I read a really great white paper on Thursday on this issue from a couple of guys at Princeton University, J. Alex Halderman and Edward W. Felten. Excellent work. They seriously tore apart this stuff, and they know what they're talking about. I found it with a Google search, but it was on copyright.gov, and don't ask me what it was doing there. I found a link to it on Wikipedia that was hosted at Princeton: here. And here is the original link I found.
The story goes that Mark Russinovich first discovered this, or at least was the first to make it public, when RootkitRevealer turned up evidence of a rootkit. He eventually tracked it back to a protection technology on CDs, which reminded him of a CD he had recently bought that was copy-protected.
If you do accept the license agreement on the program that autoruns, something called active protection software will be installed on your system, along with a rootkit installed to prevent the protection from being defeated. The whitepaper goes into detail on this, but it is very well written and clearly worded, so worry not. And, back to the CD, what also autoruns when you insert the CD (of course assuming AutoRun is enabled) is an executable named go.exe (though I have not been able to detect it so far), which is passive protection software.
Since Microsoft added this rootkit to their definitions in the Windows Malicious Software Removal Tool, and I downloaded the September version, which supposedly runs automatically after downloading, the rootkit should be taken care of. And, assuming everything is the same as mentioned in the whitepaper, upon testing it seems to be. What I did was to prefix the name of a text file with "$sys$" (no quotes). If the rootkit was in effect, that file should have disappeared, as mentioned by Mark Russinovich in his blog post. And it didn't. Hmmm. But, much to my chagrin, the rogue drivers that the active protection software put on my system seem to still be in effect, though I cannot find them. Arg. I ran a Symantec tool that would take care of the rootkit, but the tool didn't find it, which confirmed that it wasn't there. The drivers still seem to be having the scrambled-audio effect on protected discs. Or at least this one.
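The "$sys$" test above, scripted as an added example (not code from the post, the whitepaper, or any vendor tool): it creates a marker file with the cloaked prefix, checks whether the directory listing still shows it, and cleans up. The file name and the directory it runs in are assumptions; on a clean machine the marker is visible and nothing is flagged.

```python
import os
import tempfile

# Name prefix that the XCP cloaking driver hid from directory listings,
# as described in the post. Everything else here is a constructed probe.
CLOAK_PREFIX = "$sys$"


def probe_cloaking(directory):
    """Create a temporary marker file named CLOAK_PREFIX + 'probe.txt' in
    `directory` and check whether it appears when the directory is listed.

    Returns a dict: 'visible' (seen in the listing), 'reachable' (still
    opens by its full path) and 'suspicious' (we just created the file,
    so if the listing does not show it, something is filtering names).
    The marker is removed again before returning.
    """
    name = CLOAK_PREFIX + "probe.txt"  # hypothetical marker name
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("cloaking probe\n")
    try:
        # Enumeration goes through the directory-listing API that a
        # name-hiding driver would filter; a direct stat by path is a
        # second, independent view of the same file.
        visible = name in os.listdir(directory)
        reachable = os.path.isfile(path)
    finally:
        if os.path.exists(path):
            os.remove(path)
    return {"visible": visible, "reachable": reachable,
            "suspicious": not visible}


def run_probe_in_tempdir():
    """Run the probe in a fresh temporary directory (assumed writable)."""
    with tempfile.TemporaryDirectory() as tmp:
        return probe_cloaking(tmp)


if __name__ == "__main__":
    result = run_probe_in_tempdir()
    verdict = "marker hidden: investigate" if result["suspicious"] else "marker visible: no cloaking seen"
    print(f"{verdict} ({result})")
```

Pointing `probe_cloaking` at a directory on the system drive, rather than a temp directory, matches the post's test more closely, since the driver's filtering applies to the listing API rather than to any particular folder.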
One idea that I have is that I could have a new version of XCP. That would be extremely uncool.
Also, something I read: there is evidence that the makers of XCP stole parts of open-source software and illegally put them in the XCP software.
So, this is really getting to be a nasty business. I'll make at least one more post on this.
1 comments:
You have way too much time on your hands.
J/K =p
Seriously though, you have a typo in your post. On the last word of the second line, that should be they're instead of their.