Home » General Discussions » General Discussion » Rootkits and Renguard
Rootkits and Renguard [message #178469] |
Tue, 08 November 2005 22:50 |
|
YSLMuffins
Messages: 1144 Registered: February 2003 Location: Moved a long time ago (it...
Karma: 0
|
General (1 Star) Moderator - Mod Forum |
|
|
Slashdot and The Register.
According to this, an exposé by sysinternals about an evil Sony DRM technique has resulted not only in a backlash against Sony BMG, but also allowed World of Warcraft cheaters to defeat The Warden, Blizzard's Renguard.
I'm just wondering if this is something to be concerned about--not just with Renegade and Renguard, but in general. What's the likelihood of a new hoard of viruses that exploit this code? They would be virtually undetectable, from what I've read about rootkits.
Right now, Sony has released a "patch" to allow this rootkit to be detectable, but they are offering no uninstall unless you e-mail Sony directly...
-YSLMuffins
The goddess of all (bread products)
See me online as yslcheeze
[Updated on: Tue, 08 November 2005 22:52] Report message to a moderator
|
|
|
|
Re: Rootkits and Renguard [message #178514 is a reply to message #178469] |
Wed, 09 November 2005 07:22 |
JPNOD
Messages: 807 Registered: April 2004 Location: Area 51
Karma: 0
|
Colonel |
|
|
Yep...
And I would like to add, people running Windows Firewalls and thinking they are safe, well guess what your not. It does not check outgoing c0nn, so run a real firewall.
Or let's say you download a program there might be a botnet in it, not being detected by a virusscanner.. WIndows firewall will just let it trough.
Windows Firewall, does block most worms/trojans. but incomming obviously. (think of msblaster at that time).
Running a Hardware firewall ( like a router is a plus), but a software firewall is needed.
WOL nick: JPNOD
|
|
|
|
Re: Rootkits and Renguard [message #178541 is a reply to message #178514] |
Wed, 09 November 2005 12:52 |
|
Blazer
Messages: 3322 Registered: February 2003 Location: Phoenix, AZ
Karma: 0
|
General (3 Stars) Administrator/General |
|
|
JPNOD wrote on Wed, 09 November 2005 09:22 | Yep...
And I would like to add, people running Windows Firewalls and thinking they are safe, well guess what your not. It does not check outgoing c0nn, so run a real firewall.
Or let's say you download a program there might be a botnet in it, not being detected by a virusscanner.. WIndows firewall will just let it trough.
Windows Firewall, does block most worms/trojans. but incomming obviously. (think of msblaster at that time).
Running a Hardware firewall ( like a router is a plus), but a software firewall is needed.
|
This is absolutely false. Most windows firewalls explicitly check outgoing connections, and this is the best way to detect trojans and the like. As I explained, ANY program which initiates any network connection (TCP or UDP) causes a popup and tells you which application is doing it and if you should temporarily or permanately allow it.
This sort of firewall is how I discovered the "FlyingBuzz Trojan" years ago (it was a trojan that stole your renegade serial number and posted it to FlyingBuzz's website).
As for "real firewalls" being hardware-based, that is also not entirely true. Most routers, including the cisco router I have in my home network just have "ACL's" (Access Lists), that restrict access by IP subnets.
Also, a certain large ISP that I used to work for did extensive testing and found that a software firewall (OpenBSD + IPF), far outperformed all of the tested hardware-based products
That being said, again I want to stress that using a windows firewall more than likely DOES check outgoing connections, at least I have not used one that does not, including Kerio, Norton, ZoneAlarm, BlackIce, etc.
|
|
|
Re: Rootkits and Renguard [message #178542 is a reply to message #178516] |
Wed, 09 November 2005 12:58 |
|
Blazer
Messages: 3322 Registered: February 2003 Location: Phoenix, AZ
Karma: 0
|
General (3 Stars) Administrator/General |
|
|
Olaf van der Spek wrote on Wed, 09 November 2005 09:27 | Any anti-virus/firewall that runs on the same OS as the rootkit can not be trusted.
|
I would rather have local anti-virus and firewalls, than to trust one central firewall/antivirus, which, once compromised, exposes your entire LAN.
There is no foolproof firewall, the best thing one can do is to be aware of your network connections and OS activity. Even if you had a central firewall that blocked outgoing connections from your PC, it still has to let *something* through, or you wouldn't be able to check email, log into IRC, etc. So then all the attacker has to do is trick you into downloading a rootkit/trojan that sends data out through ports you have permitted, and/or use various methods like arp poisoning.
In short, the only completely secure PC is one that is not connected to the internet in any way, has no USB, floppy, or CDROM drives, and locked behind a cage so there is no physical access.
|
|
|
Re: Rootkits and Renguard [message #178548 is a reply to message #178541] |
Wed, 09 November 2005 13:21 |
JPNOD
Messages: 807 Registered: April 2004 Location: Area 51
Karma: 0
|
Colonel |
|
|
[quote title=Blazer wrote on Wed, 09 November 2005 14:52]JPNOD wrote on Wed, 09 November 2005 09:22 | Yep...
And I would like to add, people running Windows Firewalls and thinking they are safe, well guess what your not. It does not check outgoing c0nn, so run a real firewall.
Or let's say you download a program there might be a botnet in it, not being detected by a virusscanner.. WIndows firewall will just let it trough.
Windows Firewall, does block most worms/trojans. but incomming obviously. (think of msblaster at that time).
Running a Hardware firewall ( like a router is a plus), but a software firewall is needed.
|
This is absolutely false. Most windows firewalls explicitly check outgoing connections, and this is the best way to detect trojans and the like. As I explained, ANY program which initiates any network connection (TCP or UDP) causes a popup and tells you which application is doing it and if you should temporarily or permanately allow it.
Uhhh, With Windows Firewalls I actually just meant the Windows Built in Firewall which comes with SP2, and was already in but with less options and which is also built in Windows Server 2003.
For example, run brenbot, and it windows firewall wont notice it going out. Use zonealarm, or sygate and it will see it straight away. I do agree on that a pc connected to the Internet is nowhere near 100% safe, but if you don't have anything important on it or whatsover. It is really not worth bypassing all this??
http://www.techimo.com/photo/data/500/12firewall.jpg
WOL nick: JPNOD
[Updated on: Wed, 09 November 2005 13:28] Report message to a moderator
|
|
|
|
|
Re: Rootkits and Renguard [message #178565 is a reply to message #178549] |
Wed, 09 November 2005 16:46 |
|
Blazer
Messages: 3322 Registered: February 2003 Location: Phoenix, AZ
Karma: 0
|
General (3 Stars) Administrator/General |
|
|
Olaf van der Spek wrote on Wed, 09 November 2005 15:35 | I didn't say I prefered hardware firewalls. My points is that once a trojan is on your system, it's already too late.
|
Not always...if you have a decent firewall like the ones I noted, you can catch them trying to make outbound internet access. There have been cases of trojans though that were coded to specifically disable the users virus scanner and/or firewall as one of their first malicious actions. Fortunately since trojans are by design relatively small, they usually aren't complex enough to know how to disable all of the virus scanners or firewalls one might be using.
Pretty much all one can do is to, along with just using common sense as to what one is downloading and installing, is to have an up to date virus scanner and also a firewall that monitors outgoing connections. Even if you detect a trojan, once it's installed, they can be a real pain to erradicate, or even worse, it may just sit there, being silently blocked by your firewall, but using up your valuable system resources.
|
|
|
Re: Rootkits and Renguard [message #178818 is a reply to message #178469] |
Fri, 11 November 2005 14:51 |
|
YSLMuffins
Messages: 1144 Registered: February 2003 Location: Moved a long time ago (it...
Karma: 0
|
General (1 Star) Moderator - Mod Forum |
|
|
The question remains, though--why would Sony BMG put a rootkit on one of their audio CDs?
-YSLMuffins
The goddess of all (bread products)
See me online as yslcheeze
|
|
|
|
Re: Rootkits and Renguard [message #178836 is a reply to message #178469] |
Fri, 11 November 2005 15:17 |
|
YSLMuffins
Messages: 1144 Registered: February 2003 Location: Moved a long time ago (it...
Karma: 0
|
General (1 Star) Moderator - Mod Forum |
|
|
It's too bad that it's something that installs automatically without any type of consent or notice. Sony isn't doing much else to help uninstall this rootkit, though.
-YSLMuffins
The goddess of all (bread products)
See me online as yslcheeze
|
|
|
Re: Rootkits and Renguard [message #178837 is a reply to message #178469] |
Fri, 11 November 2005 15:18 |
|
light
Messages: 988 Registered: January 2005
Karma: 0
|
Colonel |
|
|
the term root-kit is going to be mis-used so many times.
A rootkit is a set of software tools frequently used by a third-party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system for purposes unbeknownst to the user.
http://en.wikipedia.org/wiki/Rootkit
And here is the section on Copy-Protection:
Rootkits as copy protection
There are reports as of November 1, 2005 that Sony is using a form of copy protection, or digital rights management, on its CDs called "XCP-Aurora" (a version of Extended Copy Protection from First 4 Internet) which constitutes a rootkit, surreptitiously installing itself in a cloaked manner on the user's computer and resisting attempts to detect, disable, or remove it. Much speculation is taking place on blogs and elsewhere about whether Sony might be civilly or criminally liable for such actions under various anti-computer-hacking and anti-malware legislation. Ironically, there is also speculation to the effect that the bloggers who point out what Sony CDs do, with technical details, may also be committing a civil or criminal offense under anti-circumvention provisions of laws such as the Digital Millennium Copyright Act in the United States. [3] [4]
On November 2, 2005, Sony released a patch to remove this rootkit, while continuing to maintain that it is not malicious and does not pose a security risk. But the patch itself has come under fire as well. First, it requires ActiveX controls to install, and therefore is only available to users of Microsoft's Internet Explorer. Second, the update is more than 3.5 megabytes in size, and appears to contain new versions of almost all the files included in the initial installation of the entire DRM system, and some new files as well. It appears that the patch is adding things to the system, and once again, not informing the user of exactly what is being done.[5][6]
Informed opinions differ on the security implication of this Sony 'XCP-Aurora' technology as there is evidence that the software has caused Blue screen (BSoD) errors on Windows systems while in normal use. In addition the software has been criticized as poorly implemented and the file hiding scheme could be used to hide arbitrary files on a PC simply by prefixing the filename with $sys$.
Further commentary, including security implications, can also be found on the Security Now! #12 podcast with Steve Gibson and Leo Laporte, entitled "Sony's 'Rootkit Technology' DRM (copy protection gone bad)."
A class-action lawsuit has been filed on behalf of California consumers who may have been harmed by anti-piracy software installed by some Sony music CDs. A second, nationwide class-action lawsuit is expected to be filed against Sony in a New York court on Wednesday seeking relief for all U.S. consumers who have purchased any of the 20 music CDs in question.[7]
On November 9, 2005, security companies Sophos and Symantec announced that they had discovered viruses which were exploiting the Sony rootkit in order to gain access to affected systems.[8]. These viruses are appearing primarily on the form of emails with attachments. ZoneAlarm users were protected by the an "os firewall" in their paid products.
As of November 10, 2005, World of Warcraft hackers have confirmed that the hiding capabilities of Sony BMG's content protection software can make tools made for cheating in the online world impossible to detect. The software - deemed a "rootkit" by many security experts - is shipped with tens of thousands of the record company's music titles. Furthermore, experts at SophosLabs™, Sophos's global network of virus and spam analysis centres, have detected a new Trojan horse that exploits the controversial Sony DRM (Digital Rights Management) copy protection included on some of the music giant's CDs.[9][10][11][12]
Again from: http://en.wikipedia.org/wiki/Rootkit
I love WikiPedia
|
|
|
Goto Forum:
Current Time: Sat Nov 02 08:25:16 MST 2024
Total time taken to generate the page: 0.00900 seconds
|