Sony installs rootkits on your PC


masken
3rd November 2005, 10:29
Sony in the US has used "hacker methods" on retail CDs, namely rootkits. Rootkits are hidden apps and services that integrate themselves into Windows API functions or the kernel, for hiding malware such as spyware, viruses, or trojans.

Mark Russinovich of Sysinternals found some nasty piece of software on his own PC, after having played a Sony BMG CD on his own PC.

Read here:
http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

http://www.theinquirer.net/?article=27349

http://www.f-secure.com/weblog/
F-Secure has also acknowledged that Sony BMG uses this technique. F-Secure antivirus can detect this, but not remove it.

smiller667
3rd November 2005, 10:36
Also see http://forum.doom9.org/showthread.php?t=102125 and yesterday's doom9 news. It has even made it to BBC: http://news.bbc.co.uk/2/hi/technology/4400148.stm

masken
3rd November 2005, 10:56
hmm.. didn't find the news on Doom9's page, must have missed it.

DK
3rd November 2005, 14:14
Sony has released a patch to remove the cloaking software:

SOFTWARE UPDATES/ PLUG-INS

November 2, 2005 - This Service Pack removes the cloaking technology component that has been recently discussed in a number of articles published regarding the XCP Technology used on SONY BMG content protected CDs. This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers.

very nice of them indeed (note that you'll have to have ActiveX activated, or otherwise you won't be able to download the so-called service pack)

http://cp.sonybmg.com/xcp/english/updates.html

Wilbert
3rd November 2005, 14:18
This component is not malicious and does not compromise security.
Yeah right.

Btw, the patch doesn't remove anything, it just makes the hidden stuff visible.

SeeMoreDigital
3rd November 2005, 14:44
So when did Sony start putting this crap on their audio CDs?

I guess this trait also extends to Sony's affiliated companies such as Columbia, Epic etc.


Cheers

unskinnyboy
3rd November 2005, 16:35
..and soon someone will release a patch which will find out and remove this rootkit totally without damaging the OS, and we can all sit and watch in glee when this multi-million anti-piracy effort goes down the drain too.

Shinigami-Sama
3rd November 2005, 19:41
well we have the method of removal, now we need the batch file to automagic it for us :)
this is pretty much why I buy non-mainstream stuff like Slayer and Kyprios, never seen one of those protected disks, then again, I live in Canada, I haven't seen one protected disk yet :)

but as Wilbert said to the BS 'this is not an attempt to illegally compromise your PC' remark, I agree, total BS on their part

Doobie
3rd November 2005, 21:06
With the Sony protection, any file or directory starting with $sys$ would not be seen by Windows. Talk about an invitation for virus writers to name their virus programs $sys$ImAVirus.com.

It's most unethical for any program to try to hide things from the user, especially things that suck up CPU time and could compromise security. What's the point? Did Sony think this would never be discovered?

Copy protection should never be through covert meddling with your system.
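One way to check whether the $sys$ cloak Doobie describes is active on a machine, as an added example that is not from the thread or from Sysinternals: write a file with that prefix into a temporary directory and compare open-by-name with directory enumeration. The probe file name and directory prefix are constructed; on an uncloaked system the file is simply listed.

```python
import os
import shutil
import tempfile

# File and directory names beginning with this prefix are what the XCP
# driver is reported to hide from directory listings.
CLOAK_PREFIX = "$sys$"


def probe_cloak(parent=None):
    """Check whether a $sys$-prefixed file disappears from enumeration.

    Writes a probe file (constructed name) into a fresh temporary directory,
    then compares two views of it: can it be opened by its full path, and
    does it appear in os.listdir()?  A driver that cloaks the prefix leaves
    the first true and the second false.  Returns a dict whose 'hidden' key
    is True only for that cloaked combination.
    """
    workdir = tempfile.mkdtemp(prefix="cloakprobe_", dir=parent)
    name = CLOAK_PREFIX + "probe.txt"          # constructed probe name
    path = os.path.join(workdir, name)
    try:
        with open(path, "w") as fh:
            fh.write("probe\n")
        listed = name in os.listdir(workdir)    # enumeration view
        with open(path) as fh:                  # open-by-name view
            readable = fh.read() == "probe\n"
        return {"listed": listed, "readable": readable,
                "hidden": readable and not listed}
    finally:
        # Remove the probe by its known path; cloaking does not stop that.
        shutil.rmtree(workdir, ignore_errors=True)


def main():
    result = probe_cloak()
    if result["hidden"]:
        print("WARNING: a $sys$ file exists but is hidden from listing; "
              "a cloaking driver appears to be active.")
    else:
        print("No $sys$ cloaking observed: the probe file was listed.")
    return result


if __name__ == "__main__":
    main()
```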

mpucoder
3rd November 2005, 21:56
Copy protection should never be through covert meddling with your system.
True - but your system should never allow this to happen.
Q - can it happen in NT/2K/XP user mode, or are administrative rights required?

btw - I still use a program called CDDA, which runs in DOS.

setarip_old
3rd November 2005, 22:43
@mpucoder

btw - I still use a program called CDDA, which runs in DOS.

That may or may not circumvent the issue, as one of the articles listed in this thread indicates that the CD will only play with Sony's player (apparently present on the CD)... Although this protection apparently isn't applicable to Macs, so maybe it's also not applicable to booting up in DOS ;>}

Doobie
4th November 2005, 01:09
btw - I still use a program called CDDA, which runs in DOS.

I believe the malicious code is delivered when you use the media player that comes on the CD.

int 21h
4th November 2005, 02:05
True - but your system should never allow this to happen.
Q - can it happen in NT/2K/XP user mode, or are administrative rights required?

btw - I still use a program called CDDA, which runs in DOS.

Since it installs drivers that, in turn, dynamically patch the system call table, I would guess that it requires administrator rights to install this. This is confirmed in some of the comments on the original post at Sysinternals.

I'm curious to what extent you believe the system should be protecting against this, if I log into a Linux box that is running a stock kernel as an Administrator, I too can install modules that can overwrite the syscall table and basically do the same thing this Windows driver is doing.

It's also interesting to note that this won't work on XP x64 or Win2003 because the ability to patch this table has since been removed from the fun stuff that device drivers can do.

I really thought the most interesting thing about this article was the vast power of the Sysinternals toolbox that is demonstrated. Once you add IDA Pro, you're set up for some pretty advanced analysis operations.

mpucoder
4th November 2005, 02:31
I'm curious to what extent you believe the system should be protecting against this, if I log into a Linux box that is running a stock kernel as an Administrator, I too can install modules that can overwrite the syscall table and basically do the same thing this Windows driver is doing.
Yes, and that is how it should be. But if the system allows patches of this type in any other mode I would consider it a security hole. And if Windows does prevent this in user mode, then there is a way to protect yourself.

int 21h
4th November 2005, 02:53
Agreed, I'm constantly surprised by some people's inability to distinguish a true escalation in user privileges (via some kernel-level or system-level flaw), which is something to worry about and be proactive with patching, etc., from a simple case of bad policy.

At work when someone finally got wind of this article, they (a *nix zealot) made a huge deal about how insecure Windows is in allowing this sort of behavior, but finally when I explained that this was akin to the age old:

bash-3.00# rm -rf *

He seemed to calm down.

sysKin
4th November 2005, 03:52
First exploits, user-side this time: http://www.securityfocus.com/brief/34

Mug Funky
4th November 2005, 04:02
rm -rf! i've always been tempted to type that to see what would happen :)

it's a shame to see copy protection taken to such (ludicrous) heights. it only takes one clever-dick out there to make a good copy and put it up on p2p or BT. and then what happens? sony only end up punishing the people courteous enough to actually buy their CD, whereas the people stealing it get the music free without any risk to their system.

do these people even have a clue as to the enemy they're fighting? they need strategies that don't involve bully tactics. people do not want to take any crap from a company, or they'll stop buying from them. and sony have pissed enough people off already over the last 10 years that they can't afford to do it any more. they're the "aging rockers" of the music industry - sad, pathetic and out of touch.

though i find it refreshing that some musicians/bands are a little more open minded about the piracy situation and don't wish to punish their fans. some even specifically request that their music DVDs not even have CSS on them (though their record companies don't often allow such concessions. at least they allow discs to be region 0).

Joe Fenton
4th November 2005, 06:07
rm -rf! i've always been tempted to type that to see what would happen :)

Gah! Don't remind me... I was updating my PS2 development toolchain late one night last week and accidentally did "rm -rf /usr" (don't ask how). I decided to take the opportunity to install SUSE 10. Since I didn't erase /home, I didn't really lose anything more than the time needed to switch over to SUSE.

Shinigami-Sama
4th November 2005, 06:58
why does 'rm -rf' look very familiar..
remove mount remove *something here*
??

dragongodz
7th November 2005, 01:34
just in case anyone was interested
http://www.petitiononline.com/bcsony/petition.html

Mug Funky
7th November 2005, 03:27
rm = delete ("remove")
r = include subdirs (i think it stands for "recursive")
f = force, no prompting (no "are you sure you want to delete everything?")

i think that's how it works. never tried it myself (winXP nuked my 'nix partition before i got a chance to learn how to use it... i'm too lazy to re-do everything though i should soon).

Shinigami-Sama
7th November 2005, 03:44
ohh
ok that makes sense, I have to try and remember using DOS to translate *nix to understandable
that seems kinda scary actually

Joe Fenton
7th November 2005, 05:13
rm = delete ("remove")
r = include subdirs (i think it stands for "recursive")
f = force, no prompting (no "are you sure you want to delete everything?")

i think that's how it works. never tried it myself (winXP nuked my 'nix partition before i got a chance to learn how to use it... i'm too lazy to re-do everything though i should soon).

Yes, that's it precisely. Be careful, especially when in root mode. I was tired and wasn't careful, and it almost cost me a lot of work.

foxyshadis
7th November 2005, 05:22
why does 'rm -rf' look very familiar..
remove mount remove *something here*
??
rm - remove
-r - subfolders/hard links
-f - no prompt
* - everything
put them together and you have a nice shiny clean disk drive. =D

Besides hackers naming stuff $sys$ to get instahide on any windows pc that has sony's drm, all they need to do to get a ready made rootkit that could plausibly not be from hacking is get ahold of a sony cd.

I can't wait for sony's next version, which will use various plug & play, lsass, and other esoteric exploits to install via user-mode.

[Edit, oops, forgot to check page two. >.>]

Shinigami-Sama
7th November 2005, 07:38
heh, that's actually pretty funny, with what I know about command lines in Windows + the DRM
*I* could easily bring a system to its knees, and I'm a lazy sod, not a real programmer

dragongodz
8th November 2005, 02:26
getting back on topic.... this is an interesting read as well, with a response from First 4 Internet, the company that implements Sony's Digital Rights Management (DRM) software.
http://www.sysinternals.com/Blog/

dragongodz
8th November 2005, 13:09
EMI are distancing themselves from the Sony situation, saying they don't use a rootkit-type protection. here
http://news.com.com/EMI+We+dont+use+rootkits/2100-1029_3-5937108.html?tag=nefd.top

however they do say
"EMI is not using First 4 Internet technology. We recently completed a trial of three content-protection technologies (Macrovision's CDS300, SunnComm's MediaMax and SonyDADC's key2audioXS), and First 4 Internet's technology was not one of those tested," said the spokesman.

and also interestingly it says
Although Sony's use of rootkits has sparked an outcry, users would find it difficult to sue Sony in the U.K., even if their computer was damaged by its copy-restriction software, according to legal experts.

DK
8th November 2005, 22:14
here is something more of interest:
http://www.cs.helsinki.fi/u/nikki/

these programs are said to be searched for when the rootkit is running:
http://hack.fi/%7Emuzzy/sony-drm-magic-list-2.txt

and this list is being checked when installing:
http://hack.fi/%7Emuzzy/sony-drm-magic-list.txt

dragongodz
9th November 2005, 00:25
yay, i made the list. well DVDx did anyway. ;)

hmm so it checks for not just audio rippers but DVD rippers and mp3 players and burning apps etc. wow, that's quite a list.

feedback
9th November 2005, 02:51
here is something more of interest:
http://www.cs.helsinki.fi/u/nikki/

these programs are said to be searched for when the rootkit is running:
http://hack.fi/%7Emuzzy/sony-drm-magic-list-2.txt

and this list is being checked when installing:
http://hack.fi/%7Emuzzy/sony-drm-magic-list.txt
Man! that is one long list...shows DVD Shrink and AnyDvD among many others. Looks like Sony hired Sherlock Holmes!

Regards,:)

Shinigami-Sama
9th November 2005, 02:56
I know
winamp, alcohol, nero
if one of my programs was on that list I'd send a 'nice' letter to Sony and First4Internet 'wondering' why they're so interested in my product, but then again I'm only a user of said products so meh
dragongodz you're getting mighty close to 2k posts, good work

spuddog
9th November 2005, 03:48
I really don't know why Sony considers this a copy protection anyway. I had no problem making a backup by extracting the audio with Cool Edit, then burning to cd.

CWR03
9th November 2005, 07:04
I really don't know why Sony considers this a copy protection anyway. I had no problem making a backup by extracting the audio with Cool Edit, then burning to cd.
That's because you "recorded" it, not unlike connecting a turntable and a cassette deck together to make a copy of a record album. I've done the same thing - I use an MP3 player a lot, and instead of editing CD rips back together or enduring a pause in the middle of a piece of music that spans two or more tracks, I just record it as a .WAV and save each section of music.