

Mark's Sysinternals Blog


67 replies to this topic

#51 OFFLINE   Marsden11

Marsden11

    Posting Prodigy

  • Members
  • 2,078 posts

Posted 14 November 2005 - 07:55 PM

The MS Malicious Software Removal Tool will ship with a removal signature for the Sony DRM rootkit on the next Patch Tuesday. The removal tool will remove bad software. It would be useless to just "de-cloak" offending software.

That means it will be offered two ways.

1- Through the monthly update of the Malicious Software Removal Tool via Windows Update
2- As an addition to the MS Defender product line now in beta release.

This is from: According to Jason Garms, group product manager in Microsoft's Anti-Malware Technology Team, the rootkit removal signature will be pushed out at Windows users through the anti-spyware application's weekly signature update process.

#52 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,548 posts

Posted 14 November 2005 - 08:24 PM

I am not trying to start an argument on this. I just want to clarify: Microsoft's Anti-Malware Engineering Team page (that Marsden11 posted in this topic) states, and I copied and quoted from the page:

Quote

We have analyzed this software, and have determined that in order to help protect our customers we will add a detection and removal signature for the rootkit component of the XCP software to the Windows AntiSpyware beta, which is currently used by millions of users.
(bold emphasis mine)
That tells me that it will not be removing the entire XCP software. Am I missing something here?

Edited by LilBambi, 14 November 2005 - 08:25 PM.

Bambi
AKA Fran

My Public Key for Email :: BambisMusings Blog :: Fran's Computer Services Blog :: MyPassionIsBooks Blog :: 5BuckReview :: CNIRadio
"The Net interprets censorship as damage and routes around it." ~John Gilmore (Time Magazine, Dec 6, 1993)

#53 OFFLINE   Marsden11

Marsden11

    Posting Prodigy

  • Members
  • 2,078 posts

Posted 14 November 2005 - 08:27 PM

Removal signature means removal from your system. If Sony's DRM installed something on your system it will be removed. Why do you think it will not be removed?

#54 OFFLINE   patio

patio

    Thread Head

  • Members
  • 715 posts

Posted 15 November 2005 - 03:40 AM

They are now pulling product according to USA Today:

Sony to pull controversial CDs, offer swap
By Jefferson Graham, USA TODAY

LOS ANGELES — Sony BMG Music Entertainment said Monday it will pull some of its most popular CDs from stores in response to backlash over copy-protection software on the discs.

Sony also said it will offer exchanges for consumers who purchased the discs, which contain hidden files that leave them vulnerable to computer viruses when played on a PC.

"Sony BMG deeply regrets any inconvenience to our customers and remains committed to providing an enjoyable and safe music experience," the company said. Sony says more than 20 titles have been released with the XCP copy-protection software, and of those CDs, over 4 million have been manufactured, and 2.1 million sold.

Details about how long it will take to replace the XCP CDs and about its consumer exchange program will come later in the week, Sony said.

For now, pulling the CDs off shelves "could go a long way toward making a consumer feel comfortable that the CD they just purchased isn't going to mess up their computer," says record store owner John Kunz of Waterloo Records in Austin.

Country-rockers Van Zant's Get Right with the Man kicked off the firestorm when a blogger traced a hidden, spyware-type file on his computer to the CD. Other XCP copy-protected CDs include new releases by Neil Diamond, Celine Dion, Cyndi Lauper and Burt Bacharach.

Before Sony's announcement, Van Zant manager Ross Schilling urged the label to recall all the CDs. "I said we've got to be proactive, or it could destroy the business model," Schilling says. "Sony should be in the artist business, promoting and selling records. This type of issue sheds a negative light on their ability to do that."

Sony began adding copy-protection to its CDs in June 2004 with the release of a record by the band Velvet Revolver, saying it was taking a step against unauthorized online file-sharing and CD burning.

The label says it will issue all major releases with copy-protection in 2006, as will rival label EMI. The other major labels, Universal Music and Warner, have yet to release copy-protected CDs.

Sony also issues copy-protected CDs using software from digital rights management company SunnComm. But those, which include releases by the Foo Fighters and the Dave Matthews Band, haven't come under the same kind of attack.

However, many artists have spoken out about all forms of copy-protected CDs, including Matthews, the Foo Fighters and Christian rock band Switchfoot. Bela Fleck and the Flecktones are set to release a new album on Sony in January, and it will not be copy protected, says Fleck's manager, David Bendett.

Frustrated when he bought a copy-protected Dave Matthews release and couldn't copy it to his Apple iPod, Fleck insisted that Sony not release his new album with such restrictions, Bendett says.

Sony says its copy-protected CDs are clearly marked, but the front labels don't identify whether they use the XCP software. That information is included in small print on the back of the CD, which reads "?cp.sonybmg.com/xcp".

patio. :thumbsup:

#55 OFFLINE   epp_b

epp_b

    Discussion Deity

  • Members
  • 4,735 posts

Posted 15 November 2005 - 11:07 AM

I doubt there is any way to truly remove every bit (pun intended) of this software barring a complete reformat & reinstall.

#56 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,548 posts

Posted 15 November 2005 - 12:37 PM

Well, thank you patio! Your posting about the USAToday story, got me searching the web this morning...and there is quite a collection today on my blog entitled: Security Fix - Brian Krebs on Computer and Internet Security - (washingtonpost.com) - More Sony Problems to Be Revealed. That is just the beginning of where we go on this posting.

Quote

Several groups of privacy and security experts are expected to release research later today that points to multiple, serious security flaws present in “XCP,” the anti-piracy software used on an undisclosed number of Sony BMG music CDs. (For the record, Security Fix observed that experts were busily searching for such flaws shortly after this whole fiasco began).    According to details provided by prominent security researcher Dan Kaminsky, the resulting public outcry could make Sony feel like the last two weeks of consumer backlash were a walk in the park.
One of the other articles I found was from The Big Picture: DRM Crippled CD: A bizarre tale in 4 parts which is an amazing story!

Quote

DOWN THE RABBIT HOLE:  Ever come across something that only gets stranger and stranger the deeper you delve into it? That was my experience when I almost purchased a new CD -- a DRM crippled CD -- this weekend. This tale is part of a larger struggle within the recording and digital download industry -- not of P2P or piracy -- but one of innovation and competition. As you follow this odd story (broken into 4 increasingly strange parts), you will note that as it gets weirder, Artists and Consumers are the collateral damage. It makes one wonder just what the **** the Recording Industry is thinking about these days:
The rest of the story at the Big Picture link above and it is mind boggling. And don't stop at the end ... the update on October 31 leads to another big story on this whole DRM thing: Burning the Faithful - New copy-protected CDs screw over the only honest customers the music industry has left. By Eli Messinger

Quote

While lawsuits against Internet file-sharing outposts like Grokster (and a few shots at individual Napster users) have grabbed headlines, major record labels have quietly shifted their target to casual CD copying between friends and family members. This, they now claim, is the real scourge behind the industry's prolonged slump. In contrast to pay-for-play download sites, physical CDs have always been wide open, and consumers now expect that they can play the discs in standard CD players, rip the audio files to their computers for desk-side listening, download the tracks into a portable music player, burn a compilation of favorite tunes, and make a physical backup copy for safe keeping, all easily and cheaply.
Believe it or not, these are only a few of the links I posted about this morning from my Google search and postings at BBR (which by the way has some great comments and discoveries as well from its posters.)

Edited by LilBambi, 15 November 2005 - 12:48 PM.

Bambi
AKA Fran


#57 OFFLINE   hkspike

hkspike

    Message Mogul

  • Members
  • 412 posts

Posted 16 November 2005 - 09:46 AM

http://news.bbc.co.u...ogy/4441928.stm
LilBambi - Understand your skepticism but this Beeb article suggests that Sony will offer a tool to remove the program.

Quote

Sony is also providing software to make it easy to remove the controversial program from Windows computers.
"Remove" - quote/unquote! We'll see.....
If you try and take a cat apart to see how it works, the first thing you have on your hands is a non-working cat.

#58 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,548 posts

Posted 16 November 2005 - 10:15 AM

Not so fast hkspike! :D There's more to that story too. Sony has removed the link to their uninstaller temporarily. The reason is at Freedom to Tinker's site:

Quote

Update: Sony Uninstaller Hole Stays Open
Tuesday November 15, 2005 by J. Alex Halderman
Earlier today Ed Felten and I reported a serious security hole opened by the uninstaller that Sony provides to users who want to remove the First4Internet copy protection software. Further testing has confirmed that computers remain vulnerable even after the uninstall process is complete.
Sony’s web-based uninstaller is a three step process:
   1. You fill out an uninstall request on Sony’s web site.
   2. Sony sends you an email with a link to a second request form. When you follow this link, Sony’s site automatically installs a piece of software–an ActiveX control created by First4Internet–called CodeSupport.
   3. After delay, Sony sends another email with a link to a third web page that removes the copy protection software. However, the CodeSupport component remains on your computer indefinitely.
Due to a serious design flaw, the CodeSupport component allows any web site you visit to download and run software on your computer. A malicious web site author can write an evil program, package up that program appropriately, put the packaged code at some URL, and then write a web page that causes CodeSupport to download and run code from that URL. If you visit that web page with Internet Explorer, and you have previously performed at least step 2 of Sony’s uninstall process, then the evil program will be downloaded, installed, and run on your computer, immediately and automatically. Your goose will be cooked.
You can tell whether you are vulnerable by visiting our CodeSupport detector page.
If the component is installed, you should try to remove it using the instructions from our earlier post. However, this may not be enough to prevent the software from being installed again, depending on your security settings. If you have been exposed, the safest thing to do is to avoid using Internet Explorer until you receive a fix from Sony and First4Internet. Firefox should be a safe alternative.
What a fiasco. More info in the articles at Freedom to Tinker.

Edited by LilBambi, 16 November 2005 - 10:17 AM.

Bambi
AKA Fran


#59 OFFLINE   epp_b

epp_b

    Discussion Deity

  • Members
  • 4,735 posts

Posted 16 November 2005 - 11:52 AM

Sony must die!!!  B)  :rant:  :ph34r:  :)  :excl:  :bye2:  :D

#60 OFFLINE   Cluttermagnet

Cluttermagnet

    Nocturnal Radio Geek

  • Forum MVP
  • 3,870 posts

Posted 17 November 2005 - 06:17 AM

The SonyBMG spyware rootkit story was just hitting our local 6PM TV media outlets last night (Wed 16 Nov 2005). This gives some idea how much time it takes to have a fairly 'major' story on the internet filter down to the popular media. They had it partly wrong, not having a firm grasp as to what the rootkit means technically, but they did get it right about Sony having to do a massive recall of the CDs in question. They did show a clear camera shot of the spine area of the CD case with the copy protection notation. I have absolutely no pity for Sony. Needless to say, my boycott of all Sony products is now all the more resolute. A shame, as they were once a technically excellent company with some good hardware products. But they have lost their hardware edge anyway, ceding leadership to others, and this blatant, in your face attitude about DRM etc. was the last straw for me. Have any heads rolled at Sony yet? I haven't been following this the past couple days. I'll bet that not one single person at Sony has lost their job over this- yet.
Special Limited Edition Cluttermaster 2007 with direct air cooling system.
"ClutterLabs" --open hardware for open software" .......... Registered Linux User 446867


("It takes an entire village to raise a child...")
"It takes only one bulldozer to raze an entire village..."
"Hey, Fred- isn't that your kid driving that bulldozer?"

In loving memory of Bruno Knaapen of Amsterdam, who shared
his love of Linux, and thereby made the world a better place...

#61 OFFLINE   Webb

Webb

    Multithreader

  • Members
  • 1,066 posts

Posted 17 November 2005 - 11:49 AM

This story poses an interesting question:

Quote

What do you think of your antivirus company, the one that didn't notice Sony's rootkit as it infected half a million computers? And this isn't one of those lightning-fast internet worms; this one has been spreading since mid-2004. Because it spread through infected CDs, not through internet connections, they didn't notice? This is exactly the kind of thing we're paying those companies to detect -- especially because the rootkit was phoning home.
But much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.
McAfee didn't add detection code until Nov. 9, and as of Nov. 15 it doesn't remove the rootkit, only the cloaking device.

The 9000 series is the most reliable computer ever made. No 9000 computer has ever made a mistake or distorted information. We are all, by any practical definition of the words, foolproof and incapable of error. - HAL-9000

You know, this used to be a helluva good country. I don't understand what's gone wrong with it.  - George Hanson, 1969

A bad day at golf is better than a good day at work.


Jim

#62 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,548 posts

Posted 17 November 2005 - 12:38 PM

Webb, that was my concern (on a post here) on SNL Forums earlier with Microsoft's Antispyware and Anti-malware tool. It sounded like they were only removing the de-cloaking from the anti-malware blog at Microsoft. And now we find out that the AVs like McAfee are only removing the de-cloaking too? :huh: :o B) :rant: ;)

And if that wasn't bad enough ... on my blog entry "Sony malware infections in the millions - security expert | TG Daily", one of the comments posted this morning gave a link to Sony's site where they list the discs that include the XCP .... 52 of them!!!!

This gets worse by the day! :angry: ;) B)

Edited by LilBambi, 17 November 2005 - 12:41 PM.

Bambi
AKA Fran


#63 OFFLINE   Temmu

Temmu

    The Assimilator

  • Forum MVP
  • 12,543 posts

Posted 22 November 2005 - 07:09 PM

wow, amazing, but not surprising. it's amazing, it's legal to tape songs from the radio and use them to your heart's content, but to not be able to even play them on pc... howzit that you can get music fer free from the radio, to keep and hold fer ever, but napster was impaled?

#64 OFFLINE   Marsden11

Marsden11

    Posting Prodigy

  • Members
  • 2,078 posts

Posted 22 November 2005 - 07:46 PM

Sony should be headed down after all the rootkit ruckus... Are they? Nope!

Quote

According to data from market tracker Nielsen SoundScan, the discs carrying Sony's copy protection software suffered little, if any, decline in sales compared with other medium-selling titles at similar points in their release cycles--at least up to the point of Sony's recall last week. Sales of the title first and most widely associated with the problem, southern rockers Van Zant's "Get Right with the Man," actually climbed in the two weeks following exposure of the CD's security risks, according to Nielsen SoundScan data. Celine Dion's album "On Ne Change Pas" held steady at 300 copies per week throughout the controversy. Several titles that were closer to their release dates, such as albums by Trey Anastasio and Puerto Rican singer Chayanne, showed more substantial drops over the same period of time. However, industry insiders said even these week-to-week drops were not unusual, close to an album's release. Another measure of albums' popularity is provided by Gracenote, whose CDDB--Compact Disc Database--service counts how many times people put CDs in their computers using a media player such as iTunes, Windows Media Player or RealPlayer. These programs automatically look up the album name and song titles. A representative for Gracenote said the company's data shows no appreciable difference in trends--and specifically no obvious drop-off in listening--between Van Zant and similar-selling albums that don't carry the rootkit. The same goes for several other recalled Sony titles, it noted.
Source:
The online outrage has been huge... but what about brick & mortar music? Zero change... people are not running in demanding Sony's offerings be tossed off the store shelves. Makes you think about wasting time ranting about these things...

Edited by Marsden11, 22 November 2005 - 07:47 PM.


#65 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,548 posts

Posted 22 November 2005 - 07:48 PM

Not really. Just makes me sad that there will be more computers with this rootkit on them.
Bambi
AKA Fran


#66 OFFLINE   Marsden11

Marsden11

    Posting Prodigy

  • Members
  • 2,078 posts

Posted 22 November 2005 - 08:19 PM

And if all the companies that offer rootkit removal schemes only de-cloak, then after that de-cloaking, it really isn't a rootkit anymore is it? It sure isn't hiding anything anymore...

#67 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,548 posts

Posted 22 November 2005 - 10:57 PM

The web page decloaker that Sony was using, and has stopped distributing, created a secondary problem where any website can make use of it to install whatever they want without user intervention. I hope that's not what they provided to the AV companies to remove it. Sony themselves have not posted an alternate fix on their site. Maybe they are counting on the AVs and Microsoft to remove it for them?

Edited by LilBambi, 22 November 2005 - 10:57 PM.

Bambi
AKA Fran


#68 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,548 posts

Posted 23 November 2005 - 06:28 PM

Maybe this has not made it big in the brick and mortar stores, which by the way are not as big as the online stores these days, it has made a tremendous impact on the artists at online outlets like Amazon.com as evidenced by this BBC article: Sony’s Escalating “Spyware” Fiasco

Quote

Along with lawyers, prosecutors, and furious fans, artists are joining the backlash against the label for slipping a hidden, anti-theft program into users’ computers    Van Zant’s Get Right with the Man CD was released in May, but six months later it still was doing better-than-respectable business on Amazon.com (AMZN). The album ranked No. 887 on the online retailer’s list of music sales on Nov. 2. Then news of the CD’s aggressive content safeguards — a sub-rosa software program incorporated courtesy of Sony BMG — exploded on the Internet.
To go from Amazon’s Top 40 to No. 25,902 because of something their “Label” did to them without their knowledge and consent is nothing to sneeze at. Much more in the article, and at my blog.
Bambi
AKA Fran




