Trojan Using Sony DRM Rootkit Spotted
Analise writes "The Register reports on the first trojan using Sony's DRM rootkit. A newly discovered variant of the Breplibot trojan makes use of the way Sony's rootkit masks files whose filenames begin with '$sys$'. This means that any files renamed this way by the trojan are effectively invisible to the average user. The malware is distributed via an email supposedly from a reputable business magazine requesting that the businessperson verify his/her attached 'picture' to be used for an upcoming issue. Once the payload is executed, the trojan then installs an IRC backdoor on affected Windows systems."
Re:A Natural Rights perspective (Score:1, Informative)
We meet again
I agree that corporate protections have no right to exist; however, mens rea dictates that only those who can be reasonably expected to know about this have any reason to feel guilty, or be guilty.
Attacking the shareholders of a corporation does nothing to change how the actual criminals behave, all it does is chill investment. Putting an end to the corporate veil will allow society to quickly weed out those who would prey on others, without having to resort to indirect attacks with collateral damage. It would also reduce the amount of damage that could be done... I suspect that for most people, if their manager instructed them to install a rootkit on every consumer's computer, they would rather polish their resume than look forward to jail time and fines out of their own pockets.
Besides, if shareholders did become culpable for the actions of every janitor and codemonkey in the corporation, and we assume that the stock market completely collapses due to this, and all companies switch to selling bonds for financing, how then would you proceed with the punishment?
Now if only this concept could apply to the repeated breaches of our Constitution by our government.
Being ignorant == fair game? (Score:4, Informative)
The President of Sony BMG's Global Digital Business, Thomas Hesse, defends Sony's installation of a rootkit by declaring, "Most people, I think, don't even know what a Rootkit is, so why should they care about it?"
Source [about.com]
Re:Back again to Windows Security (Score:5, Informative)
Short answer: No, it just assumes you're running as an administrator, which is generally true.
Much longer answer:
Windows XP comes from two roots: Windows as a DOS shell, and Windows NT. Both of these operating systems encouraged running as Administrator, for a variety of reasons.
Windows as a DOS shell is easy to explain, it was a single-user system, and therefore really had no security system in place at all. This single-user style persisted through to Windows ME, and is essentially "emulated" in Windows XP Home by having the users, by default, run as Administrators. (You can change them to regular users after creating new accounts, though.) By default, Windows XP Home doesn't require passwords on accounts - you just click on the user account you want to use, and you're logged in. So even making "less privileged" users isn't all that helpful. (I believe, by default, Windows XP Home DOES disable the built-in Administrator account, though.)
Anyway, Windows NT is another story. Technically, an "Administrator" account is just a normal user account that just happens to belong to the Administrators group. Because Windows NT's security model is much more complicated than the Unix security model (and I'd argue much more robust), essentially the Administrators group is a group with all permissions set to "allow." (There is a super-user under Windows NT. It's called "SYSTEM" and it's essentially identical to root under Unix.)
But anyway, Windows NT's security model is very complicated. Combined with no ability to "sudo" in Windows NT 4, most people who used NT just made themselves Administrators so that they didn't have to poke around the myriad of settings and ACLs to give themselves permissions to do whatever they needed to do.
Windows 2000 added "Run As" which allows you to essentially "su" and switch to another account when starting a program. This meant that it would in theory be possible to administer a system from a non-privileged account, much like Mac OS X does.
But the damage was already done. Most of the Windows software had been written for Windows 9x or assumed that you'd be an administrator under Windows NT. So attempting to run as a non-privileged account required constantly using the Run As feature to run the programs you needed to use as an administrator. (For a while, Winamp wouldn't run under a non-privileged account.) Of course, this meant that since most programs were running as administrator ANYWAY, you really weren't gaining much security.
Now, with Windows XP Pro, this is starting to change. Microsoft now requires user programs to run on non-privileged accounts. It's much clearer where user-specific information goes. But the damage has been done. Windows XP Home defaults to an administrator account for all new accounts. Most people are used to not having to enter a password to change their system settings and don't understand the concept of a non-privileged account.
So almost everyone using Windows is running as an administrator, and therefore there's no need to require a password to install a rootkit. They already have the permissions they require.
Re:Really easy test to see if you're vulnerable (Score:3, Informative)
1) If you're not using windows, you're fine.
2) Create a file on your desktop ('test.txt' should be fine). Rename the file to '$sys$test.txt'.
If the file is gone, you're vulnerable.
How about a "read-only" way?
Boot with Knoppix
At the command prompt:
$ su
# mkdir /mnt/cdrive
# mount -o ro /dev/hda1 /mnt/cdrive    (substitute your Windows partition's device; keep it read-only)
# find /mnt/cdrive -name '$sys$*' -print
(The single quotes matter: unquoted, the shell expands $sys as a variable and the pattern silently becomes '$*'.)
Any hits? You got da SonySyph...
Re:Rant Time... (Score:4, Informative)
Revoke their import/export licenses.
Stop the trading of their securities.
Lots of other ways. You need all kinds of permissions to do big business. Those permissions can be withdrawn.
Computer Associates Removes Sony DRM (Score:2, Informative)