[Dshield] Rootkits All Around: Universal Music Has It, Too
ed.truitt at etee2k.net
Thu Nov 3 00:15:03 GMT 2005
Oopsie... guess I got a case of Blackberry-induced left-out-a-worditis.
What I meant to say was "I think it meets ONE OF the criteria for a
rootkit." It isn't just that the package hides its files, but also its
reg keys and (I think) its processes as well -- some of the very same
traits displayed by that genre of malware we commonly refer to as
"Windows rootkits." And, as a general rule, this type of behavior is
highly suspicious -- and the fact that it leaves this great big gaping
hole where malware authors can hide their garbage just doesn't make me
think they had my best interests in mind -- or even gave it a momentary
thought -- when they decided to implement this copy protection scheme.
Yes, I think I know why it does this (semi-stealthy install, hides
itself on the system, takes ownership of the CD-ROM, no uninstall):
after all, if you knew where to find it, and how to get rid of it, you
could make several copies, then delete/deinstall the code, then
re-install it and make several more copies, and repeat this cycle as
often as desired. Which would sort of defeat the whole purpose behind
having it there in the first place, eh?
Ed Truitt wrote:
>Well, since this package hides itself from the system, I think it meets the criteria for a rootkit. The fact that it cripples your system if you try and remove it (and aren't very, very careful) gives it a distinctive flavor of 'malware'.
>If it walks like a duck, and talks like a duck... DUCK!
PGP fingerprint: 5368 D25E 468C A250 9833 CCD6 DBAE 9C25 02F9 0AB9
"Note to spammers: my 'delete' key is connected to YOUR ISP.
Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."