[Dshield] Sony: You don't reeeeaaaally want to uninstall, do you?

Tim Hollebeek tholleb at teknowledge.com
Fri Nov 11 18:56:30 GMT 2005

> Zero?  If at all possible.  Considering most rootkits use
> 'undocumented functions', et al. (see NTDDK).

It is certainly possible.  The simplest solution is to simply blacklist the
driver in question and not load it.  Yes, it's a hack, but effective.
Better solutions will depend on the details, but I suspect it is a pretty
straightforward filter driver; inside the kernel it need not use any
undocumented NTDDK stuff just to hide files, at least.

As far as whether Microsoft will do anything, I doubt it.  They generally
are pretty pro-DRM themselves (witness their aggressive pursuit of anyone
who writes software that can edit unprotected WMV files to see how they feel
about fair use).

On the other hand, they take security pretty seriously these days and are
aggressively moving into the anti-malware space, so I wouldn't completely
count it out.  When I released JustBeFriends [*], we were counting on the
probability of a Microsoft patch for ILOVEYOU being zero, but that happened.
And that was way back in 2000 when Microsoft generally ignored security
issues.  Their marketing department likes to aggressively fight the
impression that they don't have to care about their customers since they are
a monopoly.

-Tim Hollebeek

[*] I almost died laughing when I saw AOL had stolen my joke for one of
their TV ads.
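The "blacklist the driver and don't load it" approach above is just a registry change: every kernel driver Windows loads is a service entry under HKLM\SYSTEM\CurrentControlSet\Services, and setting its Start value to 4 (SERVICE_DISABLED) keeps both the boot loader and the service controller from loading it. The following is an added example, not code from the original post or from Tim Hollebeek; the service name "ExampleFilterDrv" is a hypothetical placeholder, since the post does not name the driver.

```powershell
# Added example: disable a kernel driver by setting its service Start value to
# SERVICE_DISABLED (4).  Run from an elevated PowerShell prompt; a reboot is
# needed for a driver that is already loaded.
function Disable-DriverService {
    param(
        [Parameter(Mandatory = $true)][string]$Name   # service key name, e.g. the driver's .sys base name
    )

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) {
        throw "No service key found for '$Name'"
    }

    $props = Get-ItemProperty -Path $key
    # Start: 0 = boot, 1 = system, 2 = auto, 3 = manual, 4 = disabled
    $before = $props.Start

    # Keep the original value so the change can be reverted later.
    Set-ItemProperty -Path $key -Name 'Start' -Value 4 -Type DWord

    [pscustomobject]@{
        Service      = $Name
        ImagePath    = $props.ImagePath   # where the .sys lives, for later inspection
        OldStart     = $before
        NewStart     = (Get-ItemProperty -Path $key).Start
    }
}

# Hypothetical driver name; substitute the real service key once identified.
Disable-DriverService -Name 'ExampleFilterDrv'
```

The caveat a practitioner will run into is the first step, identifying "the driver in question": a driver that hides its own files and registry keys from user-mode tools may not show up in a normal listing of the Services key, so the name has to come from an offline view of the hive, a boot log, or a kernel debugger rather than from the running system.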

