Author Topic: I wonder what's Alwil's view of the SonyBMG rootkit issue  (Read 3727 times)

Uzi

  • Guest
I wonder what's Alwil's view of the SonyBMG rootkit issue
« on: November 08, 2005, 04:15:13 AM »
A few antivirus vendors said that regardless of Sony BMG claims, the rootkit should be reported by their AV.

http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html

It is interesting to see the view of Alwil, if they have managed an official one.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86498
  • No support PMs thanks
Re: I wonder what's Alwil's view of the SonyBMG rootkit issue
« Reply #1 on: November 08, 2005, 03:39:33 PM »
I don't believe there is an official view, but one of the Alwil Team started the first thread about the Sony Rootkit issue.

Regardless of the AVs that intend to report it, the big trick is how are they going to deal with it?

In its current state many AVs can't remove rootkits, much less this one, and removal could break your system; as has been mentioned in reports, it may stuff your CD burning. Now many would probably think that more of a problem than the Sony RootKit.

Personally, no matter what Sony do from now, I won't buy another product from Sony, from music CD to TV; trust is a two-way street and they have lost my trust.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.2.6003 (build 22.2.7013.717) UI 1.0.697/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Uzi

  • Guest
Re: I wonder what's Alwil's view of the SonyBMG rootkit issue
« Reply #2 on: November 08, 2005, 04:14:57 PM »
Thanks for letting me know about the original threads. I found them.

There is a safe method of removing the rootkit, and Mark Russinovich has mentioned it.
He only showed that a simple termination and deletion of the rootkit is not enough, and you will lose your contact with the CD. But there are viruses for which cleaning is much more than unloading them and deleting them, and antivirus programs are able to cope with that.

The sad joke is that Mark's method is safe, while Sony BMG's patch is not.

Uzi

Offline DavidR

Re: I wonder what's Alwil's view of the SonyBMG rootkit issue
« Reply #3 on: November 08, 2005, 04:21:19 PM »
Isn't that always the way ;D after spending time (probably a lot) developing this strategy only to be pasted in the media and hastily throw a patch at it without the same development only to be told it makes the problem worse.

It almost sounds like Sony went to the MS school of patching and gained a degree ;D
I wonder if Sony is a member of the Trustworthy computing organisation ;D

Uzi

  • Guest
Re: I wonder what's Alwil's view of the SonyBMG rootkit issue
« Reply #4 on: November 08, 2005, 11:23:43 PM »
According to Russinovich, it comes out of First4Internet's ignorance about the handling of device drivers.
« Last Edit: November 09, 2005, 01:59:43 AM by Uzi »

MrBabis

  • Guest
Re: I wonder what's Alwil's view of the SonyBMG rootkit issue
« Reply #5 on: November 09, 2005, 12:51:19 PM »
Sony has released a patch that will remove/disable the rootkit feature.

Offline DavidR

Re: I wonder what's Alwil's view of the SonyBMG rootkit issue
« Reply #6 on: November 09, 2005, 04:29:50 PM »
If you're talking about the Service Pack 2 released by Sony then this too is full of issues and has been discussed in the past.

However, if you are talking about yet another patch I'm sure people would like to see it if you have the link.

Uzi

  • Guest
Re: I wonder what's Alwil's view of the SonyBMG rootkit issue
« Reply #7 on: November 09, 2005, 04:35:48 PM »
This is the patch we were speaking about. It has many problems:

a) It does more than they claim. They do write something, but the purpose is misleading.

b) It removes the cloak in an unsafe manner which in some legitimate situations will cause crashes - this is due to a basic lack of knowledge about how drivers should be handled, by the company who produced this software that Sony BMG use.

c) One will use it only if one can track the source of the problems to Sony BMG, and it is likely that there will be such. Because of the tricks that they used it is not easy to track the source of the code to Sony, and it even demands some non-trivial knowledge to know that it's even there. Software that meddles with the core of the operating system, and is not coordinated with Microsoft, is likely not to be compatible with future changes, and there is no reliable update mechanism to fix such problems. It is not an application, that at most will crash. It may take the whole OS with it.
Such a reliable system cannot always exist (because one may install the software on a computer which is not connected to the Internet).

d) Anyone who follows the instructions that Russinovich followed on Sony BMG's site will be instructed to send an e-mail, while agreeing to receive promotional content from Sony and other third parties, just in order to get the patch.

e) And the main problem with this patch is that it comes from a company which has already shown a lack of integrity - so it doesn't really matter what the purpose of the patch is and how legitimate this purpose is. I can no longer trust anything that comes from Sony BMG, and don't want to have any code that comes from them.
They offer no way to uninstall all of their code (and if they did, I would still need someone like Russinovich to check that it is indeed what it claims to be).

bhtooefr

  • Guest
Re: I wonder what's Alwil's view of the SonyBMG rootkit issue
« Reply #8 on: November 09, 2005, 06:25:22 PM »
At this point, I would take ANY automated tool to remove it.

Detection is ridiculously easy, if SP2 hasn't been installed.

Removal, OTOH, is VERY tricky.