Re: Download freeware RKR scanning software (detect Sony rootkit & others)

From: nemo_outis (
Date: 11/22/05

Date: 22 Nov 2005 16:01:29 GMT

"karl levinson, mvp" <> wrote in

> "nemo_outis" <> wrote in message
> news:Xns9715C693F733Eabcxyzcom@
>>>> Hmmm, root kits are not a significant risk? Tell that to the folks
>>>> who bought Sony CDs.
>>> Yes, I would tell that to the folks who bought sony CDs.
>> Thanks for the clarification. I originally thought you were merely
>> badly informed; it now seems instead that you have poor judgment.
> If you don't trust me, listen to Symantec. There is exactly one
> Trojan [Ryknos and Ryknos.B] that exploits the Sony rootkit. Symantec
> rates its risk as a "2."

Here's how Symantec defines risk level 2:

"Medium : Increased alertness
This condition applies when knowledge or the expectation of attack
activity is present, without specific events occuring or when malicious
code reaches a moderate risk rating. Under this condition, a careful
examination of vulnerable and exposed systems is appropriate, security
applications should be updated with new signatures and/or rules as soon
as they become available and careful monitoring of logs is recommended.
No changes to actual security infrastructure is required."
Sure as shit doesn't sound trivial to me. Perhaps you have a more
phlegmatic temperament, are lackadaisical and sloppy regarding security,
or, most likely, are trying to wriggle away from the silly and
thoughtless things you said. Or perhaps all of the foregoing apply to

Moreover, Symantec's rating applies only to the first exploit to take
advantage of the Sony rootkit - within just the first few weeks of it
coming to light. It is highly likely there will be more, some of which
may be of an even nastier character than the current one.

The average user is a clueless twit, or is sloppy, careless and
indifferent regarding security (as you so clearly are). Many do not
patch their systemms as regularly as they should, have virus definitons
which are out of date, run with badly configured security software, or
even run naked. Yes, that's regrettable, but your cavalier attitude of
"to hell with them" doesn't cut it.

Lastly, antivirus checkers can do only a poor to fair job exposing
rootkits in the first place; well-done rootkits can only be reliably
"outed" by booting from an independent OS (e.g., from CD or USB).

>> You clearly have not even begun to understand what I said.
> No, I just have a different opinion.
> What kind of risk assessment did you do to assess this as a high risk?

You clearly understand as little about risk as you do about security.
There are many dimensions to risk assessment. I don't have time to fill
in the lacunae in your knowledge (which, actually, are more like chasms)
but with respect to particular risks there are at least two major
independent dimensions regarding assessment: probability of occurence,
and severity of consequences.

The Sony rootkit has a moderately high profile in both dimensions.
First, the probability of occurence, at least for some users, is very
high. Mistakenly believing Sony is a reputable company, they may treat
Sony CDs as coming from a trusted source, and thereby voluntarily (but
unknowingly) install the rootkit, letting it within the security
perimeter. The Sony rootkit thus becomes a true Trojan in the historical
sense. Accordingly,probability of occurence is very high for the
particular class of users that buys Sony CDs - a not insignificant
segment of the computer-using populace.

As for consequences, they too are high. This arises because the Sony
rootkit is an "enabling" technology for other exploits. We have one
exploit already; there may - no, there will! - be more to come. In other
words we have an ongoing security breach. Yes, antivrus programs may be
able to sqelch some of the nasty stuff that comes through the breach -
one by one, after the fact! - but there can be more and more to follow.
That's serious!