Rookit begone, foul tempter!

by Michael S. Kaplan, published on 2005/11/14 03:01 -05:00, original URI: http://blogs.msdn.com/b/michkap/archive/2005/11/14/492267.aspx

As reported by the Anti-Malware Engineering Team in their post about the Sony DRM Rootkit, after analysis of the situation the course of action is clear:

will all have means to detect and root out the previously discussed Sony-installed, XCP Software created Rootkit originally reported by Mark Russinovich that I previously mentioned here and here.

What I like most about this development is the way the objective criteria that were used to determine all of this are really on par with the common sense criteria that anyone reading the coverage from Mark as compare to that from Sony and XCPFirst4Internet would really have determined subjectively -- that (a) the rootkit was not a good idea and that (b) any claim to the contrary is just not going to wash.

As a side note, I do have to wonder what Sony was thinking -- why not just go belly up, say mea culpa, and get the better press for doing the right thing after careful reconsideration? Or even better, claim inury against the creator of the rootkit? Which makes me wonder what XCPFirst4Internet was thinking -- why not claim it was a work for hire, done at the insistence of their customer (Sony)? Unless it is untrue, of course.

The fact that neither of them took the high road suggests more about intent and motivation to me (as a regular customer who wants a fair shake from the products and services I buy) than any amount of positioing later.

In any case, Kudos to the Anti-Malware Engineering Team. Blogs may help make Microsoft seem more human, but it is moves like this that help make Microsoft seem more heroic!

# Rosyna on 14 Nov 2005 3:37 AM:

I think you mean "what First4Internet was thinking", AFAICT, XCP is the software, and First4Internet (http://www.first4internet.com/) is the company that made it.

The moves of the Sony Music division have been a serious problem (profit wise) for the Sony Tech division. Because the label side wants all these lame restrictions. This is what prevented them from ever making a serious iPod competitor (I mean all music had to be transcoded from MP3 to ATRAC? Screw that!).

# Nick Lamb on 14 Nov 2005 4:31 AM:

"the objective criteria that were used to determine all of this"

I was rather hoping this would be a link, either in your blog or in the anti-malware blog. It wouldn't be the first time Microsoft claimed to have "objective criteria" for something without any evidence of it.

# Andreas Magnusson on 14 Nov 2005 10:05 AM:

The objective criteria is that:

A) Any file beginning with $sys$ gets hidden which is clearly exploitable by other malware. Bad for security.

B) The driver that sony installs at a users system is a kernel-level driver so if there's something buggy in the driver (which considering other things F4I has claimed doesn't seem to far fetched) you get a BSOD. Bad for stability.

C) The driver hooks and filters several low-level system calls. Bad system performance.

D) If the driver breaks or you remove the driver manually without knowing every step on the way you will break your CD-drive. Bad for usability.

# Michael S. Kaplan on 14 Nov 2005 12:33 PM:

Rosyna, you are correct!

(its not like I call Microsoft by the name Windows!)

# Mihai on 14 Nov 2005 1:14 PM:

"why not just go belly up, say mea culpa"

Because Sony never does!

They do not want to acknowledge the stick memory is a flop and they keep pushing it in all theyr products (this is why I don't even consider the Sony mp3 players or digital cameras).

Was a long-long time before they acknowledged the mini-disk does not catch.

On the other side, MS is the first one to REMOVE the think, not just detect it! Kudos!
Others complained, some detect it, but nobody had the currage to just remove the crap.

But what I really hope is that the whole mess will end up with some regulations for how DRM and EULAs should work, and what are the rights of the consummer. We already know what rights RIAA believe they have: anything they please!

Check here some comments on the EULA, which is worse that the rootkit: http://www.eff.org/deeplinks/archives/004145.php

# Marvin on 14 Nov 2005 1:50 PM:

Re: "As a side note, I do have to wonder what Sony was thinking"

Their executives followed the rules that every corporate executive/high ranking manager follows these days.
1. Never admit any guilt. If cornered blame somebody else, change the logo, talk about shareholder interest. But NEVER admit any guilt.
2. If you say white is black long enough people will beleive you. If somebody proves to you that white is white refer to rule 1.
3. Customers are cheap, analysts are precious.

You may want to watch this abominable show "Apprentice" to see all this in action under the microscope.

# Michael Dunn_ on 14 Nov 2005 11:19 PM:

Check Mark's latest blog entry[1] - the uninstaller leaves behind an AX control with such lovely methods as "RebootMachine"

[1] http://tinyurl.com/c48t4

# Gabe on 15 Nov 2005 11:38 AM:

I'm not disagreeing that this F4I software is evil and should be removed, but it looks like MS is treading on thing ice here. There is a lot of "legitimate" software out there that is very similar in behavior.

I'd be rich if I had a penny for every piece-of-junk hardware device that had a buggy kernel driver. WHQL certification is an answer but then people (usually with buggy drivers) bitch about how MS is being a monopoly and only allowing preferred vendors make compatible hardware.
Please consider a donation to keep this archive running, maintained and free of advertising.
Donate €20 or more to receive an offline copy of the whole archive including all images.

go to newer or older post, or back to index or month or day