[IP] Do read Bruce's article "Real Story of the Rogue Rootkit"
Do read Bruce's article. Here is a piece:
But much worse than not detecting it before Russinovich's discovery was
the deafening silence that followed. When a new piece of malware is
found, security companies fall over themselves to clean our computers
and inoculate our networks. Not in this case.
McAfee didn't add detection code
<http://vil.nai.com/vil/content/v_136855.htm> until Nov. 9, and as of
Nov. 15 it doesn't remove the rootkit, only the cloaking device. The
company admits on its web page that this is a lousy compromise. "McAfee
detects, removes and prevents reinstallation of XCP." That's the
cloaking code. "Please note that removal will not impair the
copyright-protection mechanisms installed from the CD. There have been
reports of system crashes possibly resulting from uninstalling XCP."
Thanks for the warning.
Symantec's response to the rootkit has, to put it kindly, evolved. At
first the company didn't consider XCP malware at all. It wasn't until
Nov. 11 that Symantec posted a tool to remove the cloaking. As of Nov.
15, it is still wishy-washy about it, explaining
<http://securityresponse.symantec.com/avcenter/venc/data/securityrisk.aries.html>
that "this rootkit was designed to hide a legitimate application, but it
can be used to hide other objects, including malicious software."
....
-------- Original Message --------
Subject: [Dewayne-Net] re: Real Story of the Rogue Rootkit
Date: Thu, 17 Nov 2005 18:38:09 -0800
From: Dewayne Hendricks <dewayne@xxxxxxxxxxxxx>
Reply-To: dewayne@xxxxxxxxxxxxx
To: Dewayne-Net Technology List <dewayne-net@xxxxxxxxxxxxx>
References: <D8B41691-C5C4-4813-B358-2D7FC13E6532@xxxxxxx>
[Note: This comment comes from reader Jock Gill. DLH]
From: Jock Gill <jg45@xxxxxxx>
Date: November 17, 2005 3:25:30 PM PST
To: Hendricks Dewayne <dewayne@xxxxxxxxxxxxx>, Farber Dave
<dave@xxxxxxxxxx>
Subject: Re: [Dewayne-Net] Real Story of the Rogue Rootkit
Dewayne,
Re the Bruce Schneier Sony Rootkit story in Wired at:
<http://www.wired.com/news/privacy/0,1848,69601,00.html>
Since we now know that there is a very strong possibility that Sony
has planted its rootkit DRM on DoD computers, I have to ask why
they are not in Gitmo for the Holidays?
If anyone on this list had been caught, or even suspected, of
planting cloaked rootkits on DoD computers, just how long do you
think it would take for us to land in Gitmo, or some even worse
element of Bush's secret gulag, and declared a Terrorist Enemy
Combatant? Denied Habeas Corpus and many of our other
Constitutionally guaranteed rights?
Since the suspect Sony is NOT being called a TEC by the Bush admin,
how can they now ever prosecute anyone else for a similar deed?
This apparently duplicitous hypocrisy is truly stunningly
dangerous. Corporations appear to be exempt from TEC status and
thus more equal than us mere mortals.
Can we dare to hope that our opposition leadership will even begin
to address this issue?
We can only hope that DoD and Homeland Security computers were in
fact never infected by the Sony rootkit. But I would not bet on it.
Jock
Weblog at: <http://weblog.warpspeed.com>
-------------------------------------
Archives at: http://www.interesting-people.org/archives/interesting-people/