sony rootkit

[reaper]

a friend's cdrom stopped working.  it looks like sony's rootkit hooks into the normal cdrom driver.

this cdrom doesn't show in windows, and the driver says it has an error.  so I copy all new .sys files over from a recovery partion, and there is still an error.  looking further in the registry someone these keys "upperfilter" and "lowerfilter" actually somehow load code that somehow hooks into the cdrom driver.  so I delete all this $sys$ files, and fake services, then I remove all the $sys$ stuff from the registry and it still comes back.  I will be trying again tonight.


http://www.privsoft.com/archive/psc-drm.html

wow, sony owes me some money for this bullshit after fucking with it for about 4 hours.  I hope Sony pays dearly for this.

[QwazyWabbit]

Sony rootkit is very old news (2005). Windows was patched long ago (internet time) to eliminate the vulnerability it exploited. Your friend wasn't patching windows or running the MS tools needed to prevent exploitation.

Microsoft MSRT detects and removes Sony rootkit automatically.
http://www.microsoft.com/security/malwareremove/default.mspx

MSAS also alerts when the kit attempts action to install itself.

[reaper]

I'm sure my friends wasn't patching windows as he knows nothing about computers.  One of the first things I did was run a removal tool, it was from symantec, but I did see the sony removal tool (didn't try it, I read it leaves files behind and actually is malware..), and I haven't tried the microsoft one.  Possibly the semantic removal tool didn't work because the malware was half removed as the machine already had been taken over, and I removed all the bs services and crap running.

I went to sony's site and I cannot claim any money for fixing the computer because it's passed 2007, but they owe me some money regardless.  I hope they fail miserably.

[QwazyWabbit]

Turn on automatic Windows updates it's designed for novice computer users and will keep him patched same as a Mac, install the MSRT and MSAS and Windows firewall. Get rid of Symantec AV, it's junk. I used to recommend Norton AV but Symantec has turned it into bloatware. Have him get NOD32 instead. Even AVG free edition is better than Symantec. MSRT must be manually run and is a post-infection tool but it knows how to remove all the major threats, including the sony rootkit.

[reaper]

Looks like the computer has been automatically patching and running MSRT for some time.  Looking at the MSRT log it found nothing for a while.

The Microsoft online virus scan detected the rootkit and removed some files, however the cd rom still does not show.  Looking for $sys$ files anywhere, they are finally all gone, even entries in the registry.

My guess is the registry is corrupted so the windows CD rom configuration is broke so it doesn't show.  Not exactly sure how to fix that, but I'll have to do some research and mess with it this weekend.

good job sony!

[Whirlingdervish]

hrm, something very similar to that happened on a rig here at work and I haven't had time to fix it yet.

I think I'll check it out with the rootkit tool just in case.

 

[QwazyWabbit]

MSRT does not scan automatically and it is not pro-active. It doesn't work like an A-V tool and must be manually run retroactively to eliminate malware but it does remove the rootkit. Fingering the registry before running MSRT may cause it to not detect some elements.

Rootkit Revealer will also detect the sony rootkit but it requires some expertise.

[reaper]

I know MSRT didn't get the rootkit because its logs go back months and months long before anyone touched the registry.  It is run every so often, after being patched.  It logs to a file and tells you what it's detected and removed.

AVG and the symantec removal tool did not find the rootkit, however microsoft onine virus scan did.  It's just that the cdrom registry is corrupt, after I remove the upper filter and lower filter registry entries for the cdrom and reinstall the driver it should be fine.

[reaper]

yes finally working.

the registry entry for upperfilters under the cdrom section still passed through gear...sys which was breaking the driver for some reason.  sony root kit done.