posted 11-08-2005 09:33 PM                    

quote:

---

Security Watch: Sony CDs Make Your PC Play the Blues

Top Threat:Sony DRM
Executive Summary
Name: Sony DRM
Affects: Windows XP/XP SP2/2000/2003/NT

What it does: As originally discovered by security researcher Mark Russinovich of Winternals Software, certain music CDs published by Sony BMG Entertainment contain DRM protection requiring that the user must install a proprietary music player in order to play the songs. The player contains a rootkit (click here for a definition) as part of an effort to conceal the DRM and prevent its removal.

The DRM software and the rootkit were written by a First 4 Internet of the UK. The rootkit conceals all access to files and registry entries prefixed with the string '$sys$' in order to hide itself, but this behavior could allow other malicious programmers to hide their own programs by using the same file naming scheme. First 4 Internet and Sony deny that the system presents a security problem.

That's not the only problem with the First 4 Internet software. According to Russinovich, the software inserts itself into the CD-ROM driver stack in a way that a naive attempt by a user to remove it could result in making the CD-ROM drive unusable. Furthermore, many of the drivers in the First 4 Internet product are installed to run even when the system boots into safe mode, meaning that if a bug in the drivers interferes with the system or makes it unbootable, it could be very difficult to remove.

How to avoid it: Don't play Sony BMG music CDs in a Windows computer.

How to remove it: First 4 Internet has made a program available that removes the rootkit functionality for hiding the program, but does not remove the player or DRM protection. Sony does not provide an uninstall program, but does provide a web-based form through which you can ask for help uninstalling the program. Sony says that they will e-mail instructions for uninstalling if you fill out the form, but the privacy policy linked to on the form also says that filling it out will allow Sony and their partners to contact you for marketing purposes.

---

posted 11-09-2005 08:49 PM                       

quote: http://news.zdnet.com/2100-1009_22-5424883.html?tag=nl

---

Mac users face rare threat
By Munir Kotadia, ZDNet Australia
Published on ZDNet News: October 25, 2004, 6:20 AM PT

* ZDNet Tags: Viruses and worms
* Mac OS
* Apple Computer Inc

A script-based threat that spies on Mac users caught the attention of some security watchers last week.

The malware, which has been dubbed Opener by Mac user groups, has the potential to disable Mac OS X's built-in firewall, steal personal information or destroy data. At the moment, however, it seems to pose little danger.

Security experts say those threatening traits are common among the thousands of online threats targeting Microsoft's ubiquitous Windows operating system but are virtually unheard of on Apple Computer's Mac OS.

Paul Ducklin, Sophos' head of technology in the Asia-Pacific region, said that the software, which Sophos calls Renepo, is designed to affect Mac OS X drives connected to an infected system and that it leaves affected computers vulnerable to further attack.

Ducklin said Opener disables Mac OS X's built-in firewall, creates a back door so the malware author can control the computer remotely, locates any passwords stored on the hard drive, and downloads a password cracker called JohnTheRipper.

Opener is a "rootkit," or a set of software tools that intruders can use to gain access to a computer; it's installed either through a known vulnerability or password-cracking. Rootkits don't spread on their own, as viruses do, and require administrator access to be installed.

According to Ducklin, Opener could try to spread by copying itself to any drive that is mounted to the infected computer. This could be a local drive, part of a local network or a remote computer.

It could also be the start of a spate of attacks that use Mac OS X’s scripting features against its users, he said.

"The existence of Unix shells--such as Bash, for which this virus is written--and the presence of powerful networking commands opens up the game a little bit for Mac users. It is no longer necessary to know about Mac file formats or executables. You can write your malware in script. And if you really wanted to, you could probably write a portable virus that would run on many flavors of Unix" and Mac, said Ducklin.

Chris Waldrip, president of the U.S.-based Atlanta Macintosh Users Group, posted a detailed description of Opener on the MacInTouch Web site.

Waldrip, who acknowledges that the threat has him "a bit spooked," said Opener seems to have started out with a legitimate purpose but may yet be developed into something more dangerous.

Waldrip's site also cautions against overreacting to Opener and advises people to use proper security techniques: "As readers take pains to point out, the threat has not yet been incorporated into a widespread virus, worm or Trojan horse, but that's a fairly short step from what we've already seen, and it's important to implement good security procedures."

Mikko Hypponen, director of antivirus research at F-Secure, said that viruses targeting the Macintosh system virtually disappeared in the late 1980s.

"Things have been really quiet on Macintosh front, virus-wise. Back in the late 1980s, viruses used to be a much bigger problem on Macs than on PCs. We here at F-Secure used to have an antivirus product for Mac but discontinued it after the macro viruses died out," said Hypponen.

Symantec said users of Norton AntiVirus for Mac OS X were protected as long as they had updated their signatures over the weekend. A representative for the company said the relevant signature files had been available since Friday evening.

Munir Kotadia of ZDNet Australia reported from Sydney.

---