[Gllug] Sony Protected CDs apparently installing rootkits...

Nix nix at esperi.org.uk
Tue Nov 1 22:58:35 UTC 2005


On Tue, 1 Nov 2005, Russell Howe yowled:
> The hooks would appear to do typical rootkit-type things, such as hide
> files in the filesystem (in this case, any file beginning with $sys$ -
> huge potential for 4th party malware to take advantage of this). It
> would appear that the registry keys used by the software are hidden from
> the Windows API calls used to enumerate the registry too, making it
> pretty difficult to tell if the software is installed.

They also stick device filters in front of the CD and behind the hard
drive (killing your CD if you manage to remove the malware), and
their DRMish monster eats 2--10% of available CPU time constantly,
polling the name of every running executable many times a second.

i.e., not just malware but malware written by incompetents. Just what
you want running as SYSTEM on random people's boxes without their
consent.

> * Winsock LSP hooks (hooking into the IP networking layer in Windows, a
>   technique used by such people as newnet)
> * SCSI filters (hooking into the SCSI layer, allowing their software to
>   inspect, modify and disallow arbitrary SCSI commands on a device)
> * Patching the Windows equivalent of the syscall table (as used to mask
>   the file and registry system API calls)

They are doing the last two, at least: see the detailed analysis linked
to from the Inquirer article.

> nasty, nasty and evil. The lot of them.

Seconded. If I'd ever believed that they cared in the least for their
customers, this would have removed that belief.

-- 
`"Gun-wielding recluse gunned down by local police" isn't the epitaph
 I want. I am hoping for "Witnesses reported the sound up to two hundred
 kilometers away" or "Last body part finally located".' --- James Nicoll
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
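The thread's point that the driver hides any file beginning with `$sys$` from the normal Windows enumeration APIs is exactly what a cross-view check catches: list the same directory through the possibly hooked API and through an independent low-level view, and whatever appears only in the second is a candidate hidden item. The script below is an added, self-contained illustration of that technique, not code from the thread or from the software being discussed. It simulates the hooked enumeration with a plain Python filter and uses constructed placeholder file names (the real driver's file names are not on the page); the probe helper models the other common check, creating a name with the hidden prefix and seeing whether the API view drops it.

```python
"""Cross-view detection of a name-hiding filter (constructed illustration).

A name-hiding rootkit alters what the high-level enumeration API returns.
Comparing that view against an unfiltered view exposes the hidden entries.
Both listing functions here are stand-ins, not real Windows calls.
"""
import ntpath
from typing import Callable, Iterable, List

HIDDEN_PREFIX = "$sys$"  # prefix the thread says the driver hides

# Constructed sample of an unfiltered volume listing (placeholder names).
RAW_LISTING = [
    r"C:\Windows\system32\$sys$example.sys",
    r"C:\Windows\system32\kernel32.dll",
    r"C:\Windows\system32\$sys$helper.dll",
    r"C:\Windows\system32\ntdll.dll",
]


def hooked_api_listing(raw: Iterable[str]) -> List[str]:
    """Simulates the hooked enumeration API: any entry whose base name
    starts with HIDDEN_PREFIX is silently dropped from the result."""
    return [p for p in raw if not ntpath.basename(p).startswith(HIDDEN_PREFIX)]


def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> List[str]:
    """Return entries present in the raw (low-level) view but absent from the
    API view. On a clean system this is empty; on a system with a name-hiding
    filter it lists the hidden entries."""
    visible = set(api_view)
    return sorted(p for p in raw_view if p not in visible)


def probe_hides_prefix(list_fn: Callable[[Iterable[str]], List[str]],
                       prefix: str) -> bool:
    """Model of the 'rename a file to start with the prefix' probe: feed a
    constructed entry carrying the prefix through the enumeration function and
    report whether it disappears. True means the enumeration is filtering."""
    marker = r"C:\Temp\%sprobe.txt" % prefix
    control = r"C:\Temp\probe.txt"
    returned = list_fn([marker, control])
    return control in returned and marker not in returned


if __name__ == "__main__":
    hidden = cross_view_diff(hooked_api_listing(RAW_LISTING), RAW_LISTING)
    for path in hidden:
        print("hidden from API view:", path)
    print("prefix filter present:", probe_hides_prefix(hooked_api_listing, HIDDEN_PREFIX))
```

On a real system the two views would come from, for example, the standard directory-enumeration API on one side and a direct read of the volume's filesystem structures on the other; the comparison logic is the same, and the probe works against any enumeration function you can call.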