Atlanta .NET Regular Guys

Community Blog for two guys in Atlanta that focus on Microsoft and Community.

Quick About

This is the community blog for Brendon Schwartz and Matt Ranlett.  If you want to see their technical posts visit http://www.sharepointguys.com

I had the Sony rootkit on my work PC

I came in this morning to hear my workstation cranking away at nothing. The disks were really churning and nothing was running, not even a screensaver. So I decided to figure out what was causing this problem once and for all. I checked Task Manager to see what my CPU use and I/O Reads and I/O Writes looked like, but nothing really stood out. So I took things up to the next level and checked out Process Explorer from Sysinternals. I LOVE this tool and I've used it several times to help me out. This particular time I looked at I/O Reads, I/O Writes, and I/O Deltas. Sorting by the I/O Deltas, I could see that the program responsible for the most disk access was $sys$DRMService.exe. I'd previously read about the Sony rootkit on Mark Russinovich's blog, so I knew what I had and what to do about it, but I looked back at his blog entry to see what he did next. Just for kicks, I fired up FileMon to look at the actual file system usage and watched in horror as $sys$DRMService.exe scanned my entire drive, reading each file nearly a dozen times! Mark wasn't kidding - this really was an example of crappy programming! I'm not bothering with screenshots b/c Mark's post is the end-all and be-all on this particular topic. Still, I wasn't eager to try his twelve-step removal process, so I decided to give Sony's uninstaller a chance and, to my surprise, it worked! My disks stopped churning and the cloaked directory was gone.
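As an added illustration (this is not code from the post), here is a small Python script that applies the same "which process keeps re-reading the disk" test to constructed FileMon-style log lines: it counts reads per process and file and flags a process that either re-reads each file many times or carries the `$sys$` name prefix that, per Russinovich's analysis, the rootkit's cloaking filter hides. The column layout and the log lines are assumptions constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample in FileMon's column order (seq, time, process:pid,
# request, path, result); not a real capture.
SAMPLE_LOG = r"""
1 08:01:00 $sys$DRMService.exe:1234 READ C:\Docs\a.txt SUCCESS
2 08:01:00 $sys$DRMService.exe:1234 READ C:\Docs\b.txt SUCCESS
3 08:01:01 explorer.exe:800 READ C:\Docs\a.txt SUCCESS
4 08:01:01 $sys$DRMService.exe:1234 READ C:\Docs\a.txt SUCCESS
5 08:01:01 $sys$DRMService.exe:1234 READ C:\Docs\b.txt SUCCESS
6 08:01:02 $sys$DRMService.exe:1234 READ C:\Docs\a.txt SUCCESS
7 08:01:02 $sys$DRMService.exe:1234 READ C:\Docs\b.txt SUCCESS
8 08:01:02 notepad.exe:912 WRITE C:\Docs\c.txt SUCCESS
9 08:01:03 $sys$DRMService.exe:1234 READ C:\Docs\a.txt SUCCESS
10 08:01:03 $sys$DRMService.exe:1234 READ C:\Docs\b.txt SUCCESS
11 08:01:03 notepad.exe:912 READ C:\Docs\c.txt SUCCESS
"""

def parse_log(text):
    """Yield (process, request, path) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        process = fields[2].rsplit(":", 1)[0]   # strip the ":pid" suffix
        yield process, fields[3].upper(), fields[4]

def read_profile(events):
    """Per process: distinct files read, total reads, and mean reads per file."""
    reads = defaultdict(Counter)
    for process, request, path in events:
        if request == "READ":
            reads[process][path.lower()] += 1
    return {p: {"files": len(c), "reads": sum(c.values()),
                "reads_per_file": sum(c.values()) / len(c)}
            for p, c in reads.items()}

def suspects(profile, repeat_threshold=3):
    """Processes that either wear the $sys$ prefix the rootkit's cloaking hides,
    or re-read each file at least repeat_threshold times (the churn symptom)."""
    return sorted(p for p, r in profile.items()
                  if p.startswith("$sys$") or r["reads_per_file"] >= repeat_threshold)

if __name__ == "__main__":
    for name in suspects(read_profile(parse_log(SAMPLE_LOG))):
        print(name)
```

On the sample above only `$sys$DRMService.exe` is reported; the write by notepad.exe is ignored because the churn signal is about reads.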

On a side note, I just wanted to point out how alarming this really is. The problem is this - I put an old copy of a CD in my system, and it installed this software without my knowledge. I run an otherwise clean machine with all the latest patches from both Microsoft AND my antivirus company, yet neither one prevented this installation or even warned me that I could be opening myself up to problems. It has been confirmed that there are viruses out in the wild that take advantage of the Sony rootkit to work their way into machines, and yet I still had this vulnerability on my machine, despite my own personal due diligence. If I'd not actually heard the machine churning away and possessed the knowledge and wherewithal to remove the stupid thing, I'd possibly be opening up my corporate network to some serious security problems. The average user (and in my company, that means only 4 out of nearly 200 machines shouldn't be considered "average users") would have no idea that there was a problem, or if there was a problem they'd have no idea how to find and fix it.

We need to enter an environment where we can run as least-privileged users, where the OS refuses to install or change ANYTHING without the informed user's express permission. An environment where companies such as Sony think ahead about these kinds of problems before releasing code which will incur at least six class-action lawsuits and investigation by several government agencies.
Posted: 03-07-2006 8:39 AM by Matt Ranlett