Sony's DRM Rootkits

Hi all,

Here is something that’s interesting in Mark’s Sysinternals blog.

It’s all over the news right now and rightly so:

http://news.google.com/?ncl=http://www.washingtonpost.com/wp-dyn/content/article/2005/11/02/AR2005110202362.html&hl=en

Someone else actually came across the “problem” 3 months ago and posted a thread about it at Castlecops (Hidden files and directories - DRM or trojan?).

The part of the thread I found very interesting was the reply posted by Mikefive, where he talks about how Symantec AV detected the rootkit (although they weren’t as helpful as I would have expected on what, if anything, he could do about it, especially since the DRM software facilitates the use of the rootkit for more malicious purposes. See: http://www.freedom-to-tinker.com/?p=919).

Although all of this is interesting by itself, what I want to know (and hence the reason for this post) is does Avast! detect rootkits of any kind, including Sony’s DRM rootkit as Symantec AV seems to? What about rootkits of the more malicious variety?

Regardless, I have added Mark Russinovich’s RootkitRevealer that he mentions in his blog to my arsenal just in case. It’s a small 183 KB download that you don’t even have to install - simply unpack and run on an idle system.

I have fortunately not found anything suspicious on my system. I would be interested to hear if any Avast! user has come across this or any other rootkit after scanning with RootkitRevealer.

In response to criticisms that intruders could take such advantage, First4Internet Ltd. -- the British company that developed the software -- will make available on its Web site a software patch that should remove its ability to hide files, chief executive Mathew Gilliat-Smith said.

http://www.washingtonpost.com/wp-dyn/content/article/2005/11/02/AR2005110202362.html

That doesn’t address rootkits in general.

Here’s something else, however, that does: http://www.f-secure.com/blacklight/

And here is something that one of the Alwil guys (Igor to be precise) already started on October 31st on this topic:

http://forum.avast.com/index.php?topic=17187.0 :wink: