Archive for the ‘Security’ Category
Where did the viruses go?
Sometime overnight on January 5, the viruses went away. Well, not all of them, but the 10,000 Sober.U variants that had been pounding us stopped. It’s quiet out there… too quiet.
Maybe this SANS warning is it. Look for corrupted user files on February 3.
Sony Rootkit: How to tell if you’ve been infected
Cited in the Spyware Weekly Newsletter: The Texas Attorney General’s web site has a two-step check to determine if you’ve been hit by the Sony Rootkit.
1) From Windows, choose Start, then Run, then type cmd. At the command prompt, type (include the quote marks):
“cd windows\system32\$sys$filesystem”
If you are able to change to that folder, you have been infected. If you see the following message, then you likely are not infected: “The system cannot find the path specified.”
2) From Windows, open any word processor and create a text document (named test.txt). Once saved, rename the file to “$sys$test.txt”. Refresh the folder where you saved the file (by pressing the F5 button). If the file disappears, you have been infected.
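The two checks above as a PowerShell script (an added example, not from the Texas Attorney General's site or this blog). The function names are hypothetical, and it assumes Windows lives at `$env:SystemRoot` and that `$env:TEMP` is writable.

```powershell
# Single-quoted strings matter here: inside double quotes PowerShell would
# try to expand $sys and $filesystem as variables and mangle the names.

function Test-XcpCloakedFolder {
    # Check 1: can the folder be reached by its direct path?
    $folder = Join-Path $env:SystemRoot 'System32\$sys$filesystem'
    return (Test-Path -LiteralPath $folder -PathType Container)
}

function Test-XcpFileHiding {
    # Check 2: create test.txt, rename it to $sys$test.txt, then see whether
    # it still shows up in a fresh listing of the folder.
    # A scratch folder is used so no existing test.txt is overwritten.
    $workDir = Join-Path $env:TEMP ('xcp-check-' + [guid]::NewGuid())
    $name    = '$sys$test.txt'
    $plain   = Join-Path $workDir 'test.txt'
    $renamed = Join-Path $workDir $name
    New-Item -ItemType Directory -Path $workDir -ErrorAction Stop | Out-Null
    try {
        Set-Content -LiteralPath $plain -Value 'constructed test file' -ErrorAction Stop
        Rename-Item -LiteralPath $plain -NewName $name -ErrorAction Stop
        $listed = @(Get-ChildItem -LiteralPath $workDir -Force |
                    Where-Object { $_.Name -eq $name })
        # $true means the renamed file vanished from the listing.
        return ($listed.Count -eq 0)
    } finally {
        # Delete by direct path first, in case the file is not enumerable.
        Remove-Item -LiteralPath $plain, $renamed -Force -ErrorAction SilentlyContinue
        Remove-Item -LiteralPath $workDir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

[pscustomobject]@{
    CloakedFolderReachable = Test-XcpCloakedFolder
    TestFileHidden         = Test-XcpFileHiding
}
```

Either value coming back `True` corresponds to the "you have been infected" outcome of the matching step.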
sony, rootkit
YASHIE
In the Washington Post, this article (Security Fix - Brian Krebs on Computer and Internet Security) notes that there is Yet Another Security Hole in Internet Explorer. This one lets a carefully crafted web page lift data from the target machine if local data has been indexed by the Google Desktop.
At the bottom of this page is a link to Firefox. Click it. Install Firefox and use it as your default browser.
Internet Explorer
Sony Rootkit: Premature Victory Declaration?
Mark Russinovich feels he made a Premature Victory Declaration. He writes “[C]lose to two weeks later it’s obvious that Sony has done little to advertise to store owners, even larger chains, that a recall is in place. [CDs with the rootkit] were present in stores in the Austin, Philadelphia and Chicago areas. And as of last week Eliot Spitzer, the Attorney General of New York State, reports that his investigators found them in the New York City area. Many store clerks were unaware that a withdrawal had even been ordered.”
The Sony rootkit is still out there.
Sober for 10 days.
Our friendly mail servers have had a busy 10 days coping with Worm.Sober.U (as known by ClamAV) and W32.Sober.X (as known by Symantec).
Since we saw our first instance of the worm on Nov 21 at 15:23:15, we’ve turned away 47,277 individual mails to 1,163,846 addressees (24.62 addresses for the average email).
According to this story in The Register, Sober accounts for 1 in 13 emails sent. Our experience is that it’s much, much higher.
virus, worm
Turn off JavaScript
Even as we start redeveloping websites in the CCIM family planning on using more JavaScript than ever (think Ajax), I’m here to tell you to turn off JavaScript in your browser.
E-Week is reporting, as are other sites including the SANS Internet Storm Center and the Washington Post, an unpatched vulnerability in JavaScript that allows websites to execute programs on your computer without restriction.
Infected or malicious websites might be able to do very bad things to your computer and the networks to which it is attached without any action on your part other than visiting such a website.
If you use Internet Explorer, you MUST immediately turn off ActiveScript / JavaScript for non-trusted websites. Microsoft does not yet have a patch for this problem.
javascript, security, internet explorer
Sony’s EULA adds insult to injury
An entry by Fred von Lohmann on the EFF site dissects the 3,000-word EULA that comes with a Sony CD. Basically, it’s only by the grace of Sony that you’re allowed to even hum the music. And, not in public.
DRM, rootkit
Microsoft will wipe Sony’s ‘rootkit’
Microsoft will wipe Sony’s ‘rootkit’ | CNET News.com
Microsoft will update its security tools to detect and remove part of the copy protection tools installed on PCs when some music CDs are played.
Piling on!
Sony, rootkit, DRM
Homeland Security and Sony Rootkit
The Washington Post notes that the Department of Homeland Security had negative things to say about Sony’s rootkit.
Reuters has a report that “Sony BMG is temporarily suspending the manufacture of CDs containing XCP technology”.
Sony, Rootkit, DRM
Do you trust Sony with your PC?
This is important. Mark Russinovich, a respected Windows expert, developed a tool to find rootkits that run under Windows. As he was running it on one of his computers that he was sure was clean, he found a rootkit! It turns out to have been installed by a Sony music CD.
The mainstream media has now taken note: Security Fix - Brian Krebs on Computer Security - (washingtonpost.com).
I certainly won’t be buying any CDs with DRM on them — or at least won’t be ripping them on a Windows system.
Sony, DRM, Rootkit