NEWS FROM THE LAB - Wednesday, November 2, 2005

Please stop flaming us Posted by Mikko @ 13:28 GMT

We've been getting lots of hate mail today. People are accusing us of stealing the (quite excellent) research work done by Mark Russinovich at Sysinternals relating to the "Sony rootkit" incident.

This is not the case at all.

We published our technical description and blogged about the case yesterday, several hours after Mark had broken the news on his site. So to some it looked like we were just recycling his work without credit.

In reality we started working on this case on the 30th of September, when a user of our F-Secure BlackLight rootkit detector started discovering these files on his system and contacted us. He provided us with BlackLight logs like the one below:

(Image: BlackLight log dated 30th of September 2005)

(Image: Amazon.com receipt dated 3rd of October 2005)

The customer suspected a specific audio CD to be the source of these files. To investigate further, we bought two CDs from Amazon.com on October 3rd and did a technical analysis of them around that time.

We didn't go public with the info right away as we were worried about the implications (especially the info on how virus writers can use this to hide files whose names start with "$sys$"). So we were in the middle of discussions with Sony BMG and First 4 Internet when Mark broke the news on Monday.

After this we decided to make our research on the topic public.

So that's the story. I'm a bit disappointed in the people who jumped to conclusions, and a bit sorry for our rootkit research team, who did the hard work of analysing the whole thing only to end up getting accused of plagiarism.