Free Republic

Sony DRM infection removal vulnerability uncovered
The Inquirer | Tuesday 15 November 2005, 20:45 | Charlie Demerjian

Posted on 11/16/2005 9:27:30 AM PST by dickmc

"Tool is worse than original infection"

"SONY PULLS OFF ANOTHER blatant stupidity in the 'cure is worse than the disease' category. No, not the DRM infection itself, not the security compromising removal agreement, but the removal tool itself. Yes, this one appears to put you in MORE danger than the original rootkit.....

According to Freedom to Tinker, the web based installer is a worse vulnerability than the original rootkit. .............
the 'cure' from Sony involves downloading an ActiveX control ........
that lets just about anyone download, install and execute arbitrary code on your machine.

To make matters even funnier, the uninstaller, supposedly anyway, leaves this control on your machine. So, the Sony uninstaller is not a total uninstaller, it leaves a hole you can drive a truck through on your system, silently of course.

The more disturbing part is that it appears the control is signed. I wonder who at MS approved this, and how this blatant security hole got through the barest minimum of QC?

.....if you bought Sony products, you are screwed. If it causes you problems, you are screwed more. If you uninstall, you are screwed yet harder......

That's what you get for buying music."

(Excerpt) Read more at ...

TOPICS: Technical
KEYWORDS: drm; sony
The Freedom to Tinker analysis supporting the article is here.

Also, here is the top part of the country list:

217296 'JAPAN'
27527 'SPAIN'
12061 'KOREA'
10351 'PERU'
8857 'FRANCE'
7660 'CHINA'
5853 'NORWAY'
4988 'CANADA'
4703 'ITALY'
4613 'SWEDEN'
4197 'BRAZIL'
4097 'TURKEY'
3528 'GERMANY'
2769 'AUSTRIA'
2489 'TAIWAN'
2075 'DENMARK'
1427 'HONG KONG'
1368 'IRELAND'
997 'INDIA'
864 'POLAND'
756 'GREECE'
597 'ISRAEL'
457 'CHILE'

Dan Kaminsky, the fellow working this, is at the DoxPara Research site here and his detailed list is here. There are five nets infected in Iraq.

Dan's detailed U.S. and Europe photos showing the infestation were posted yesterday in FR here in case you missed them or want to look again.

In addition to the U.S., Italy is highlighted above in red. This is because Italy has some very tough laws that have criminal penalties.

Unlike in the U.S., when you weld on a pressure vessel in Italy, you sign your name on it as the welder. If the vessel blows up and injures someone due to something you did wrong, you go to jail! As another example of legal differences: when Ayrton Senna was killed at a Formula One race in Italy due to a potential steering column design problem, the Williams team owners would not go to Italy for fear they might be hauled off to jail.

While this Sony incident is obviously different, Italy has some pretty serious criminal law. Things that might be a civil penalty or wrist slap in the U.S. or U.K. can have real criminal penalties in Italy.

Apparently there is now a Sony investigation underway in Italy!

1 posted on 11/16/2005 9:27:31 AM PST by dickmc

To: dickmc

One of the reasons I've quit buying anything Sony.

2 posted on 11/16/2005 9:30:03 AM PST by sionnsar (†† || (To Libs:) You are failing to celebrate MY diversity! || Iran Azadi)

To: sionnsar

Interesting...but Breaking News??

3 posted on 11/16/2005 9:30:38 AM PST by HHKrepublican_2 (OP Spread the Truth)

To: HHKrepublican_2; dickmc

You might want to ask that of the poster of this thread.

4 posted on 11/16/2005 9:31:35 AM PST by sionnsar (†† || (To Libs:) You are failing to celebrate MY diversity! || Iran Azadi)

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...

5 posted on 11/16/2005 9:33:28 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: Nightshift


6 posted on 11/16/2005 9:36:38 AM PST by tutstar (

To: HHKrepublican_2

Sorry. Wrong check.

7 posted on 11/16/2005 9:44:39 AM PST by dickmc

To: dickmc
Unlike in the U.S. when you weld on a pressure vessel in Italy, you sign your name on it as the welder.

Not true. In the case of pressure vessel welding (ASME) here in the US, the welder 'stamps' the weld at specified and/or pre-determined intervals along the entire weld. A welder must have appropriate training and qualifications and is assigned his/her own 'stamp'; extensive recordkeeping is required. There are so many more requirements related to pressure vessel welding that your eyes would gloss over. For a time, my Company did pressure vessel work (U & R); I shuttered the entire metal fabrication operations in April 2003. I can tell you that if anything goes wrong with any of the vessels manufactured by my Company, the sh*t will hit the fan. While jail may not be explicitly stipulated, one should not discount the potential ruthlessness of litigants in asserting negligence, even though all standards were followed.

8 posted on 11/16/2005 9:52:15 AM PST by fuquadukie (If you can't hang with the big dogs, then don't jump off the porch.)

To: dickmc
...Italy has some pretty serious criminal law...

I read yesterday that in Italy foreigners have to show a passport to use a computer in an Internet cafe.

9 posted on 11/16/2005 9:52:38 AM PST by FReepaholic (I don't look good naked anymore.)

To: dickmc

The Sophos rootkit detection and removal tool is at:

Use at your own risk, but it is recommended by several reliable sources. I certainly wouldn't use any Sony removal tools, given their record so far.

10 posted on 11/16/2005 9:56:31 AM PST by Cicero (Marcus Tullius)

To: HHKrepublican_2

What kind of question is that? Every single solitary Freeper is a computer user.

11 posted on 11/16/2005 10:20:01 AM PST by JoJo Gunn (Help control the Leftist population. Have them spayed or neutered. ©)

To: Cicero
Seems to be a lot of confusion as to whether anything is 'removed' by the AVs or simply 'uncloaked'.

Per Mark Russinovich's Sysinternals site (he is the one who discovered all this):

Unfortunately, there has been some confusion with regard to the level of cleaning that antivirus (AV) companies are providing for the rootkit.

Some articles imply that AV companies remove all of the Sony DRM software in the cleaning process, but they are in fact only disabling and removing the Aries.sys driver that implements the rootkit cloaking functionality.

Unfortunately, all of the AV cleaners I’ve looked at disable it improperly by unloading it from memory - the same way Sony’s patch behaves - which as I noted previously, introduces the risk of a system crash.

While they post disclaimers on their web sites to that effect, they should use the safe alternative that I described a couple of posts ago, which is to delete the rootkit’s registration from Windows so that it won’t activate when Windows boots:

1. Open the Run dialog from the Start menu

2. Enter “cmd /k sc delete $sys$aries”

3. Reboot

Much more detail at his site here.

12 posted on 11/16/2005 10:31:51 AM PST by dickmc
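The three-step procedure quoted above, scripted as an added PowerShell example that is not from the thread or from Sysinternals; it assumes sc.exe's documented behaviour (exit code 1060 from "sc query" when the named service does not exist) and must be run from an elevated prompt.

```powershell
# Added example, not from the thread or from Sysinternals. It scripts the
# quoted procedure: unregister the $sys$aries driver service with "sc delete"
# so it is not loaded at the next boot, instead of unloading the running
# driver (the unsafe method the post warns about). Run as Administrator.

$ServiceName = '$sys$aries'   # single quotes: PowerShell must not expand the $

function Test-AriesRegistered {
    # Ask the Service Control Manager directly. sc.exe is used by name because
    # "sc" is an alias for Set-Content in PowerShell. Assumed from sc.exe's
    # documented behaviour: "sc query" exits with 1060 when the service does
    # not exist, so any other exit code means a registration is present.
    & sc.exe query $ServiceName | Out-Null
    return ($LASTEXITCODE -ne 1060)
}

function Remove-AriesRegistration {
    if (-not (Test-AriesRegistered)) {
        Write-Output "Service '$ServiceName' is not registered; nothing to do."
        return $false
    }
    # Deliberately no "sc stop": stopping unloads the driver live, which is
    # the crash risk the post describes. "sc delete" only removes the
    # registration; the change takes effect after a reboot.
    & sc.exe delete $ServiceName | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "sc delete failed with exit code $LASTEXITCODE (not elevated?)"
        return $false
    }
    Write-Output "Registration for '$ServiceName' marked for deletion; reboot to complete."
    Write-Output "Only the cloaking driver is affected; the rest of the DRM software remains."
    return $true
}

Remove-AriesRegistration
```

After the reboot, re-running the script should report that the service is no longer registered, which is the check that the cloaking driver will not load again.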

To: Cicero
I've heard that after running the Sony Rootkit Remover, your computer will only boot up in CP/M.

Let's see what kind of internet rumor we can get started here..

13 posted on 11/16/2005 10:42:44 AM PST by Tennessee_Bob ("Those who "abjure" violence can only do so because others are committing violence on their behalf.")

To: dickmc

OK. He doesn't mention Sophos specifically, but presumably their tool was one that he looked at. Hmm.

Well, in that case, maybe the thing to do is to use Sophos to detect whether you have the Sony Rootkit, but then don't try to remove it until this issue is completely resolved.

Microsoft is now making noises about adding Sony Rootkit to the things their antispyware will detect. But there, again, I don't know if they will safely remove it or only detect it.

14 posted on 11/16/2005 10:47:40 AM PST by Cicero (Marcus Tullius)

To: Tennessee_Bob

Yes, I certainly wouldn't use the Sony tool at the moment. And if 12 is correct, maybe it's safest just to leave the damned thing on your computer until a safe way is found to remove it entirely.

15 posted on 11/16/2005 10:48:50 AM PST by Cicero (Marcus Tullius)

To: dickmc
Excellent time line with links on this whole mess is at boingboing here.
16 posted on 11/16/2005 10:50:24 AM PST by dickmc

To: JoJo Gunn

Yeah, and every one with an audience uses two.

17 posted on 11/16/2005 11:03:59 AM PST by Old Professer (Fix the problem, not the blame!)

To: dickmc
Finally some details as to what the Sony DRM is actually doing.

Apparently, according to Muzzy's site here, the Sony DRM appears to have a large potential 'black' list that it scans for every two seconds as long as your computer is running.

Moreover, Sony's official uninstaller also leaves a plethora of stuff behind, some of which may be exploitable!

18 posted on 11/16/2005 11:12:13 AM PST by dickmc

To: tscislaw
The ALCEI (Electronic Frontiers Italy) press release excerpt

The law

The claim that ALCEI formally filed on November 4th 2005 to the Commander in Chief of the Fraud Contrast Group of the Financial Police in Italy (Guardia di Finanza) points out that the behavior of whoever decided, inside Sony BMG Entertainment, to use such a dangerous DRM system (and of anybody else who behaves similarly) is criminally liable, besides being unethical and fraudulent. The possible charges range from arbitrarily “self-made” justice, intentional damage to computer systems, and diffusion of software that damages information and communication systems - all of which are criminal offenses under Italian law.

The irony of this case is that the promoters of criminal indictment could be subjected (much more correctly) to the same rigor that they have been unfairly and brutally inflicting on their customers. While absurd laws in Italy, inspired by the lobbying power of very large economic interests, are condemning the holding of copied material as a ferocious crime, a correct and considerate law states that willfully damaging computer systems, as well as making justice “on his own” without taking the issue into court, are criminal offenses that the public prosecutor must investigate.

Furthermore, criminal liability, in Italy, cannot be waived by offering a “remedy” after the fact, which may perhaps allow a lighter penalty at the end of the process, but in the meantime it is an explicit admission of guilt.

ALCEI’s action

On November 4 2005 ALCEI formally requested that the Financial Police identify the authors of the software, and those who made the willful decision of distributing it in a hidden form, and also detect if other organizations committed similar abuses. Now the law enforcement bodies must mandatorily start the investigations. This is the necessary preliminary phase of an action that intends to bring to criminal court anybody who, in Sony BMG Entertainment, has committed such illegal acts in Italy, as well as anyone else who helped in committing such crimes - or, in any other circumstances, performed similar actions.

Underlines are mine. Entire release is here. Looks like the Italian justice system has no choice but to at least investigate.

I doubt that any Sony executives will be planning on vacationing or going to conferences in Italy any time in the near future.

19 posted on 11/16/2005 12:41:57 PM PST by dickmc
