Sony DRM Installs a Rootkit?

An anonymous read writes "SysInternals.com guru Mark Russinovich has a detailed investigation of a rootkit from Sony Music. It's installed with a DRM-encumbered music CD, Van Zant's "Get Right with the Man". (Mmmm, delicious irony!) The rootkit introduces several security holes into the system that could be exploited by others, such as hiding any executable file that starts with '$sys$'. Russinovich also identifies several programming bugs in the method it uses to hook system calls, and chronicles the painful steps he had to take to 'exorcise the daemon' from his system." This house is clear.

My question:

[conJunk]

Now is that *sony's* rootkit, or a soon-to-be-former-sony-employer's rootkit?

Re:My question:

[ryanr]

If you read the article, there's a strong implication that this is a purchased commercial rootkit. Presumably, Sony very deliberately licensed and distributed it.

Mark didn't get into a lot of detail about all of the functions, but he didn't mention any backdoors or phone home functionality.

Re:My question:

[networkBoy]

Honestly, I see this as a real exposure to a lawsuit. If I accidently install this rootkit on my system, then try to remove it (seeing as it looks like a genuine security breach) and then disable my computer, thus having to bring it in for service what then?. If a malware company uses the rootkits ability to hide $sys$ prefixed files and uses that to steal my identity, costing me thousands of dollars and hundreds of hours of time to get my identity back, can I sue?

-nB

Re:My question:

[DoraLives]

Actually this is a major limited access high speed expressway to seriously fuck with Sony.

It'll go like this: Somebody out there with an axe to grind against Sony is going to lift this code intact, with no modifications, and marry it with a worm that goes around and infects peoples machines with some nasty or other that executes with a file that has a name beginning with $sys$ and cause some real trouble with it.

Net result, the infected folks are going to have a SERIOUS beef with Sony over the fact that the "invisible" file was able to install itself and run its merry course completely under the radar. All because of a piece of shit attempt by a fucked up Giant Corporation that was attempting to further line its pockets by installing some ... shall we say, hmm, unsavory code?

Ok script kiddies, you have your assignment. Now get to work!

and now with no liability

[jeremy111]

And let me guess, it offers you an EULA and exempts Sony from any liability for damages caused by this thing?

RootKits coming out in bundles?

[cwtrex]

I'm downloading RootkitRevealer now. I wonder how long it is going to take for Norton and McAfee to upgrade their Rootkit detection abilities? Next years anti-virus release? The last rootkit that Norton found on a computer at work was well spread and had been out for 6 months. It still was unable to remove/fix the infection. :(

OS's fault

[aachrisg]

Microsfot needs to make it completely impossible for any software to do something like this unless the user runs in some special maintenance mode or logs in as some special account. They can make an exception for windows updates which are signed by them.

Thanks

[BCW2]

I am very glad to hear about this. That CD WAS on my birthday list for next week.

Sony just lost a sale, end of story.

Re:Anti-spyware Bill

[AKAImBatman]

That's where the "reasonably notified" comes in. The courts haven't been too happy about EULAs as they are. If you try to slide things past the consumer, the courts will find that the contract was misrepresented and hold the company accountable.

What if you refuse the EULA?

[BeBoxer]

I know you can disable auto-run and such to get around this type of crap. But what happens if you just 'disagree' or whatever on the EULA? I assume that Sony will then not install the rootkit and you can rip the CD with whatever tool you normally use? Or does Sony install the rootkit anyway, setting themselves up for criminal prosecution? Does anybody have a copy of this thing to try and answer that question?

It just seems kind of silly to have DRM which is totally dependant on the user to request it be installed. Or can refusing an EULA be considered a violation of the DMCA?

Re:In democratic america...

[caluml]

Or as Osama says: "I'm free - what about you?"

Here is what a kid had to say...

[cyclocommuter]

...after he tried to rip another Sony produced CD "Healthy in Paranoid Times" by the Our Lady Peace:

Disappointing, to say the least..., October 14, 2005

A Kid's Review (Amazon.com)

I tried copying this CD, not knowing that it was protected. So, I ripped it to my hard-drive and burned it. But, when I inserted the burned copy into my computer, the screen froze for a while, and an installer icon appeared on the taskbar in the bottom right. It installed somthing - and now I cannot burn anything, with any program. I've even tried using a different, external CD burner. A disk error comes up during burning, even if I am not not burning audio CDs. This was not a fluke. I've talked to other people this has happened to. Avoid anything with "copy protection." Sony might as well burn viruses onto the CDs they distribute.

It's immoral to buy RIAA music

[Jason1729]

I used to buy a lot of CDs but stopped around the time of the napster lawsuit. I would probably still be buying 2-3 discs/month if I didn't consider it immoral to buy CDs.

Sony is protected by the DMCA

[dmoen]

I see this as a real exposure to a lawsuit. If I accidently install this rootkit on my system, then try to remove it...

If you do this, then you are deliberately disabling a copy protection system, which is illegal under the DMCA. So Sony can sue you.

[Note: this varies with your jurisdiction. No DMCA in Canada, yet.]

Doug Moen.

Re:Sony is protected by the DMCA

[indigoid]

indeed. for the purpose of deciding who is running something, is autorun.inf "us" or "them" ?

Re:Sony is protected by the DMCA

[mrBoB]

Unfortunately, this is only something that could be dealt with at a trial. Whose rights are more valuable, the content provider, or the paying customer? A person has a reasonable expectation of privacy and security on his or her home computer. Any attempt to circumvent this privacy or security should be construed as trespass. On the flipside, recording artists and the companies that represent them have an expectation that their work is compensated, and that "legal" means to protect their interests be respected. I'm not arguing for the DMCA here, however it _IS_ law. By removing the Sony-installed malware, Mark has broken the law. But so is trespass illegal, so tell me, which is a greater abomination?

      I'd vote for trespass, but I also don't have any content to sell. Mark, how's the adminpak selling? I hope you've got some good DRM on your CD's if you're any indication of the talent that's out there...

Re:Sony is protected by the DMCA

[stonedonkey]

Even the most ardent proponent of EULAs couldn't make the claim that you give such permissions by default. Unless they specifically ask, they don't have permission to do anything that isn't specifically part of the product as a reasonable person would perceive it to be.

And the EULA doesn't mention this rootkit or anything like it, from what I've read. In my opinion, I have the right to create a secure environment for my data, and the rootkit subverts that. Since the EULA doesn't mention it, I'm free to remove unauthorized the unauthorized code.

Bad Sony! No biscuit!

Re:Sony is protected by the DMCA

[coats]

I'll wager you a Coke against a Pepsi that Mark Russinovich's computer was password-protected. Sony deliberately and surreptitiously evaded that password protection to invade and change settings on Mark's computer. Tell me why he should not sue SONY for DMCA violation!

Britain's Computer Misuse Act...

[jd]

...could probably be used in this way, for this software. The program was unquestionably not authorized by the user, as it is not declared in the EULA. As there is no apparent (yet) "Phone Home" capability, it would not violate the Data Protection Act. It might violate tresspass/break-and-entry laws, as the only reason the hacker of Prince Philip's e-mail account escaped conviction was that a transient tool was not considered a lockpick. This is a permanent tool that permits repeated intrusion, so I would guess the courts would be more sympathetic to the argument that it was breaking and entering. IANAL, but most people in computing in Britain have covered the DPA and CMA to some degree, because these are things IT people need to be careful of. It is possible - though unlikely - that the EU could also prosecute Sony over this, as it may infringe on privacy and computer protection laws in Europe. It's very doubtful the EU would take such action - they barely took any action against Microsoft for anything it did - but if Sony or other companies agravate the situation enough, there ARE elections in Italy coming up and the ruling elite there could do with someone to victimize.

America - well, there's no privacy in the US of A. The trade in personal information is open and widespread. There is an excellent chance that if anyone tried to prosecute Sony over privacy infringements that it would be laughed out of court. You can't protect what you don't have. Posession is 9/10ths of the law, and Americans posess very little - much as they often like to believe otherwise.

Sony actually has a much stronger case. Reverse-engineering their DRM scheme is in direct violation of both the letter AND the spirit of the DMCA, which is explicitly intended to prohibit exactly this kind of research (ie: the study of the spyware) and this kind of result (ie: the removal of it, afterwards). Depending on who Sony licensed the rootkit from, there is a possibility it might also violate aspects of the PATRIOT act. (If the rootkit is also used by any law enforcement groups, then this study could compromise wiretapping provisions in the act.)

Re:This has gone too far!

[mcrbids]

Lets organize and make a difference.

OK, let's. I assume that this is a call to join a foundation, organization, or movement. What have you decided to call this organization? What's the mission statement? What are the goals of the organization? Meeting times? Rallies?

Yep, I just might be interested. Really.

If you're serious, that is - but I don't think you are. See, if you were, you'd have to stretch yourself outside of your current "comfort zone", which currently includes your computer, and quite possibly your mother's basement, but not much else.

But, if you WERE serious, and you REALLY DID put out enough effort to register a domain name, make a website, put together some business cards, talk to REAL LIVE PEOPLE (instead of your laptop) at real, live events, you'd find out very quickly what real, live people think. You'd grow immensely, as a result. Your skills at working with people, and your earning power would be forever improved, and your understanding of your true role in society would be much, much firmer.

You would forever be a bigger, better person.

I dare you to put together an organization of at least 100 members towards your cause. In order to be a "member", they have to have contributed at least $10 in CASH towards your cause's war chest. (And, I know you can do it, because I did)

Re:Wouldn't happen if you dont run MainstreamOS.

[spaceyhackerlady]

Want to stop this nonsense from happening in the future? Actually run a non-mainstream OS. That shouldn't be hard for most of the visitors of this website, shouldn't it?

Indeed. I've actually been a little disappointed with the DRM on CDs. When I put them in my Linux boxes they just play. I can rip to MP3 until the cows come home. No problem.

I actually wanted one to fail so I could see how it was failing and maybe do something about it. Contribute something to the community, ya know.

...laura, not a U.S. resident, not covered by the DMCA

iTunes Australia and Japan

Sony still hasn't agreed to come on board with iTunes, which I find damn annoying. Everytime I search for an artist and don't find them (considering they're a big artist), I go and search for that artists publisher.. and what do ya know, always sony.

I'm really starting to hate that company. This BS "DRM" is just the icing on the cake. Sure, iTunes has DRM, but it's quite benign (5 computers, unlimited ipods, unlimited burns per song, 7 burns per album).

They're too big, and have their hands in too many pots. Time for Sony artists to take a stand and go with somebody else (quite difficult, considering the ass-raping contracts they probably had to sign). Essentially, Sony are denying their artists a source of income to satisfy the needs of their consumer electronics department. I'd be pissed.

the big guys take punches like candy...

[DigitalEntropy]

... the little guys are more likely to crumble. Why not target the source of this crap? I did. Though, admittedly I'm sure SONY keeps their wallets fat enough to ignore us. See below:

===

Mail-To: info@xcp-aurora.com, info@first4internet.co.uk

Subject: attn: Mathew, Tony, Peter, Nick; re: Extreme displeasure with your XCP product.

To Whom it may concern:

I would like to address the outstanding issue regarding the software your company licensed to SONY BMG here in the United States. This software proposes to be a harmless DRM solution for the corporate customer as a method of protection against malicious users. However, what your software critically FAILS at is conscientiously protecting the end user against exploits of your poorly, shit-house written utilities.
Personally, I'm glad that your nasty parlour tricks were recently exposed by SysInternals.com (http://www.sysinternals.com/blog/2005/10/sony-roo tkits-and-digital-rights.html) for the disreputable practices they are, and for identifying "First 4 Internet" (sounds like a shoddy store-front operation for a bunch of Black Hat rejects) as the company directly responsible for the most vile intrusion my system has ever received. And the fact that your ill-conceived product leaves my system open to additional intrusions of this nature is unforgivable.
May whatever sink-hole from whence you rose quickly swallow you back. You have no right to voilate my computer's integrity. You have no right to scan the contents of my computer. You may have the right to hide in the darkness of Windows' subsystem like cowards, but that does not mean you won't be seen. You have no right to abuse the trust garnered by SONY from the citizens it regularly calls customers (or, perhaps more appropriately, "guinea pigs"). I hope the light of truth sends you roaches scurrying.

With the wretched taste of bile at the back of my throat,

[my name]
[my email addy]

===

Personally, I purchased "The Dead 60s" latest album, and sure enough it had the exact same copy-protection crap as described on sysinternals.com. That article sure shed some light on the behavioral difference in my system since I got that CD (significantly slower start up and execution times on a 1.2 GHz, and constant 5 - 10% CPU usage with almost nothing running). Fuck them. Fuck them right in the ear.

It was stated before, and I'll reinforce it: This kind of DRM ADVOCATES piracy. You are safer without DRM. I intend to zap my Windows machine and go to Debian (as I've been considering, but now have good reason for security purposes), and return this CD by mail to SONY BMG in a thousand tiny pieces, but not before I copy it and distribute out of sheer spite.

Sony is flirting with trouble...

[TiggertheMad]

They don't put it there. You do. They just packaged it for you. If you didn't want to give them permission to run arbitrary executables on your computer, then WHY DID YOU RUN THEIR EXECUTABLE??

IANAL, however, I believe that contracts that are made in bad faith, or with the intent to decieve a particpant are not binding. If this is the case, I think that I wouldn't be hard to argue in a court that you have no obligation to keep Sony's rootkit (by deffinition an illicit and deceptive tool) on your computer. Moreover, you might also be entitled to damages resulting from said 'bad faith' agreement.

Even if my assessment isn't quite correct, it seems to me that it is probably fuzzy enough of a point to invite litigation. If I were a multimillion(billion?) dollar company I wouldn't be the one to test the legal water on something like this.

You just helped with my PSP/PS3 decision

[Bodhammer]

Sony, you have gone too far...

No PSP for Christmas!

No PS3 next year!

So you protected a $15 CD by killing ~$700 of hardware purchases plus whatever games I would have purchased.

No wonder your stock sucks and your revenues are down!

Your DRM works, I'm exercising my right not to purchase your products any more!

this is illegal under Minnesota law

[swschrad]

it's a 5/$5000 penalty, class C felony, to knowingly distribute harmful software to a PC in Minnesota. 1992 law, I believe it was. demonstrating this is a rootkit is prima facie evidence that this would be harmful software.

somebody with means should get a case opened....

Re:this is illegal under Minnesota law

[Reziac]

If it's a felony, file charges with your local district attorney, and let the DA's office take it from there (you may be called as a witness, but you don't have to defend yourself or hire a lawyer, tho doing so might not hurt). Criminal prosecutions aren't like a civil suits, where you have to finance the operation yourself. In criminal cases, your tax dollars have already funded it, and the other guy is on the defensive by default.

Interesting thought: what if, propelled by enough such prosecutions, DRM alone became grounds for "reasonable suspicion of criminal activity"??

Damn, I thought I was first

[muzzy]

I thought I was ahead of time, when I implemented a rootkit DRM just a few days ago. My rootkit is a part of my project, trying to show how malware and DRM systems can get really close to each others, and both get protected by law. Under EU Copyright Directive, it's going to be illegal to remove this rootkit.

You can read about my copyright projects here:
http://muzzy.net/files/copyright_projects_en.txt

The feedback I sent to Sony

[keraneuology]

Dear Sony Regarding the rootkit you are attempting to install on the computers of customers who purchase Van Zant's "Get Right with the Man": my relationship with you is over. I will never again purchase -any- CD from Sony Music. Period. Your intentional introduction of security holes and your undisclosed modification of the operating system is simply unacceptable and uncalled for. Your application of excessive, intrusive and unreasonable DRM has ensured that I will -never- purchase any work with the Sony logo. The number of pirated copies this prevents me from downloading or sharing? Zero - I don't pirate. I don't give people copies of my music. The number of future dollars your DRM (which is sure to be broken within weeks anyway) has cost your company? Beyond calculation: my life expectancy has me sticking around - NOT buying Sony music, by the way - for decades to come. Was this worth the trade? If you want my business then I demand nothing short of full public disclosure, an appology, and the very public firing of the executive who gave the green light to this horrible, horrible concept. Please note that I intend to share this letter with others. With luck they too will refuse to purchase Sony music in the future.

Microsoft's reaction to this?

[alouts]

Isn't this something that Microsoft should have issues with? Sony isn't just installing its own software, they're overwriting part of the operating system, and in a sloppy manner such that it will prevent Microsoft from releasing patches to those drivers/services...

Although I'm sure they'd be noncommital in their official response, I'd love to hear what they think internally about this kind of thing. If "security" really is their #1 corporate focus as they've been so eager to tell us, this should have them screaming at the top of their lungs.

The chances of us slackers motivating our corporate-owned legislators to smack Sony is comically low, but if we could get a second big player in there on our behalf, there's a real chance to get this awful idea blackholed like it should be.

Anyone have any high-up connections within the Empire?

just to play devil's advocate here for a sec...

[smash]

Whilst I don't like what sony has done here in the slightest, those calling for them to be sued, etc are missing a cruicial (IMHO) piece of information.

I am under *NO DOUBT* whatsoever that Sony will simply point the finger at first4internet, and simply say "We simply contracted them to provide a content protection scheme - we are unaware of the implementation" (or words to that effect). Given that the tech has been sold to several other record companies, I'm pretty sure that's close to the mark as to what actually happened, too.

So, it's first4internet who will take the heat in a criminal case, not Sony, no doubt.

Sony is evil and all, but I don't think it was Sony who was responsible for the way it works...

smash.