[funsec] And another Sony DRM Rootkit question

Larry Seltzer larry at larryseltzer.com
Thu Nov 17 12:30:10 CST 2005


I just found an e-mail in which I asked Mark Russinovich about this (sorry I
missed it first time). He said that neither the rootkit nor music player
would work, which he took as further evidence of how badly the software was
written.

I'd still like to know exactly what the error looks like, and I think Mark's
out of town. But I think I have enough information to write with now.

As for firewalls and such, I doubt any of them found anything. Mark found it
using their RootkitRevealer tool which is, after all, designed to find
rootkits. I believe Mikko from F-Secure said that their Blacklight tool
finds it, and another vendor (Tenebril? I think it's ex-Zone Labs people)
told me they find "all rootkits". 

Once again, I haven't tested it (I really ought to buy one if it's still
possible), but there is a class of product that looks generically for
threats (see the excellent review at
http://www.pcmag.com/article2/0,1895,1880015,00.asp) that might have blocked
them. I have no specific information.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer at ziffdavis.com 
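The point above about RootkitRevealer being "designed to find rootkits" rests on one technique: a cross-view comparison. The tool asks the Windows API for a listing of files and registry keys (the view a rootkit hook can filter) and then reads the same data from the raw volume and hive, and reports any entry present in the raw view but absent from the API view. The model below is an added example written for this page, not code from the thread, from Sysinternals or from Sony; the listings and the `xcp_style_hook` function are constructed, and the hiding rule (drop anything whose name starts with `$sys$`) is the behaviour Mark Russinovich documented for the XCP driver.

```python
"""Cross-view rootkit detection, modelled in Python (added example).

A filtering rootkit sits in the path of the Windows API and removes its own
files and keys from every listing.  A detector that only uses the API view
(a personal firewall, an ordinary file manager) therefore sees nothing.
RootkitRevealer-style tools defeat this by also reading the raw file system
and registry hive and diffing the two views.
"""
from typing import Callable, Iterable

# The prefix the Sony XCP driver hid.  Everything else here is constructed.
HIDE_PREFIX = "$sys$"

# Constructed raw listing: what a sector-level scan of the volume and hive
# would return, untouched by any hook.  Mixes file paths and registry keys.
RAW_LISTING = [
    r"C:\Windows\system32\drivers\ntfs.sys",
    r"C:\Windows\system32\$sys$filesystem\aries.sys",
    r"C:\Windows\system32\$sys$DRMServer.exe",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Ntfs",
    r"HKLM\SYSTEM\CurrentControlSet\Services\$sys$aries",
]


def xcp_style_hook(raw_names: Iterable[str]) -> list[str]:
    """Model of the API-level hook: hides any path with a $sys$ component.

    This is what a user-mode tool calling FindFirstFile/RegEnumKey gets back.
    """
    return [
        path
        for path in raw_names
        if not any(part.startswith(HIDE_PREFIX) for part in path.split("\\"))
    ]


def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> dict[str, list[str]]:
    """Return the discrepancies between the API view and the raw view.

    hidden_from_api: present on disk / in the hive but filtered out of the
                     API listing, the classic rootkit signature.
    missing_from_raw: reported by the API but not on disk; usually a file
                     that changed between the two scans, reported so the
                     operator can rescan rather than silently ignore it.
    """
    api, raw = set(api_view), set(raw_view)
    return {
        "hidden_from_api": sorted(raw - api),
        "missing_from_raw": sorted(api - raw),
    }


def scan(
    raw_listing: Iterable[str] = RAW_LISTING,
    hook: Callable[[Iterable[str]], list[str]] = xcp_style_hook,
) -> dict[str, list[str]]:
    """Run the cross-view check: API view = raw view passed through the hook."""
    raw = list(raw_listing)
    api = hook(raw)
    return cross_view_diff(api, raw)


if __name__ == "__main__":
    # What an API-only tool sees: no $sys$ entries at all.
    print("API view:", xcp_style_hook(RAW_LISTING))
    # What the cross-view diff reports.
    for kind, entries in scan().items():
        print(kind, entries)
```

The caveat a practitioner should keep in mind: the diff is only as good as the raw reader. If a driver filters the raw disk reads as well, or the second scan happens after the machine's own activity changes the file system, the output is wrong in one direction or the other, which is why these tools report both sides of the discrepancy rather than only "hidden" entries.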

-----Original Message-----
From: Pierre Vandevenne [mailto:pierre at datarescue.com] 
Sent: Thursday, November 17, 2005 1:18 PM
To: Larry Seltzer
Cc: funsec at linuxbox.org
Subject: Re: [funsec] And another Sony DRM Rootkit question

Good Day,

LS> I don't actually have any of the evil CDs, so I can't test this. 
LS> Does anyone know?

I was actually thinking about getting some, they'll soon be collector's
items. Unless they start protecting chamber music CDs I feel I'll always be
a step behind in that race ;^)

And I was also wondering about the reactions of third party firewalls such
as Zone Alarm, etc... Did they, in practice, warn the normal users that
something weird was going on?

--
Best regards,
Pierre                            mailto:pierre at datarescue.com
www.datarescue.com - home of the IDA Pro Disassembler.
