Sunday, November 28, 2010

 

FB Spam Spam Spam...	Posted by Sean @ 16:39 GMT

Looks like the situation hasn't improved with the Facebook spam we've been tracking since Thursday.

The "This Girl Killed Herself After Dad Posted THIS on her Wall" application, using a URL of http://apps.facebook.com/suicidegirlg, worked its way past the letter M yesterday (suicidegirlm).

And today the URL is based on "a dead girl" and is using the letter G as in /adeadgirlg.



Not exactly the Da Vinci Code, is it? We predict the next version of the application will be http://apps.facebook.com/adeadgirlh.

Hopefully Facebook can take version H offline faster than version G…

The "This Girl killed Herself After her Husband Posted this on her wall" application is still being posted by "Trica".



This time the account is linked to an application called "Teenage MOM killed herself because of her DAD post".

And then finally, there's the "Profile Watcher" applications posted by bit.ly user gsoft:



This spammer is having a very successful holiday weekend; his public stream now shows a total of more than 686,000 clicks!
 
 

 
 

Friday, November 26, 2010

 

Black Friday Specials: Facebook Spam!	Posted by Sean @ 14:47 GMT

We observed numerous spam runs on Facebook yesterday…

Here's a quick look from earlier today using the same search terms: "http:// omg".

Our first entry:



This uses the same image as yesterday's "This Girl Killed Herself After Dad Posted THIS on her Wall" application.

Question: If Facebook's antispam team took Suicide Girl A/B/C/D/E/F offline yesterday… why is "G" still online today?

Here's a link pointing to "Teenage MOM Killed herself":



It uses the same basic template as yesterday's "This Girl killed Herself After her Husband Posted this on her wall" application.



AND… it was also posted by the same "Trica" account.

Question: If an account is pushing spam applications, shouldn't you kickban the account and not just pull its applications?

And here's a link promoting a so called "Profile Watcher":



It's a bit.ly link, being used by the spammer for tracking purposes.

It redirects to this application:



A quick look at the bit.ly data reveals that its creator has created many other similar applications.

Gsoft's Public Timeline:



Over 200 thousand clicks!

Here's a thought, instead of just playing "Whac-A-Mole" with the Facebook applications, perhaps somebody over at Facebook should send bit.ly an abuse message and request that the entire gsoft account be suspended?

Hopefully the situation improves by Cyber Monday…

---

 
 

 
 

Alternative Theories	Posted by Mikko @ 08:30 GMT

While most Stuxnet origin theories claim the malware to be written by Israel or the US government, there are other theories as well.

Jeffrey Carr wrote an interesting piece for Forbes, proposing four different theories on where Stuxnet might have come from.



While I don't think it's likely that Ydinverkosto would have written Stuxnet, we are aware of real Finnish computer attacks done by ecological extremists. The cases are not recent though.

Think about the PC virus Ekoterror. Found in 1992, this Finnish virus would activate by overwriting the beginning of the hard drive and displaying this message:



In English:

    EkoTerror (C) 1991 ATK-toimisto P.Linkola Oy
    
    Your hard drive has been disabled to protect the environment.
    There must be no nuclear powered hard drives in a green society.

The copyright statement inside the virus was a reference to Mr. Pentti Linkola, a Finnish ecologist known for his radical thoughts. I remember calling him at the time to discuss the incident. It was obvious he had nothing to do with the case and did not know who was behind it.

Is there a link between Ekoterror and Stuxnet? I don't think so.

In any case, Jeffrey's full white paper is available from here. (PDF)

Signing off,
Mikko
 
 

 
 

Thursday, November 25, 2010

 

Happy Spamgiving Day	Posted by Sean @ 18:19 GMT

It's Thanksgiving Day in the United States and most folks are probably at home with their families right now.

But somebody at Facebook security is probably on the job, because we're observing various spam runs on the site. Spammers are probably timing their efforts in an attempt to take advantage of holiday surfers.

It is fairly easy to locate spam links on Facebook using the search options at http://www.facebook.com/search/ and searching "Posts by Everyone" for terms such as "http:// omg".

You'll often get results such as this:



With links that open Facebook Applications such as this:



And this:



To this:



And this:



To this:



And this:



To this:



A TinEye reverse image search of the picture used by the "Girl killed Herself because of her Husband" application yielded three results which link to blogs about a high school senior that killed herself after her boyfriend shared sexting photos.



The application's author "Trica" targeted a particular demographic, as you can see here:



And what happens if you click on any of the applications?

A "Request for Permission" is prompted:



Permissions include basic information and e-mail. Perfect details to commoditize and sell off to e-mail spammers.

Name, age, gender plus e-mail equals targeted spam.



The applications also want permission to "Manage my pages".



That's a problem because if the spammer gains access to your Page, it can be used to spread even more spam, and to collect your Page's insight data.

This seems like something that Facebook really should change… we're generally comfortable with the application controls that are in place. To develop an application, you need to validate your account with either a phone number or a credit card. And each user must approve the request for permissions.

But really, how many applications need to manage your pages?!?

There really should be an extra account validation in place to develop that particular feature.

Several of the applications shown above are now offline, but we're seeing new applications spawning to take their place. Facebook's antispam team has a busy day ahead.

You can assist them by reporting any spam applications you find:



Happy Thanksgiving!

Enjoy your turkey, and we hope it doesn't come with a slice of spam.
 
 

 
 

Wednesday, November 24, 2010

 

Slow CPU equals malware defense?	Posted by Response @ 14:38 GMT

The Lab handles tens of thousands of suspicious binaries every day. The only way a relatively small group of human researchers can handle such volume is of course with automation. Each sample that is imported into our malware sample management system is scanned, classified, and executed in a virtual environment. Observations are made and we humans analyze collections of like samples.

Malware authors know that antivirus vendors use automation and virtualization to attack the lifespan of their latest variants. (A reason why they produce such a large number of variants each day.) In addition to volume, many malware variants also include virtual machine detection and anti-debugging code, in order to inhibit our research and avoid detection for as long as possible.

Sometimes their anti-debugging efforts are too aggressive to the point of being counterproductive.

Last week I was analyzing a Zbot (aka ZeuS) variant that used multiple methods to detect the presence of a debugger. If a debugger is detected, ExitProcess is called immediately and no malicious code is executed. The anti-debug tricks used in the sample have been known for years but one of them has an interesting side effect.

Here's the assembly code:



First, the RDTSC (Read Time-Stamp Counter) instruction is executed. The timestamp counter is incremented on each clock cycle. The high-order 32 bits of the counter are loaded into EDX and pushed onto the stack. Then Sleep(0x7D0) is called which suspends the execution for two seconds. Finally, RDTSC is executed again and the high-order 32 bits is compared to the value that was saved to the stack. If the values are equal, i.e. EDX gets the same value on both times RDTSC is executed, the sample thinks a debugger must be present. This is based on the assumption that at least 2^32 clock cycles happen during the two seconds so the value in EDX should get incremented.

What all this means is that the sample assumes the CPU runs at over 2GHz. In other words, with a CPU below 2GHz the sample acts as if it is being debugged, aborts execution and does not infect the system. I tested the sample on an IBM T42 (1.86 GHz) notebook and the system was slow enough to avoid being infected.

Another interesting side effect of this Zbot's anti-debugging defense is that any computers it does manage to infect will result in a premium collection of bots. Perhaps the Zbot pusher has discriminating tastes?

Response post by — Timo

Updated to add: @ju916 from The H Security had some follow up questions regarding the possibility of infection.

It is not impossible for a computer slower than 2GHz to be infected. The slower the CPU, the less likely the infection. Faster than 2GHz is a sure thing. Thanks to @ju916 for the follow up!
 
 

 
 

Tuesday, November 23, 2010

 

Stuxnet Redux: Questions and Answers	Posted by Sean @ 11:21 GMT

Stuxnet continues to be a hot topic. Here's an updated set of Questions and Answers on it.

Q: What is Stuxnet?
A: It's a Windows worm, spreading via USB sticks. Once inside an organization, it can also spread by copying itself to network shares if they have weak passwords.

Q: Can it spread via other USB devices?
A: Sure, it can spread anything that you can mount as a drive. Like a USB hard drive, mobile phone, picture frame and so on.

Q: What does it do then?
A: It infects the system, hides itself with a rootkit and sees if the infected computer is connected to a Siemens Simatic (Step7) factory system.

Q: What does it do with Simatic?
A: It modifies commands sent from the Windows computer to the PLC (Programmable Logic Controllers, i.e. the boxes that actually control the machinery). Once running on the PLC, it looks for a specific factory environment. If this is not found, it does nothing.



Q: Which plant is it looking for?
A: We don't know.

Q: Has it found the plant it's looking for?
A: We don't know.

Q: What would it do if it finds it?
A: The PLC modification searches for specific high-frequency converter drives (AC drives) and modifies their operation.

Q: What's a high-frequency converter drive?
A: Basically, it's a device that can control the speed of a motor. Stuxnet searches for specific AC drives manufactured by Vacon (based in Finland) and Fararo Paya (based in Iran).

Q: So does Stuxnet infect these Vacon and Fararo Paya drives?
A: No. They drives do not get infected. The infected PLC modifies how the drives run. The modification happens only when very specific conditions are all true at the same time, including an extremely high output frequency. Therefore, any possible effects would concern extremely limited AC drive application areas.

Q: What are those application areas? What are AC drives used for?
A: They are used for various purposes, for example for efficient air pressure systems.

Q: Any other examples?
A: Well yes, they are also used for enrichment centrifuges.

Q: As in?
A: As in Uranium enrichment where centrifuges spin at a very high speed. This is why high-frequency drives are considered dual-use technology and are under the IAEA export restriction list.

Q: Would the Stuxnet code cause centrifuges to disintegrate into projectiles traveling at around Mach 2?
A: It's more likely the modifications would cause the centrifuges to produce bad-quality uranium. The changes could go undetected for extended periods of time.

Q: Have you been in touch with Vacon?
A: Yes. They have been investigating the matter and they are not aware of any instances where Stuxnet would have created problems in the operations of Vacon's customers.

Q: Some suggest the target of Stuxnet was the Natanz enrichment facility in Iran. Are there Vacon AC drives in these facilities?
Q: According to Vacon, they are not aware of any Vacon drives in use in the Iranian nuclear program, and they can confirm that they have not sold any AC drives to Iran against the embargo.

Q: Have you been in touch with Fararo Paya?
A: No.

Q: What do you know about this company?
A: Nothing. It doesn't seem to be very well known outside of Iran. We're not aware of any AC drive customers they would have outside of Iran.

Q: That would indicate what the target country was, wouldn't it?
A: Next question.

Q: Could there be collateral damage? Could Stuxnet hit another plant that was not the original target?
A: It would have to be very similar to the original target.

Q: Do you know of any plants that would be similar to Iran's uranium enrichment plant?
A: Turns out North Korea seems to have a plant that shares the same design.

Q: Why is Stuxnet considered to be so complex?
A: It uses multiple vulnerabilities and drops its own driver to the system.

Q: How can it install its own driver? Shouldn't drivers be signed for them to work in Windows?
A: Stuxnet driver was signed with a certificate stolen from Realtek Semiconductor Corp.

Q: How do you steal a certificate?
A: Maybe with malware looking for certificate files and using a keylogger to collect the passphrase when it's typed in. Or breaking in and stealing the signing gear, then brute-forcing the passphrase.

Q: Has the stolen certificate been revoked?
A: Yes. VeriSign revoked it on July 16th. A modified variant signed with a certificate stolen from JMicron Technology Corp was found on July 17th.

Q: What's the relation between Realtek and Jmicron?
A: Nothing. But these companies have their HQs in the same office park in Taiwan… which is weird.

Q: What vulnerabilities does Stuxnet exploit?
A: Overall, Stuxnet exploits five different vulnerabilities, four of which were 0-days:

  •  LNK (MS10-046)
  •  Print Spooler (MS10-061)
  •  Server Service (MS08-067)
  •  Privilege escalation via Keyboard layout file (MS10-073)
  •  Privilege escalation via Task Scheduler

Q: And these have been patched by Microsoft?
A: All but one of the two Privilege escalations has been patched. A public exploit for the last remaining vulnerability was released in November.

Q: Did the Stuxnet creators find their own 0-day vulnerabilities or did they buy them from the black market?
A: We don't know.

Q: How expensive would such vulnerabilities be?
A: This varies. A single remote code execution zero-day in a popular version of Windows could go for anything between $50,000 to $500,000.

Q: Why was it so slow to analyze Stuxnet in detail?
A: It's unusually complex and unusually big. Stuxnet is over 1.5MB in size.

Q: When did Stuxnet start spreading?
A: In June 2009, or maybe even earlier. One of the components has a compile date in January 2009.

Q: When was it discovered?
A: A year later, in June 2010.

Q: How is that possible?
A: Good question.

Q: How long did it take to create Stuxnet?
A: We estimate that it took over 10 man-years to develop Stuxnet.

Q: Who could have written Stuxnet?
A: Looking at the financial and R&D investment required and combining this with the fact that there's no obvious money-making mechanism within Stuxnet, that leaves only two possibilities: a terror group or a nation-state. And we don't believe any terror group would have this kind of resources.

Q: So was Stuxnet written by a government?
A: That's what it would look like, yes.

Q: How could governments get something so complex right?
A: Trick question. Nice. Next question.

Q: Was it Israel?
A: We don't know.

Q: Was it Egypt? Saudi Arabia? USA?
A: We don't know.

Q: Was the target Iran?
A: We don't know.

Q: Is it true that there's are biblical references inside Stuxnet?
A: There is a reference to "Myrtus" (which is a myrtle plant). However, this is not "hidden" in the code. It's an artifact left inside the program when it was compiled. Basically this tells us where the author stored the source code in his system. The specific path in Stuxnet is: \myrtus\src\objfre_w2k_x86\i386\guava.pdb. The authors probably did not want us to know they called their project "Myrtus", but thanks to this artifact we do. We have seen such artifacts in other malware as well. The Operation Aurora attack against Google was named Aurora after this path was found inside one of the binaries: \Aurora_Src\AuroraVNC\Avc\Release\AVC.pdb.

Q: So how exactly is "Myrtus" a biblical reference?
A: Uhh… we don't know, really. (However, reader Craig B. left a comment in an earlier version of this post.)

Q: Could it mean something else?
A: Yeah: it could mean "My RTUs", not "Myrtus". RTU is an abbreviation for Remote Terminal Units, used in factory systems.

Q: How does Stuxnet know it has already infected a machine?
A: It sets a Registry key with a value "19790509" as an infection marker.

Q: What's the significance of "19790509"?
A: It's a date. 9th of May, 1979.

Q: What happened on 9th of May, 1979?
A: Maybe it's the birthday of the author? Then again, on that date a Jewish-Iranian businessman called Habib Elghanian was executed in Iran. He was accused to be spying for Israel.

Q: Oh.
A: Yeah.

Q: Obviously the attackers had lots of inside information of the target plant and possibly had a mole inside. Why did they use a worm at all? Why couldn't they just have their mole do the modifications?
A: We don't know. For deniability? Maybe the mole had no access to the key systems? Maybe the mole was not at the plant but had access to the design plans? Maybe there was no mole?

Q: Is there a link between Stuxnet and Conficker?
A: It's possible. Conficker variants were found between November 2008 and April 2009. The first variants of Stuxnet were found shortly after that. Both exploit the MS08-067 vulnerability. Both use USB sticks to spread. Both use weak network passwords to spread. And, of course, both are unusually complex.

Q: Is there a link to any other malware?
A: Some Zlob variants were the first to use the LNK vulnerability.

Q: Disabling AutoRun would have stopped Stuxnet, right?
A: Wrong. Stuxnet used a zero-day. When it was new, it would have infected your Windows box even if you were fully patched, had AutoRun disabled, were running under a restricted low-level user account and had disabled execution of programs from USB drives.

Q: But in general, disabling AutoRun in Windows will stop USB worms, right?
A: Wrong. There are several other spreading mechanisms USB worms use, such as companion infections. It is still a good idea to disable it, but it's not a cure-all.

Q: Will Stuxnet spread forever?
A: The current versions have a "kill date" of June 24, 2012. It will stop spreading on this date.

Q: How many computers did it infect?
A: Hundreds of thousands.

Q: But Siemens has announced that only 15 factories have been infected.
A: They are talking about factories. Most of the infected machines are collateral infections, i.e. normal home and office computers that are not connected to SCADA systems.

Q: How could the attackers get a trojan like this into a secure facility?
A: For example, by breaking into a home of an employee, finding his USB sticks and infecting it. Then wait for the employee to take the sticks to work and infect his work computer. The infection will spread further inside the secure facility via USB sticks, eventually hitting the target. As a side effect, it will continue spread elsewhere also. This is why Stuxnet has spread worldwide.

Q: Did Stuxnet sink Deepwater Horizon and cause the Mexican oil spill?
A: No, we do not think so. Although it does seem Deepwater Horizon indeed did have some Siemens PLC systems on it.

Q: Is it true that the US Senate held hearings on Stuxnet?
A: Yes, in November.

Q: Does F-Secure detect Stuxnet?
A: Yes.

Note: We have learned many of the details mentioned in this Q&A in discussions with researchers from Microsoft, Kaspersky, Symantec, and other vendors.


Video from Virus Bulletin 2010 where Symantec researcher Liam O'Murchu demonstrates a proof of concept Stuxnet-like SCADA modification that changes the operation of an air pump.
 
 

 
 

Friday, November 19, 2010

 

TSA "Security"	Posted by Sean @ 14:13 GMT

I've been dealing with a virus this week. NOT a computer virus… but rather, a common cold. Concentration has been a bit difficult, so I have spent much my time catching up on and reading through my news feeds.

Among those that I follow via my Twitter account, there has been a great deal of discussion regarding the Transportation Security Administration's (TSA) new security procedures. Those that wish to opt-out of full body scanner technology must submit to an enhanced patdown.

Bruce Schneier blogged an extensive list of links and observations today.

Here's a quote:

Some experts argue the new procedures could make passengers uncomfortable without providing a substantial increase in security. "Security measures that just force the bad guys to change tactics and targets are a waste of money," said Bruce Schneier, a security expert who works for British Telecom. "It would be better to put that money into investigations and intelligence."

Schneier's post (and related links) is well worth reading if you have the time.

And perhaps it's just me, but the more that I read about TSA procedures, and the alleged bad behavior of some TSA agents, the more I reflect upon the Stanford Prison Experiments.

Wishing you all safer skies,
Sean
 
 

 
 

Tuesday, November 16, 2010

 

Spoof Your Caller ID With an iPhone Web App	Posted by Sean @ 17:48 GMT

For those of you that think every iPhone application must be approved by Apple's App Store guardians… think again.

Here's an application called SpoofCard:



SpoofCard allows smartphone users to spoof their caller ID. This is not exactly new. There was a bit of press coverage one year ago.

But what's now interesting to us is the variety of supported platforms: Android, BlackBerry, Palm, Windows Mobile and… iPhone.

Only, you won't find SpoofCard anywhere on Apple's website.

It's a Web App. All you need to do to "install" it is to visit ispoofcard.com with your iPhone's Safari browser.



SpoofCard's site will prompt you to save an icon to your iPhone's desktop.

At which point, for most, it appears to be just another installed application.



The iSpoofCard Web App calls a service which then facilities the actual spoofing, and the App does prompt for the user's permission before it calls. It's well behaved in that sense.

But we're curious, could social engineering be used to dupe people into giving permissions to an overtly malicious Web App? Can Web Apps access the iPhone contacts if given permission? Can Web Apps send SMS messages? Web Apps can make phone calls… how much social engineering do you think is required to get somebody to make a premium rate call?

But then… Web Apps aren't anywhere as popular as App Store applications. Even if Web Apps can be abused, they aren't likely to be, because iPhone users don't really use them.

And so we suppose in the end, this is yet another case of Apple's standard security through obscurity.
 
 

 
 

Saturday, November 13, 2010

 

Angry Birds Trojan	Posted by Mikko @ 11:30 GMT

Angry Birds is the top-selling mobile game at the moment. Available for Apple, Nokia and Android devices, the game has been downloaded millions of times.



An application called Angry Birds Bonus Levels was uploaded to Android Market earlier this week.



This application was not developed by the company behind Angry Birds (Rovio of Finland), but by researcher Jon Oberheide.



Jon had discovered a security vulnerability in Android. This vulnerability would make it possible for one application to download and launch additional applications from the Market. To demonstrate this, Jon had also uploaded several other applications to Market: Fake Contact Stealer, Fake Location Tracker, and Fake Toll Fraud. These would be launched by the Angry Birds trojan.



In reality, these demonstrations applications did not do anything malicious. Also, there were no Bonus Levels either. Sorry.

We do not know if Mr. Oberheide had permission to use the Angry Birds trademark in his demonstration.

Google has removed these applications from the Market.

To protect your Android phone against malicious attacks, take a look at F-Secure Mobile Security for Android.
 
 

 
 

Wednesday, November 10, 2010

 

Patch Tuesday, November 2010 Edition	Posted by Sarah @ 02:20 GMT

The latest patches from Microsoft are out, resolving multiple vulnerabilities that could result in remote code execution and privilege escalation.

This month, the affected products and components are Microsoft Office (MS10-087), Microsoft PowerPoint (MS10-088) and Forefront Unified Access Gateway (MS10-089).

The patches are available at Microsoft Download Center.
 
 

 
 

Monday, November 8, 2010

 

Case Nobel	Posted by Mikko @ 15:04 GMT

A month ago, the Nobel Committee awarded The Nobel Peace Prize to Mr. Liu Xiaobo. He was awarded for — to quote the prize committee — long and non-violent struggle for fundamental human rights in China.



Two weeks ago, the website of the prize (nobelpeaceprize.org) was hacked with a zero-day attack against Firefox.

Today, the Contagio blog has explosive news.

A targeted attack was launched yesterday, the 7th of November. The attack used an e-mail that was spoofed to look like it originated from oslofreedomforum.com. It didn't.

The spoofed e-mail looked like this:



If the file invitation.pdf (md5: 29DB2FBA7975A16DBC4F3C9606432AB2) is opened, it uses an exploit to crash Adobe Reader and then drops a backdoor to the system. The backdoor calls home to phile.3322.org.

To mask all that, this file is shown to the user:

[Image removed after a request from affected parties. The original image contained a very convincing invitation to the Nobel Peace Prize ceremony]

We don't know who launched the attack, or who the target was.

We detect the PDF file as Exploit.PDF-TTF.Gen and the backdoor as Trojan.Generic.4974556.

E-mail image credit: Contagio Malware Dump
 
 

 
 

Friday, November 5, 2010

 

Hacker Extorted Teenage Girls with a Webcam Trojan	Posted by Mikko @ 14:10 GMT

The FBI has issued a warning about a cautionary incident.

A 31-year-old Californian man was arrested for infecting computers with a backdoor trojan. He was sending the trojan via e-mail to people he had friended online. The malware was typically made to look like a video file. In reality it dropped a backdoor that gave the attacker control of the victim's PC. Then the attacker searched for explicit pictures from victims' computers. If he found any, he downloaded them, and used the images in an attempt to extort more pictures and videos from them. Many of the victims were teenage girls.

Now FBI is trying to find more on the case. The hacker used a variety of screen names and e-mail addresses, which are listed below. If you have seen them online and have information that might help in the case, please contact the investigators working on the case.

Suspect screen names and e-mail addresses:

gui_blt
Woods05
CoFfEkId014
ELEvatrHZrD03
Pimpcess03666
Your3name3here03
Bri23nice
Dmagecntr137
H2IOW14
ELEvATrhRZd03
Playgrl37
Your3name3here3
goldlion14
Hotchit13w
yousoylammer@hotmail.com
christ@yahoo.com
gui_blt@live.com
mistahxxxrightme@aim.com
zapotin@hotmail.com
guich_x@aim.com
guicho_1.1@roadrunner.com
mijangos3@msn.com
 
 

 
 

Tuesday, November 2, 2010

 

More Cash for Bugs	Posted by Alia @ 07:27 GMT

Google has just debuted a new vulnerability rewards program on its Online Security blog.

The blog posting includes some ground rules for how researchers can go about testing for vulnerabilities - basically, anything that crashes their services is out - as well as limiting the types of bugs currently in scope.

Base reward for bugs is USD500, but apparently "unusually clever" ones can rate up to USD3,133.7. Just out of curiosity, it might be interesting to see more about what kind of bug gets rated as 'unusually clever'.

The program only covers Google's web-based properties so far, so any enterprising researchers looking for bugs in the shiny new target of the year - i.e., Android - won't get paid for it. Still, Google has left the door open for later expansion of the program, so who knows.

Best of luck to the program!
 
 

 
 

Monday, November 1, 2010

 

"Most people don't even know what a rootkit is"	Posted by Mikko @ 13:09 GMT

The infamous Sony Rootkit case is five years old today.

The Sony rootkit was shipped on millions on music CDs from well-known artists such as Celine Dion, Neil Diamond and Ricky Martin.

When such audio CDs were played on a Windows computer, a Digital Restrictions Management component was installed and hidden by a tailor-made rootkit. The rootkit would not just hide Sony BMG's own software, but any program that would contain the characters $sys$ in its file name. The rootkit was so effective that at the time, most antivirus programs were not be able to scan the hidden files. As an end result, virus writers started releasing their malware with filenames that would cause the Sony rootkit to hide them automatically, if it was installed.

This was a huge deal, and Sony's reaction was a good example of how not to handle a PR crisis.



We originally found the rootkit in September 2005, but the news broke five years ago, on the first of November 2005, when Mark Russinovich went public with the case.



By far the best write-up on the whole incident was published in an article by MIT Technology Review, complete with comments from Mika St�hlberg and Santeri Kangas from our labs.

Not all security vendors agreed immediately that Sony was wrong. Our two favorite quotes regarding the whole incident are here:

From The Inquirer:
If you want to find a trustworthy security vendor, I would recommend looking for ones that stood up on the Sony malware DRM infection issue and said 'this is bad' early and loudly. F-Secure comes to mind, but there are others. The ones that said 'grumble, mumble, maybe, sorta' a week later are not what you want to have protecting your machines.

From Bruce Schneier:
Perhaps the only security company that deserves praise is F-Secure, the first and the loudest critic of Sony's actions.

Then again, some people say that if you listen to Celine Dion, you deserve to get infected…