funsec mailing list archives

Re: And another Sony DRM Rootkit question


From: "Mary Landesman" <mlande () bellsouth net>
Date: Thu, 17 Nov 2005 14:41:36 -0500

According to Zone Labs, ZoneAlarm 6.0 'premium' products detected the
behavior and blocked the installation of the rootkit:
http://download.zonelabs.com/bin/free/pressReleases/2005/pr_17.html

Any permission-based firewall, properly configured, should detect the
player's phoning home. But I see no reason a firewall should detect the
rootkit itself. ZA's premium products do but only because they offer more
holistic protection than would a standalone firewall.

There's good evidence here that the player was able to phone home A LOT:
http://www.doxpara.com/

But, of course, how much of that traffic emanated from rootkitted PCs is
anyone's guess.

-- Mary

----- Original Message ----- 
From: "Pierre Vandevenne" <pierre () datarescue com>
To: "Larry Seltzer" <larry () larryseltzer com>
Cc: <funsec () linuxbox org>
Sent: Thursday, November 17, 2005 1:17 PM
Subject: Re: [funsec] And another Sony DRM Rootkit question


Good Day,

LS> I don't actually have any of the evil CDs, so I can't test this.
LS> Does anyone know?

I was actually thinking about getting some, they'll soon be
collector's items. Unless they start protecting chamber music CDs I
feel I'll always be a step behind in that race ;^)

And I was also wondering about the reactions of third party firewalls
such as Zone Alarm, etc... Did they, in practice, warn the normal
users that something weird was going on?

-- 
Best regards,
Pierre                            mailto:pierre () datarescue com
www.datarescue.com - home of the IDA Pro Disassembler.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
