Remember the Sony web-based "patch" that removed the cloaking ability of the XCP rookit and updated all the files to XCP2?
It appears that if you believed the magic words of Sony and ran the web-based patch, you may have dug a larger security hole into your computer than the original cloaking rootkit itself.
A post co-written by Ed Felten & J. Alex Halderman over at Freedom to Tinker explains the new security threat posed by the CodeSupport ActiveX control.
The root of the problem was in a serious security flaw in Sony's web-based uninstaller patch. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.
In short, this is the situation that Sony has created for THEIR CUSTOMERS that currently have the CodeSupport ActiveX control installed -
1) A malicious website author can write a malware program.
2) Package it up and throw it on some URL.
3) Trick the user into visiting the site that calls the above URL using IE. (Think Phishing or Pharming)
As soon as you visit the evil site, the package is downloaded to your computer and executed automatically without the user seeing a thing. You now have a non-sony rootkit/keylogger/bot installed on your computer. Thanks again Sony. Depending on the target range of the attack, the now installed malware may not even be detected by anti-virus.
Sony has again heard the voices of the public and provided an EXE version of this uninstaller patch. As long as you have never used the web-based patch, then you should be safe from this new threat.
If you think you might have the CodeSupport ActiveX installed, try Muzzy Reboot Test.
After infecting more than half a million networks, including military and government, Sony has decided to pull the XCP CDs off the shelf.
For now, pulling the CDs off shelves "could go a long way toward making a consumer feel comfortable that the CD they just purchased isn't going to mess up their computer," says record store owner John Kunz of Waterloo Records in Austin.
If you ever feel the need to dig for vinyl records, Waterloo and Alien are both great Austin stores.
Microsoft has finally jumped in the game and joined the rest of the anti-spyware world in its view of the Sony Rootkit. Microsoft will include removal signatures for the Sony rootkit in the Windows AntiSpyware beta, the Malicious Software Removal Tool, and the Windows Live Safety Scanner. Good news for many Windows users.
To top off all the lawsuits currently in the works against Sony, a Dutch article was released today that indicates that Sony may have used the LAME LGPL mp3 encoder in their rootkit. If this is true, then Sony failed to follow the rules for using open-source software, therefore putting it in direct violation of the open-source license agreement.
No comments:
Post a Comment