Slashdot Mirror
Sony DRM Installs a Rootkit?
An anonymous read writes "SysInternals.com guru Mark Russinovich has a detailed investigation of a rootkit from Sony Music. It's installed with a DRM-encumbered music CD, Van Zant's "Get Right with the Man". (Mmmm, delicious irony!) The rootkit introduces several security holes into the system that could be exploited by others, such as hiding any executable file that starts with '$sys$'. Russinovich also identifies several programming bugs in the method it uses to hook system calls, and chronicles the painful steps he had to take to 'exorcise the daemon' from his system." This house is clear.
Now is that *sony's* rootkit, or a soon-to-be-former-sony-employer's rootkit?
corporations exploit YOU!
:/
hrm, so much for humor. I don't find it funny at all
DRM wasn't intrusive in the first place.
perpetually dwelling in the -1 pits
We *really* need to get a anti-spyware bill on the books. Something along the lines of, "It shall be a criminal offsense to install non-application software on any computer when the user has not been reasonably notified in advance and/or agreed to have the modifications made. This bill will be reevaluated for its effect in three years."
Anything running in the background, rootkits, and other forms of spyware (which generally rely on the user not knowing they're there) would immediately become illegal.
Javascript + Nintendo DSi = DSiCade
I'm downloading RootkitRevealer now. I wonder how long it is going to take for Norton and McAfee to upgrade their Rootkit detection abilities? Next years anti-virus release? The last rootkit that Norton found on a computer at work was well spread and had been out for 6 months. It still was unable to remove/fix the infection. :(
Not that this makes it better in any way, but I liked how he said
I hadn't noticed when I purchased the CD from Amazon.com that it's protected with DRM software, but if I had looked more closely at the text on the Amazon.com web page I would have known
followed by a picture of the amazon web page in question with [CONTENT/COPY-PROTECTED CD] clearly visible in massive letters.
Since spyware WITH a proper EULA has been held to be in violation by the FTC, and since this EULA doesn't really mention the rootkit's difficulty of removal, this might be litigatable.
Of course, Mark Russinovich did (inadvertantly) dissasemble content protected by the EULA.
Test your net with Netalyzr
RTFA, the EULA does not mention this at all...the writer of the article made a specific point with respect to this.
It's one thing to copy protect your CDs to make it difficult to rip but it's another thing to install a rootkit that is by definition difficult to remove. Who'se going to clean up this mess when a Microsoft patch or SP comes around and breaks any computer with this installed?
I am very glad to hear about this. That CD WAS on my birthday list for next week.
Sony just lost a sale, end of story.
Professional Politicians are not the solution, they ARE the problem.
Yeah, that's called "Trusted Computing"...where Microsloth decides what you can and can't run...
What is next? Drm that will rewrite your bios and turn your pc into an expensive doorstop for copyright violation?
As if spyware itself is miraculiously legal and now we have this? Rootkits and spyware programs that append to windows in the mbr so even a reinstall wont delete thim IS TOO FAR!
I agree with a previous poster that is should be a criminal offense the same catagory as spypainting someones house or breaking an entry. Why do we allow this crap to be legal?
Its time we wrote our elected officials and inform them about what is happening and about Sony's drm and demand civil and criminal responsibility for malware makers. I dont care if its the CEO of some company spraypainting my house vs a teenage kid. Its still illegal and Sony should be held accountable.
I was reading on cnn about the drop of ecommerce even though there is still a rise in internet usage. This is due to all the spyware/scams/malware that is infecting pc's at record rates. This is killing out economy and many companies such as Google, Amazon, and Ebay are already getting hit with their wallets over these scams.
Lets organize and make a difference. This is a slippery slope and I fear what is coming next.
http://saveie6.com/
Turn off autorun.
Slashdot - where whining about luck is the new way to make the world you want.
To make matters worse, not only is everything hidden, but you can't just delete the files and reg keys or you'll cripple your system...the author of the article is a developer and he spend a lot of time just getting rid of the damned thing...I know I couldn't do it
Being a root kit just means that the program works at the OS level, USUALLY in such a way that the end user will not notice it, nor will virus detectors flag it. It changes something about "Windows" as opposed to adding something to it. (over simplified)
The arbitrary code in this case is installed when you hit 'OK'.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
You're confusing the terms "rootkit" and "trojan"/"backdoor".
A trojan in its strictest sense tricks a user into executing one set of code when they think they're executing another. A backdoor simply allows remote execution of arbitrary code.
A rootkit is usually the set of tools that an attacker deploys on a compromised system. "rootkits" in the terms of this article are programs that trick your kernel into doing things it shouldn't do. This could include a trojan or a backdoor, but not necessarily.
Sony's program is a rootkit because it runs without authorization from the CD and alters the Windows API in order to disguise itself. As far as the article indicates, it doesn't include the ability for Sony to execute code on your machine. It's still dirty and sinister, if you ask me. It also allows any other malicious attackers to conceal anything they plant on your machine - simply by prefixing any file name with $sys$ - that's not cool!
Trusted Computing...
I think this lil video on Trusted Computing is perfect at explaining trusted computing.
I leave it running on the computers on display in my store. Hopeing that I can educate enough people in my small section of the world about the follies they are about to embark on.
DSLIP Web Design and Content Management Australia.
I know you can disable auto-run and such to get around this type of crap. But what happens if you just 'disagree' or whatever on the EULA? I assume that Sony will then not install the rootkit and you can rip the CD with whatever tool you normally use? Or does Sony install the rootkit anyway, setting themselves up for criminal prosecution? Does anybody have a copy of this thing to try and answer that question?
It just seems kind of silly to have DRM which is totally dependant on the user to request it be installed. Or can refusing an EULA be considered a violation of the DMCA?
You can't enter into a contract which violates the law. Thus a "contract killing" is not a valid contract.
...after he tried to rip another Sony produced CD "Healthy in Paranoid Times" by the Our Lady Peace:
Disappointing, to say the least..., October 14, 2005
A Kid's Review (Amazon.com)
I tried copying this CD, not knowing that it was protected. So, I ripped it to my hard-drive and burned it. But, when I inserted the burned copy into my computer, the screen froze for a while, and an installer icon appeared on the taskbar in the bottom right. It installed somthing - and now I cannot burn anything, with any program. I've even tried using a different, external CD burner. A disk error comes up during burning, even if I am not not burning audio CDs. This was not a fluke. I've talked to other people this has happened to. Avoid anything with "copy protection." Sony might as well burn viruses onto the CDs they distribute.
After being presented with a sell-your-babies-to-the-almighty-record-label EULA, and before shoving awfully encoded WMA format files down their throats.
Hint #1: There's no "copy protection" on CDs. For most parts, it's misshapen multi-session CDs. cdrdao read-cd --session 1 ... Hint #2: If you're encoding the files to MP3, Vorbis or, good heavens, WMA, digital rips are wayyyy overrated and plain old CD player, analog RCA-to-RCA cable and an audio recorder app can do really wonders. =)
I used to buy a lot of CDs but stopped around the time of the napster lawsuit. I would probably still be buying 2-3 discs/month if I didn't consider it immoral to buy CDs.
On this CD's product page, there are several negative reviews on account of spyware. My favorite puts into plain English why this is bad: "I am very unhappy, since I now listen to all of my music using my IPod."
I think this is the way to fight DRM. When we complain about DRM rights, we're fighting a crusade on principle, and few people really get what's wrong. When you say, "This CD that I paid for can't be transferred to my iPod," people will see that it's outrageous. When people see that it's installing spyware on your computer, they'll flip. Cheers to whoever's left this feedback.
________________________________________________
suwain_2
I'm glad I get my music off of p2p networks and don't have to worry about trojans and rootkits and that evil hacker stuff!
Easy, Don't run as ADMINISTRATOR. Run as a regular user!!!!!!!
Come on, man. It's 2006 already
You obviously didn't read the article very closely. Sony patched the CD/DVD drivers, Sony's code runs every time you access the drive. He didn't disassemble the entire driver so there is no clear indication that it doesn't contain security problems (whether by incompetence like a buffer overflow, or a deliberate backdoor) that would allow arbitrary code to run. There is no way to audit the code for security, it is probably illegal under the DMCA to disassemble and fully analyze DRM code in sufficient detail for a full code audit
THAT is the biggest problem with these windoze DRM hacks. You can secure your system with all the technology at your disposal, but it means nothing when you are tricked into running a rootkit disguised as DRM. Then you have to trust the DRM vendor did not make any mistakes that expose you to further security risks.
People like to gripe about Apple's DRM, but at least they know better than to pull crap like this.
If you do this, then you are deliberately disabling a copy protection system, which is illegal under the DMCA. So Sony can sue you.
[Note: this varies with your jurisdiction. No DMCA in Canada, yet.]
Doug Moen.
I have written a truly remarkable program which this sig is too small to contain.
Seriously speaking, this shows two things. One is yet another demonstration of the fundamental evil of Microsoft's "security" model. Even if you weren't running as root/Administrator (and everyone does, don't they?), then the "reputable" installation from the "reputable" company would just ask you to elevate your privileges.
The other thing is that power is always abused. If not now and by Sony, then tomorrow by some other "reputable" company. (Or put on your tin hat and say "Yesterday by the NSA.")
I hope they track this story, and if it is not another misguided /. rumor, I certainly hope that Sony repudiates the technique and the software. Soon.
Then they should apologize.
Then sack the person responsible.
Then sack the person responsible for not sacking the responsible person earlier.
[Infinite loop warning.]
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
America - well, there's no privacy in the US of A. The trade in personal information is open and widespread. There is an excellent chance that if anyone tried to prosecute Sony over privacy infringements that it would be laughed out of court. You can't protect what you don't have. Posession is 9/10ths of the law, and Americans posess very little - much as they often like to believe otherwise.
Sony actually has a much stronger case. Reverse-engineering their DRM scheme is in direct violation of both the letter AND the spirit of the DMCA, which is explicitly intended to prohibit exactly this kind of research (ie: the study of the spyware) and this kind of result (ie: the removal of it, afterwards). Depending on who Sony licensed the rootkit from, there is a possibility it might also violate aspects of the PATRIOT act. (If the rootkit is also used by any law enforcement groups, then this study could compromise wiretapping provisions in the act.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
My refrain to the copyright holders: The people being hurt by this DRM software are people who have already communicated their intent to do the right thing by purchasing the CD. Sony has just guaranteed that a lot of people will never make that mistake again.
Welcome to a Brave New World: People who pay for their music get viruses, while people who download it at no cost from illegal sources get clean MP3s that they can freely copy and use on whatever devices they own.
Indeed. I've actually been a little disappointed with the DRM on CDs. When I put them in my Linux boxes they just play. I can rip to MP3 until the cows come home. No problem.
I actually wanted one to fail so I could see how it was failing and maybe do something about it. Contribute something to the community, ya know.
...laura, not a U.S. resident, not covered by the DMCA
Sony still hasn't agreed to come on board with iTunes, which I find damn annoying. Everytime I search for an artist and don't find them (considering they're a big artist), I go and search for that artists publisher.. and what do ya know, always sony.
I'm really starting to hate that company. This BS "DRM" is just the icing on the cake. Sure, iTunes has DRM, but it's quite benign (5 computers, unlimited ipods, unlimited burns per song, 7 burns per album).
They're too big, and have their hands in too many pots. Time for Sony artists to take a stand and go with somebody else (quite difficult, considering the ass-raping contracts they probably had to sign). Essentially, Sony are denying their artists a source of income to satisfy the needs of their consumer electronics department. I'd be pissed.
... the little guys are more likely to crumble. Why not target the source of this crap? I did. Though, admittedly I'm sure SONY keeps their wallets fat enough to ignore us. See below:
o tkits-and-digital-rights.html) for the disreputable practices they are, and for identifying "First 4 Internet" (sounds like a shoddy store-front operation for a bunch of Black Hat rejects) as the company directly responsible for the most vile intrusion my system has ever received. And the fact that your ill-conceived product leaves my system open to additional intrusions of this nature is unforgivable.
===
Mail-To: info@xcp-aurora.com, info@first4internet.co.uk
Subject: attn: Mathew, Tony, Peter, Nick; re: Extreme displeasure with your XCP product.
To Whom it may concern:
I would like to address the outstanding issue regarding the software your company licensed to SONY BMG here in the United States. This software proposes to be a harmless DRM solution for the corporate customer as a method of protection against malicious users. However, what your software critically FAILS at is conscientiously protecting the end user against exploits of your poorly, shit-house written utilities.
Personally, I'm glad that your nasty parlour tricks were recently exposed by SysInternals.com (http://www.sysinternals.com/blog/2005/10/sony-ro
May whatever sink-hole from whence you rose quickly swallow you back. You have no right to voilate my computer's integrity. You have no right to scan the contents of my computer. You may have the right to hide in the darkness of Windows' subsystem like cowards, but that does not mean you won't be seen. You have no right to abuse the trust garnered by SONY from the citizens it regularly calls customers (or, perhaps more appropriately, "guinea pigs"). I hope the light of truth sends you roaches scurrying.
With the wretched taste of bile at the back of my throat,
[my name]
[my email addy]
===
Personally, I purchased "The Dead 60s" latest album, and sure enough it had the exact same copy-protection crap as described on sysinternals.com. That article sure shed some light on the behavioral difference in my system since I got that CD (significantly slower start up and execution times on a 1.2 GHz, and constant 5 - 10% CPU usage with almost nothing running). Fuck them. Fuck them right in the ear.
It was stated before, and I'll reinforce it: This kind of DRM ADVOCATES piracy. You are safer without DRM. I intend to zap my Windows machine and go to Debian (as I've been considering, but now have good reason for security purposes), and return this CD by mail to SONY BMG in a thousand tiny pieces, but not before I copy it and distribute out of sheer spite.
Thank you for reading One Man's Opinion. No participation necessary. Offer void where deemed by law or PATRIOT Act.
They don't put it there. You do. They just packaged it for you. If you didn't want to give them permission to run arbitrary executables on your computer, then WHY DID YOU RUN THEIR EXECUTABLE??
IANAL, however, I believe that contracts that are made in bad faith, or with the intent to decieve a particpant are not binding. If this is the case, I think that I wouldn't be hard to argue in a court that you have no obligation to keep Sony's rootkit (by deffinition an illicit and deceptive tool) on your computer. Moreover, you might also be entitled to damages resulting from said 'bad faith' agreement.
Even if my assessment isn't quite correct, it seems to me that it is probably fuzzy enough of a point to invite litigation. If I were a multimillion(billion?) dollar company I wouldn't be the one to test the legal water on something like this.
HA! I just wasted some of your bandwidth with a frivolous sig!
Sony, you have gone too far...
No PSP for Christmas!
No PS3 next year!
So you protected a $15 CD by killing ~$700 of hardware purchases plus whatever games I would have purchased.
No wonder your stock sucks and your revenues are down!
Your DRM works, I'm exercising my right not to purchase your products any more!
"I say we take off, nuke the site from orbit. It's the only way to be sure."
Cat's out of the bag now. Congratulations, Sony. You fucked up big time.
I'd like to take this opportunity to dissect the article in question here, to point out just how positively obscene this is. There are a few key points I'd like to highlight that I feel we should all take into consideration.
It would appear that Sony has deliberately begun shipping rootkits with its DRM protected CDs. According to the article - and this is a pretty good definition, by the way - "Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden." In a nutshell, this means that the program shipped with the CD in question here - and possibly other Sony CDs - is designed to hide itself and other programs from view. In other words, once installed, it will allow Sony and any other interested party familiar with this particular rootkit to operate programs on a compromised system without the user knowing it.
Let's take a step back here to consider the implications of this. Sony is distributing a rootkit, but what does this have to do with DRM? Well, if you really think about it, it has everything to do with DRM. A DRM program that cannot be seen or easily accessed can operate secretly, monitoring and manipulating the system behind the user's back. Any future DRM software Sony distributes could infiltrate a computer secretly, and burrow deep into the system files of said computer.
According to the article, the rootkit was produced by First 4 Internet. Upon investigating the company itself and the products and services it offers, the author dredged up this lovely little nugget of joy: "... However, the fact that the company sells a technology called XCP made me think that maybe the files I'd found were part of some content protection scheme. I Googled the company name and came across this article, confirming the fact that they have deals with several record companies, including Sony, to implement Digital Rights Management (DRM) software for CDs." That right there should be proof enough that this is no accident, and anything but legitimate DRM. Not only does having a rootkit handy make the DRM difficult to thwart, but also allows it to operate secretly.
Now, you'd think that you could just remove this software, right? Wrong. Dead wrong, as a matter of fact. The author of the article had a hell of a time removing the rootkit, actually, and not only that, at any given time, it was consuming between one and two percent of the CPU's power - a small 'penalty' for even having it. (And any programs it's hiding would also have to leech off the CPU and RAM as well.) As he attempted to remove this shit, he discovered even more about the software: "As I was deleting the driver Registry keys under HKLM\System\CurrentControlSet\Services I noted that they were either configured as boot-start drivers or members of groups listed by name in the HKLM\System\CurrentControlSet\SafeBoot subkeys, which means that they load even in Safe Mode, making system recovery extremely difficult if any of them have a bug that prevents the system from booting." Suddenly, this is more than a performance issue. This software could theoretically disable a system should it break or be manipulated by the software it's hiding. It would appear, however, it is possible to remove, but only after eviscerating a handful of driver files, registry entries and keys, and other lovely goodies from your system. The rootkit and the DRM attached to it do not have an uninstaller, and unless you take the same steps the author took to remove this flaming pile of garbage from your system... Well, he puts it pretty well:
"The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files wit
What we *can* do is write a detector (only takes one of use) and hopefully a remover. Distribute it widely. Make it plain where this malware came from too... the non-technical will soon understand that playing a Sony CD will break their computer - that's all the knowledge they need.
it's a 5/$5000 penalty, class C felony, to knowingly distribute harmful software to a PC in Minnesota. 1992 law, I believe it was. demonstrating this is a rootkit is prima facie evidence that this would be harmful software.
somebody with means should get a case opened....
if this is supposed to be a new economy, how come they still want my old fashioned money?
If I kill you to prevent you from killing me, killing you is self defense and not a crime. Seems reasonable that if I kill Sony's process to prevent it from stealing my ID that it's self defense and not a crime. The DMCA is one of those laws that is so out of whack, nevermind the US Constitution. It probably violates Brittish common law, the Magna Carta, and if you look hard enough it probably violates the code of Hammurabai and the social order of primitive hunter-gatherer cultures too.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
I thought I was ahead of time, when I implemented a rootkit DRM just a few days ago. My rootkit is a part of my project, trying to show how malware and DRM systems can get really close to each others, and both get protected by law. Under EU Copyright Directive, it's going to be illegal to remove this rootkit.
You can read about my copyright projects here:
http://muzzy.net/files/copyright_projects_en.txt
-- Matti Nikki
Sony is distributing this as part of some larger, possibly effective DRM system for music CDs.
What I see here is an endless amount of whining about how awful this is. You are overlooking the potential of this. The key here is that this is now out in the wild and can be exploited. The contest should be to come up with creative (and possibly destructive) things to do with these drivers when packaged with other software.
The result of this should be interesting. I think the responsiblity for all of this rests with Sony and First 4 Internet, but I would really like to see something creative done with this, such as an ActiveX control that disables the CD drive of anyone who visits a web site. The point is to make as much use of this as possible. Sony has provided the tool, it is now up to everyone to make as much use of this as possible.
So you're telling me that if I prepend a file name with "$sys$" it will be nearly undetectable? Finally! An easy and effective way to hide my pr0n. I can't wait to buy this CD
It's SUPPOSED to be a fucking AUDIO CD!!
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz