funsec mailing list archives

RE: And another Sony DRM Rootkit question


From: "Larry Seltzer" <larry () larryseltzer com>
Date: Thu, 17 Nov 2005 13:30:10 -0500

I just found an e-mail in which I asked Mark Russinovich about this (sorry I
missed it first time). He said that neither the rootkit nor music player
would work, which he took as further evidence of how badly the software was
written.

I'd still like to know exactly what the error looks like, and I think Mark's
out of town. But I think I have enough information to write with now.

As for firewalls and such, I doubt any of them found anything. Mark found it
using their RootkitRevealer tool which is, after all, designed to find
rootkits. I believe Mikko from F-Secure said that their Blacklight tool
finds it, and another vendor (Tenebril? I think it's ex-Zone Labs people)
told me they find "all rootkits". 

Once again, I haven't tested it (I really ought to buy one if it's still
possible), but there is a class of product that looks generically for
threats (see the excellent review at
http://www.pcmag.com/article2/0,1895,1880015,00.asp) that might have blocked
them. I have no specific information.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com 

-----Original Message-----
From: Pierre Vandevenne [mailto:pierre () datarescue com] 
Sent: Thursday, November 17, 2005 1:18 PM
To: Larry Seltzer
Cc: funsec () linuxbox org
Subject: Re: [funsec] And another Sony DRM Rootkit question

Good Day,

LS> I don't actually have any of the evil CDs, so I can't test this. 
LS> Does anyone know?

I was actually thinking about getting some, they'll soon be collector's
items. Unless they start protecting chamber music CDs I feel I'll always be
a step behind in that race ;^)

And I was also wondering about the reactions of third party firewalls such
as Zone Alarm, etc... Did they, in practice, warn the normal users that
something weird was going on?

--
Best regards,
Pierre                            mailto:pierre () datarescue com
www.datarescue.com - home of the IDA Pro Disassembler.



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
