Sony installing Spyware with DRM Rootkit

Ely13

Sultan of Slugs
Joined
Mar 23, 2005
Posts
2,585
http://wizbangblog.com/archives/007480.php

Sony Attacks PC's Worldwide With DRM Rootkit
Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by the authors of malware, including viruses, spyware, and trojans, to attempt to hide their presence from spyware blockers, antivirus, and system management utilities.

This discovery by famed Windows utility programmer Mark Russinovich, is a public relations disaster for Sony and the hundreds of bands whose music is being distributed in their copy protected format.

http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

At that point I knew conclusively that the rootkit and its associated files were related to the First 4 Internet DRM software Sony ships on its CDs. Not happy having underhanded and sloppily written software on my system I looked for a way to uninstall it. However, I didn’t find any reference to it in the Control Panel’s Add or Remove Programs list, nor did I find any uninstall utility or directions on the CD or on First 4 Internet’s site. I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn't uninstall. Now I was mad.

...

The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files.

While I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying, I don’t think that we’ve found the right balance of fair use and copy protection, yet. This is a clear case of Sony taking DRM too far.
 

Ely13

Sultan of Slugs
Joined
Mar 23, 2005
Posts
2,585
Highlander67 said:
Scary shit. It's a good example of how Companies are taking the EULA to an extreme that gives them more power then they should be allowed to have.
This pretty much tops it as Sony didn't even bother including this in their EULA. At least most P2P services have the decency to tell you that they're installing spyware onto your system to defray costs of operation.

On top of it, Sony takes steps to make their spyware very difficult to detect and even more difficult to remove, regardless of whether or not you're done with their software.

I closed the player and expected $sys$DRMServer’s CPU usage to drop to zero, but was dismayed to see that it was still consuming between one and two percent. It appears I was paying an unknown CPU penalty for just having the process active on my system. I launched Filemon and Regmon to see what it might be doing and the Filemon trace showed that it scans the executables corresponding to the running processes on the system every two seconds, querying basic information about the files, including their size, eight times each scan. I was quickly losing respect for the developers of the software:
I linked the Sysinternals link in my original post, but figured it might be too technical for some so I stuck it in the bottom half :)
 

johnroche

Pao Pao Cafe Waiter
Joined
Sep 13, 2003
Posts
1,780
Ely13 said:
This pretty much tops it as Sony didn't even bother including this in their EULA. At least most P2P services have the decency to tell you that they're installing spyware onto your system to defray costs of operation.

On top of it, Sony takes steps to make their spyware very difficult to detect and even more difficult to remove, regardless of whether or not you're done with their software.


I linked the Sysinternals link in my original post, but figured it might be too technical for some so I stuck it in the bottom half :)
The worst part seems to be that it can potentially fuck up your CD-ROM drive. That sort of bullshit cannot be allowed to stand.
 

gamejunkie

Hijacked by a Spambot!
Joined
Aug 21, 2004
Posts
7,002
johnroche said:
The worst part seems to be that it can potentially fuck up your CD-ROM drive. That sort of bullshit cannot be allowed to stand.

Whoa... I'm pretty lazy and don't want to read the entire thing, so could you guys tell me specificly what software is doing this? My brother installed some Sony software [on my pc] for his 20gb sony music player (can't remember it's name). Could this be why my dvd-r drive just all of a sudden stopped working on a [then] one month old pc?
 

onefortheride

Dodgeball Yakuza
Joined
Sep 28, 2004
Posts
637
i saw that on tv the other day.
is it just me ... or should that be illegal?

this just makes me want to steal music from them ...
and i dont even download music. may start now.
 

Ely13

Sultan of Slugs
Joined
Mar 23, 2005
Posts
2,585
gamejunkie said:
Whoa... I'm pretty lazy and don't want to read the entire thing, so could you guys tell me specificly what software is doing this? My brother installed some Sony software [on my pc] for his 20gb sony music player (can't remember it's name). Could this be why my dvd-r drive just all of a sudden stopped working on a [then] one month old pc?
http://it.slashdot.org/it/05/10/31/2016223.shtml?tid=172

An anonymous read writes "SysInternals.com guru Mark Russinovich has a detailed investigation of a rootkit from Sony Music. It's installed with a DRM-encumbered music CD, Van Zant's "Get Right with the Man". (Mmmm, delicious irony!) The rootkit introduces several security holes into the system that could be exploited by others, such as hiding any executable file that starts with '$sys$'. Russinovich also identifies several programming bugs in the method it uses to hook system calls, and chronicles the painful steps he had to take to 'exorcise the daemon' from his system." This house is clear.

http://yro.slashdot.org/yro/05/11/02/1421250.shtml?tid=233&tid=17

A couple of days ago we posted a story about Sony DRM installing a rootkit. Since then we have seen many more stories on the subject that I thought were worth sharing. manno gave us a link to the inquirer and salemnic sent us a page from the washington post. smallfries gave us one from PC Pro. It's nice to see this story not getting lost in the cracks since the implications are gigantic.

http://blogs.washingtonpost.com/securityfix/2005/11/sony_raids_hack.html

Sony's anti-piracy program installer pops up when you drop one of these content-protected CDs into your drive. If you agree to install it, there is no "uninstall" feature. Russinovich was able to use his knowledge of rootkits and the Windows operating system to zero in on the offending driver files needed to run the software. Unfortunately, he found that removing the program also erased the system files that power his CD-ROM drive, rendering it useless.
 
Last edited:

gamejunkie

Hijacked by a Spambot!
Joined
Aug 21, 2004
Posts
7,002
Thanks Ely, I eventually ended up scanning one of those links you posted last night. The software we installed was for a Walkman to transfer songs. Either that program has this rootkit in it, or I just got a bum drive.
 

Ely13

Sultan of Slugs
Joined
Mar 23, 2005
Posts
2,585
The only way I could think that the rootkit would've killed your CD drive was if one of your spyware cleaners picked it up and removed it, but I have a hunch Adaware, Spybot, and the rest of them aren't configured to check for the rootkit yet.

I have no idea if they're including this rootkit on anything other than the copy protected CD installations... wouldn't be surprised if Sony is sticking it on everything, though.
 

Gatchaman

, ,
Joined
Jul 5, 2002
Posts
130
Ely13 said:
The only way I could think that the rootkit would've killed your CD drive was if one of your spyware cleaners picked it up and removed it, but I have a hunch Adaware, Spybot, and the rest of them aren't configured to check for the rootkit yet.

And many of them never will be caught using spybot or Adwaware. By nature many rootkits work between the kernel and the OS and work between system calls (this is a very watered down description see a passable description


here

What makes this dangerous is that if an attacker has comprimised your box and trust me, even if you're running behind latest service packs, adaware, viruscan and the whole nine yards, they can get in. If you've connected to an IRC with your own computer..chances are you have a rootkit installed already and don't even know it........Ever downloaded a keygen for software? Yep..rootkit installed already...Think about that......Then that attacker can use Sony's rootkit to hide thier own files without even installing their own rootkit. I can hide a file on any Sony rootkit infected machine by giving it a $sys$ extension.

I've spent my entire adulthood in IT as a carrer and have been a Solaris UNIX engineer for years now. I'm also a gamer and have refused to give up my XP box for years now. I'm currently focusing my career on security and have been reading like mad and am currently on path to become a Certified Ethical Hacker.. After attending some of these long expesive classes. I've decided I'm going home and shutting down every non-OSX or BSD box I have...

Think you don't have malware because you have antivirus, adaware and spybot... I'd say you're probably wrong..
Especially if you've 1.) used IRC at all from your computer and attached to any bots. 2.) Downloaded any keygen executable or other executable from bittorrent or newsgroups


Gatcha~
 

BIG BEAR

SHOCKbox Developer,
20 Year Member
Joined
Dec 14, 2001
Posts
8,230
After Criticism, Sony Issues Fix for Hidden Rootkits

http://news.yahoo.com/s/nf/20051103/tc_nf/39083
Sony (NYSE: SNE - news) has admitted that it included a stealth rootkit on some music CDs shipped in 2005 and has issued an update to remove the hidden software one day after it was discovered. The company had drawn criticism from security experts who warned that the technology could serve as a tool for hackers.

The nearly undetectable monitoring utility, part of the company's digital-rights management (DRM) technology, was aimed at preventing consumers from producing illegal copies of CDs. The software installed itself automatically in Windows systems whenever a CD was inserted. Any files contained in the rootkit are invisible and almost impossible to remove.

Security expert Mark Russinovich of Sysinternals discovered the hidden rootkit and posted his findings on the company blog on November 1st. Russinovich wrote that although he checked in his system's Add or Remove Programs list, as well as on the vendor's site and on the CD itself, he could not find uninstall instructions. Nor, he says, could he find any mention of it in the End User License Agreement (EULA).

Stealth Tactics

A rootkit is a set of tools commonly used by hackers to circumvent antivirus software and control a computer system. Most rootkits are engineered so that common PC monitoring mechanisms cannot detect them. The rootkits are designed to tuck themselves in to the most basic level of the operating system and remain hidden from users.

A Finnish antivirus company, F-Secure, reported that it had spent several weeks recently trying to find the cause of some unknown files reported by a user who suspected an audio CD as the cause.

Mikko Hyppnen, chief research officer at F-Secure, said hackers could use the rootkit to insert their own files by inserting a simple command at the beginning of the file name that would render them undetectable by most antivirus software. On the F-Secure blog, Hyppnen wrote that he heard rumors that Universal is using the same DRM system on its audio CDs.

Privacy? What Privacy?

Although industry analysts said they cannot fault Sony's motives, some saw the company's initial failure to disclose the hidden technology as a violation of U.S. copyright laws. According to Jared Carleton, an analyst at Frost & Sullivan, Sony is overstepping the fair-use clause that gives consumers the right to make backup copies.

"[Sony] is saying, 'No, we are not going to pay attention to U.S. copyright law that's been generally accepted for the past 30 years,' " he said.

Carleton likened the hidden DRM to malware, and said it was no different than adware and spyware. He said that if Sony was shipping DRM-protected CDs, the company needed to put a notice on its packaging. Consumers understand that artists should be paid for their music, he said, but he added that consumers don't like this type of secrecy.

Andrew Jaquith, senior security analyst at Yankee Group, said the company behaved badly and that there could be a backlash. He said that the desire to protect intellectual property is understandable, but that Sony should have been upfront about its DRM technology, and would have been better off using industry-standard software.

"I haven't seen a single positive comment about this and it makes them look at little slimy," Jaquith said. "They should have been above-board and should have used software that they hadn't cobbled together themselves."

On the Web page containing the update, which enables users to detect and remove the rootkit, Sony said its technology did not pose a security risk. "This component is not malicious and does not compromise security," the company's post said. "However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers."

The fix can be downloaded at http://cp.sonybmg.com/xcp/english/updates.html.
-BB
 
Last edited:
Top