Posted on 11/11/2005 8:53:14 AM PST by softengine
My posting Monday on Sony's use of a rootkit as part of their Digital Rights Management (DRM) generated an outcry that's reached the mainstream media. As of this morning the story is being covered in newspapers and media sites around the world including USA Today and the BBC. This is the case of the blogosphere having an impact, at least for the moment. But, there's more to the story, like how Sony's patch can lead to a crashed system and data loss and how Sony is still making users jump through hoops to get an uninstaller. At the core of this story, however, is the issue of what disclosure should be required of software End User License Agreements (EULAs) and how the requirements can be made Federal law.
The Uninstaller
Despite a chorus of criticism over Sony not delivering an uninstaller with their DRM software, Sony refuses to admit blame and to make an uninstaller readily available. The uninstall question on Sony's FAQ page directs you to another page that asks you to fill out a form requesting that uninstall directions be emailed to you:
There's no way to access the uninstaller without providing this information, and clicking on the Sony privacy policy link at the bottom of the page takes you to a notice that your email address can be added to various Sony marketing lists.
A few minutes after submitting the form I received an email assigning me a case ID and directing me to another page on Sony's site where I would have to submit an uninstall request a second time:
I've filled out the second form and am waiting for the follow-up email.
The Patch
You can get to the patch supplied in the above email from the same Sony support site under Software Updates:
The download text claims that the rootkit does not pose any potential security vulnerabilities; however, it's obvious that any software that cloaks files, directories and Registry keys beginning with a certain string of characters is a clear security risk. An innovative exploit of the rootkit utilizes it to compromise the World of Warcraft anti-cheat system.
The download of what should be a small patch is around 3.5 MB because it includes updated drivers and executables for the DRM software that the patch also installs (again, no mention of this is made in the download description). Interestingly, after installing the patch a new entry showed up in the Windows Add and Remove Programs utility, but it's only because I checked immediately after I ran the patch that I knew it was related to Sony:
Nowhere up to now have I seen the Sony Player or DRM software referred to as MediaJam. I looked in the Program Files directory and the only file in the new MediaJam subdirectory was Unicows.dll, a Microsoft DLL:
Assuming that uninstalling MediaJam would uninstall the DRM software, I attempted to do so but was greeted with this dialog:
It looks like their rush to get the patch out precluded any kind of testing.
The actual decloaking, which is the only value the patch advertises, simply performs the equivalent of the following Windows command:
net stop "Network Control Manager"
Network Control Manager is the misleading name the developers assigned to the Aries driver so the command directs the Windows I/O system to unload the driver from memory. After the patch had completed I dumped the system call table in LiveKd and noted that the redirected entries had returned to their standard values and that the driver had unloaded from memory:
However, Sony's uncloaking patch puts users' systems at risk of a blue-screen crash and the associated chance of data loss. The risk is small, but I made the point in my last post that the type of cloaking performed by the Aries driver prohibits safely unloading the driver while Windows is running:
It's never safe to unload a driver that patches the system call table, since some thread might be just about to execute the first instruction of a hooked function when the driver unloads; if that happens the thread will jump into invalid memory. There's no way for a driver to protect against this occurrence, but the Aries driver supports unloading and tries to keep track of whether any threads are executing its code. The programmer failed to consider the race condition I've described.
If the developers had heeded this warning the decloaker would have required the system to reboot so that the Aries driver could remain active through the shutdown, but then not load on the next reboot.
I urge Sony to make a real uninstaller readily available for download and to make both the de-cloaking and uninstaller unload the driver safely. In the meantime users can perform a safe decloaking by opening the Run dialog from the Start menu, entering sc delete $sys$aries, and then rebooting. This sequence deletes the driver from the Windows Registry so that even though its image is still present on disk, the I/O system will not load it during subsequent boots.
EULAs and Disclosure: Sony's Player Phones Home
There's more to the story than rootkits, however, and that's where I think Sony is missing the point. As I've pointed out in press interviews related to the post, the EULA does not disclose the software's use of cloaking or the fact that it comes with no uninstall facility. An end user is not only installing software when they agree to the EULA, they are losing control of part of the computer, which has both reliability and security implications. There's no way to ensure that you have up-to-date security patches for software you don't know you have and there's no way to remove, update or even identify hidden software that's crashing your computer.
The EULA also makes no reference to any phone home behavior, and Sony executives are claiming that the software never contacts Sony and that no information is communicated that could track user behavior. However, a user asserted in a comment on the previous post that they monitored the Sony CD Player network interactions and that it establishes a connection with Sony's site and sends the site an ID associated with the CD.
I decided to investigate so I downloaded a free network tracing tool, Ethereal, to a computer on which the player was installed and captured network traffic during the Players startup. A quick look through the trace log confirmed the users comment: the Player does send an ID to a Sony web site. This screenshot shows the command that the Player sends, which is a request to an address registered to Sony for information related to ID 668, which is presumably the CD's ID:
In response the Sony web site reports the last time a particular file was updated:
I dug a little deeper and it appears the Player is automatically checking to see if there are updates for the album art and lyrics for the album it's displaying. This behavior would be welcome under most circumstances, but is not mentioned in the EULA, is refuted by Sony, and is not configurable in any way. I doubt Sony is doing anything with the data, but with this type of connection their servers could record each time a copy-protected CD is played and the IP address of the computer playing it.
The media has done a great job of publicizing this story, which has implications that extend beyond DRM to software EULAs and disclosure, and I hope that the awareness they're creating will result in Congressional action. Both the software industry and consumers need laws that will clearly draw lines around acceptable behaviors.
The story continues with Sony's Rootkit: First 4 Internet Responds.
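The unload hazard the post describes, modelled as an added example (this is not code from the original post, from Sony, or from First 4 Internet): a user-mode C simulation of a system-call-table hook whose driver counts the threads executing inside it, as the post says the Aries driver tries to do. The counter is only incremented once control is already inside the driver image, so it cannot cover the window between the dispatcher reading the hooked table entry and the first instruction of the hook; a decloaker that restores the table and then unmaps the image still sends that thread into invalid memory. The table slot, the hooked call name, and the counter logic are assumptions for illustration, not the Aries driver's actual internals.

```c
/*
 * Added example, not from the original post: a deterministic user-mode model
 * of why a driver that patches the system call table cannot be unloaded safely
 * while Windows is running. The slot name, the hooked call and the counter
 * logic are assumptions for illustration; they are not the Aries driver's code.
 */
#include <stdbool.h>
#include <stdio.h>

typedef int (*syscall_fn)(int);

#define FAULT_INVALID_MEMORY (-1)   /* stands in for the bugcheck a real jump into unmapped memory causes */

/* The original system service routine the hook wraps (stand-in behaviour). */
static int real_NtQueryDirectoryFile(int arg) { return arg + 1; }

/* One slot of a simulated system service table. */
static syscall_fn table[1] = { real_NtQueryDirectoryFile };

/* Hooking driver state. */
static bool hook_resident = false;  /* true while the driver image is mapped */
static int  hook_in_use   = 0;      /* "threads executing my code" counter kept by the driver */

/* The hook. The counter is only incremented once we are already executing
 * inside the driver image; nothing covers the instructions before this point. */
static int hook_NtQueryDirectoryFile(int arg) {
    hook_in_use++;
    int r = real_NtQueryDirectoryFile(arg);
    /* the $sys$ name filtering would happen here in a cloaking driver */
    hook_in_use--;
    return r;
}

/* A system call on the CPU side, split into two steps so an unload can be
 * interleaved between them: the dispatcher reads the table entry, then jumps. */
typedef struct { syscall_fn target; int arg; } pending_call;

static pending_call dispatch_fetch(int arg) {
    pending_call p = { table[0], arg };
    return p;
}

static int dispatch_jump(pending_call p) {
    if (p.target == hook_NtQueryDirectoryFile && !hook_resident)
        return FAULT_INVALID_MEMORY;        /* the jump lands in memory that is no longer mapped */
    return p.target(p.arg);
}

static void install_hook(void) {
    hook_resident = true;
    table[0] = hook_NtQueryDirectoryFile;
}

/* What a decloaker that unloads the driver does: restore the table, consult
 * the driver's own in-use counter, then unmap the image. Returns true if unmapped. */
static bool unsafe_unload(void) {
    table[0] = real_NtQueryDirectoryFile;
    if (hook_in_use != 0)
        return false;                       /* the driver's guard: an in-flight thread was seen */
    hook_resident = false;                  /* counter was 0, so the image is released */
    return true;
}

/* The alternative the post argues for: restore the table entry so cloaking
 * stops, but leave the image mapped until the machine reboots. */
static void safe_decloak(void) {
    table[0] = real_NtQueryDirectoryFile;
}

/* Thread A has already read the hooked entry when the unloader runs. */
int scenario_unsafe_unload(void) {
    install_hook();
    pending_call p = dispatch_fetch(41);    /* A fetched hook_NtQueryDirectoryFile */
    unsafe_unload();                        /* counter is 0, so the image goes away */
    return dispatch_jump(p);                /* A now jumps into unmapped memory */
}

/* Same interleaving, but the image stays resident: the hook still passes through. */
int scenario_safe_decloak(void) {
    install_hook();
    pending_call p = dispatch_fetch(41);
    safe_decloak();
    return dispatch_jump(p);                /* the hook ran and forwarded the call */
}

/* After the table is restored, new calls go straight to the original routine. */
int call_after_decloak(int arg) {
    install_hook();
    safe_decloak();
    return dispatch_jump(dispatch_fetch(arg));
}

int main(void) {
    printf("unsafe unload, thread already past the fetch: %d\n", scenario_unsafe_unload());
    printf("restore only, image stays resident:          %d\n", scenario_safe_decloak());
    printf("fresh call after decloak:                    %d\n", call_after_decloak(1));
    return 0;
}
```

The first scenario is the interleaving the post warns about; the second is the behaviour a decloaker gets by restoring the table entry and leaving the driver resident until the next reboot, which is what the `sc delete $sys$aries` plus reboot sequence above achieves in practice.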
First bots hitting now: CNet News
Just gets better and better, doesn't it? Lol.
Thanks for the post. This is where a huge lawsuit would be a good thing!
Remember in 2004 when TurboTax pulled some similar stunt? The hue and cry was pretty loud and they came back on bended knee apologizing.
Sony is notoriously bad with respect to DRM. They assume EVERYONE is a pirate and restrict their stuff accordingly. I say - Sony keep your cruddy music!
Techie Meta-ping
Which is why I no longer buy Sony products.
Thanks for this update. I think my best bet is to simply not buy Sony music, or, for that matter, anything Sony. This really stinks.
Just say no to BMG music and Sony hardware this Christmas! Tell your friends. Hell, tell your enemies too.
I emailed this to Mark (and haven't heard back yet), but I might as well put it out here as well, since it will probably get more play here:
I found this thing on my system. I do not play music CDs on my system, so it couldn't have come from there. Checking the ownership of the files revealed that they were owned by another user in our network who would never have cause to log on to my machine. I can only assume, therefore, that the rootkit installed itself on this user's machine when they played a Sony CD, then searched across the network for open network shares (of which I had one, temporarily). I can only assume that this is intended to make sure that when a home user gets this thing, that they can't use another machine to remotely do a copy (and thus bypass the DRM protection), by installing itself on any machine it can find on the network.
The upshot is, this rootkit doesn't just install itself surreptitiously on your machine and hijack your CD-ROM drivers, it also propagates across the network, and can infect machines that you didn't even log on to. It's a virus as well as a rootkit.
Got it in one. I don't play music or movie CDs/DVDs on my computer, but this egregious violation of personal and system privacy has put Sony on my "total sh*t list"--i.e. folks whose products any of which I will no longer buy.
Here is the scoop on Sony's use of the rootkit function.
wow
/bookmarked
There will soon be a lot of Sony BMG discs in bargain bins and a lot of ticked off Sony BMG artists.
Just read about this in USA Today during lunch and remembered my wife made a copy of the new Neil Diamond CD last night. Thanks for posting this so I can spend time this weekend cleaning the computer.
And in the future, Sony can kiss my rosy red rectum...
I'd be interested to know what you find out. If it self-propagates, the IT Sec Intel community has a need to know... as, of course, does the public.
You can FReepmail me.
A virus would cause it to propagate. I saw a link to an article earlier that's more comprehensive in outlining how a virus would cause a compromise and subsequent propagation.
...I'll try to find it.
Actually, that would be a worm. A virus installs itself onto software or media which the user transports from one machine to another; a worm, by contrast, transports itself.