Update: Microsoft will indeed add the Sony rootkit software to the list of software detected by its Malicious Software Removal Tool. This capability will appear in the December 2005 update to the utility. Signatures for the XCP component will also be added to Windows AntiSpyware, Windows Defender, and the Windows Live Safety Center. Details here.
Mark Russinovich has analyzed Sony’s “patch” for its rootkit-based software and discovered that the patch is crap and Sony is still lying.
Microsoft’s John Howard just found out about the Sony rootkit debacle and says, “Be worried – very worried”:
Normally, I wouldn’t comment on news like this on anything except my personal blog, but I am so outraged and stunned by what I’ve discovered having spent the past hour or so researching and reading about the techniques and implications of the “RootKit” approach and the legalities, the fact that a half-baked patch has been issued, and the follow-up entry from yesterday on Mark’s blog about the way that the software “calls” home.
Yes, there is a huge amount of publicity out there about this, but what worries me most now is that even with that publicity, how many home users are really going to take action on it? There is a probable chain reaction:
- Home users generally won’t read or hear about this, are highly unlikely to run a root kit revealer to discover the “rootkit”, blame XP for potentially crashing or certainly being slower due to the “rootkit” performance overhead.
- Not knowing about it means the majority of infected users will not visit the appropriate site to patch/remove the DRM software (which it appears is not flawless either).
- Many people will purchase CDs with this DRM “rootkit” software.
- Given a significant percentage of purchasers will play those CDs on home machines, there will be many home machines installed with an unpatched rootkit.
- Joe Hacker now has it on a plate with an easy way to cloak their worms/viruses on “infected” machines through the sys$ file prefix.
My proposed solution?
Each month, Microsoft updates its Malicious Software Removal Tool and pushes it down to all Windows XP clients via Automatic Updates. The next release of this software should target the First 4 Internet software and automatically remove it. It should also inoculate the system so that the software cannot be reinstalled.
Yes, I know this is unlikely to happen because the software doesn’t technically qualify as “malicious.” But it could happen if Sony gave its permission to Microsoft.
So, add one more item to my list of things Sony should do immediately:
- Fire First 4 Internet immediately and publicly.
- Remaster the CDs with DRM-free versions.
- Offer free replacement CDs to anyone who purchased one of the rootkit-infected CDs.
- Provide toll-free tech support for anyone who experiences a problem with their Windows computer that they think is related to this software.
- Assist Microsoft in updating the Malicious Software Removal Tool to remove the rootkit-based software from any infected systems and prevent it from being reinstalled.