs which were present in the previous Breplibot variant.
Mele20
I want to know why Kaspersky has not provided a removal tool. If I had this rootkit on my computer, I'd have to use the Symantec removal tool. That is humiliating. Especially considering that a friend and I had a falling out about a month ago over my insisting KAV is much better than NAV. (My friend has been a very strong Symantec supporter for many years). What is wrong with Kaspersky? Scared of Sony?

This is making me think twice about buying KIS 2006. And has made me reconsider my opinion of Symantec. I can see that Symantec is large enough to not have to worry about "offending" Sony but Computer Associates has also provided a removal tool and other AV have said they will also. Sony has been condemned by the public and will pay dearly in the courts across the globe so I don't see why Kaspersky would be afraid to stand up for its customers and provide a removal tool.
SSK
never mind.
Smokey
QUOTE(SSK @ Nov 13 2005, 02:11 AM)
never mind.

SSK,

That's not true, you are angry with Mele20.

I know you are a Kaspersky freak, but don't close your eyes when there is the possibility Kaspersky Lab make wrong decisions.

KAV was and is one of the best AV's on the market, but that can change very fast.

I have used KAV year after year till today, and on my advice a lot of my customers are happy with KAV too, but I can't close my eyes to the problems with Sony's rootkit and the non-reaction of Kaspersky Lab on how to handle it.

I will be honest: if Kaspersky doesn't take action against Sony's rootkit, I won't renew my licenses, and neither will my customers.
grnic
Such a record will be added with the "riskware" type.
grnic
QUOTE(Smokey @ Nov 13 2005, 03:33 AM)
I will be honest: if Kaspersky doesn't take action against Sony's rootkit, I won't renew my licenses, and neither will my customers.

Do you think that "Sony's rootkit" is the biggest problem now? Maybe you should think about real malware?!