Microsoft plans to root out Sony rootkit

Hot damn! Microsoft’s Anti-Malware Engineering Team is on the ball:

We are concerned about any malware and its impact on our customers’ machines. Rootkits have a clearly negative impact on not only the security, but also the reliability and performance of their systems.

We use a set of objective criteria for both Windows Defender and the Malicious Software Removal Tool to determine what software will be classified for detection and removal by our anti-malware technology. We have analyzed this software, and have determined that in order to help protect our customers we will add a detection and removal signature for the rootkit component of the XCP software to the Windows AntiSpyware beta, which is currently used by millions of users. This signature will be available to current beta users through the normal Windows AntiSpyware beta signature update process, which has been providing weekly signature updates for almost a year now. Detection and removal of this rootkit component will also appear in Windows Defender when its first public beta is available. We also plan to include this signature in the December monthly update to the Malicious Software Removal Tool. It will also be included in the signature set for the online scanner on Windows Live Safety Center.

That was fast! I hope my request from last week was at least partially responsible.

Sony backs down after DHS smackdown

Here’s some good news:

Sony to stop making protected CDs:

Beleaguered Sony BMG will temporarily suspend the manufacture of copy-protected CDs and re-examine its digital-rights management strategy, the media giant said on Friday.

Maybe this stinging criticism from the Department of Homeland Security made them nervous?

[A]t a U.S. Chamber of Commerce-sponsored event in downtown Washington on combating intellectual-property theft … Stewart Baker, recently appointed by President Bush as the Department of Homeland Security’s assistant secretary for policy … wrapped up his opening comments with the following admonition for the industry:

“I wanted to raise one point of caution as we go forward, because we are also responsible for maintaining the security of the information infrastructure of the United States and making sure peoples’ [and] businesses’ computers are secure. … There’s been a lot of publicity recently about tactics used in pursuing protection for music and DVD CDs in which questions have been raised about whether the protection measures install hidden files on peoples’ computers that even the system administrators can’t find.”

In a remark clearly aimed directly at Sony and other labels, Stewart continued: “It’s very important to remember that it’s your intellectual property — it’s not your computer. And in the pursuit of protection of intellectual property, it’s important not to defeat or undermine the security measures that people need to adopt in these days.

“If we have an avian flu outbreak here and it is even half as bad as the 1918 flu epidemic, we will be enormously dependent on being able to get remote access for a large number of people, and keeping the infrastructure functioning is a matter of life and death and we take it very seriously.”

It would be appropriate, in my opinion, if all of the executives in charge of this cascade of truly lame decisions would just resign.

Working around the Sony rootkit

Ed Felten has put together a SonyBMG DRM Customer Survival Kit. It includes command-line instructions to determine if you have the Aries.sys driver installed on your computer, along with instructions on how to disable the service.
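For readers who want to run that kind of check themselves, here is an added batch script (mine, not code from Felten's kit or from Sony's XCP software). It assumes, from the public analyses of XCP, that the rootkit registers a driver service named `$sys$aries` and installs its driver as `%SystemRoot%\system32\$sys$filesystem\aries.sys`; adjust those names if your copy differs. The important caveat it encodes: while the rootkit is running it hides any file, registry key or process whose name begins with `$sys$`, so a plain `dir` or `if exist` test can come back clean on an infected machine. Asking the Service Control Manager by name is assumed here to be the more trustworthy check.

```batch
@echo off
rem Added example, not from the original post or Felten's kit.
rem Assumed names (from public XCP analyses): service "$sys$aries",
rem driver file %SystemRoot%\system32\$sys$filesystem\aries.sys.
setlocal

rem 1. Ask the Service Control Manager directly. The SCM holds its own
rem    service table, so this is assumed to answer even while the rootkit
rem    is cloaking "$sys$" names from directory and registry enumeration.
sc query "$sys$aries" >nul 2>&1
if %errorlevel%==0 (
    echo [!] Service $sys$aries is registered - XCP rootkit present
    sc query "$sys$aries" | findstr /i "STATE"
) else (
    echo [ok] No service named $sys$aries is registered
)

rem 2. Look for the driver file. A "not visible" result proves nothing
rem    while the rootkit is active, because "$sys$"-prefixed names are
rem    filtered out of file-system listings; only a positive hit is useful.
if exist "%SystemRoot%\system32\$sys$filesystem\aries.sys" (
    echo [!] aries.sys is visible on disk
) else (
    echo [?] aries.sys not visible ^(absent, or still cloaked^)
)

rem 3. Disable rather than delete. Stopping and disabling the service,
rem    then rebooting, leaves the driver file in place for the vendor's or
rem    a security vendor's uninstaller. Deleting XCP's driver entries by
rem    hand while its CD-ROM filter driver stays registered has been
rem    reported to make the CD drive disappear. Uncomment to apply.
rem sc stop "$sys$aries"
rem sc config "$sys$aries" start= disabled

endlocal
```

Run it from an Administrator command prompt. If step 1 reports the service and step 2 reports nothing, that combination is itself the signature of an active cloak: the service is there, but the file it loads has been hidden from you.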

Professor Felten also notes that Sony will actually tell you how to work around its copy protection if you ask:

How to get songs from these discs into iTunes, an iPod, or anywhere else you can legally put them: SonyBMG will send instructions on how to do this to anyone who asks. Note that their instructions direct you to agree to their End User License Agreement; be sure to read the agreement and think about whether you want to accept it.

Or you could just read the instructions at his site.

Unfortunately, the workaround involves making inferior (128 Kbps) WMA copies of the tracks, burning them to a CD, then reripping them in any format you like. There’s no way to get a decent copy, much less a perfect digital copy.

Removing the Sony rootkit

Sophos is the first security software vendor to make available a removal tool for the Sony rootkit. Get it here:

Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers.

This version of the tool detects and disables the Sony DRM cloaking copy protection technology (which Sophos refers to as Troj/RKProc-Fam). It also detects and disables other Trojans, including Troj/Stinx variants, which are stealthed by Troj/RKProc-Fam.

I just ran it. Pretty much painless (and as expected I didn’t find a trace of it here).

What to do when your PC locks up

The PC Doctor has excellent advice on what to do when your PC locks up. It’s an eight-point checklist, well worth reading and remembering right now, while your computer is working just fine. When you’re confronted with a mysterious lock-up, it helps to fall back on training like this. You might even want to print out the advice!

Oh, and he echoes one of my favorite pieces of advice in the “What I don’t do” section of the same piece: Don’t just start randomly pounding on the keyboard in the hopes that you’ll hit the magic key. If Windows is temporarily locked by a process that is refusing to give up control, you’ll fill the keyboard buffer with those random keystrokes, which will be executed in horribly annoying fashion when the misbehaving app finally surrenders control.

Sony versus the world

F-Secure says “I told you so”:

We have just analyzed the first malware (Breplibot.b) that is trying to hide on machines that have Sony DRM software installed.

I’ve seen reports that Pest Patrol and some Norton products are now detecting the Sony rootkit.

And in the comments to a previous post in which I asked for Microsoft’s help (Dear Microsoft: Please clean up the Sony mess), my old friend Giesbert Damaschke points out an encouraging new article:

Microsoft ‘Concerned’ by Sony DRM

The Redmond, Wash., software maker said that the security of its customers’ information is a “top priority” and that the company is concerned by software like that deployed by Sony to block illegal CD copying.

However, unlike other security software vendors, Microsoft hasn’t decided whether to take more aggressive action against the product, such as detecting and removing it from systems, the spokesperson said.

Hmmm. Maybe someone could write a little tweak that causes your computer to make a loud retching sound whenever a rootkit-infected CD is inserted?

Update: Brian Krebs of the Washington Post passes along this five-year-old quote from Sony’s CEO, which discloses how the company really feels about its customers:

Sony CEO Howard Stringer, who kept the audience laughing throughout the night with a battery of quips, said, “Right now it would be possible for us, and I’ve often thought it would cheer me up to do it, you could dispatch a virus to anybody whose files contain us or Columbia records, and make them listen to four hours of Yanni … but in the end we’re going to have to get serious about encryption and digital-rights management and watermarking.”

Something tells me the tape of that conference will be played at a future trial.

And somewhere in Sony HQ, a PR person is banging her head against a desk realizing that the spin is just not working.

List of Sony/BMG titles with rootkits

Dwight Silverman shrugs off the plague and publishes a list of Sony/BMG titles with rootkits.

I only recognize two of them. And I don’t think the list is complete. Unless I’m mistaken, the latest CD from Leo Kottke and Mike Gordon installs this crap.

The irony to me is that Trey Anastasio and Mike Gordon are both on this short list. Ironic, because these two are members of the disbanded Phish, which built up a community of tapers who traded noncommercial copies of concerts with the band’s imprimatur.

So far, no really big artists on this list. No Dylan, no Springsteen…

(PS: Go back to bed, Dwight!)

Apple ready to turn on activation

Goodness gracious! Apple apparently wants to lock their new OS to your hardware:

Apple Computer, which is in the process of switching to computers based on the omnipresent Intel processor, has filed a patent application describing a method for securely running Mac OS X on specific hardware.

The Mac maker has applied for a patent to cover a “system and method for creating tamper-resistant code.” Apple describes ways of ensuring that code can be limited to specific hardware, even in a world in which operating systems can be run simultaneously, in so-called virtual machines. The patent application was made in April of 2004, but only made public last Thursday.

In its application, Apple describes a means of securing code using either a specific hardware address or read-only memory (ROM) serial number. Apple also talks about securing the code while interchanging information among multiple operating systems. Mac OS X, Windows and Linux are called out specifically in the filing.

I’ll be eagerly awaiting the screams of anguish from the usual suspects.

A clever way to get multiple monitors

Matrox has just announced an interesting hardware idea called DualHead2Go. According to the press release, it’s:

… a palm-sized box that connects to the existing single monitor output (i.e. external VGA output) of a computer and appears to the system as a single ultra-widescreen monitor with native support for resolutions up to 2560 x 1024, which are twice as wide as standard resolutions.

Clever idea, and Matrox claims it will work with notebooks and desktops alike. Instead of adding a second video card (with the attendant hassles of getting multiple video drivers to play nice with each other), you just plug your current video output into this box and let its embedded graphics hardware do the work.

In my experience, adding a second monitor is one of the best ways to increase your productivity. This seems like a pretty hassle-free way to do it.

I’ll see if I can get a review unit and try it out.

More on the Windows Defender name flap

Over the weekend, Dwight Silverman asked: “Does Microsoft know there’s already a Windows Defender out there?” I answered hypothetically:

Microsoft has an army of lawyers, and one would have to assume that no product naming decision gets publicly announced until there’s been a thorough trademark search.

Todd Bishop of the Seattle P-I says that assumption was right. He tracked down the developer of the original Windows Defender program, 22-year-old Adam Lyttle from Adelaide, Australia:

Lyttle wasn’t inclined to get into a legal tussle with the software giant and its army of lawyers. For one thing, he had stopped working on his Windows Defender program nearly a year before that point.

He was puzzled by one element of the agreement, which gives to Microsoft all rights to the Windows Defender name. However, after consulting with a friend in law school, he decided to just sign it and move on.

The story doesn’t make Microsoft look very good.

Thanks for following up, Todd!