Sony, Rootkits and Digital Rights Management Gone Too Far
Mark's Sysinternals ^ | Monday, October 31, 2005 | Mark's Sysinternals

Posted on 10/31/2005 7:59:57 PM PST by zeugma

From article:
" guru Mark Russinovich has a detailed investigation of a rootkit from Sony Music. It's installed with a DRM-encumbered music CD, Van Zant's "Get Right with the Man". (Mmmm, delicious irony!) The rootkit introduces several security holes into the system that could be exploited by others, such as hiding any executable file that starts with '$sys$'. Russinovich also identifies several programming bugs in the method it uses to hook system calls, and chronicles the painful steps he had to take to 'exorcise the daemon' from his system."

Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden (see my “Unearthing Rootkits” article from the June issue of Windows IT Pro Magazine for more information on rootkits). The RKR results window reported a hidden directory, several hidden device drivers, and a hidden application:

TOPICS: Business/Economy; Culture/Society; News/Current Events; Technical
KEYWORDS: drm; malware; privacy; privacylist; rootkit; sony; windows

I've been reading over this story the past few days and it is far worse than most can imagine.

First off, as noted in the Sysinternals blog, if you remove it by normal means (such as deleting it) your CD-ROM is gone. You have to do a bit of work to get it back.

From what I've read, the sony rootkit hoses Windows Vista installs to the point of requiring a reinstall.

From what I understand, the EULA that you agree to that installs the player from the CD DOES NOT mention the rootkit that gets installed with it. Neither is there an uninstall routine provided with it. Sony's uninstall for it that just came out requires installing an ActiveX control onto your machine to remove the rootkit. Hopefully there's an uninstall for the control.

And yes, people have been threatened with jail time for doing these very same things.

Apparently this has been around for a while and it is only recently that people have found it or discovered the true nature of the DRM, so there's no telling how many machines are infected. An early version of it was easily bypassed by going to safe mode in Windows, so it was updated to list the rootkit as a safe mode driver, which only makes it worse. There seems to be a big list of threads on tech forums from up to a year ago from people trying to figure out why weird things were happening on their machines, to the point that a reinstall of Windows was needed. Theories are now pointing at this rootkit as the cause.

Plus I believe the sony rootkit uses 1 to 2 percent of your cpu cycles even if there is no CD in the drive.

Now for the worst part: the sony rootkit is so badly written that it simply hides any file that starts with $sys$ on the system. Meaning that virus writers can now just name all of their files beginning with $sys$ and the sony rootkit will hide those files for them. Therefore no virus scanner would be able to detect a virus using that naming scheme on a system with the sony rootkit. Even if you knew for a fact it was there! You would need something like RootkitRevealer to see it. So, open door for all the nasty software of the world.

Thanks sony.

If there is to be a lawsuit over this I think it would be after a virus hits the net that takes advantage of it. And if the virus is nasty enough that causes enough problems then heads will roll at sony. Probably also at the company that made the rootkit in the first place. Most hopefully the programmer or programmers involved.

With their names on some sort of blacklist.

Whoops, it looks like the first malicious use of the sony rootkit has happened. I found this while researching as I typed this up. Blizzard uses a program called Warden to scan your machine's processes while you play, attempting to catch you cheating at games like World of Warcraft. Cheaters can now use the naming scheme that the sony rootkit uses to cheat because the Warden program would be unable to detect the cheating programs the user has. Anybody want to start a pool on when the first virus hits?

Good news is that it doesn't seem to affect Mac users. I think I even saw a workaround that allows a Mac user to rip the music from the disc to give to their PC buddy so that he can play his music on the PC. Maybe this is a bad attempt from sony to get everybody to switch to the Mac.

Also, if you are running a non-administrator account on your Windows machine it should not get installed. Of course you probably can't listen to your music on your computer from the CD that you purchased, but why would sony worry over that small detail?

There is a great podcast called SecurityNow! that I listen to and they released an early edition covering this topic. They are also starting to cover Wi-Fi security, which I recommend everyone with a wireless router download.

81 posted on 11/03/2005 2:46:55 PM PST by talmand
[ Post Reply | Private Reply | To 80 | View Replies]

To: talmand

Oh yeah, I almost forgot. The sad part of this whole story? That Mark guy over at Sysinternals that worked all this out and let us know of the nasty potential of this DRM scheme?

He probably broke the law under the Digital Millennium Copyright Act for reverse engineering how sony's DRM rootkit works.

So not only have our lawmakers made it easier for corporations to control how we use the content we pay for, they've made it illegal to figure out why software we install (knowingly or unknowingly) on our systems screws them up.

It's also probably illegal to remove the rootkit from your computer because of the DMCA without sony's permission.

82 posted on 11/03/2005 3:10:33 PM PST by talmand
[ Post Reply | Private Reply | To 81 | View Replies]

To: zeugma; ShadowAce
Even More About Sony's Rootkit

News certainly happens fast sometimes. In between the time I first heard of this Sony rootkit and the time I finished writing about it, the story exploded around the web. Sony appears to have been caught flat-footed by the sudden, highly-negative publicity.

One aspect of this rootkit, which I didn't mention in my first article, is that it allows someone to hide any file or memory process on the system. All you have to do is add a certain word to the beginning of the file's name and you'll never see it again (without a rootkit detector anyway). Some people speculated that this situation could be put to nefarious use.

I did not mention this in the earlier piece because it was unlikely to be of much danger. A malware creator would be relying on dumb luck to protect his software. What I didn't consider was a person buying a Sony CD with the intention of using the rootkit for his own, less-than-honorable intentions.

Well, that is exactly what has happened. In another part of this same newsletter, I mention the controversy surrounding World of Warcraft's Warden anti-cheat program. That is a program which searches a computer's memory for evidence of a program used to cheat at the game. After word of Sony's rootkit made the news, some of these cheating programs were altered to take advantage of it.

The method couldn't be simpler. If you want to circumvent the program looking for a cheat, you simply go out and purchase a Sony music CD. You put the CD into your computer and let it install the rootkit. Then all you have to do is rename your cheating program so that the rootkit will hide it. WoW's Warden program will never know it is there.

Great work Sony. I'm sure World of Warcraft players will be thanking you after their favorite servers are overwhelmed by cheaters.

Realizing that they have done something wrong and that they have been caught doing it, the geniuses at Sony have decided to provide an uninstaller for their rootkit. It won't remove the copy protection software but it will stop hiding it.


83 posted on 11/04/2005 8:38:19 AM PST by Born Conservative (Prince Charles is Camilla Parker Bowles' tampon - MadIvan)
[ Post Reply | Private Reply | To 1 | View Replies]

To: zeugma
It's official folks, GE supports spyware and rootkits as long as it's done in the name of preventing "piracy".

Note that one design purpose of Palladium is to allow rootkits to be installed that are completely undetectable. I wish someone would explain why that's a good idea.

84 posted on 11/10/2005 7:59:51 PM PST by supercat (Don't fix blame--FIX THE PROBLEM.)
[ Post Reply | Private Reply | To 35 | View Replies]

To: zeugma
Automated tools to find this particular corporate back door are going to be moderately problematic, as the rootkit hides itself by modifying Windows APIs.

Wouldn't it actually be very easy to test for? Something like:

@echo off
REM Write a canary file whose name starts with the $sys$ prefix the rootkit cloaks
echo Hey >c:\$sys$zzz.txt
REM The wildcard forces a directory search; a cloaked file will not be found by it
if not exist "c:\$sys$zzz.*" echo Uh oh...
del c:\$sys$zzz.txt
I haven't used any Sony CDs, so I can't test the above, but based on the descriptions it would seem like it should work.
85 posted on 11/10/2005 8:06:45 PM PST by supercat (Don't fix blame--FIX THE PROBLEM.)
[ Post Reply | Private Reply | To 52 | View Replies]
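As an added example (not code from anyone in this thread), the same canary test in Python, generalized into the cross-view comparison that detectors such as RootkitRevealer rely on: the $sys$-prefixed canary is looked up both by directory enumeration and by direct path, and a file the direct view finds but the enumeration view omits is reported as cloaked. The simulated_cloaking_listdir function is a hypothetical stand-in for a hooked enumeration API, so the check can be exercised on a clean machine.

```python
import os
import tempfile

# Prefix the thread says the Sony rootkit hides from directory listings.
CANARY_PREFIX = "$sys$"


def check_sys_cloaking(directory, list_fn=os.listdir, exists_fn=os.path.exists):
    """Write a $sys$-prefixed canary and compare two views of it.

    list_fn   -- enumeration view (what 'dir' / FindFirstFile would see)
    exists_fn -- direct view of the exact path
    A file present in the direct view but missing from the enumeration view
    is the cross-view discrepancy that rootkit detectors report.
    """
    name = CANARY_PREFIX + "canary_probe.txt"
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("canary\n")
    try:
        in_listing = name in list_fn(directory)
        by_direct_open = exists_fn(path)
    finally:
        # Clean up by exact path so removal does not depend on enumeration.
        try:
            os.remove(path)
        except OSError:
            pass
    return {
        "visible_in_listing": in_listing,
        "visible_by_direct_open": by_direct_open,
        "cloaked": by_direct_open and not in_listing,
    }


def simulated_cloaking_listdir(directory):
    """Hypothetical hooked enumeration that drops $sys$ names (simulation only)."""
    return [n for n in os.listdir(directory) if not n.startswith(CANARY_PREFIX)]


def run_probes():
    """Run the check in a fresh temp dir: once for real, once against the simulated hook."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = check_sys_cloaking(tmp)
        hooked = check_sys_cloaking(tmp, list_fn=simulated_cloaking_listdir)
    return clean, hooked


if __name__ == "__main__":
    real, simulated = run_probes()
    print("this machine      :", real)
    print("simulated rootkit :", simulated)
```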

To: js1138
Perhaps something like this should have been done years ago, but MS has been obsessed with making Windows work with legacy programs. I have programs from 1982 that still run on XP.

There is no reason why Windows couldn't support old applications within a VM. Indeed, since there are still some old programs I use and Microsoft will be dropping support, I'm getting closer and closer to switching to Linux.

BTW, has anyone else had problems with DOS programs outputting black text on black for no apparent reason? I've had the problem occasionally with a variety of DOS programs on 3 different machines, running Win2K and XP.

86 posted on 11/10/2005 8:09:49 PM PST by supercat (Don't fix blame--FIX THE PROBLEM.)
[ Post Reply | Private Reply | To 59 | View Replies]

To: supercat
You're right. Looks to me like it works too. I didn't even think to wrap a test into a batch file. I've been doing unix so long, that I forget that DOS has any usefulness at all as a batch processor. I used to make all kinds of stuff like that back when I had to support windows.

Thank G-d for bash!

87 posted on 11/10/2005 9:05:55 PM PST by zeugma (Warning: Self-referential object does not reference itself.(TM))
[ Post Reply | Private Reply | To 85 | View Replies]

To: supercat
Note that one design purpose of Palladium is to allow rootkits to be installed that are completely undetectable. I wish someone would explain why that's a good idea.

That's because it is not. :-) I think "palladium" is a rootkit in and of itself. It certainly offers no substantial value to the owner of the computer.

88 posted on 11/10/2005 9:11:33 PM PST by zeugma (Warning: Self-referential object does not reference itself.(TM))
[ Post Reply | Private Reply | To 84 | View Replies]
