[Dshield] Sony: You don't reeeeaaaally want to uninstall, do you?

Mary Henry malum at freeshell.org
Sun Nov 13 14:25:14 GMT 2005

Hi there,

> It is certainly possible.  The simplest solution is to simply blacklist the
> driver in question and not load it.  Yes, it's a hack, but effective.
> Better solutions will depend on the details, but I suspect it is a pretty
> straightforward filter driver; inside the kernel it need not use any
> undocumented NTDDK stuff just to hide files, at least.

Yes as well =)

But wouldn't this patching only target 'SonyRootkit'?

Example.. two 'anti-piracy' applications that come to mind use 
some older calls: Ke386IoSetAccessProcess and Ke386SetIoAccessMap.

Obviously MS wouldn't release a patch that disables them - they're a part 
of hal and ntoskrnl, disabling would most likely break the OS.. even 
though not many applications use the two calls in my example.  Or 
Sonyrootkit, patching against filter drivers isn't an option.

> As far as whether Microsoft will do anything, I doubt it.  They generally
> are pretty pro-DRM themselves (witness their aggressive pursuit of anyone
> who writes software that can edit unprotected WMV files to see how they feel
> about fair use).

Lately I think "fair use" means something along the lines of keeping users 
confined to a certain piece of software.  Being someone who runs FreeBSD 
for her desktop, I cannot say I care much for .WMA, WMV ;)

> On the other hand, they take security pretty seriously these days and are
> aggressively moving into the anti-malware space, so I wouldn't completely
> count it out.  When I released JustBeFriends [*], we were counting on the
> probability of a Microsoft patch for ILOVEYOU being zero, but that happened.
> And that was way back in 2000 when Microsoft generally ignored security
> issues.  Their marketing department likes to aggressively fight the
> impression that they don't have to care about their customers since they are
> a monopoly.

2000.. about when OS/2, Novell are good and buried.  As for taking 
security seriously I suppose they don't have a choice.. if nothing else it 
displays some responsibility invested into fixing their own mess.
