
Caution SONY Music CDs have trojan Malware

Whether you are a web surfer or a C++ developer, if you use Windows be
cautioned about SONY music CDs. They contain 'viewer' type software that is
actually a trojan horse for a "rootkit". The licence agreement gives no
indication whatsoever that the 'viewer' software contains the implementation
of a nasty near-impossible to remove rootkit software.

http://www.sysinternals.com/blog/200...al-rights.html

http://www.techdirt.com/articles/200...514209_F.shtml

http://www.theregister.co.uk/2005/11/03/secfocus_drm/

--

Beware SONY Music CDs.
They contain "viewers" that are actually
rootkit viruses that are near impossible to
remove.
http://www.sysinternals.com/blog/200...al-rights.html
http://www.techdirt.com/articles/200...514209_F.shtml
Nov 3 '05
On that special day, Art (nu**@zilch.com) said...
I suppose
one might consider root kits as a subset of stealth malware just as
some view worms as a subset of viruses. But that's just my impression.
I don't recall seeing a terminology discussion/debate on that subject
here.


Then it is bound to happen now. Few have an idea what Stealth is, and
although I have been interested in virus questions for nearly ten years,
I may be wrong.

I remember that stealth viruses would be sitting in the MBR, putting
the content of the original one into a different place, and when a
scanner would come along and try to read the MBR in order to check for
unwanted things, the (memory resident) virus would intercept this query
and present the scanner with the stored original MBR content as a
"result".

This is kind of hiding, too, although it isn't cloaking as in "run a
driver that makes everything that begins with $sys$ unnoticeable".

But the idea behind it is similar. Yet, the stealth virus would only
behave in one specific, determined way, while a driver allows for
interesting side effects, like the one that circumvents the Warden
memory scanning.
Gabriele Neukam

--
Ah, Information. A property, too valuable these days, to give it away,
just so, at no cost.
Nov 5 '05 #51

Gabriele Neukam wrote:
I remember that stealth viruses would be sitting in the MBR, putting
the content of the original one into a different place, and when a
scanner would come along and try to read the MBR in order to check for
unwanted things, the (memory resident) virus would intercept this query
and present the scanner with the stored original MBR content as a
"result".
That's an MBR stealth infector.
This is kind of hiding, too, although it isn't cloaking as in "run a
driver that makes everything that begins with $sys$ unnoticeable".
No, but memory resident exe/com stealth infectors could. :)
They were able to prevent anything from noticing changes made to the
host executable, should something come along and want to scan it. It
did this by intercepting findfirst/findnext routines. This is quite
similar to a Windows system driver service.
But the idea behind it is similar. Yet, the stealth virus would only
behave in one specific, determined way, while a driver allows for
interesting side effects, like the one that circumvents the Warden
memory scanning.


The concept is close. The hidden driver Sony installs is remapping a
few API calls to stealth items found during findfirst/findnext
routines. It's filtering. And useful for things besides Sony. heh.

Regards,
Dustin Cook

Nov 5 '05 #52

Rebecca wrote:
Dustin Cook wrote:
Towelie wrote:
Dustin - so don't buy Sony. Your choice. Why use the issue to try to
prove your perceived intellectual superiority over others?
Inferiority complex? Can't handle being contradicted?


What in the world are you talking about? I'm not trying to prove any
superiority,


That's good. You'd be laughed out of town if you did.


Uh huh. So tell me something, wiz: why are you using such insecure
software for Usenet? Incapable of installing better software?

"X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2670 "

Entertaining. heh...

Nov 5 '05 #53
Ken
What if he turned off the dangerous services... that would take a few
seconds... to change news readers would take him seconds longer. Why
bother? People who know are safe. People who don't need to take the
longer road.

Nov 5 '05 #54
Ken wrote:
What if he turned off the dangerous services... that would take a few
seconds... to change news readers would take him seconds longer. Why
bother? People who know are safe. People who don't need to take the
longer road.


Obviously dustbin hasn't a clue.

--
Come to us with a problem only if you want help solving it.
That's what we do. Sympathy is what your girlfriends are for.
Nov 5 '05 #55
On Sat, 05 Nov 2005 12:22:25 GMT, Simon
<sj************@blueyonder.co.uk> wrote:
on Sat, 05 Nov 2005 00:24:25 GMT, Art <nu**@zilch.com> wrote this wisdom:
On Fri, 04 Nov 2005 19:13:42 -0500, Jeffrey A. Setaro
<jasetaro@SPAM_ME_NOT_mags.net> wrote:
I see Sony has offered a remover:
http://cp.sonybmg.com/xcp/english/updates.html
Art; what Sony/BMG is offering is not an uninstaller... It's a
de-cloaker. The patch removes the rootkit driver but leaves the DRM
software behind.


And you would be willing to install MORE software that SAYS it will decloak the
old software?


Nope... I've got backup images of my system going back several weeks.
I can wipe my system and restore from a clean image if I need to. @#$%
Sony and their patch!
What if this program simply replaced the old software with something even worse?

Sony should review the federal trial courts ruling in the case of
Sotelo v. Direct Revenue. In its ruling, the court held that the
ancient legal doctrine of trespass to chattels (meaning trespass to
personal property) applies to the interference caused to home
computers by spyware.

See
<http://www.usatoday.com/tech/columnist/ericjsinrod/2005-10-11-spyware_x.htm>
for a good overview of the case.
Are YOU going to trust SONY after the mess they made first time?


Nope... But then I didn't trust Sony to begin with.

Cheers-

Jeff Setaro
jasetaro@SPAM_ME_NOT_mags.net
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34
Nov 5 '05 #56
Good try, Dustin, but about a million miles wide of the mark. The very
fact that you expected that to be my own UA speaks volumes.

Nov 7 '05 #57

Ken wrote:
What if he turned off the dangerous services... that would take a few
seconds... to change news readers would take him seconds longer. Why
bother? People who know are safe. People who don't need to take the
longer road.


What exactly do the system services he may or may not be running have
to do with the insecurity of the particular newsreader (Email client
actually, a very bad one at that) he's using?

Outlook Express has a long wonderful history of exploits... I don't
recall any of them requiring a particular service to be running.

You were saying something about a longer road? I suppose you have the
directions. :)

Regards,
Dustin Cook
http://bughunter.atspace.org

Nov 7 '05 #58
Dustin Cook wrote:
[snip]
Art, refresh my memory if you don't mind. Didn't we used to call
applications that hid their presence, stealth? When did this rootkit
terminology replace that?


http://anti-virus-rants.blogspot.com...r-windows.html

it seems like you and i may be on the same page...

--
"they threw a rope around yer neck to watch you dance the jig of death
then left ya for the starvin' crows, hoverin' like hungry whores
one flew down plucked out yer eye, the other he had in his sights
ya snarled at him, said leave me be - i need the bugger so i can see"
Nov 8 '05 #59

"kurt wismer" <ku***@sympatico.ca> wrote in message
news:Od********************@news20.bellglobal.com...
Dustin Cook wrote:
[snip]
Art, refresh my memory if you don't mind. Didn't we used to call
applications that hid their presence, stealth? When did this rootkit
terminology replace that?


http://anti-virus-rants.blogspot.com...r-windows.html

it seems like you and i may be on the same page...


This "rootkit" is a misnomer (should just call it stealthing), but what
you call a rootkit is no closer to the truth it seems to me. The rootkit
was a kit you could use once you already had sufficient privileges - to
replace commonly used utilities and such with versions modified to help
stealth whatever other activities you had in mind. Getting cpu access
and root privileges is not done with a kit, but with exploit code aimed
at a vulnerability (*possibly by flawed software) either running with
privilege or possibly leveraged from the lesser privilege via an
escalation vector (possibly more flawed software) to get root.

Filter driver stealthing of filesystem and process listing is no more
"rootkit" than is simple hiding of extensions for known filetypes -
although the 'stealthing' effect is similar.

* Could also be just poorly configured security
Nov 8 '05 #60
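Post #52 and post #60 above both describe the same mechanism: a filter on findfirst/findnext (and process listing) that drops every name beginning with "$sys$". As an added example that is not code from this thread, the script below shows the defender's cross-view check that catches such cloaking (the approach behind the Sysinternals tool linked in the first post): a simulated cloaked API view is diffed against a raw view that bypasses the filter. All directory, file and process names in it are constructed.

```python
"""Cross-view check for filter-driver cloaking.

A filter on FindFirst/FindNext (or process listing) that drops every name
starting with "$sys$" is invisible to a normal API walk. The classic
detection is to enumerate once through the API and once through a
low-level path that bypasses the filter, then diff the two views.
All names below are constructed for illustration.
"""

CLOAK_PREFIX = "$sys$"

# Constructed low-level view: what a raw walk bypassing the filter returns.
RAW_VIEW = {
    r"C:\Windows\System32": ["kernel32.dll", "ntdll.dll", "$sys$cloaked.dll"],
    r"C:\Windows\System32\drivers": ["disk.sys", "$sys$sample.sys"],
    "processes": ["winlogon.exe", "explorer.exe", "$sys$svc.exe"],
}

def cloaked_api_view(raw_view, prefix=CLOAK_PREFIX):
    """Model of the filtered API view: entries whose name begins with the
    prefix are silently dropped before the caller ever sees them."""
    return {ns: [n for n in names if not n.startswith(prefix)]
            for ns, names in raw_view.items()}

def cross_view_diff(low_level, high_level):
    """Return (hidden, extra): names only the low-level view has (cloaking
    candidates) and names only the API view has (usually transient files
    created between the two passes; rescan rather than alarm on these)."""
    hidden, extra = {}, {}
    for ns in sorted(set(low_level) | set(high_level)):
        raw, api = set(low_level.get(ns, ())), set(high_level.get(ns, ()))
        if raw - api:
            hidden[ns] = sorted(raw - api)
        if api - raw:
            extra[ns] = sorted(api - raw)
    return hidden, extra

def scan(raw_view=RAW_VIEW):
    """Run the cross-view check against the constructed sample volume."""
    return cross_view_diff(raw_view, cloaked_api_view(raw_view))

if __name__ == "__main__":
    hidden, extra = scan()
    for ns, names in hidden.items():
        print(f"hidden in {ns}: {', '.join(names)}")
    print("only in API view:", extra or "none")
```

On a real system the low-level view has to come from something the filter does not sit in front of (a raw volume parse or kernel structure walk), which is exactly why the check works against this class of driver and not against something that also patches the raw path.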
