[Dshield] Rootkits All Around: Universal Music Has It ,Too

Ed Truitt ed.truitt at etee2k.net
Thu Nov 3 00:15:03 GMT 2005

Oopsie... guess I got a case of Blackberry-induced left-out-a-worditis. 
What I meant to say was "I think it meets ONE OF the criteria for a 
rootkit." It isn't just that the package hides its files, but also its 
reg keys and (I think) its processes as well -- some of the very same 
traits displayed by that genre of malware we commonly refer to as 
"Windows rootkits." And, as a general rule, this type of behavior is 
highly suspicious -- and the fact that it leaves this great big gaping 
hole where malware authors can hide their garbage just doesn't make me 
think they had my best interests in mind -- or even gave it a momentary 
thought -- when they decided to implement this copy protection scheme.

Yes, I think I know why it does this (semi-stealthy install, hides 
itself on the system, takes ownership of the CD-ROM, no uninstall): 
after all, if you knew where to find it, and how to get rid of it, you 
could make several copies, then delete/deinstall the code, then 
re-install it and make several more copies, and repeat this cycle as 
often as desired. Which would sort of defeat the whole purpose behind 
having it there in the first place, eh?


Ed Truitt wrote:

>Well, since this package hides itself from the system, I think it meets the criteria for a rootkit.  The fact that it cripples your system if you try and remove it (and aren't very, very careful) gives it a distinctive flavor of 'malware'.
>If it walks like a duck, and talks like a duck... DUCK!


Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."  

More information about the list mailing list