Interesting People mailing list archives

Previous By Date Next
Previous By Thread Next

Do read Bruces article Real Story of the Rogue Rootkit]

From: Dave Farber <dave () farber net>
Date: Fri, 18 Nov 2005 16:29:20 -0500
Do read  Bruces article Here is an piece:
But much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.
McAfee didn't add detection code <http://vil.nai.com/vil/content/v_136855.htm> until Nov. 9, and as of Nov. 15 it doesn't remove the rootkit, only the cloaking device. The company admits on its web page that this is a lousy compromise. "McAfee detects, removes and prevents reinstallation of XCP." That's the cloaking code. "Please note that removal will not impair the copyright-protection mechanisms installed from the CD. There have been reports of system crashes possibly resulting from uninstalling XCP." Thanks for the warning.
Symantec's response to the rootkit has, to put it kindly, evolved. At first the company didn't consider XCP malware at all. It wasn't until Nov. 11 that Symantec posted a tool to remove the cloaking. As of Nov. 15, it is still wishy-washy about it, explaining <http://securityresponse.symantec.com/avcenter/venc/data/securityrisk.aries.html> that "this rootkit was designed to hide a legitimate application, but it can be used to hide other objects, including malicious software." 

....


-------- Original Message --------
Subject:        [Dewayne-Net] re: Real Story of the Rogue Rootkit
Date:   Thu, 17 Nov 2005 18:38:09 -0800
From:   Dewayne Hendricks <dewayne () warpspeed com>
Reply-To:       dewayne () warpspeed com
To:     Dewayne-Net Technology List <dewayne-net () warpspeed com>
References:     <D8B41691-C5C4-4813-B358-2D7FC13E6532 () mac com>



[Note:  This comment comes from reader Jock Gill.  DLH]


From: Jock Gill <jg45 () mac com>
Date: November 17, 2005 3:25:30 PM PST
To: Hendricks Dewayne <dewayne () warpspeed com>, Farber Dave <dave () farber net> 
Subject: Re: [Dewayne-Net] Real Story of the Rogue Rootkit

Dewayne,

Re the Bruce Schneier Sony Rootkit story in Wired at:

<http://www.wired.com/news/privacy/0,1848,69601,00.html>
Since we now know that there is a very strong possibility that Sony has planted its rootkit DRM on DoD computers, I have to ask why they are not in Gitmo for the Holidays?
If anyone on this list had been caught, or even suspected, of planting cloaked rootkits on DoD computers, just how long do you think it would take for us to land in Gitmo, or some even worse element of Bush's secret gulag, and declared a Terrorist Enemy Combatant? Denied Habeus Corpus and many of our other Constitutionally guaranteed rights?
Since the suspect Sony is NOT being called a TEC by the Bush admin, how can they now ever prosecute anyone else for a similar deed?
This apparently duplicitous hypocrisy is truly stunningly dangerous. Corporations appear to be exempt form TEC status and thus more equal than us mere mortals.
Can we dare to hope that our opposition leadership will even begin to address this issue?
We can only hope that DoD and Homeland Security computers were in fact never infected by the Sony rootkit. But I would not bet on it. 

Jock


Weblog at: <http://weblog.warpspeed.com>


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/
Previous By Date Next
Previous By Thread Next

Current thread: